Hi Daniel, This is a really interesting idea, and might be worth pursuing if the STUNNEL idea doesn't pan out. Thanks for a great suggestion.
-G On Mon, May 31, 2021 at 4:01 AM Daniel Ferradal <dferra...@apache.org> wrote: > Hello Garry, > > Thanks for explaining in depth the situation you are dealing and what > you want to do. Full disclosure, I know nothing of PSK and never tried > to use it, but having said this... > > If PSK setup is not a thing in Apache, have you considered Client > Certificate Authentication instead? If I understood correctly Client > Certificate Authentication also seems to match the needs you have, you > can set clients with a certificate signed by a CA of your choice and > set up that Apache to allow connections from clients which > certificates are signed by said CA and maybe just others you specify. > > Regards > > El lun, 31 may 2021 a las 7:18, Garry Adkins (<garryadk...@gmail.com>) > escribió: > > > > >If these things don't have access to the Internet, what security > concerns are > > >you trying to address by using encryption at all? > > > > I'm going to answer these in reverse order, I think that will make more > sense. > > > > >Maybe you could explain where the IoT devices are and where Apache is, > in > > >networking terms, so we can understand what communications you are > trying to > > >secure, and against what threats. > > > > The devices are very simple embedded controllers, and they're monitoring > environmental factors, the exact things they monitor depends on how they're > configured. > > Here's one example, the unit has a temperature probe sensor for > monitoring refrigerator temperatures. It sends temperature status readings > every few minutes over wifi to Apache. Apache then logs the data into a > database. The unit also can instantly send a message to Apache if the > device being monitored gets outside of a predetermined range. > > The unit also regularly requests configuration updates, which can change > various internal parameters (how often to report, what is considered out of > range, etc.). This can also do an over-the-air update to download new > firmware. > > > > Apache is installed on a dedicated computer with a private wifi network > that houses the control scripts, update files, and database. This machine > is also not internet connected. The machine can be queried to create > reports on the data, and can reach out to a third machine (via wired lan) > to send alerts if something goes out of range. It currently runs a version > of Debian. > > > > The security concerns are two fold, one technical, one political. > > Here's an example: > > Say the unit is monitoring a refrigerator temperature in a pharmacy in a > hospital. If the temperature gets out of range, the drugs inside need to > be discarded for patient safety. The unit will alert before that threshold > is reached, but the overall data is used for manufacturer compliance and > legal protection. Being able to produce reports and graphs of the > refrigerator temperature eliminates a good bit of patient and legal risk. > > > > The technical issue is fairly straightforward. Using PSK, only devices > that have the PSK can talk to Apache, giving a degree of validation that > only verified devices can send data. This is for data integrity purposes. > Others cannot connect. In a large (physical size) organization, they can be > configured to connect over the location's internal WiFi so WiFi encryption > alone is not sufficient. > > > > The political issue is (imho) kind of pointless but very real. Many > organizations have little checklists that will eliminate you from competing > for business. Very often there will be a requirement like "All > communication is encrypted using a minimum of TLS 1.2 or higher". If you > can't pass that checkbox, you are disqualified. > > > > So the question is: > > Can I configure Apache to use PSK (preferably TLS1.3 version of PSK) by > sharing a key between the server and the client? > > > > I hope that makes it more clear. > > > > -Garry > > > > > > > > > > > > On Sun, May 30, 2021 at 3:57 AM Antony Stone < > antony.st...@apache.open.source.it> wrote: > >> > >> On Sunday 30 May 2021 at 08:43:59, Garry Adkins wrote: > >> > >> > Hi, > >> > > >> > I'm new to the maling list, and was wondering if anyone used > pre-shared > >> > keys with Apache for encrypted connections? > >> > >> I don't know about PSK with Apache, but... > >> > >> > I'm working with some processor constrained IOT devices, and doing a > full > >> > TLS 1.3 setup is quite heavy. These devices don't have access to the > >> > internet, so updating certs becomes a problem too. > >> > >> If these things don't have access to the Internet, what security > concerns are > >> you trying to address by using encryption at all? > >> > >> Maybe you could explain where the IoT devices are and where Apache is, > in > >> networking terms, so we can understand what communications you are > trying to > >> secure, and against what threats. > >> > >> > >> Antony. > >> > >> -- > >> "If I've told you once, I've told you a million times - stop > exaggerating!" > >> > >> Please reply to the > list; > >> please *don't* > CC me. > >> > >> --------------------------------------------------------------------- > >> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org > >> For additional commands, e-mail: users-h...@httpd.apache.org > >> > > > > > > -- > > Garry Adkins > > **************************************************** > > https://www.linkedin.com/in/garryadkins/ > > garryadk...@gmail.com > > 251-487-1803 (c) > > > > > -- > Daniel Ferradal > HTTPD Project > #httpd help at Libera.Chat > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org > For additional commands, e-mail: users-h...@httpd.apache.org > > -- Garry Adkins **************************************************** https://www.linkedin.com/in/garryadkins/ garryadk...@gmail.com 251-487-1803 (c)
