Borislav,

On 9/20/14 11:57 PM, Borislav Trifonov wrote:
> Switched to a configuration where Tomcat is now front-ended by
> Nginx acting as a load balancer, so now the problem has moved to a
> different spot.

Just curious: how does Nginx do this? IIRC, Nginx can use either OpenSSL or GnuTLS. What does the configuration look like?

It seems reasonable for httpd/APR to support PSK... perhaps it can be added if it does not already exist.

> As for the PSK: the computational expense of key exchange (we have
> many frequent short lived connections) is a con that brings zero
> benefit to our setup, as the clients are fixed and already have the
> symmetric keys.

Makes sense.

> I could ask the inverse question: if one controls not just the
> server but also the clients, what's the point of public key
> crypto?

You never mentioned that you had "control" of the clients. Using PSKs of course means you have some measure of control over the clients, but it is not always so.

> The only reason I'm relying on TLS is because the same server also
> needs to occasionally support regular connections using
> certificates.

Would it be an option to use something like stunnel (I'm not sure if that allows PSKs, either) between the client and server? It's a lot of extra processes, but it might get the job done.

-chris