Mailing List Archive

On Sunday 30 May 2021 at 08:43:59, Garry Adkins wrote:

> Hi,
>
> I'm new to the maling list, and was wondering if anyone used pre-shared
> keys with Apache for encrypted connections?

I don't know about PSK with Apache, but...

> I'm working with some processor constrained IOT devices, and doing a full
> TLS 1.3 setup is quite heavy. These devices don't have access to the
> internet, so updating certs becomes a problem too.

If these things don't have access to the Internet, what security concerns are
you trying to address by using encryption at all?

Maybe you could explain where the IoT devices are and where Apache is, in
networking terms, so we can understand what communications you are trying to
secure, and against what threats.


Antony.

--
"If I've told you once, I've told you a million times - stop exaggerating!"

Please reply to the list;
please *don't* CC me.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

>If these things don't have access to the Internet, what security concerns
are
>you trying to address by using encryption at all?

I'm going to answer these in reverse order, I think that will make more
sense.

>Maybe you could explain where the IoT devices are and where Apache is, in
>networking terms, so we can understand what communications you are trying
to
>secure, and against what threats.

The devices are very simple embedded controllers, and they're monitoring
environmental factors, the exact things they monitor depends on how they're
configured.
Here's one example, the unit has a temperature probe sensor for monitoring
refrigerator temperatures. It sends temperature status readings every few
minutes over wifi to Apache. Apache then logs the data into a database.
The unit also can instantly send a message to Apache if the device being
monitored gets outside of a predetermined range.
The unit also regularly requests configuration updates, which can change
various internal parameters (how often to report, what is considered out of
range, etc.). This can also do an over-the-air update to download new
firmware.

Apache is installed on a dedicated computer with a private wifi network
that houses the control scripts, update files, and database. This machine
is also not internet connected. The machine can be queried to create
reports on the data, and can reach out to a third machine (via wired lan)
to send alerts if something goes out of range. It currently runs a version
of Debian.

The security concerns are two fold, one technical, one political.
Here's an example:
Say the unit is monitoring a refrigerator temperature in a pharmacy in a
hospital. If the temperature gets out of range, the drugs inside need to
be discarded for patient safety. The unit will alert before that threshold
is reached, but the overall data is used for manufacturer compliance and
legal protection. Being able to produce reports and graphs of the
refrigerator temperature eliminates a good bit of patient and legal risk.

The technical issue is fairly straightforward. Using PSK, only devices that
have the PSK can talk to Apache, giving a degree of validation that only
verified devices can send data. This is for data integrity purposes.
Others cannot connect. In a large (physical size) organization, they can be
configured to connect over the location's internal WiFi so WiFi encryption
alone is not sufficient.

The political issue is (imho) kind of pointless but very real. Many
organizations have little checklists that will eliminate you from competing
for business. Very often there will be a requirement like "All
communication is encrypted using a minimum of TLS 1.2 or higher". If you
can't pass that checkbox, you are disqualified.

So the question is:
Can I configure Apache to use PSK (preferably TLS1.3 version of PSK) by
sharing a key between the server and the client?

I hope that makes it more clear.

-Garry





On Sun, May 30, 2021 at 3:57 AM Antony Stone <
Antony.Stone@apache.open.source.it> wrote:

> On Sunday 30 May 2021 at 08:43:59, Garry Adkins wrote:
>
> > Hi,
> >
> > I'm new to the maling list, and was wondering if anyone used pre-shared
> > keys with Apache for encrypted connections?
>
> I don't know about PSK with Apache, but...
>
> > I'm working with some processor constrained IOT devices, and doing a full
> > TLS 1.3 setup is quite heavy. These devices don't have access to the
> > internet, so updating certs becomes a problem too.
>
> If these things don't have access to the Internet, what security concerns
> are
> you trying to address by using encryption at all?
>
> Maybe you could explain where the IoT devices are and where Apache is, in
> networking terms, so we can understand what communications you are trying
> to
> secure, and against what threats.
>
>
> Antony.
>
> --
> "If I've told you once, I've told you a million times - stop exaggerating!"
>
> Please reply to the
> list;
> please *don't* CC
> me.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

--
Garry Adkins
****************************************************
https://www.linkedin.com/in/garryadkins/
garryadkins@gmail.com
251-487-1803 (c)

On Monday 31 May 2021 at 07:17:52, Garry Adkins wrote:

> > If these things don't have access to the Internet, what security concerns
> > are you trying to address by using encryption at all?
>
> > Maybe you could explain where the IoT devices are and where Apache is, in
> > networking terms, so we can understand what communications you are trying
> > to secure, and against what threats.
>
> The devices are very simple embedded controllers, and they're monitoring
> environmental factors, the exact things they monitor depends on how they're
> configured.

> Apache is installed on a dedicated computer with a private wifi network
> that houses the control scripts, update files, and database. This machine
> is also not internet connected. The machine can be queried to create
> reports on the data, and can reach out to a third machine (via wired lan)
> to send alerts if something goes out of range. It currently runs a version
> of Debian.

> The security concerns are two fold, one technical, one political.

> The technical issue is fairly straightforward. Using PSK, only devices that
> have the PSK can talk to Apache, giving a degree of validation that only
> verified devices can send data. This is for data integrity purposes.
> Others cannot connect. In a large (physical size) organization, they can be
> configured to connect over the location's internal WiFi so WiFi encryption
> alone is not sufficient.
>
> The political issue is (imho) kind of pointless but very real. Many
> organizations have little checklists that will eliminate you from competing
> for business. Very often there will be a requirement like "All
> communication is encrypted using a minimum of TLS 1.2 or higher". If you
> can't pass that checkbox, you are disqualified.
>
> So the question is:
> Can I configure Apache to use PSK (preferably TLS1.3 version of PSK) by
> sharing a key between the server and the client?

I can find no indication that Apache supports TLS / PSK.

Provided your IoT devices can manage the client end, I would suggest you look
into using https://www.stunnel.org/ on the Apache server, to provide TLS over
the network, and plain HTTP internally on the server (localhost only) between
stunnel and Apache.


Antony.

--
Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.

- William Gibson, Neuromancer (1984)

Please reply to the list;
please *don't* CC me.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Hello Garry,

Thanks for explaining in depth the situation you are dealing and what
you want to do. Full disclosure, I know nothing of PSK and never tried
to use it, but having said this...

If PSK setup is not a thing in Apache, have you considered Client
Certificate Authentication instead? If I understood correctly Client
Certificate Authentication also seems to match the needs you have, you
can set clients with a certificate signed by a CA of your choice and
set up that Apache to allow connections from clients which
certificates are signed by said CA and maybe just others you specify.

Regards

El lun, 31 may 2021 a las 7:18, Garry Adkins (<garryadkins@gmail.com>) escribió:
>
> >If these things don't have access to the Internet, what security concerns are
> >you trying to address by using encryption at all?
>
> I'm going to answer these in reverse order, I think that will make more sense.
>
> >Maybe you could explain where the IoT devices are and where Apache is, in
> >networking terms, so we can understand what communications you are trying to
> >secure, and against what threats.
>
> The devices are very simple embedded controllers, and they're monitoring environmental factors, the exact things they monitor depends on how they're configured.
> Here's one example, the unit has a temperature probe sensor for monitoring refrigerator temperatures. It sends temperature status readings every few minutes over wifi to Apache. Apache then logs the data into a database. The unit also can instantly send a message to Apache if the device being monitored gets outside of a predetermined range.
> The unit also regularly requests configuration updates, which can change various internal parameters (how often to report, what is considered out of range, etc.). This can also do an over-the-air update to download new firmware.
>
> Apache is installed on a dedicated computer with a private wifi network that houses the control scripts, update files, and database. This machine is also not internet connected. The machine can be queried to create reports on the data, and can reach out to a third machine (via wired lan) to send alerts if something goes out of range. It currently runs a version of Debian.
>
> The security concerns are two fold, one technical, one political.
> Here's an example:
> Say the unit is monitoring a refrigerator temperature in a pharmacy in a hospital. If the temperature gets out of range, the drugs inside need to be discarded for patient safety. The unit will alert before that threshold is reached, but the overall data is used for manufacturer compliance and legal protection. Being able to produce reports and graphs of the refrigerator temperature eliminates a good bit of patient and legal risk.
>
> The technical issue is fairly straightforward. Using PSK, only devices that have the PSK can talk to Apache, giving a degree of validation that only verified devices can send data. This is for data integrity purposes. Others cannot connect. In a large (physical size) organization, they can be configured to connect over the location's internal WiFi so WiFi encryption alone is not sufficient.
>
> The political issue is (imho) kind of pointless but very real. Many organizations have little checklists that will eliminate you from competing for business. Very often there will be a requirement like "All communication is encrypted using a minimum of TLS 1.2 or higher". If you can't pass that checkbox, you are disqualified.
>
> So the question is:
> Can I configure Apache to use PSK (preferably TLS1.3 version of PSK) by sharing a key between the server and the client?
>
> I hope that makes it more clear.
>
> -Garry
>
>
>
>
>
> On Sun, May 30, 2021 at 3:57 AM Antony Stone <Antony.Stone@apache.open.source.it> wrote:
>>
>> On Sunday 30 May 2021 at 08:43:59, Garry Adkins wrote:
>>
>> > Hi,
>> >
>> > I'm new to the maling list, and was wondering if anyone used pre-shared
>> > keys with Apache for encrypted connections?
>>
>> I don't know about PSK with Apache, but...
>>
>> > I'm working with some processor constrained IOT devices, and doing a full
>> > TLS 1.3 setup is quite heavy. These devices don't have access to the
>> > internet, so updating certs becomes a problem too.
>>
>> If these things don't have access to the Internet, what security concerns are
>> you trying to address by using encryption at all?
>>
>> Maybe you could explain where the IoT devices are and where Apache is, in
>> networking terms, so we can understand what communications you are trying to
>> secure, and against what threats.
>>
>>
>> Antony.
>>
>> --
>> "If I've told you once, I've told you a million times - stop exaggerating!"
>>
>> Please reply to the list;
>> please *don't* CC me.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>
>
> --
> Garry Adkins
> ****************************************************
> https://www.linkedin.com/in/garryadkins/
> garryadkins@gmail.com
> 251-487-1803 (c)
>


--
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Thanks for all the help everyone! I discovered Antony Stone's idea after I
sent the original email, but before I saw his response. I think he's
right, and stunnel is the way to go. It simplifies a lot of things and
provides the network security that I'm looking for.

Here's what I'm going to test:
1) Set apache to ONLY listen to loopback (127.0.0.1)
2) Set STUNNEL up with PSK (there is even a specific example for this in
the documentation), using TLS 1.3 (There's my checkbox checked!)
3) Set STUNNEL to forward input from port *:443 to 127.0.0.1:80, refuse
connections if bad PSK


Thanks for all the suggestions.

-Garry

On Mon, May 31, 2021 at 3:28 AM Antony Stone <
Antony.Stone@apache.open.source.it> wrote:

> On Monday 31 May 2021 at 07:17:52, Garry Adkins wrote:
>
> > > If these things don't have access to the Internet, what security
> concerns
> > > are you trying to address by using encryption at all?
> >
> > > Maybe you could explain where the IoT devices are and where Apache is,
> in
> > > networking terms, so we can understand what communications you are
> trying
> > > to secure, and against what threats.
> >
> > The devices are very simple embedded controllers, and they're monitoring
> > environmental factors, the exact things they monitor depends on how
> they're
> > configured.
>
> > Apache is installed on a dedicated computer with a private wifi network
> > that houses the control scripts, update files, and database. This
> machine
> > is also not internet connected. The machine can be queried to create
> > reports on the data, and can reach out to a third machine (via wired lan)
> > to send alerts if something goes out of range. It currently runs a
> version
> > of Debian.
>
> > The security concerns are two fold, one technical, one political.
>
> > The technical issue is fairly straightforward. Using PSK, only devices
> that
> > have the PSK can talk to Apache, giving a degree of validation that only
> > verified devices can send data. This is for data integrity purposes.
> > Others cannot connect. In a large (physical size) organization, they can
> be
> > configured to connect over the location's internal WiFi so WiFi
> encryption
> > alone is not sufficient.
> >
> > The political issue is (imho) kind of pointless but very real. Many
> > organizations have little checklists that will eliminate you from
> competing
> > for business. Very often there will be a requirement like "All
> > communication is encrypted using a minimum of TLS 1.2 or higher". If you
> > can't pass that checkbox, you are disqualified.
> >
> > So the question is:
> > Can I configure Apache to use PSK (preferably TLS1.3 version of PSK) by
> > sharing a key between the server and the client?
>
> I can find no indication that Apache supports TLS / PSK.
>
> Provided your IoT devices can manage the client end, I would suggest you
> look
> into using https://www.stunnel.org/ on the Apache server, to provide TLS
> over
> the network, and plain HTTP internally on the server (localhost only)
> between
> stunnel and Apache.
>
>
> Antony.
>
> --
> Behind the counter a boy with a shaven head stared vacantly into space,
> a dozen spikes of microsoft protruding from the socket behind his ear.
>
> - William Gibson, Neuromancer (1984)
>
> Please reply to the
> list;
> please *don't* CC
> me.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

--
Garry Adkins
****************************************************
https://www.linkedin.com/in/garryadkins/
garryadkins@gmail.com
251-487-1803 (c)

Hi Daniel,

This is a really interesting idea, and might be worth pursuing if the
STUNNEL idea doesn't pan out. Thanks for a great suggestion.

-G

On Mon, May 31, 2021 at 4:01 AM Daniel Ferradal <dferradal@apache.org>
wrote:

> Hello Garry,
>
> Thanks for explaining in depth the situation you are dealing and what
> you want to do. Full disclosure, I know nothing of PSK and never tried
> to use it, but having said this...
>
> If PSK setup is not a thing in Apache, have you considered Client
> Certificate Authentication instead? If I understood correctly Client
> Certificate Authentication also seems to match the needs you have, you
> can set clients with a certificate signed by a CA of your choice and
> set up that Apache to allow connections from clients which
> certificates are signed by said CA and maybe just others you specify.
>
> Regards
>
> El lun, 31 may 2021 a las 7:18, Garry Adkins (<garryadkins@gmail.com>)
> escribió:
> >
> > >If these things don't have access to the Internet, what security
> concerns are
> > >you trying to address by using encryption at all?
> >
> > I'm going to answer these in reverse order, I think that will make more
> sense.
> >
> > >Maybe you could explain where the IoT devices are and where Apache is,
> in
> > >networking terms, so we can understand what communications you are
> trying to
> > >secure, and against what threats.
> >
> > The devices are very simple embedded controllers, and they're monitoring
> environmental factors, the exact things they monitor depends on how they're
> configured.
> > Here's one example, the unit has a temperature probe sensor for
> monitoring refrigerator temperatures. It sends temperature status readings
> every few minutes over wifi to Apache. Apache then logs the data into a
> database. The unit also can instantly send a message to Apache if the
> device being monitored gets outside of a predetermined range.
> > The unit also regularly requests configuration updates, which can change
> various internal parameters (how often to report, what is considered out of
> range, etc.). This can also do an over-the-air update to download new
> firmware.
> >
> > Apache is installed on a dedicated computer with a private wifi network
> that houses the control scripts, update files, and database. This machine
> is also not internet connected. The machine can be queried to create
> reports on the data, and can reach out to a third machine (via wired lan)
> to send alerts if something goes out of range. It currently runs a version
> of Debian.
> >
> > The security concerns are two fold, one technical, one political.
> > Here's an example:
> > Say the unit is monitoring a refrigerator temperature in a pharmacy in a
> hospital. If the temperature gets out of range, the drugs inside need to
> be discarded for patient safety. The unit will alert before that threshold
> is reached, but the overall data is used for manufacturer compliance and
> legal protection. Being able to produce reports and graphs of the
> refrigerator temperature eliminates a good bit of patient and legal risk.
> >
> > The technical issue is fairly straightforward. Using PSK, only devices
> that have the PSK can talk to Apache, giving a degree of validation that
> only verified devices can send data. This is for data integrity purposes.
> Others cannot connect. In a large (physical size) organization, they can be
> configured to connect over the location's internal WiFi so WiFi encryption
> alone is not sufficient.
> >
> > The political issue is (imho) kind of pointless but very real. Many
> organizations have little checklists that will eliminate you from competing
> for business. Very often there will be a requirement like "All
> communication is encrypted using a minimum of TLS 1.2 or higher". If you
> can't pass that checkbox, you are disqualified.
> >
> > So the question is:
> > Can I configure Apache to use PSK (preferably TLS1.3 version of PSK) by
> sharing a key between the server and the client?
> >
> > I hope that makes it more clear.
> >
> > -Garry
> >
> >
> >
> >
> >
> > On Sun, May 30, 2021 at 3:57 AM Antony Stone <
> Antony.Stone@apache.open.source.it> wrote:
> >>
> >> On Sunday 30 May 2021 at 08:43:59, Garry Adkins wrote:
> >>
> >> > Hi,
> >> >
> >> > I'm new to the maling list, and was wondering if anyone used
> pre-shared
> >> > keys with Apache for encrypted connections?
> >>
> >> I don't know about PSK with Apache, but...
> >>
> >> > I'm working with some processor constrained IOT devices, and doing a
> full
> >> > TLS 1.3 setup is quite heavy. These devices don't have access to the
> >> > internet, so updating certs becomes a problem too.
> >>
> >> If these things don't have access to the Internet, what security
> concerns are
> >> you trying to address by using encryption at all?
> >>
> >> Maybe you could explain where the IoT devices are and where Apache is,
> in
> >> networking terms, so we can understand what communications you are
> trying to
> >> secure, and against what threats.
> >>
> >>
> >> Antony.
> >>
> >> --
> >> "If I've told you once, I've told you a million times - stop
> exaggerating!"
> >>
> >> Please reply to the
> list;
> >> please *don't*
> CC me.
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >> For additional commands, e-mail: users-help@httpd.apache.org
> >>
> >
> >
> > --
> > Garry Adkins
> > ****************************************************
> > https://www.linkedin.com/in/garryadkins/
> > garryadkins@gmail.com
> > 251-487-1803 (c)
> >
>
>
> --
> Daniel Ferradal
> HTTPD Project
> #httpd help at Libera.Chat
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

--
Garry Adkins
****************************************************
https://www.linkedin.com/in/garryadkins/
garryadkins@gmail.com
251-487-1803 (c)