Christopher Schultz wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Borislav,
On 9/20/14 11:57 PM, Borislav Trifonov wrote:
Switched to a configuration where Tomcat is now front-ended by
Nginx acting as a load balancer, so now the problem has moved to a
different spot.
Just curious: how does Nginx do this? IIRC, Nginx can use either
OpenSSL or GnuTLS. What does the configuration look like? It seems
reasonable for httpd/APR to support PSK... perhaps it can be added if
it does not already exist.
As for the PSK: the computational expense of key exchange (we have
many frequent short lived connections) is a con that brings zero
benefit to our setup, as the clients are fixed and already have the
symmetric keys.
Makes sense.
I could ask the inverse question: if one controls not just the
server but also the clients, what's the point of public key
crypto?
You never mentioned that you had "control" of the clients. Using PSKs
of course means you have some measure of control over the clients,
but it is not always so.
The only reason I'm relying on TLS is because the same server also
needs to occasionally support regular connections using
certificates.
Would it be an option to use something like stunnel (I'm not sure if
that allows PSKs, either) between the client and server? It's a lot of
extra processes, but it might get the job done.
And maybe a stupid question : since you are saying that you have control over both the
clients and the server, are your clients/servers really "external" ?
And if they are, would it not make sense to have them connected first via a VPN, and then
do the HTTP exchanges in clear, but over that (encrypted) VPN ?
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org