Server-side support for TLS-PSK [closed] - ssl

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 5 years ago.
We are looking into supporting TLS-PSK for a set of constrained devices that do not have sufficient resources to do the normal TLS handshake using certificates. To that end we are looking for a TLS-PSK component that we can integrate on our (cloud) servers. This component may be anything: a proxy, a module for Apache, or anything else that scales well.
So far we have found several libraries that support TLS-PSK: GnuTLS, OpenSSL amongst others. Moreover, we can find several HTTPS/TLS client libraries that we can use to send HTTP(S) requests over a TLS-PSK connection. However, what we have not been able to find are server-side solutions that would accept such TLS-PSK connections. The Apache modules mod_ssl and mod_gnutls do not expose the TLS-PSK capabilities of the underlying libraries. F5 Big-IP does not have TLS-PSK in its cipher lists. HAProxy does not have TLS-PSK interfaces either. The node.js TLS library had a pull request that became stale and hard to apply with all the recent TLS lib refactorings...
So in short: does anyone know of a TLS-PSK capable component that we can integrate in our server backends to accept TLS-PSK connections from a large set of clients?

stunnel might be capable of helping here. PSK was added in 5.09.
Installation
/etc/stunnel/stunnel.conf:
[PSK server]
accept = 443
connect = 80
ciphers = PSK
PSKsecrets = /path/to/psk.txt
debug = 7
psk.txt (chmod 600):
client1:oaP4EishaeSaishei6rio6xeeph3az
Run with stunnel, or set up a service
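A pre-deployment check for the PSKsecrets file described in the answer above, as an added example that is not part of the original answer or of stunnel itself. The names `check_psk_file`, `key_bytes`, `MIN_KEY_BYTES` and `PUBLISHED_KEYS` are hypothetical, and the 16-byte minimum and the hex-key handling are assumptions to confirm against the manual for your stunnel version.

```python
import os
import stat
import string
import sys

# Assumption: a documented minimum of 16 key bytes; check the manual for your
# stunnel version. All-hex keys are counted as binary (two chars per byte).
MIN_KEY_BYTES = 16
# The key printed in the answer is public, so it must never reach production.
PUBLISHED_KEYS = {"oaP4EishaeSaishei6rio6xeeph3az"}

def key_bytes(key):
    """Effective key length in bytes, treating all-hex keys as binary."""
    is_hex = len(key) % 2 == 0 and all(c in string.hexdigits for c in key)
    return len(key) // 2 if is_hex else len(key.encode())

def check_psk_file(path, min_key_bytes=MIN_KEY_BYTES):
    """Return a list of findings for an IDENTITY:KEY file (empty list = clean)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {mode:03o} grants group/other access; use 600")
    seen = set()
    with open(path, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.rstrip("\r\n")
            if not line:
                continue
            identity, sep, key = line.partition(":")
            if not sep or not identity or not key:
                findings.append(f"line {lineno}: expected IDENTITY:KEY")
                continue
            if identity in seen:
                findings.append(f"line {lineno}: duplicate identity {identity!r}")
            seen.add(identity)
            if key in PUBLISHED_KEYS:
                findings.append(f"line {lineno}: key copied from a public example")
            if key_bytes(key) < min_key_bytes:
                findings.append(f"line {lineno}: key shorter than {min_key_bytes} bytes")
    return findings

if __name__ == "__main__":
    # Usage: python check_psk.py /path/to/psk.txt
    for psk_path in sys.argv[1:]:
        for finding in check_psk_file(psk_path):
            print(f"{psk_path}: {finding}")
```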

Related

Which is secure cipher suites for TLS 1.2 [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 3 years ago.
We have implemented TLS 1.2 on SERVER 2019. How can we know the best cipher suite to use for IIS 10?
Please, could someone give me a priority order? That would be great for me.
There is generally no "best" or "most secure" cipher suite you can use in all cases. Generally, when choosing a cipher suite you want to support, you follow some principles to come up with a suitable cipher suite for your use case. Some of those are:
Choose ciphers which are supported by both your server and your intended clients
Eliminate insecure ciphers (e.g. cryptographically broken ones or ciphers with too small key sizes)
Performance considerations (ECDSA is faster than RSA but not supported everywhere, longer key sizes are (significantly) slower than smaller key sizes but are more secure, ...)
Forward secrecy
...
If you don't want to deal with the properties of all the affected ciphers, there is a config generator maintained by Mozilla which can generate secure configurations for a variety of webservers for one of three security profiles at
https://ssl-config.mozilla.org/
You still need to decide based on the clients you intend to support and their supported ciphers which security profile is suitable.
An updated description of the available profiles along with some reasoning for the chosen options is available at https://wiki.mozilla.org/Security/Server_Side_TLS
To check your server and to get an overview of which browsers are able to connect to it, you could use the Qualys SSL Server Test at https://www.ssllabs.com/ssltest/
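One way to apply the principles listed in this answer to a concrete suite list, as an added example that is not part of the original answer. The function names, the ordering rule (forward secrecy first, then AEAD) and the sample lists are assumptions constructed for illustration, not a recommended priority order for any particular server.

```python
# Substrings marking primitives to eliminate (broken or too-small keys).
WEAK_MARKERS = ("NULL", "EXPORT", "anon", "RC4", "DES", "MD5")

def properties(suite):
    """Parse an IANA-style TLS 1.2 name into (weak, forward_secret, aead)."""
    if not suite.startswith("TLS_") or "_WITH_" not in suite:
        raise ValueError(f"not a TLS 1.2 IANA suite name: {suite!r}")
    key_exchange, cipher = suite[4:].split("_WITH_", 1)
    weak = any(marker in suite for marker in WEAK_MARKERS)
    forward_secret = key_exchange.split("_")[0] in ("ECDHE", "DHE")
    aead = any(m in cipher for m in ("_GCM", "_CCM", "CHACHA20_POLY1305"))
    return weak, forward_secret, aead

def triage(server_suites, client_suites):
    """Return (ordered, dropped); dropped maps each removed suite to a reason."""
    ranked, dropped = [], {}
    for suite in server_suites:
        weak, forward_secret, aead = properties(suite)
        if weak:
            dropped[suite] = "insecure primitive"
        elif suite not in client_suites:
            dropped[suite] = "no intended client supports it"
        else:
            ranked.append((not forward_secret, not aead, suite))
    ranked.sort(key=lambda item: item[:2])  # stable: ties keep input order
    return [suite for _, _, suite in ranked], dropped

# Constructed sample input: suites a server offers and suites clients accept.
SAMPLE_SERVER = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_RC4_128_MD5",
]
SAMPLE_CLIENTS = set(SAMPLE_SERVER) - {"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"}

if __name__ == "__main__":
    ordered, dropped = triage(SAMPLE_SERVER, SAMPLE_CLIENTS)
    print("\n".join(ordered))
    for suite, reason in dropped.items():
        print(f"dropped {suite}: {reason}")
```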

Can Arduino connect securely to MQTT? [closed]

Closed 5 years ago.
I have an Arduino Uno Rev 3 with an Ethernet Shield. Can I use this to connect to a secure MQTT broker (using port 8883)?
What library do I use?
The Arduino Uno only has 2kB of RAM and 32kB of program memory - this is a very constrained device and I do not believe is enough to implement any kind of SSL/TLS.
For example, WolfSSL is designed for embedded devices, but it states that it uses between 20-100 kB of program memory and 1-36 kB of RAM:
https://www.wolfssl.com/wolfSSL/benchmarks-wolfssl.html
So I suspect that the only option would be to off-load the encryption to another device.
You could have an MQTT broker on your local network (Raspberry Pi?) that your Arduino(s) connect to over port 1883, and then connects them securely over port 8883 over the internet.
You could use an ESP8266 to perform both the network connection and encryption. For example, an ESP8266 Arduino shield is available.
There may be some other kind of IC that you could off-load the TLS encryption to, but still have the Arduino Uno doing the networking - but I am not sure if anything like this actually exists.

SSL Certificate: http vs https [closed]

Closed 9 years ago.
I'm about to get an SSL Certificate for my website. In particular, it will be used because I'm switching over to a payment processor which requires it. A few "noob" questions:
1) Will I have to change any code that directs users to http://www.mysite.com to https://www.mysite.com, or will users who go to http://www.mysite.com be automatically re-directed to https://www.mysite.com?
2) I assume that https "slows" things down on a site? If this is the case, can I maintain the http everywhere on my site except when they make a payment to the processor? i.e. http://www.mysite.com/any_old_page.php, while https://www.mysite.com/pay_for_the_stuff.php
Thanks!
No, that won't happen automatically. You will have to change your server configuration to do that.
Yes, it slows things down. How much depends on the cipher suite used for the server, the server software and hardware. You should play around with different TLS cipher suites to see how much. It depends on that (and on the nature of your site) whether you should only use TLS on part of your site or all of your site. As for the requirements of the payment processor: ASK!

DNS Server Software with Authenticated REST API [closed]

Closed 5 years ago.
Does DNS server software exist with a built-in authenticated REST API for managing records?
Alternatively, is there a layer on top of any existing DNS software to manage DNS records?
You might try OpenStack Designate. It's a REST API that runs on top of a standard DNS nameserver.
REST API for domain & record management
Multi-tenant
Integrated with Keystone for authentication
Framework in place to integrate with Nova and Neutron notifications (for auto-generated records)
Support for PowerDNS and Bind9 out of the box
callsign is a mini DNS server written in Python that supplies a REST API. In order to authenticate your requests you can use iptables to restrict access to specific IP addresses.
If you'd like something different for authentication, you can write your own API over either its command-line interface or its internal Python API by importing the package. It is licensed under the Apache license, so it's quite permissive on what you can do with your code that uses it.
There's no DNS server software I know of with a built-in REST API.
The options I know of are:
use standard dynamic updates
use the IETF "Name Server Control Protocol", once it's finished and clients available (e.g. DNSCCM)
It wouldn't be hard to write a quick set of RESTful scripts that can produce dynamic update messages - I've seen it done using Net::DNS for Perl.

Windows Server 2008 SSTP VPN in a Non-Domain Environment? [closed]

Closed 7 years ago.
Is it doable to set up a non-domain-based (standalone) Windows Server 2008 as an SSTP VPN (Secure Socket Layer Tunneling Protocol VPN)?
I'd like to enable remote users to access a network via SSL-based VPN (currently using PPTP) by making an SSTP VPN connection via a Win2k8 server. Most of the docs seem to include running in an AD domain with an in-house Certificate Authority to enable this feature.
Is it possible to do this with a stand-alone Win2k8 server? If so, how?
You connect with the host address for SSTP. You can use a standard web certificate from any SSL cert provider. That host address needs to resolve to your VPN server.
Step-by-step guide:
http://www.windowsecurity.com/articles/Configuring-Windows-Server-2008-Remote-Access-SSL-VPN-Server-Part2.html
My understanding is that the certificate used as part of the authentication has to come from Active Directory Certificate Services, and there is no way to get it from any other source (I'll admit to not trying too hard to figure out if it was possible; I was investigating SSTP for another VPN-related project).
Setting up the 2008 server as a standalone AD controller would get around the issue; the client systems don't need to be in the domain.