-1

The Tomcat people won't help me, so I'm hoping someone here will come through. I can't figure out how to set up Tomcat to use pre-shared keys. All the SSL/TLS guides for it assume certificates. Please help!

Display Name
  • The Tomcat people won't help you? You didn't wait very long for a reply to your question on the Tomcat users mailing list before posting here. I'll repeat the answer I gave you on the users list below. – Mark Thomas Sep 19 '14 at 08:05
  • Mark, I was referring to the (semi?-)official #tomcat IRC channel. I only posted on the mailing list after total silence on IRC for a good while after I asked, despite the channel being full (of idlers, apparently). – Display Name Sep 19 '14 at 19:36

1 Answer

3

PSK ciphers are not supported in the JSSE provider provided by Oracle (or any of the other JVM vendors as far as I am aware).

You'll have to find a JSSE provider that supports PSK ciphers. That provider should include documentation on how to configure it.

Note that while Oracle does list PSK ciphers in the Java standard names, that does not mean that they are implemented in the default JSSE implementation.

Mark Thomas
  • Why is it not sufficient that the JCE provider support it (for example, BouncyCastle)? On the one hand, I read that SSL/TLS requires JSSE, and it says that the JSSE provider has to support the cipher-suites: http://bouncy-castle.1462172.n4.nabble.com/BouncyCastle-and-JSSE-Camellia-not-showing-in-enabled-ciphers-td3229575.html On the other hand, on this very site people are doing TLS-PSK with BouncyCastle: http://stackoverflow.com/questions/11154263/tls-connection-with-psk-using-bouncycastle – Display Name Sep 19 '14 at 19:40
  • 1
    When I said JSSE provider, I should have said Java Cryptography Extension (JCE) provider. If BouncyCastle supports PSK ciphers then you should be able to configure your JRE to use BouncyCastle and then configure Tomcat for SSL using a PSK cipher. I would hope that this would then 'just work' but there is a possibility (I haven't investigated) that Tomcat might not call the right JSSE methods in the right order to correctly initialise a PSK cipher. I'd hope that the JSSE API would work the same way for all cipher types. – Mark Thomas Sep 20 '14 at 06:06
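
A way to check what the answer describes on a given JVM, added here as an example and not part of the original answer or comments: it asks every installed security provider that offers an `SSLContext` service which cipher suites it actually implements and reports the PSK ones. The class name `PskSuiteCheck` is an assumption; it goes slightly beyond the answer by covering all registered providers, not only the default one.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;

// Added diagnostic (class name is an assumption): lists the PSK cipher suites
// implemented by each installed provider that offers an SSLContext service.
public class PskSuiteCheck {

    // Returns the supported cipher suites of one SSLContext whose names contain "_PSK_"
    // (matches TLS_PSK_, TLS_DHE_PSK_, TLS_RSA_PSK_ and TLS_ECDHE_PSK_ suites).
    static List<String> pskSuites(String protocol, Provider provider) throws Exception {
        SSLContext ctx = SSLContext.getInstance(protocol, provider);
        if (!"Default".equals(protocol)) {
            // null arguments select the default key/trust managers and RNG;
            // the "Default" context is pre-initialised and rejects init().
            ctx.init(null, null, null);
        }
        List<String> found = new ArrayList<>();
        for (String suite : ctx.getSupportedSSLParameters().getCipherSuites()) {
            if (suite.contains("_PSK_")) {
                found.add(suite);
            }
        }
        return found;
    }

    public static void main(String[] args) {
        for (Provider provider : Security.getProviders()) {
            for (Provider.Service service : provider.getServices()) {
                if (!"SSLContext".equals(service.getType())) {
                    continue; // only TLS context implementations are of interest
                }
                String label = provider.getName() + " / " + service.getAlgorithm();
                try {
                    List<String> psk = pskSuites(service.getAlgorithm(), provider);
                    System.out.println(label + ": " + (psk.isEmpty() ? "no PSK suites" : psk));
                } catch (Exception e) {
                    // A context that cannot be initialised is reported, not fatal.
                    System.out.println(label + ": could not inspect (" + e + ")");
                }
            }
        }
    }
}
```

Run it with the same JRE and `java.security` configuration that Tomcat uses. A provider that reports no PSK suites here cannot have one enabled on a connector, whatever names appear in the Java standard-names list.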