Is there any way to configure Opentalk connections to use SSL?
Is SSL also available for PostgresEXDI connections? I could not find any solution "out of the box". So I guess some tricky patching must be necessary.

Andre
Andre Schnoor wrote:
> Is there any way to configure Opentalk connections to use SSL?
> Is SSL also available for PostgresEXDI connections?

The easiest way is to use a tunnel, via ssh or stunnel. If you just need a secure connection and not SSL in particular, Zebedee is another tunnel solution that is easy to use.
In reply to this post by Andre Schnoor
If you are talking about Opentalk ST-ST, I'm pretty sure the answer is no. The standard answer is that you can wrap the connections in something like Stunnel (www.stunnel.org). Even if you could, though, Opentalk ST-ST has issues crossing over NATs, so it would not be viable for you on the open "Web". Again, as far as PostgresEXDI goes, you should be able to wrap them in Stunnel.

hth,
-Charles

On Wed, 05 Apr 2006 05:07:08 -0400, Andre Schnoor <[hidden email]> wrote:

> Is there any way to configure Opentalk connections to use SSL?
> Is SSL also available for PostgresEXDI connections?
>
> I could not find any solution "out of the box". So I guess some tricky patching must be necessary.
>
> Andre

--
Charles A. Monteiro
In reply to this post by Holger Kleinsorgen-4
I had not heard of this one; I guess you have used it and it works well.

Have you used Stunnel? If so, can you give a brief comparison besides the fact that Stunnel uses SSL?

thanks,
-Charles

On Wed, 05 Apr 2006 08:51:53 -0400, Holger Kleinsorgen <[hidden email]> wrote:

> Zebedee

--
Charles A. Monteiro
In reply to this post by Holger Kleinsorgen-4
Holger Kleinsorgen wrote:
> Andre Schnoor wrote:
>> Is there any way to configure Opentalk connections to use SSL?
>> Is SSL also available for PostgresEXDI connections?
>>
>
> The easiest way is to use a tunnel, via ssh or stunnel. If you just need a secure connection and not SSL in particular, Zebedee is another tunnel solution that is easy to use.
>

transparent to the user that doesn't require additional installations and works from within VW alone.

Postgres servers natively support SSL. It should be possible somehow to connect to them directly.

Regarding Opentalk, one could perhaps simply insert encryption/decryption in the object marshaller. As long as the source code is not published, this could be sufficient even with a static key (no negotiation). At least it prevents simple sniffing by keywords, etc.

Andre
In reply to this post by Andre Schnoor
Andre Schnoor wrote:
> Is there any way to configure Opentalk connections to use SSL?

Not out of the box. It's actually not hard to plug the SSL infrastructure in; the tricky issues are more logistical than technical. The thing is that the primary authentication mechanism in SSL is based on X.509 certificates. Since the network of connections between Opentalk nodes is quite fluid, it's not clear what would be the most practical setup in that regard. Certainly issuing a separate certificate to each node would work, but is that practical? For example, if a set of nodes can trust each other, they could share the same certificate and private key. That should work as long as all the nodes play fair. This reduces complexity of the setup, but a compromise would be more severe. There are probably other options too.

Another issue is how to set up certificate "subject validation". Web browsers generally expect a DNS name of the server embedded in the subject name and simply compare that to the URL the user types in. In Opentalk the connections are made to IP addresses embedded in ObjRefs. Embedding IP addresses in certificates is certainly non-standard practice. Moreover, Opentalk nodes often play both client and server roles in their interactions, making the setup and interactions that much more complicated.

So there are issues that need to be thought through. Of course, if your setup is rather static, resembling a "web server" type of scenario, then the situation might be much simpler than described.

> Is SSL also available for PostgresEXDI connections?

It should be pretty simple to wrap the SSL framework around the socket that PostgresEXDI uses to communicate. You can see an example in HttpClient, which handles both http and https.

HTH,

Martin
Martin Kobetic wrote:
> Andre Schnoor wrote:
>
>> Is there any way to configure Opentalk connections to use SSL?
>
> Not out of the box. It's actually not hard to plug the SSL infrastructure in, the tricky issues are more logistical than technical. The thing is that the primary authentication mechanism in SSL is based on X.509 certificates. Since the network of connections between Opentalk nodes is quite fluid, it's not clear what would be the most practical setup in that regard. Certainly issuing a separate certificate to each node would work, but is that practical? For example if a set of nodes can trust each other, they could share the same certificate and private key. That should work as long as all the nodes play fair. This reduces complexity of the setup, but a compromise would be more severe. There are probably other options too.
>
> Another issue is how to set up certificate "subject validation". Web browsers generally expect a DNS name of the server embedded in the subject name and simply compare that to the URL the user types in. In Opentalk the connections are made to IP addresses embedded in ObjRefs. Embedding IP addresses in certificates is certainly non-standard practice. Moreover Opentalk nodes often play both client and server roles in their interactions making the setup and interactions that much more complicated.
>
> So there are issues that need to be thought through. Of course if your setup is rather static, resembling a "web server" type of scenario, then the situation might be much simpler than described.

Interesting points. I didn't see the complexity this way.

Fortunately my case is static like a web server model. Maybe I just wrap the Opentalk object marshaller into a simple "obfuscation", i.e. an ARC4 stream encryption with a canonically computed key. That would be sufficient to prevent sniffing.

>> Is SSL also available for PostgresEXDI connections?
>
> It should be pretty simple to wrap the SSL framework around the socket that PostgresEXDI uses to communicate. You can see an example in HttpClient which handles both http and https.

That's a good point to start from, thanks!

Andre
In reply to this post by Andre Schnoor
Andre Schnoor wrote:
> Interesting points. I didn't see the complexity this way.
>
> Fortunately my case is static like a web server model. Maybe I just wrap the Opentalk object marshaller into a simple "obfuscation", i.e. an ARC4 stream encryption with a canonically computed key. That would be sufficient to prevent sniffing.

Yes, that wouldn't be hard. I would suggest subclassing Transport rather than Marshaler. In the public repository you can find package Opentalk-HTTPS, which extends Opentalk-HTTP in a similar manner.

I wouldn't try to come up with some sort of key derivation scheme, especially with ARC4, which is very sensitive to any sort of key reuse. Take a look at DH key agreement, which allows you to establish a shared secret over an unprotected channel. That way you will use a different key for each connection. The most serious weakness left will be that you still won't have any authentication, so you're still wide open to a man-in-the-middle attack. For that you'd need some sort of public-key authentication, but now you're getting close to implementing a chunk of SSL :-).

HTH,

Martin
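Martin's two points, that ARC4 under a reused key leaks and that DH key agreement gives each connection its own key, worked through as an added Python example. This is not code from the thread, from Opentalk or from VisualWorks; the Mersenne-prime DH group, the `rc4`/`dh_*` function names and the sample marshalled messages are assumptions made for the demo.

```python
"""Added example: why a static ARC4 key fails against a passive sniffer, and how
an ephemeral Diffie-Hellman exchange yields a fresh key per connection."""
import hashlib
import secrets


def rc4(key: bytes, data: bytes) -> bytes:
    """ARC4/RC4 stream cipher; the same call encrypts and decrypts (XOR with keystream)."""
    # Key-scheduling algorithm (KSA): permute the state array from the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA): emit keystream, XOR onto data.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(key: bytes, m1: bytes, m2: bytes) -> bytes:
    """Two messages under one ARC4 key: XOR of the two ciphertexts equals XOR of
    the two plaintexts, because the identical keystream cancels. A passive
    observer learns the plaintext difference without ever touching the key."""
    return xor_bytes(rc4(key, m1), rc4(key, m2))


# Toy DH group for the demo (assumption): Mersenne prime 2^521-1, generator 2.
# Real deployments use a standardized MODP group such as those in RFC 3526.
DH_P = 2**521 - 1
DH_G = 2


def dh_keypair() -> tuple[int, int]:
    """Fresh ephemeral private/public pair, generated once per connection."""
    priv = secrets.randbelow(DH_P - 2) + 1          # 1 <= priv <= P-2
    return priv, pow(DH_G, priv, DH_P)


def dh_session_key(priv: int, peer_pub: int) -> bytes:
    """Hash the shared secret g^(ab) mod p into a 256-bit key for the stream cipher."""
    if not 1 < peer_pub < DH_P - 1:
        raise ValueError("peer public value out of range")  # rejects 0, 1 and p-1
    shared = pow(peer_pub, priv, DH_P)
    return hashlib.sha256(shared.to_bytes((DH_P.bit_length() + 7) // 8, "big")).digest()


def open_connection() -> tuple[bytes, bytes]:
    """One client/server exchange: each side derives the key from the other's
    public value. Returns (client_key, server_key); they must be equal."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    return dh_session_key(c_priv, s_pub), dh_session_key(s_priv, c_pub)


if __name__ == "__main__":
    # Constructed sample messages: two marshalled requests differing in one field.
    m1 = b"#balanceFor: 'acct-1001'"
    m2 = b"#balanceFor: 'acct-2002'"
    static_key = b"canonically-computed-but-fixed"
    print("static key leaks m1 XOR m2:", keystream_reuse_leak(static_key, m1, m2).hex())
    k1, k2 = open_connection()
    k3, _ = open_connection()
    print("per-connection keys agree:", k1 == k2, "; differ across sessions:", k1 != k3)
    # Neither side authenticates the other's public value, so an active party in
    # the middle could still agree a separate key with each end: that is the
    # remaining gap Martin describes, and closing it needs public-key authentication.
```

The leak function is the defender's argument against the "canonically computed key" idea: with a fixed key, every pair of similar messages exposes their difference to anyone who can read the wire, so the scheme does not even achieve the anti-sniffing goal. The DH half shows the fix for key reuse only; the `open_connection` exchange still accepts any public value, which is why the authentication caveat stands.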