Hello everyone,
In the context of an embedded project, I have developed a lightweight, PolarSSL-based TLS-PSK client running on an Arduino board.
Now I am looking for a generic server-side solution to connect the TLS-PSK client to a few Web services living in various app servers (Node.JS, IIS, and others). Since PSK support is not widespread, I am thinking about using stunnel as a generic front-end to these services.
I have done a quick-and-dirty POC of adding PSK support to stunnel and it looks like this could be done with minor modifications, e.g. adding a call to SSL_CTX_set_psk_server_callback and the corresponding callback to ctx.c. Right now the psk_key and psk_identity values are hard-coded, so of course those need to be added to the configuration file.
Is the community interested in further work in that area? Or is PSK support already in the stunnel roadmap?
Cheers,
Hi Thomas,
Thomas Conté wrote:
> In the context of an embedded project, I have developed a lightweight, PolarSSL-based TLS-PSK client running on an Arduino board.
Do you mean Arduino Due?
> Now I am looking for a generic server-side solution to connect the TLS-PSK client to a few Web services living in various app servers (Node.JS, IIS, and others). Since PSK support is not widespread, I am thinking about using stunnel as a generic front-end to these services.
> I have done a quick-and-dirty POC of adding PSK support to stunnel and it looks like this could be done with minor modifications, e.g. adding a call to SSL_CTX_set_psk_server_callback and the corresponding callback to ctx.c. Right now the psk_key and psk_identity values are hard-coded, so of course those need to be added to the configuration file.
> Is the community interested in further work in that area? Or is PSK support already in the stunnel roadmap?
I reviewed your changes. I'm not sure if similar functionality may be useful to a general audience (i.e., interoperable with other popular software). For example, the OpenSSL examples (s_client/s_server) also take a hexadecimal PSK key, but then they use the BIGNUM interface to convert it to binary. I'm not sure if this is compatible with your approach. Have you tested it?
I'm open to the idea of adding TLS-PSK support to stunnel. I'd prefer to design a convenient user interface first. Interoperability with any existing solutions is definitely one of the key factors here. It could also be a good idea to use a KDF (e.g. scrypt) and a passphrase rather than just a hexadecimal string.
Mike
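
The interoperability question raised in the reply, as an added example that is not part of the thread or of stunnel or OpenSSL: a hexadecimal PSK decoded two digits per byte can differ from the same string passed through an integer (BIGNUM-style) round trip, because an integer has no leading zero bytes. Both function names are hypothetical, the byte-wise decoder is an assumed alternative rather than the POC's code, the second function only models the round trip without calling OpenSSL, and the key is a constructed sample.

```c
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical strict decoder: two hex digits per key byte, leading zero
 * bytes kept. Returns the key length, or 0 on empty input, odd length,
 * a non-hex digit, or a key longer than max. */
size_t psk_hex_bytewise(const char *hex, unsigned char *out, size_t max) {
    size_t n = strlen(hex), i;
    if (n == 0 || n % 2 != 0 || n / 2 > max) return 0;
    for (i = 0; i < n; i += 2) {
        int hi = hexval(hex[i]), lo = hexval(hex[i + 1]);
        if (hi < 0 || lo < 0) return 0;
        out[i / 2] = (unsigned char)(hi << 4 | lo);
    }
    return n / 2;
}

/* Model of a hex -> integer -> minimal big-endian bytes round trip:
 * leading zeros vanish and an odd digit count is accepted.
 * Simplification (assumption): any non-hex character is rejected.
 * Returns 0 on error or when the value is zero (no bytes to emit). */
size_t psk_hex_bignum_style(const char *hex, unsigned char *out, size_t max) {
    size_t n = strlen(hex), i, len, pos = 0;
    for (i = 0; i < n; i++)
        if (hexval(hex[i]) < 0) return 0;
    while (n > 0 && *hex == '0') { hex++; n--; }  /* drop leading zeros */
    len = (n + 1) / 2;
    if (len == 0 || len > max) return 0;
    if (n % 2) out[pos++] = (unsigned char)hexval(*hex++);  /* lone high nibble */
    for (; *hex; hex += 2)
        out[pos++] = (unsigned char)(hexval(hex[0]) << 4 | hexval(hex[1]));
    return len;
}

int main(void) {
    unsigned char a[32], b[32];
    const char *key = "00a1b2c3";  /* constructed sample key */
    printf("bytewise=%zu bignum-style=%zu\n", psk_hex_bytewise(key, a, sizeof a), psk_hex_bignum_style(key, b, sizeof b));
    return 0;
}
```

If the two peers convert the configured string differently, they hold different keys and the handshake fails only for keys that begin with a zero byte or have an odd digit count, which makes the mismatch easy to miss in testing.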