Hi stunnel-users,
Is there a way to force PSK Authentication?
Current behavior is that if the client has no PSK Authentication configured, no authentication is performed and the connection proceeds even when the server has this configured:
ciphers = PSK
PSKsecrets = mypsk.txt
Is this expected behavior? Is there a way to enforce PSK, in other words block clients without PSK Authentication?
Thanks
On 16.04.2022 at 00:09, gerhard@ats.hacktic.nl wrote:
> Is there a way to force PSK Authentication?
> Current behavior is that if the client has no PSK Authentication configured, no authentication is performed and the connection proceeds even when the server has this configured:
> ciphers = PSK
> PSKsecrets = mypsk.txt
> Is this expected behavior? Is there a way to enforce PSK, in other words block clients without PSK Authentication?
Hello Gerhard,
Either the PSK secret or the server certificate is used for authentication.
I suspect that the `cert` option in your server configuration is the reason the server and a client negotiate the encryption algorithm and cryptographic keys to use.
In TLSv1.2 you needed to use special PSK ciphersuites. In TLSv1.3 that is no longer the case. Ciphersuites work quite differently and there is no concept of having special PSK ciphersuites, and the option `ciphers = PSK` is of no use. You just use normal ciphersuites.
Regards,
Małgorzata Olszówka
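A configuration check based on the reply above, as an added example that is not part of the original thread or of stunnel itself: it parses a stunnel configuration and lists server-mode services that set `PSKsecrets` while a `cert` is also in effect, the combination the reply suspects lets clients without a PSK connect. The sample configuration, its paths and service names, and the function names are constructed for illustration.

```python
# Constructed sample configuration, not taken from the thread.
SAMPLE_CONF = """\
; three services: only the first mixes PSK with a server certificate
[psk-with-cert]
accept = 8443
connect = 127.0.0.1:80
ciphers = PSK
PSKsecrets = mypsk.txt
cert = /etc/stunnel/server.pem

[psk-only]
accept = 8444
connect = 127.0.0.1:80
ciphers = PSK
PSKsecrets = mypsk.txt

[psk-client]
client = yes
accept = 127.0.0.1:9000
connect = server.example:8444
PSKsecrets = client-psk.txt
cert = /etc/stunnel/client.pem
"""

def parse_stunnel_conf(text):
    """Return {service: {option: value}}. Options that appear before the
    first [section] are copied into every service as defaults."""
    defaults, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1].strip(), dict(defaults))
            continue
        key, sep, value = line.partition("=")
        if sep:                                   # names compared lowercased
            target = defaults if current is None else current
            target[key.strip().lower()] = value.strip()
    return services

def psk_not_enforced(text):
    """Names of server-mode services with both PSKsecrets and cert in effect."""
    return [name for name, opts in parse_stunnel_conf(text).items()
            if opts.get("client", "no").lower() != "yes"
            and "psksecrets" in opts and opts.get("cert")]

if __name__ == "__main__":
    for service in psk_not_enforced(SAMPLE_CONF):
        print(f"[{service}] PSKsecrets and cert are both set")
```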