[stunnel-users] Support for PSK
Michal Trojnara
Michal.Trojnara at mirt.net
Sun Sep 21 20:28:25 CEST 2014
Hi Thomas,
Thomas Conté wrote:
> In the context of an embedded project, I have developed a
> lightweight, PolarSSL-based TLS-PSK client running on an Arduino
> board.
Do you mean Arduino Due?
> Now I am looking for a generic server-side solution to connect the
> TLS-PSK client to a few Web services living in various app servers
> (Node.JS, IIS, and others). Since PSK support is not widespread, I
> am thinking about using stunnel as a generic front-end to these
> services.
>
> I have done a quick-and-dirty POC of adding PSK support to stunnel
> and it looks like this could be done with minor modifications, e.g.
> adding a call to SSL_CTX_set_psk_server_callback and the
> corresponding callback to ctx.c. Right now the psk_key and
> psk_identity values are hard-coded, so of course those need to be
> added to the configuration file.
>
> Is the community interested in further work in that area? Or is
> PSK support already in the stunnel roadmap?
I reviewed your changes. I'm not sure if a similar functionality may
be useful to a general audience (i.e., interoperable with other popular
software). For example, the OpenSSL examples (s_client/s_server) also take
a hexadecimal PSK key, but then they use the BIGNUM interface to convert it
to binary. I'm not sure if this is compatible with your approach.
Have you tested it?
I'm open to the idea of adding TLS-PSK support to stunnel. I'd
prefer to design a convenient user interface first. Interoperability
with any existing solutions is definitely one of the key factors here.
It could also be a good idea to use a KDF (e.g. scrypt) and a
passphrase rather than just a hexadecimal string.
Mike
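The interoperability question raised above (a plain hex decode versus the BIGNUM conversion in the OpenSSL s_client/s_server samples) and the KDF suggestion can both be checked with a small script. The following is an added Python illustration, not code from the thread, from Thomas's patch or from stunnel; the BIGNUM-style decoder assumes the sample code behaves like BN_hex2bn() followed by BN_bn2bin() (integer parsed, minimal big-endian bytes emitted), the PSK_TABLE entries and the scrypt cost parameters are constructed for the example, and the callback wiring into ctx.c is deliberately left out.

```python
"""Added illustration for the stunnel-users PSK thread (constructed code, not
stunnel's or OpenSSL's). Shows (1) how a hex PSK decodes under a plain hex
decoder versus the BIGNUM-style conversion used by OpenSSL's s_client/s_server
samples, and (2) deriving the PSK from a passphrase with scrypt."""
import hashlib
from typing import Callable, Optional


def psk_from_hex_plain(hex_key: str) -> bytes:
    """Plain hex decode: every pair of hex digits is one key byte, zeros kept."""
    if len(hex_key) % 2:
        raise ValueError("hex PSK needs an even number of digits")
    return bytes.fromhex(hex_key)


def psk_from_hex_bignum(hex_key: str) -> bytes:
    """Mimics BN_hex2bn() followed by BN_bn2bin(): the hex string is read as an
    integer and written back as its minimal big-endian encoding (assumption
    about the sample code's behaviour). Leading zero bytes therefore vanish and
    an odd number of digits is accepted, unlike the plain decoder."""
    value = int(hex_key, 16)
    if value == 0:
        return b""  # BN_bn2bin() of zero yields no bytes
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def decoders_agree(hex_key: str) -> bool:
    """True when both conventions produce the same key material for hex_key,
    i.e. the value can be shared between a plain-hex peer and a BIGNUM-style
    peer without a handshake failure caused by different key bytes."""
    try:
        return psk_from_hex_plain(hex_key) == psk_from_hex_bignum(hex_key)
    except ValueError:
        return False


def psk_from_passphrase(passphrase: str, salt: bytes, length: int = 32) -> bytes:
    """Derive fixed-length PSK bytes from a passphrase with scrypt; the cost
    parameters are constructed for the example, not taken from any project."""
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=length)


# Constructed identity -> hex key table, as a config file might carry it.
PSK_TABLE = {
    "arduino-01": "00ab13f4d2e19c7780ff0e4a6bd1c3250000aa11",  # leading 0x00
    "arduino-02": "7fab13f4d2e19c7780ff0e4a6bd1c3250000aa11",
}


def lookup_psk(identity: str, decoder: Callable[[str], bytes]) -> Optional[bytes]:
    """What a server-side PSK callback would hand back for an identity under
    the chosen hex convention; None for unknown identities."""
    hex_key = PSK_TABLE.get(identity)
    return None if hex_key is None else decoder(hex_key)


if __name__ == "__main__":
    for ident, hex_key in PSK_TABLE.items():
        print(ident, "plain:", len(psk_from_hex_plain(hex_key)), "bytes;",
              "bignum:", len(psk_from_hex_bignum(hex_key)), "bytes;",
              "agree:", decoders_agree(hex_key))
    print("scrypt PSK:", psk_from_passphrase("example passphrase", b"example-salt").hex())
```

Running it shows that the key for "arduino-01" is 20 bytes under a plain decode but 19 bytes under the BIGNUM convention, so a client and server using different conventions would compute different PSKs for the same config string; a passphrase run through scrypt sidesteps the question because the derived bytes have a fixed length with no hex representation to disagree about.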