Server-side support for TLS-PSK [closed]

We are looking into supporting TLS-PSK for a set of constrained devices that do not have sufficient resources to do the normal TLS handshake using certificates. To that end we are looking for a TLS-PSK component that we can integrate on our (cloud) servers. This component may be anything: a proxy, a module for Apache, or anything else that scales well.

So far we have found several libraries that support TLS-PSK: GnuTLS and OpenSSL, amongst others. Moreover, we can find several HTTPS/TLS client libraries that we can use to send HTTP(S) requests over a TLS-PSK connection. However, what we have not been able to find are server-side solutions that would accept such TLS-PSK connections. The Apache modules mod_ssl and mod_gnutls do not expose the TLS-PSK capabilities of the underlying libraries. F5 Big-IP does not have TLS-PSK in its cipher lists. HAProxy does not have TLS-PSK interfaces either. The node.js TLS library had a pull request that became stale and hard to apply after all the recent TLS lib refactorings...

So in short: does anyone know of a TLS-PSK capable component that we can integrate into our server backends to accept TLS-PSK connections from a large set of clients?

Joost Reuzel asked Dec 01 '14 15:12


1 Answer

stunnel might be capable of helping here. PSK was added in 5.09.

Installation

/etc/stunnel/stunnel.conf:

; service name (free text)
[PSK server]
; listen for TLS-PSK clients on 443
accept = 443
; forward the decrypted traffic to the plain HTTP backend on 80
connect = 80
; restrict the cipher list to PSK suites, so no certificate is needed
ciphers = PSK
; IDENTITY:KEY file, one client per line
PSKsecrets = /path/to/psk.txt
; verbose logging while setting things up
debug = 7

psk.txt (chmod 600):

client1:oaP4EishaeSaishei6rio6xeeph3az

Run with stunnel, or set up a service.

Reese answered Oct 10 '22 14:10
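The PSKsecrets file in the answer above is the whole trust anchor of the handshake: each client identity maps to a shared key, so the keys must be random and the file must stay unreadable to other users. As an added example (not from the answer or from the stunnel project), a Python helper that generates IDENTITY:KEY entries with fresh random keys, validates the file layout, and writes it with mode 0600. The minimum key length, the skipping of blank lines, and the rule that identities must not contain ':' are assumptions of this example, not stunnel's documented limits.

```python
"""Generate and validate a stunnel-style PSKsecrets file (IDENTITY:KEY per line).

Assumptions (not taken from stunnel's documentation): the identity and key are
separated by the first ':', identities are non-empty and contain no ':',
blank lines are ignored, and keys are at least MIN_KEY_CHARS characters long.
"""
import os
import secrets
import stat
import tempfile

MIN_KEY_CHARS = 16  # assumed floor for this example; stunnel's own rule may differ


def psk_entry(identity: str, key_bytes: int = 32) -> str:
    """Return one IDENTITY:KEY line with a freshly generated random hex key."""
    if not identity or ":" in identity:
        raise ValueError("identity must be non-empty and must not contain ':'")
    return f"{identity}:{secrets.token_hex(key_bytes)}"


def parse_psksecrets(text: str) -> dict:
    """Validate PSKsecrets text and return {identity: key}; raise ValueError on defects."""
    keys = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue  # blank lines ignored (assumption of this example)
        identity, sep, key = line.partition(":")
        if not sep or not identity or not key:
            raise ValueError(f"line {lineno}: expected IDENTITY:KEY")
        if len(key) < MIN_KEY_CHARS:
            raise ValueError(f"line {lineno}: key shorter than {MIN_KEY_CHARS} chars")
        if identity in keys:
            raise ValueError(f"line {lineno}: duplicate identity {identity!r}")
        keys[identity] = key
    return keys


def is_valid_psksecrets(text: str) -> bool:
    """True if parse_psksecrets accepts the text, False otherwise."""
    try:
        parse_psksecrets(text)
        return True
    except ValueError:
        return False


def write_psksecrets(path: str, entries: list) -> int:
    """Write validated entries to a new file created with mode 0600; return its mode bits."""
    parse_psksecrets("\n".join(entries))  # refuse to write a malformed file
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(entries) + "\n")
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> tuple:
    """Write two generated entries to a temp dir; return (mode bits, sorted identities)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "psk.txt")
        mode = write_psksecrets(path, [psk_entry("client1"), psk_entry("client2")])
        with open(path) as fh:
            identities = sorted(parse_psksecrets(fh.read()))
    return mode, identities


if __name__ == "__main__":
    print(demo())
```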