Welcome! Log In Create A New Profile

Re: PSK Support

Forum List Message List New Topic Print View

Maxim Dounin

June 05, 2017 09:10AM

Hello!

On Thu, Jun 01, 2017 at 05:20:53PM +0000, Karstens, Nate wrote:

> Greetings,
>
> I'm about push 3 patches that add support for PSK TLS cipher
> suites to nginx and thought it would be good to discuss the
> feature itself in a separate thread.
>
> First, PSK support is useful in certain environments that are
> not conducive to a full public key infrastructure. The
> environment I'm personally working with is the recreational
> boating market; we are developing a new industry standard that
> relies on HTTPS, secured by PSK, for much of its underlying
> security protocol. I think this would also be useful to the IoT
> market. A quick search shows that some other users have been
> interested in this feature:
>
> https://forum.nginx.org/read.php?2,272443,272443
> https://stackoverflow.com/questions/22513641/pre-shared-keys-tls-psk-nginx-configuration

I have mixed feelings about PSK. On the one hand, it is expected
to be better for constrained devices and also may have various
performance benefits for internal connections. On the other hand,
using a shared key is a big step backwards compared to public-key
cryptography.

> After applying the patches, one can enable PSK support by adding
> a few directives to their nginx.conf:
>
> 1) "ssl_nocert" -- This disables checks for a certificate within
> nginx. By default these checks are enabled because most users
> will need a certificate. This is analogous to the "-nocert"
> option in the OpenSSL s_server.
> 2) "ssl_psk_path" -- This is a local folder that contains all of
> the valid PSKs. Each file in the folder is loaded into memory as
> a PSK, and its file name is used as the PSK identity. When the
> client connects it specifies the identity of the PSK it is using
> for the connection. The server looks up the key using hash of
> the loaded PSKs and if the keys match then the TLS handshake is
> successful. Note that the identity of the PSK is made available
> in the variable $ssl_psk_identity.
> 3) Add some PSK ciphers to the "ssl_ciphers" directive.

Some comments, in no particular order:

- the "ssl_nocert" directive looks strange / unneeded, there
should be a better way to do this (ssl_certificate with a
special value "off"? just assume a certificate is not needed if
there are PSK secrets? always require a certificate, and let
users who don't need specify a dummy one?);

- "ssl_psk_path" seems to be overcomplicated, and yet non-flexible
as any change to keys requires configuration reloads;

- the only server software with PSK support seems to be stunnel,
it might be good to be compatible with the form it uses for PSK
secrets (a file with "IDENTITY:KEY" lines);

- probably eventually there should be a proxy_ssl_* counterpart,
though it is perfectly ok to don't have it for now.

--
Maxim Dounin
http://nginx.org/
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

Reply Quote

RSS

Subject	Author	Views	Posted
PSK Support	Karstens, Nate	1361	June 01, 2017 01:22PM
Re: PSK Support	Maxim Dounin	446	June 05, 2017 09:10AM
RE: PSK Support	Karstens, Nate	1474	June 05, 2017 10:10AM
Re: PSK Support	Maxim Dounin	427	June 05, 2017 02:40PM
RE: PSK Support	Karstens, Nate	431	June 07, 2017 01:04AM
Re: PSK Support	Maxim Dounin	316	June 07, 2017 02:14PM
RE: PSK Support	Karstens, Nate	353	June 08, 2017 11:42PM
Re: PSK Support	Maxim Dounin	312	June 13, 2017 12:56PM
RE: PSK Support	Karstens, Nate	480	June 13, 2017 09:12PM
Re: PSK Support	Maxim Dounin	576	June 14, 2017 03:18PM

Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 313

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018