[openssl-dev] [openssl.org #2464] TLS-RSA-PSK support

Hubert Kario hkario at redhat.com
Wed Aug 19 12:59:59 UTC 2015 

On Tuesday 18 August 2015 17:02:24 Viktor Dukhovni wrote:
> On Tue, Aug 18, 2015 at 06:48:25PM +0200, Hubert Kario wrote:
> > > So what's the final resolution of this?  Should we keep or drop
> > > 
> > > the new PSK RC4 and PSK 3DES codepoints:
> > >     TLS_RSA_PSK_WITH_RC4_128_SHA              RSA-PSK-RC4-SHA
> > >     TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA         RSA-PSK-3DES-EDE-CBC-SHA
> > 
> > how do you define "remove"?
> > 
> >  1. not part of DEFAULT, part of ALL?
> >  2. part of COMPLEMENTOFALL
> >  3. behind compile time option
> >  4. behind #if 0
> >  5. actually removed from source
> > 
> > 1-3 are fine by me, 4 I wouldn't like, I'm against 5
> 
> These are brand new cipher suites, never before seen in OpenSSL.

they are brand new only in OpenSSL, not in general

> The argument is that it makes no sense to *add* these, because
> they're already obsolete.  So I was hoping for 4 or 5.

If you have a server or a client which needs to interoperate with both very 
old systems and new systems, you need both obsolete and modern ciphers at the 
same time.

as long as OpenSSL ships support for single DES by default, giving those 
ciphers the treatment 4 is... inconsistent... to put it mildly.

> > > On a related note (for those also reading the TLS WG list), any
> > > thoughts on deprecating any or all of the kDHr, kDHd, kECDHr, kECDHe
> > > ciphers?
> > 
> > if "deprecate" means 1) or 2), I'm all for it
> 
> For these, I'd like to suggest at least 2, but is there any need
> to actually support the underlying static (EC)DH key exchange
> methods?  Who needs these?  Why work so hard to defeat forward
> secrecy and enable the KCI attacks?
> 
> We can lose a bunch of code and attack surface by not supporting
> fixed (EC)DH.  Does this code have any users?

I've heard that there are servers which support those exclusively, so yes, 
they do have users. But I can't point at an example server as I haven't seen 
them in Alexa top 1M.

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150819/becf9d67/attachment.sig>

More information about the openssl-dev mailing list