[openssl-dev] [openssl.org #2464] TLS-RSA-PSK support

Viktor Dukhovni openssl-users at dukhovni.org
Wed Aug 19 14:02:58 UTC 2015


On Wed, Aug 19, 2015 at 02:59:59PM +0200, Hubert Kario wrote:

> > > > So what's the final resolution of this?  Should we keep or drop
> > > > 
> > > > the new PSK RC4 and PSK 3DES codepoints:
> > > >     TLS_RSA_PSK_WITH_RC4_128_SHA              RSA-PSK-RC4-SHA
> > > >     TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA         RSA-PSK-3DES-EDE-CBC-SHA
> > 
> > These are brand new cipher suites, never before seen in OpenSSL.
> 
> they are brand new only in OpenSSL, not in general

I'm well aware of that.

> > The argument is that it makes no sense to *add* these, because
> > they're already obsolete.  So I was hoping for 4 or 5.
> 
> If you have a server or a client which needs to interoperate with both very 
> old systems and new systems, you need both obsolete and modern ciphers at the 
> same time.

Yes, but does anyone using OpenSSL need *these*?  Clearly anyone
who's been using OpenSSL with PSK has been doing fine without them.
Are there any likely new users for these?

> as long as OpenSSL ships support for single DES by default, giving those 
> ciphers the treatment 4 is... inconsistent... to put it mildly.

I see no ongoing reason to keep single DES TLS ciphersuites enabled
by default, and in fact export ciphers *and* single DES are both
deprecated with TLS 1.2, and we should make sure that TLS 1.2 never
negotiates either.  But at least with single DES there could well
be existing users of OpenSSL relying on it (at least as a block
cipher in libcrypto if not as an SSL ciphersuite).  So we can move
it to COMPLEMENTOFALL or COMPLEMENTOFDEFAULT.

Here we're discussing whether it is prudent to add *new* obsolete
code points, not retain existing ones.

> > For these, I'd like to suggest at least 2, but is there any need
> > to actually support the underlying static (EC)DH key exchange
> > methods?  Who needs these?  Why work so hard to defeat forward
> > secrecy and enable the KCI attacks?
> > 
> > We can lose a bunch of code and attack surface by not supporting
> > fixed (EC)DH.  Does this code have any users?
> 
> I've heard that there are servers which support those exclusively, so yes, 
> they do have users. But I can't point at an example server as I haven't seen 
> them in Alexa top 1M.

Perhaps the users who need these should make themselves heard.
They'll need to stay with TLS <= 1.2 forever, since IIRC 1.3 is
removing non PFS suites, perhaps they can also stay with older
versions of OpenSSL while they're at it, and we can remove
fixed (EC)DH key exchange in 1.1.0 (aka "master").

-- 
	Viktor.
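Since the thread turns on which key-exchange and cipher combinations belong in OpenSSL's default list, here is an added example (my own code, not part of the original post and not OpenSSL's) that audits the output of `openssl ciphers -v` for the categories Viktor names: RC4, single DES and 3DES, export-grade suites, and key exchanges without forward secrecy (plain RSA, RSA-PSK, and fixed DH/ECDH). The sample lines are constructed, not captured from a real system; they follow the 1.0.x/1.1.0 column layout in which ephemeral exchanges print as `Kx=DH` or `Kx=ECDH` and fixed ones as `Kx=DH/RSA`, `Kx=ECDH/ECDSA` and so on. That layout and the `RSAPSK` label are assumptions about the tool's output, and `audit_cipher_list`, `classify` and `audit_live` are hypothetical helper names.

```python
import re
import subprocess
from typing import List, Tuple

# Constructed sample of `openssl ciphers -v` output (not captured from any real
# system); the column layout assumed here mirrors OpenSSL 1.0.x/1.1.0.
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
ECDH-RSA-AES128-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA1
DH-DSS-AES128-SHA       SSLv3 Kx=DH/DSS   Au=DH   Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RSA-PSK-RC4-SHA         SSLv3 Kx=RSAPSK   Au=RSA  Enc=RC4(128)  Mac=SHA1
RSA-PSK-3DES-EDE-CBC-SHA SSLv3 Kx=RSAPSK   Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
"""

# One `ciphers -v` line: name, protocol, Kx=, Au=, Enc=, Mac=, optional "export".
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ver>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?\s*$"
)

# Ephemeral exchanges print without a slash; fixed (EC)DH prints as
# "DH/RSA", "DH/DSS", "ECDH/RSA" or "ECDH/ECDSA" (assumed labels).
EPHEMERAL_KX = {"DH", "ECDH", "DHEPSK", "ECDHEPSK"}
OBSOLETE_ENC_PREFIXES = ("RC4", "DES(", "3DES", "None")


def forward_secret(kx: str) -> bool:
    """True only for ephemeral (EC)DH key exchange, i.e. what TLS 1.3 keeps."""
    return kx in EPHEMERAL_KX


def classify(kx: str, enc: str, export: bool) -> List[str]:
    """Return the reasons a suite should not sit in a default cipher list."""
    findings = []
    if export:
        findings.append("export-grade suite (deprecated with TLS 1.2)")
    if enc.startswith(OBSOLETE_ENC_PREFIXES):
        findings.append("obsolete cipher: " + enc)
    if "/" in kx:
        findings.append("fixed (EC)DH: no forward secrecy, KCI-prone")
    elif not forward_secret(kx):
        findings.append("non-ephemeral key exchange (" + kx + "): no forward secrecy")
    return findings


def audit_cipher_list(text: str) -> List[Tuple[str, List[str]]]:
    """Parse `openssl ciphers -v` output; return (name, findings) for flagged suites."""
    flagged = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or unrecognised lines instead of guessing
        findings = classify(m["kx"], m["enc"], m["export"] is not None)
        if findings:
            flagged.append((m["name"], findings))
    return flagged


def audit_live(cipher_string: str = "DEFAULT") -> List[Tuple[str, List[str]]]:
    """Run the same audit against the locally installed OpenSSL binary."""
    out = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                         capture_output=True, text=True, check=True).stdout
    return audit_cipher_list(out)


if __name__ == "__main__":
    for name, reasons in audit_cipher_list(SAMPLE_CIPHERS_V):
        print(f"{name}: {'; '.join(reasons)}")
```

Run `audit_live("DEFAULT")` on a build to see what its default string still admits, or `audit_live("COMPLEMENTOFDEFAULT")` to confirm that the suites moved out of the default list (the treatment Viktor proposes for single DES) are the ones you expect; any suite the parser flags from the former is a candidate for the latter.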

