[openssl-dev] [openssl.org #2464] TLS-RSA-PSK support
Viktor Dukhovni
openssl-users at dukhovni.org
Thu Jul 30 15:09:18 UTC 2015
On Sun, Jun 21, 2015 at 07:00:55PM +0000, Giuseppe D'Angelo via RT wrote:
> diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod
> index c2d40ac..7fbe3a4 100644
> --- a/doc/apps/ciphers.pod
> +++ b/doc/apps/ciphers.pod
> @@ -585,10 +585,22 @@ Note: these ciphers can also be used in SSL v3.
>
> =head2 Pre shared keying (PSK) ciphersuites
>
> + TLS_RSA_PSK_WITH_RC4_128_SHA RSA-PSK-RC4-SHA
> + TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA RSA-PSK-3DES-EDE-CBC-SHA
> + TLS_RSA_PSK_WITH_AES_128_CBC_SHA RSA-PSK-AES128-CBC-SHA
> + TLS_RSA_PSK_WITH_AES_256_CBC_SHA RSA-PSK-AES256-CBC-SHA
> + TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 RSA-PSK-AES128-CBC-SHA256
> + TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 RSA-PSK-AES256-CBC-SHA384
> + TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 RSA-PSK-AES128-GCM-SHA256
> + TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 RSA-PSK-AES256-GCM-SHA384
> TLS_PSK_WITH_RC4_128_SHA PSK-RC4-SHA
> TLS_PSK_WITH_3DES_EDE_CBC_SHA PSK-3DES-EDE-CBC-SHA
> TLS_PSK_WITH_AES_128_CBC_SHA PSK-AES128-CBC-SHA
> TLS_PSK_WITH_AES_256_CBC_SHA PSK-AES256-CBC-SHA
> + TLS_PSK_WITH_AES_128_CBC_SHA256 PSK-AES128-CBC-SHA256
> + TLS_PSK_WITH_AES_256_CBC_SHA384 PSK-AES256-CBC-SHA384
> + TLS_PSK_WITH_AES_128_GCM_SHA256 PSK-AES128-GCM-SHA256
> + TLS_PSK_WITH_AES_256_GCM_SHA384 PSK-AES256-GCM-SHA384
Question, should we really be adding new RC4 or new 3DES ciphersuites?
Both ciphers are rather obsolete now. And we even have an RFC that
"bans" RC4. While I have been known to resist potentially premature
removal of *existing* RC4 support, I am certainly not a fan of RC4
and see no reason to add more RC4 to OpenSSL.
And while 3DES seems to be holding up moderately well for its age,
I see no reason to add more 3DES ciphersuites.
Therefore, I would to propose that the 3DES and RC4 PSK ciphersuites
not be included.
I am not even sure that adding Camellia is a net win, ideally AES
and (soonish) ChaCha20 are enough.
One might similarly question the longevity of the new CBC suites,
TLS 1.3 is moving to AEAD only (the PSK AEAD ciphers will IIRC be
used for session resumption in 1.3).
How many of the new ciphersuites are used/needed in practice? Which
are MTI for PSK? I think that when adding ciphersuites, we have
the opportunity/responsibility to exercise good judgement and enable
only the essential ones, and try to keep a lid on needless ciphersuite
proliferation.
--
Viktor.
More information about the openssl-dev
mailing list