[openssl-users] Authentication over ECDHE

Viktor Dukhovni openssl-users at dukhovni.org
Mon Dec 24 19:52:38 UTC 2018


> On Dec 24, 2018, at 2:44 PM, Salz, Rich via openssl-users <openssl-users at openssl.org> wrote:
> 
> Pre-shared keys (PSK) don't require certs, maybe that meets the need.  A thing to know about PSK is that each side is fully trusted, and if one side gets the key stolen, then the thief can pretend to be either side.

PSK only makes sense for svelte SSL libraries that either run
on devices with too little CPU to do public key crypto, or don't
want to pay the code footprint of X.509 certificate processing.

For OpenSSL on a typical computer, PSK deployment and application
support is more complex than just going with self-signed certs.

The OP is IMHO better off avoiding PSKs.

-- 
	Viktor.


