Can OpenSSL handle multiple authentication mechanisms on the same SSL context?

Benjamin Kaduk bkaduk at akamai.com
Tue Jun 22 05:39:23 UTC 2021


On Tue, Jun 22, 2021 at 04:18:25AM +0000, Revestual, Raffy [AUTOSOL/PSS/MNL] wrote:
> Also asked this question in stackoverflow.com
> 
> https://stackoverflow.com/questions/68077419/can-openssl-handle-multiple-authentication-mechanisms-on-the-same-ssl-context
> 
> We are trying to support a server that would support PSK and SRP authentication mechanisms. However, when we try to run callbacks for both on the same context, only the PSK callbacks are being detected:
> 
> SSL_CTX_set_psk_server_callback(m_ctx, psk_out_of_bound_serv_cb);
> 
> SSL_CTX_set_srp_username_callback(m_ctx, srp_server_param_cb);
> 
> SRP and PSK work currently in our code if you only set one callback or the other. I tried to register SRP first, but doing this didn't change the fact that only PSK was working. So an alternative would be to set these individually on the SSL context. I have also confirmed that combining the SRP and PSK cipher suites when setting them is a non-issue.
> 
> Would multiple callbacks for different mechanisms work simultaneously on the same SSL context?

The situation is somewhat different between TLS 1.3 and prior versions (e.g., TLS 1.2).
Since there isn't currently a defined SRP option for TLS 1.3, I assume you are targeting TLS 1.2.

I think you need to say more about your testing -- whether SRP or PSK is being attempted
for TLS 1.2 is at the control of the client, as the ClientKeyExchange protocol message will
have a different structure for using SRP vs using PSK.  If your client is never trying
SRP, then of course your SRP callback will never be called.

So, how are you testing the various scenarios?

-Ben
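Added example, not code from this thread or from OpenSSL: a small checker for the diagnostic Ben is asking for. It decodes a TLS 1.2 ClientHello and reports which server-side callback the client could possibly reach, on the basis that a PSK suite must be offered before the PSK ClientKeyExchange (and so the psk_server_callback) can ever happen, and that an SRP client must both offer an SRP suite and send the srp extension (RFC 5054, extension type 12) carrying the username the srp_username_callback looks up. The ClientHellos below are constructed inline rather than captured, the random field is zeros, and the suite tables are a representative subset of the RFC 5054 / RFC 4279 / RFC 5489 code points, not a complete list.

```python
"""Check which server authentication callback a TLS 1.2 ClientHello can reach.

Constructed sample data only; this is not OpenSSL code.
"""
import struct

# Representative subset of cipher suite code points (RFC 5054 for SRP,
# RFC 4279 / RFC 5487 / RFC 5489 for PSK).  Extend the tables as needed.
SRP_SUITES = {
    0xC01A: "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
    0xC01B: "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC01C: "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
    0xC01D: "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
    0xC01E: "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
    0xC01F: "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
    0xC020: "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
    0xC021: "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
    0xC022: "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
}
PSK_SUITES = {
    0x008C: "TLS_PSK_WITH_AES_128_CBC_SHA",
    0x008D: "TLS_PSK_WITH_AES_256_CBC_SHA",
    0x0090: "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
    0x0091: "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
    0x00A8: "TLS_PSK_WITH_AES_128_GCM_SHA256",
    0x00A9: "TLS_PSK_WITH_AES_256_GCM_SHA384",
    0x00AE: "TLS_PSK_WITH_AES_128_CBC_SHA256",
    0x00AF: "TLS_PSK_WITH_AES_256_CBC_SHA384",
    0xC035: "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
    0xC036: "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
}
EXT_SRP = 12  # srp extension type, RFC 5054 section 2.8.1


def srp_extension(username: bytes) -> bytes:
    """Encode the srp extension body: opaque srp_I<1..2^8-1> (the username)."""
    if not 1 <= len(username) <= 255:
        raise ValueError("srp_I must be 1..255 bytes")
    data = bytes([len(username)]) + username
    return struct.pack("!HH", EXT_SRP, len(data)) + data


def build_client_hello(suites, extensions: bytes = b"") -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed test input, zero random)."""
    body = b"\x03\x03" + bytes(32)                   # client_version 1.2, random
    body += b"\x00"                                   # empty session_id
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(cs)) + cs           # cipher_suites<2..2^16-2>
    body += b"\x01\x00"                               # compression_methods: null only
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def parse_client_hello(record: bytes) -> dict:
    """Return client_version, offered cipher suites and a {type: data} map of extensions."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("truncated ClientHello")
    (version,) = struct.unpack("!H", body[0:2])
    off = 2 + 32                                      # skip random
    off += 1 + body[off]                              # session_id<0..32>
    (cs_len,) = struct.unpack("!H", body[off:off + 2]); off += 2
    if cs_len % 2 or off + cs_len > len(body):
        raise ValueError("bad cipher_suites vector")
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    off += 1 + body[off]                              # compression_methods<1..2^8-1>
    exts = {}
    if off + 2 <= len(body):                          # extensions are optional
        (ext_len,) = struct.unpack("!H", body[off:off + 2]); off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", body[off:off + 4]); off += 4
            exts[etype] = body[off:off + elen]; off += elen
    return {"version": version, "cipher_suites": suites, "extensions": exts}


def reachable_callbacks(record: bytes) -> dict:
    """Which server callback this ClientHello could lead to.

    psk_server_callback runs when a PSK ClientKeyExchange arrives, so a PSK suite
    must be offered.  srp_username_callback needs an SRP suite plus the srp
    extension; SRP suites without the extension leave the server no username.
    """
    info = parse_client_hello(record)
    srp = [s for s in info["cipher_suites"] if s in SRP_SUITES]
    psk = [s for s in info["cipher_suites"] if s in PSK_SUITES]
    ext = info["extensions"].get(EXT_SRP)
    return {
        "psk_server_callback": bool(psk),
        "srp_username_callback": bool(srp) and ext is not None,
        "srp_suites_without_extension": bool(srp) and ext is None,
        "srp_username": ext[1:] if ext is not None else None,  # strip 1-byte length
    }


if __name__ == "__main__":
    # Constructed clients: PSK-only, SRP-only, and one offering both.
    samples = {
        "psk_only": build_client_hello([0x008C, 0x00A8]),
        "srp_only": build_client_hello([0xC01D, 0xC020], srp_extension(b"alice")),
        "both": build_client_hello([0x008C, 0xC01D], srp_extension(b"alice")),
    }
    for name, rec in samples.items():
        print(name, reachable_callbacks(rec))
```

Run it against a captured ClientHello from each test client (the full record, starting at the 0x16 content-type byte) instead of the constructed samples: if only the PSK entry ever comes back True, the client is never attempting SRP and the server-side SRP callback cannot be expected to fire, regardless of registration order on the SSL_CTX.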