[gnutls-devel] GnuTLS | Enable PSK by default (#680)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Tue Feb 5 11:44:03 CET 2019


I'm trying to think if we can do this at all without breaking ABI expectations. Previously a client would set the PSK credentials (e.g., a callback) with `gnutls_psk_set_client_credentials_function(psk_cred, psk_callback)`, and the callback would be called only if `PSK` is listed in the priority string and PSK is negotiated (under TLS 1.2), or during client hello sending (under TLS 1.3).

If we enable the PSK ciphersuites explicitly, we can have an application getting to the callback where previously it wouldn't get there if `PSK` was not listed in the priority string. `gnutls-cli` itself works that way, and if we enable PSK unconditionally it asks for a username when connecting to any site.

Breaking `gnutls-cli` is not a big deal (we can fix it), but I worry if there are applications which rely on that behavior too (i.e., the PSK credentials are set but do not indicate the intention to use PSK). I'm open to suggestions here. An approach may be to mark the application as a PSK application via a `gnutls_init` flag, but that would be yet another way to specify PSK.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/680#note_138319341