[gnutls-devel] GnuTLS | Enable PSK by default (#680)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Wed Jan 23 16:33:19 CET 2019


New Issue was created.

Issue 680: https://gitlab.com/gnutls/gnutls/issues/680
Author:    Nathaniel McCallum
Assignee:  

Currently, setting PSK credential callbacks with GnuTLS results in PSK silently not working. You also have to enable PSK in the priorities. There is no documentation on this problem and the behavior is cryptic.

I propose enabling the PSK family of algorithms by default. This way, setting the PSK callbacks will work by default. If an admin overrides this with "-PSK" (etc), it should forcibly disable PSK regardless of the callbacks.

I realize this raises the question of `PSK` vs `DHE-PSK` vs `ECDHE-PSK`. There are no known weaknesses with `ECDHE-PSK` or `DHE-PSK`. So these should be preferred to `PSK` because they provide PFS. Should a weakness be discovered, they can be demoted. Likewise, should a user feel paranoid about asymmetric cryptography, they can simply override the default.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/680
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20190123/76759be0/attachment.html>


More information about the Gnutls-devel mailing list