[gnutls-help] RSA-PSK SSLv3 interop issues

Manuel Pégourié-Gonnard mpg at polarssl.org
Mon Jul 14 12:54:37 CEST 2014


Hi,

I recently noticed that PolarSSL and GnuTLS fail to interop when using RSA-PSK
ciphersuites with SSLv3. The reason is, PolarSSL uses EncryptPreMasterSecret
without initial length bytes, as was done in SSLv3, but GnuTLS wants the length
bytes (as in TLS 1.x).

RFC 4279 says:

   The EncryptedPreMasterSecret field sent from the client to the server
   contains a 2-byte version number and a 46-byte random value,
   encrypted using the server's RSA public key as described in Section
   7.4.7.1 of [RFC2246]

So it refers to RFC 2246 which defines TLS 1.0, which was current when RFC 4279
was published, but doesn't say anything about previous versions. There are (at
least) two ways to interpret this silence:

1. Do as in TLS 1.0 even with older versions.
2. Encode EncryptedPreMasterSecret as is usually done in the active version.

GnuTLS does (1) and PolarSSL does (2), hence the interop issue. Of course a
third way to interpret this silence might be to limit RSA-PSK suites to TLS 1.x
where there is no possible ambiguity.

Before taking any action, I wanted to check with you. What's your opinion on
this matter?

Manuel.

PS: according to Wikipedia's comparison of TLS implementations, we'd be the only
libraries implementing RSA-PSK.
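The two encodings under discussion, written out as an added example (not code from PolarSSL or GnuTLS, and not part of the original message): the ClientKeyExchange body for an RSA-PSK suite per RFC 4279 section 4 is `psk_identity<0..2^16-1>` followed by the EncryptedPreMasterSecret, and the only difference between interpretation (1) and (2) above is whether a 2-byte length precedes that blob. The RSA operation is replaced by a constructed opaque byte string, since the layout question does not depend on it; the identity value `Client_identity` and the function names are likewise assumptions for this example.

```python
"""RSA-PSK ClientKeyExchange layout, RFC 4279 section 4, in both conventions:
EncryptedPreMasterSecret bare (SSLv3 style, interpretation 2) or behind a
uint16 length (TLS 1.x style per RFC 2246 7.4.7.1, interpretation 1).
Added example, not PolarSSL or GnuTLS code."""
import os
import struct


def rsa_psk_premaster_secret(client_version, psk, random46=None):
    """Premaster secret of RFC 4279 section 4:
    uint16 48 || (client_version || 46 random bytes) || uint16 len(psk) || psk.
    The first 48-byte part is what gets RSA-encrypted; the PSK part never
    leaves the client."""
    if random46 is None:
        random46 = os.urandom(46)
    if len(random46) != 46:
        raise ValueError("need exactly 46 random bytes")
    other_secret = struct.pack("!BB", *client_version) + random46
    return (struct.pack("!H", len(other_secret)) + other_secret
            + struct.pack("!H", len(psk)) + psk)


def encode_client_key_exchange(psk_identity, encrypted_pms, length_prefixed):
    """psk_identity<0..2^16-1> followed by EncryptedPreMasterSecret.
    length_prefixed=True: TLS 1.x vector encoding (what GnuTLS expects).
    length_prefixed=False: SSLv3 encoding, blob fills the rest (PolarSSL)."""
    body = struct.pack("!H", len(psk_identity)) + psk_identity
    if length_prefixed:
        body += struct.pack("!H", len(encrypted_pms))
    return body + encrypted_pms


def decode_client_key_exchange(body, length_prefixed):
    """Inverse of encode_client_key_exchange. Raises ValueError when the
    bytes do not fit the expected layout, which is what a server sees when
    the peer used the other convention."""
    if len(body) < 2:
        raise ValueError("truncated psk_identity length")
    (id_len,) = struct.unpack("!H", body[:2])
    pos = 2
    if len(body) < pos + id_len:
        raise ValueError("truncated psk_identity")
    psk_identity = body[pos:pos + id_len]
    pos += id_len
    if length_prefixed:
        if len(body) < pos + 2:
            raise ValueError("missing EncryptedPreMasterSecret length")
        (enc_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        if len(body) != pos + enc_len:
            raise ValueError("EncryptedPreMasterSecret length %d does not "
                             "match %d remaining bytes" % (enc_len, len(body) - pos))
    # SSLv3 style: whatever remains is the ciphertext, no consistency check possible
    return psk_identity, body[pos:]


def interop_check(sender_prefixed, receiver_prefixed, encrypted_pms=None):
    """True when the receiver recovers exactly the blob the sender put in."""
    if encrypted_pms is None:
        # constructed stand-in for a 128-byte RSA ciphertext (no real RSA here)
        encrypted_pms = bytes(range(128))
    body = encode_client_key_exchange(b"Client_identity", encrypted_pms,
                                      sender_prefixed)
    try:
        _identity, blob = decode_client_key_exchange(body, receiver_prefixed)
    except ValueError:
        return False
    return blob == encrypted_pms


if __name__ == "__main__":
    # same convention on both sides works; mixed conventions fail either way
    for sender, receiver in [(True, True), (False, False), (True, False), (False, True)]:
        print("sender prefixed=%-5s receiver prefixed=%-5s -> %s"
              % (sender, receiver, "ok" if interop_check(sender, receiver) else "FAIL"))
```

Note that in the SSLv3-style decode there is nothing to check against, so a server expecting the bare form silently accepts a length-prefixed message and hands a blob two bytes too long to the RSA decryption, while a server expecting the prefixed form usually rejects the bare message outright because the first two ciphertext bytes rarely equal the remaining length. Either way the handshake fails, which is the symptom reported above.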
