[gnutls-help] RSA-PSK SSLv3 interop issues

Nikos Mavrogiannopoulos nmav at gnutls.org
Tue Jul 22 13:27:23 CEST 2014


On Mon, Jul 14, 2014 at 12:54 PM, Manuel Pégourié-Gonnard
<mpg at polarssl.org> wrote:
> Hi,
> I recently noticed that PolarSSL and GnuTLS fail to interop when using RSA-PSK
> ciphersuites with SSLv3. The reason is, PolarSSL uses EncryptPreMasterSecret
> without initial length bytes, as was done in SSLv3, but GnuTLS wants the length
> bytes (as in TLS 1.x).
> RFC 4279 says:
>
>    The EncryptedPreMasterSecret field sent from the client to the server
>    contains a 2-byte version number and a 46-byte random value,
>    encrypted using the server's RSA public key as described in Section
>    7.4.7.1 of [RFC2246]
> So it refers to RFC 2246 which defines TLS 1.0, which was current when RFC 4279
> was published, but doesn't say anything about previous versions. There are (at
> least) two ways to interpret this silence:
> 1. Do as in TLS 1.0 even with older version.
> 2. Encode EncryptedPreMasterSecret as is usually done in the active version.
> GnuTLS does (1) and PolarSSL does (2), hence the interop issue. Of course a
> third way to interpret this silence might be to limit RSA-PSK suites to TLS 1.x
> where there is no possible ambiguity.
> Before taking any action, I wanted to check with you. What's your opinion on
> this matter?

I think that limiting RSA-PSK to TLS 1.0 or later is the best option,
and I'll do that in 3.3.x.

> PS: according to Wikipedia's comparison of TLS implementations, we'd be the only
> libraries implementing RSA-PSK.

I don't particularly like the properties of the RSA-PSK key exchange.
It is only in gnutls because it was contributed. If I had a choice I'd
prefer something that used signing over DHE-PSK.

regards,
Nikos
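The two encodings of the RSA-PSK ClientKeyExchange that the quoted message describes, as an added Python example (not code from GnuTLS or PolarSSL). It builds the RFC 4279 rsa_psk ClientKeyExchange body both with the TLS 1.x-style 2-byte length before the RSA block and without it, parses it under each server expectation, and shows why neither mixed combination interoperates. The RSA encryption itself is not performed: an assumed 2048-bit server key gives a 256-byte block, and a constructed 256-byte blob stands in for the ciphertext; the PSK identity, PSK, helper names and `rsa_psk_offered` policy are constructed for the example. The premaster-secret assembly follows RFC 4279 section 4.

```python
import os
import struct

# Assumption for this example: a 2048-bit server RSA key, so the RSA-encrypted
# block is exactly 256 bytes. The RSA operation itself is not performed here;
# a constructed 256-byte blob stands in for the ciphertext.
MODULUS_LEN = 256
FAKE_CIPHERTEXT = bytes(range(256))   # constructed stand-in for RSA-PKCS#1-v1.5(R)

# Constructed sample inputs, not taken from the mailing-list post.
PSK_IDENTITY = b"client@example"
PSK = bytes(range(16))
SSL3 = (3, 0)
TLS10 = (3, 1)


def make_rsa_plaintext(client_version, rand46=None):
    """The 48-byte value R that gets RSA-encrypted (RFC 4279 / RFC 2246 7.4.7.1):
    a 2-byte version number followed by 46 random bytes."""
    rand46 = os.urandom(46) if rand46 is None else rand46
    if len(rand46) != 46:
        raise ValueError("need exactly 46 random bytes")
    return bytes(client_version) + rand46


def build_rsa_psk_cke(psk_identity, encrypted_pms, length_prefix):
    """RFC 4279 rsa_psk ClientKeyExchange body:
        opaque psk_identity<0..2^16-1>;
        EncryptedPreMasterSecret;
    length_prefix=True puts a 2-byte length before the RSA block (the TLS 1.x
    encoding GnuTLS expects); False sends the bare block (the SSLv3 encoding
    PolarSSL used, per the thread above)."""
    if len(psk_identity) > 0xFFFF:
        raise ValueError("psk_identity too long")
    body = struct.pack("!H", len(psk_identity)) + psk_identity
    if length_prefix:
        body += struct.pack("!H", len(encrypted_pms))
    return body + encrypted_pms


def parse_rsa_psk_cke(body, expect_length_prefix, modulus_len=MODULUS_LEN):
    """Server-side parse. Returns (psk_identity, encrypted_pms) or raises
    ValueError when the wire encoding does not match what the server expects."""
    if len(body) < 2:
        raise ValueError("truncated ClientKeyExchange")
    (id_len,) = struct.unpack("!H", body[:2])
    psk_identity = body[2:2 + id_len]
    if len(psk_identity) != id_len:
        raise ValueError("truncated psk_identity")
    rest = body[2 + id_len:]
    if expect_length_prefix:
        if len(rest) < 2:
            raise ValueError("missing EncryptedPreMasterSecret length")
        (enc_len,) = struct.unpack("!H", rest[:2])
        encrypted_pms = rest[2:]
        if len(encrypted_pms) != enc_len:
            raise ValueError("EncryptedPreMasterSecret length %d != %d bytes present"
                             % (enc_len, len(encrypted_pms)))
    else:
        encrypted_pms = rest
    # Either way the RSA block must be exactly one modulus in size.
    if len(encrypted_pms) != modulus_len:
        raise ValueError("RSA block is %d bytes, modulus is %d"
                         % (len(encrypted_pms), modulus_len))
    return psk_identity, encrypted_pms


def can_interop(client_length_prefix, server_expects_prefix):
    """True when a server with the given expectation accepts the client's encoding."""
    body = build_rsa_psk_cke(PSK_IDENTITY, FAKE_CIPHERTEXT, client_length_prefix)
    try:
        parse_rsa_psk_cke(body, server_expects_prefix)
        return True
    except ValueError:
        return False


def rsa_psk_premaster(rsa_plaintext, psk):
    """RFC 4279 section 4: after decryption the premaster secret is
    uint16(48) || R (48 bytes) || uint16(len(psk)) || psk."""
    if len(rsa_plaintext) != 48:
        raise ValueError("RSA plaintext must be 48 bytes")
    return (struct.pack("!H", 48) + rsa_plaintext
            + struct.pack("!H", len(psk)) + psk)


def rsa_psk_offered(version):
    """The resolution chosen in the reply above: offer RSA-PSK only at TLS 1.0
    or later, where the length-prefixed encoding is unambiguous."""
    return version >= TLS10


if __name__ == "__main__":
    for client, server in [(False, True), (True, False), (True, True)]:
        print("client prefix=%s server expects=%s -> %s"
              % (client, server, "ok" if can_interop(client, server) else "FAIL"))
    print("RSA-PSK at SSLv3 offered:", rsa_psk_offered(SSL3))
```

Note that the failure is deterministic in practice, not occasional: a server expecting the prefix reads the first two ciphertext bytes as a length, which will almost never equal the remaining 254 bytes, and a server expecting the bare block sees 258 bytes instead of one modulus. Rejecting RSA-PSK below TLS 1.0, as the reply proposes, removes the question of which encoding applies rather than picking one.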
