On Wed, 2018-05-16 at 11:30 +0200, Ander Juaristi wrote:
> El 2018-05-11 09:05, Nikos Mavrogiannopoulos escribió:
> > On Thu, 2018-05-10 at 11:46 -0400, Viktor Dukhovni wrote:
> > >
> > > Good to know. Does any implementation other than OpenSSL support
> > > external PSKs? How do you distinguish between external PSKs and
> > > resumption PSKs?
> > gnutls does. For external PSKs it checks for the ticket age being zero
> > and the username/identity being within acceptable bounds.
> Hey Nikos,
> I remember we had this discussion, but wanted to transfer it to the
> as even though I believe that approach
> will work almost always, by reading the current draft my
> is that being the ticket age zero is no more than a hint
> that it *might* be a PSK.
> What's wrong with trying to decrypt it first and then if decryption
> fails treat it as an external PSK and look up
> its identity in the database? GnuTLS encrypts the tickets with EtA
> with "decrypt" I mean checking the MAC first,
> and then decrypting. Isn't this a stronger check?
Decrypting a ticket may not always be possible. For example, server
keys may get rotated, or a server may receive keys which were destined
for another server in the pool.
> Another option to remove some ambiguity out of here would just be to
> change the draft to say that externally set PSKs
> MUST have a ticket age of zero (rather than SHOULD). This way a
> can instantly recognize an external PSK. A real
> ticket can never have an obfuscated ticket age of zero, right? Or it
I think that ticket age could be zero even for non-preshared keys (not
very likely though).
A field which could potentially be used to distinguish tickets is the
key_name of an RFC 5077 formatted ticket.
TLS mailing list
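The two strategies discussed in this thread (ticket age zero plus identity bounds, versus checking the ticket MAC first and falling back to an external lookup), combined with the key_name idea, as an added example that is not code from the thread or from GnuTLS. It assumes a minimal RFC 5077-style layout (key_name, IV, length-prefixed opaque state, HMAC-SHA256 over everything before the MAC), a constructed key ring and external PSK database, and a constructed identity length bound; the MAC check is what decides, so an unknown key_name (rotated key, or a ticket minted by another server in the pool) simply falls through instead of failing hard.

```python
import hmac
import hashlib
import os
import struct

KEY_NAME_LEN, IV_LEN, MAC_LEN = 16, 16, 32
MAX_EXTERNAL_IDENTITY = 128  # constructed bound for external PSK identities


def mint_ticket(key_name, mac_key, state):
    """Build a ticket in the assumed layout; `state` is treated as already-encrypted opaque bytes."""
    body = key_name + os.urandom(IV_LEN) + struct.pack("!H", len(state)) + state
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def split_ticket(identity):
    """Parse the layout; return (key_name, mac_input, mac) or None if it cannot be a ticket."""
    header = KEY_NAME_LEN + IV_LEN + 2
    if len(identity) < header + MAC_LEN:
        return None
    state_len = struct.unpack("!H", identity[KEY_NAME_LEN + IV_LEN:header])[0]
    end = header + state_len
    if end + MAC_LEN != len(identity):
        return None
    return identity[:KEY_NAME_LEN], identity[:end], identity[end:]


def classify_psk_identity(identity, obfuscated_ticket_age, ticket_keys, external_db):
    """Return ("resumption", key_name), ("external", identity) or ("unknown", None).

    Step 1: if the identity parses as a ticket whose key_name we hold, verify the MAC
    in constant time; a good MAC means a resumption PSK. A key_name we do not hold
    (rotated or foreign key) is not treated as an error: we fall through.
    Step 2: only an identity with obfuscated_ticket_age == 0 and a length inside the
    configured bound is looked up as an external PSK. Anything else is unknown.
    """
    parsed = split_ticket(identity)
    if parsed is not None:
        key_name, mac_input, mac = parsed
        mac_key = ticket_keys.get(key_name)
        if mac_key is not None:
            expected = hmac.new(mac_key, mac_input, hashlib.sha256).digest()
            if hmac.compare_digest(expected, mac):
                return ("resumption", key_name)
    if obfuscated_ticket_age == 0 and 0 < len(identity) <= MAX_EXTERNAL_IDENTITY:
        if identity in external_db:
            return ("external", identity)
    return ("unknown", None)
```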