On Mon, Jul 14, 2014 at 12:54 PM, Manuel Pégourié-Gonnard <[email protected]> wrote:
> Hi,
>
> I recently noticed that PolarSSL and GnuTLS fail to interop when using RSA-PSK
> ciphersuites with SSLv3. The reason is, PolarSSL uses EncryptedPreMasterSecret
> without initial length bytes, as was done in SSLv3, but GnuTLS wants the length
> bytes (as in TLS 1.x).
>
> RFC 4279 says:
>
>    The EncryptedPreMasterSecret field sent from the client to the server
>    contains a 2-byte version number and a 46-byte random value,
>    encrypted using the server's RSA public key as described in Section
>    7.4.7.1 of [RFC2246]
>
> So it refers to RFC 2246 which defines TLS 1.0, which was current when RFC 4279
> was published, but doesn't say anything about previous versions. There are (at
> least) two ways to interpret this silence:
>
> 1. Do as in TLS 1.0 even with older versions.
> 2. Encode EncryptedPreMasterSecret as is usually done in the active version.
>
> GnuTLS does (1) and PolarSSL does (2), hence the interop issue. Of course a
> third way to interpret this silence might be to limit RSA-PSK suites to TLS 1.x
> where there is no possible ambiguity.
>
> Before taking any action, I wanted to check with you. What's your opinion on
> this matter?
I think that limiting RSA-PSK to TLS 1.0 or later is the best option, and I'll
do that in 3.3.x.

> PS: according to Wikipedia's comparison of TLS implementations, we'd be the only
> libraries implementing RSA-PSK.

I don't particularly like the properties of the RSA-PSK key exchange. It is
only in gnutls because it was contributed. If I had a choice I'd prefer
something that used signing over DHE-PSK.

regards,
Nikos

_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
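The interop failure the thread describes comes down to one wire-format detail: the RSA_PSK ClientKeyExchange (RFC 4279 section 4) carries psk_identity as a length-prefixed opaque vector followed by EncryptedPreMasterSecret, and the two libraries disagree on whether that second field gets the 2-byte length prefix of TLS 1.x or is written raw as SSLv3 did. The following Python is an added example, written for this page; it is not code from GnuTLS, PolarSSL, or the mailing list. It builds the ClientKeyExchange body under both readings, parses it strictly the way a careful server would, and models the three policies discussed (always TLS-style, follow the active version, refuse RSA-PSK below TLS 1.0). The identity, the 256-byte "ciphertext" and the function names are constructed for illustration; no real RSA encryption is performed.

```python
"""RSA-PSK ClientKeyExchange encoding under the two readings in the thread.

The EncryptedPreMasterSecret is written either as opaque<0..2^16-1> (TLS 1.x
style, 2-byte length prefix) or raw (SSLv3 style, no prefix). Everything below
is constructed sample data: the 'ciphertext' is not real RSA output."""

import struct

SSL3 = (3, 0)    # protocol version as (major, minor)
TLS1_0 = (3, 1)

# Constructed sample values (not captured traffic): an identity and a
# 256-byte stand-in for an RSA ciphertext under a 2048-bit modulus.
CONSTRUCTED_IDENTITY = b"Client_identity"
CONSTRUCTED_CIPHERTEXT = bytes(range(256))


def encode_rsa_psk_cke(psk_identity, encrypted_pms, length_prefixed):
    """Build the RSA_PSK ClientKeyExchange body.

    psk_identity is always opaque<0..2^16-1>.  encrypted_pms is written with a
    2-byte length (TLS 1.x reading) or raw (SSLv3 reading)."""
    if len(psk_identity) > 0xFFFF or len(encrypted_pms) > 0xFFFF:
        raise ValueError("field too long for a 16-bit length")
    body = struct.pack("!H", len(psk_identity)) + psk_identity
    if length_prefixed:
        body += struct.pack("!H", len(encrypted_pms))
    return body + encrypted_pms


def parse_rsa_psk_cke(body, length_prefixed):
    """Parse strictly: every byte must be accounted for, or raise ValueError."""
    if len(body) < 2:
        raise ValueError("truncated psk_identity length")
    (id_len,) = struct.unpack("!H", body[:2])
    if len(body) < 2 + id_len:
        raise ValueError("truncated psk_identity")
    identity = body[2:2 + id_len]
    rest = body[2 + id_len:]
    if length_prefixed:
        if len(rest) < 2:
            raise ValueError("truncated EncryptedPreMasterSecret length")
        (pms_len,) = struct.unpack("!H", rest[:2])
        if len(rest) != 2 + pms_len:
            raise ValueError("EncryptedPreMasterSecret length %d does not match "
                             "%d remaining bytes" % (pms_len, len(rest) - 2))
        encrypted_pms = rest[2:]
    else:
        encrypted_pms = rest
    if not encrypted_pms:
        raise ValueError("empty EncryptedPreMasterSecret")
    return identity, encrypted_pms


def rsa_psk_encoding_for(version, policy):
    """How a peer with the given policy encodes EncryptedPreMasterSecret.

    'always_tls'     = interpretation (1) in the thread: length bytes always.
    'active_version' = interpretation (2): follow the negotiated version.
    'tls_only'       = the third option: refuse RSA-PSK below TLS 1.0.
    Returns True (prefixed), False (raw) or None (suite refused)."""
    if policy == "always_tls":
        return True
    if policy == "active_version":
        return version >= TLS1_0
    if policy == "tls_only":
        return True if version >= TLS1_0 else None
    raise ValueError("unknown policy %r" % policy)


def interop(version, client_policy, server_policy, identity, ciphertext):
    """Simulate one ClientKeyExchange; return 'ok', 'refused' or 'mismatch'."""
    c = rsa_psk_encoding_for(version, client_policy)
    s = rsa_psk_encoding_for(version, server_policy)
    if c is None or s is None:
        return "refused"
    body = encode_rsa_psk_cke(identity, ciphertext, c)
    try:
        parsed = parse_rsa_psk_cke(body, s)
    except ValueError:
        return "mismatch"
    # A raw parser fed a prefixed body returns two extra leading bytes; RSA
    # decryption of that blob would fail, so treat it as a mismatch too.
    return "ok" if parsed == (identity, ciphertext) else "mismatch"


def demo():
    """The cases from the thread, keyed by (version, client, server)."""
    cases = [
        (SSL3, "active_version", "always_tls"),    # PolarSSL client, GnuTLS server
        (SSL3, "always_tls", "active_version"),    # GnuTLS client, PolarSSL server
        (TLS1_0, "active_version", "always_tls"),  # no ambiguity from TLS 1.0 on
        (SSL3, "active_version", "tls_only"),      # the resolution chosen in the reply
        (TLS1_0, "tls_only", "tls_only"),
    ]
    return {c: interop(*c, CONSTRUCTED_IDENTITY, CONSTRUCTED_CIPHERTEXT) for c in cases}


if __name__ == "__main__":
    for (ver, cli, srv), result in demo().items():
        print("TLS %d.%d client=%-14s server=%-14s -> %s" % (ver + (cli, srv, result)))
```

The strict length check is what turns the ambiguity into a hard failure rather than silent misparsing: with a raw SSLv3-style body, a TLS-style server reads the first two ciphertext bytes as a length that almost never equals the remaining byte count. Refusing RSA-PSK below TLS 1.0 removes the question entirely, which is the option the reply settles on.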
