So, do I get this right?
OpenVPN built with mbedTLS will print the TLS PSK cipher suites (openvpn 
--show-tls), despite OpenVPN not supporting these?

Kind regards,
SaAtomic


18. Feb 2017 13:05 by [email protected]:

> Date: Fri, 17 Feb 2017 15:16:37 +0100
> From: Steffan Karger <[email protected]>
> Subject: Re: [Openvpn-users] Security/Usage of tls-cipher with PSK KEX
> To: [email protected]
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=windows-1252
>
> Hi,
>
> On 15-02-17 08:09, [email protected] wrote:
>> I'm looking into the security of the offered tls-ciphers, with both
>> OpenSSL and mbedTLS.
>>
>> Now I've first encountered key exchanges with the use of a pre shared
>> key, offered by mbedTLS.
>> The PSK appears to be used either on its own or in combination with DHE,
>> ECDHE or RSA.
>> See the list of relevant cipher suites at the bottom of the mail:
>>
>> A couple of questions there:
>> How is this PSK generated and correctly deployed?
>> Can someone give me a resource, explaining how this works?
>> What is the security impact of the use of the PSK?
>> In the cases, where only PSK is used, no additional key exchange, is the
>> PSK used for the TLS encryption?
>
> OpenVPN does not support TLS PSK.  Compared to the asymmetric key
> exchanges we support, it doesn't really bring us anything, but it does
> incur extra development time and maintenance cost.
>
> The other questions you ask are quite generic TLS PSK questions, which
> are probably best explained by the RFC that introduces PSK:
> https://tools.ietf.org/html/rfc4279
>
> It's just 10 pages of actual text, so should be quite digestible.
>
> -Steffan
>