Re: [openssl-dev] [openssl.org #2464] TLS-RSA-PSK support

2015-08-19 Thread Salz, Rich
> as long as OpenSSL ships support for single DES by default, giving those > ciphers the treatment 4 is... inconsistent... to put it mildly. It depends on how you look at it. We have to move very slowly (more slowly than I would like!!) to removing things that are in the shipped software. But w

Re: [openssl-dev] [openssl.org #2464] TLS-RSA-PSK support

2015-08-19 Thread Viktor Dukhovni
On Wed, Aug 19, 2015 at 02:59:59PM +0200, Hubert Kario wrote: > > > > So what's the final resolution of this? Should we keep or drop > > > > > > > > the new PSK RC4 and PSK 3DES codepoints: > > > > TLS_RSA_PSK_WITH_RC4_128_SHA RSA-PSK-RC4-SHA > > > > TLS_RSA_PSK_WITH_3DES_ED

Re: [openssl-dev] [openssl.org #2464] TLS-RSA-PSK support

2015-08-19 Thread Hubert Kario
On Tuesday 18 August 2015 17:02:24 Viktor Dukhovni wrote: > On Tue, Aug 18, 2015 at 06:48:25PM +0200, Hubert Kario wrote: > > > So what's the final resolution of this? Should we keep or drop > > > > > > the new PSK RC4 and PSK 3DES codepoints: > > > TLS_RSA_PSK_WITH_RC4_128_SHA R

Re: [openssl-dev] [openssl.org #2464] TLS-RSA-PSK support

2015-08-18 Thread Salz, Rich
> These are brand new cipher suites, never before seen in OpenSSL. > The argument is that it makes no sense to *add* these, because they're > already obsolete. So I was hoping for 4 or 5. Strongly agree. > We can lose a bunch of code and attack surface by not supporting fixed > (EC)DH. Does thi

Re: [openssl-dev] [openssl.org #2464] TLS-RSA-PSK support

2015-08-18 Thread Viktor Dukhovni
On Tue, Aug 18, 2015 at 06:48:25PM +0200, Hubert Kario wrote: > > So what's the final resolution of this? Should we keep or drop > > the new PSK RC4 and PSK 3DES codepoints: > > > > TLS_RSA_PSK_WITH_RC4_128_SHA RSA-PSK-RC4-SHA > > TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA RS

Re: [openssl-dev] [openssl.org #2464] TLS-RSA-PSK support

2015-08-18 Thread Hubert Kario
On Monday 17 August 2015 15:54:03 Viktor Dukhovni wrote: > On Fri, Jul 31, 2015 at 05:37:20PM +, Viktor Dukhovni wrote: > > Which ciphers are actually needed by PSK users? My hope is that > > at this point RC4 and 3DES are not. It is highly likely that CBC > > AES-CBC is needed, perhaps also

Re: [openssl-dev] [openssl.org #2464] TLS-RSA-PSK support

2015-08-17 Thread Salz, Rich
> TLS_RSA_PSK_WITH_RC4_128_SHA RSA-PSK-RC4-SHA > TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA RSA-PSK-3DES-EDE-CBC- > SHA Remove. > On a related note (for those also reading the TLS WG list), any thoughts on > deprecating any or all of the kDHr, kDHd, kECDHr, kECDHe ciphers? R

Re: [openssl-dev] [openssl.org #2464] TLS-RSA-PSK support

2015-08-17 Thread Viktor Dukhovni
On Fri, Jul 31, 2015 at 05:37:20PM +, Viktor Dukhovni wrote: > Which ciphers are actually needed by PSK users? My hope is that > at this point RC4 and 3DES are not. It is highly likely that CBC > AES-CBC is needed, perhaps also Camellia, but the question is I > think worth asking. So what's

Re: [openssl-dev] [openssl.org #2464] TLS-RSA-PSK support

2015-07-31 Thread Viktor Dukhovni
On Fri, Jul 31, 2015 at 07:24:15PM +0200, Hubert Kario wrote: > > Question, should we really be adding new RC4 or new 3DES ciphersuites? > > Both ciphers are rather obsolete now. And we even have an RFC that > > "bans" RC4. While I have been known to resist potentially premature > > removal of *

Re: [openssl-dev] [openssl.org #2464] TLS-RSA-PSK support

2015-07-31 Thread Hubert Kario
On Thursday 30 July 2015 15:09:18 Viktor Dukhovni wrote: > On Sun, Jun 21, 2015 at 07:00:55PM +, Giuseppe D'Angelo via RT wrote: > > diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod > > index c2d40ac..7fbe3a4 100644 > > --- a/doc/apps/ciphers.pod > > +++ b/doc/apps/ciphers.pod > > @@ -5

Re: [openssl-dev] [openssl.org #2464] TLS-RSA-PSK support

2015-07-30 Thread Salz, Rich
> Therefore, I would to propose that the 3DES and RC4 PSK ciphersuites not be > included. > > I am not even sure that adding Camellia is a net win, ideally AES and > (soonish) > ChaCha20 are enough. > > One might similarly question the longevity of the new CBC suites, TLS 1.3 is > moving to AEA

Re: [openssl-dev] [openssl.org #2464] TLS-RSA-PSK support

2015-07-30 Thread Viktor Dukhovni
On Sun, Jun 21, 2015 at 07:00:55PM +, Giuseppe D'Angelo via RT wrote: > diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod > index c2d40ac..7fbe3a4 100644 > --- a/doc/apps/ciphers.pod > +++ b/doc/apps/ciphers.pod > @@ -585,10 +585,22 @@ Note: these ciphers can also be used in SSL v3. >

[openssl-dev] [openssl.org #2464] TLS-RSA-PSK support

2015-06-21 Thread Giuseppe D'Angelo via RT
Yet another version after some refactorings that landed in master. Please, pretty please, with sugar on top, could anyone review this code so that it can get merged? It's becoming a difficult exercise to keep track of upstream changes and adapt the patch every single time... Cheers, -- Giusep

[openssl-dev] [openssl.org #2464] TLS-RSA-PSK support

2015-01-30 Thread Giuseppe D'Angelo via RT
New version of the patch, targeting master. It's basically style changes after the massive OpenSSL refactoring. Thanks, -- Giuseppe D'Angelo | giuseppe.dang...@kdab.com | Software Engineer KDAB (UK) Ltd., a KDAB Group company Tel. UK +44-1738-450410, Sweden (HQ) +46-563-540090 KDAB - Qt Experts