On 2018-05-11 09:05, Nikos Mavrogiannopoulos wrote:
> On Thu, 2018-05-10 at 11:46 -0400, Viktor Dukhovni wrote:
>> Good to know. Does any implementation other than OpenSSL support
>> external PSKs? How do you distinguish between external PSKs and
>> resumption PSKs?
>
> gnutls does. For external PSKs it checks for ticket age being zero and
> the username/identity within acceptable bounds.

Hey Nikos,

I remember we had this discussion, but wanted to transfer it to the list as even though I believe that approach will work almost always, by reading the current draft my understanding is that the ticket age being zero is no more than a hint that it *might* be a PSK.

What's wrong with trying to decrypt it first and then if decryption fails treat it as an external PSK and look up its identity in the database? GnuTLS encrypts the tickets with EtA so with "decrypt" I mean checking the MAC first, and then decrypting. Isn't this a stronger check?

These and all the other mentioned checks are not mutually exclusive. You could check the ticket key name first before even trying to verify the MAC to discard malformed tickets very early in the game.

Another option to remove some ambiguity out of here would just be to change the draft to say that externally set PSKs MUST have a ticket age of zero (rather than SHOULD). This way a server can instantly recognize an external PSK. A real ticket can never have an obfuscated ticket age of zero, right? Or can it?

I'm curious to hear what folks here think is wrong with either approach.
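
The check order proposed in the message above (ticket key name, then the EtA MAC, then fall back to the external PSK database), sketched as an added example that is not part of the original post and is not GnuTLS code. The ticket layout `key_name || iv || ciphertext || HMAC-SHA256 tag`, the function names and all sample keys and identities are assumptions constructed for illustration; decryption of the ticket body is left out.

```python
import hashlib
import hmac

# Assumed ticket layout for this sketch (not GnuTLS's actual format).
KEY_NAME_LEN, IV_LEN, MAC_LEN = 16, 16, 32

def seal_ticket(key_name, mac_key, iv, ciphertext):
    """Encrypt-then-MAC framing: the tag covers key_name || iv || ciphertext."""
    body = key_name + iv + ciphertext
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def classify_identity(identity, key_name, mac_key, external_psks):
    """Classify a ClientHello PSK identity without consulting the ticket age.

    Returns ("resumption", still_encrypted_state), ("external", psk)
    or ("unknown", None).
    """
    # Step 1: cheap early discard on length and ticket key name.
    long_enough = len(identity) >= KEY_NAME_LEN + IV_LEN + MAC_LEN
    if long_enough and hmac.compare_digest(identity[:KEY_NAME_LEN], key_name):
        # Step 2: verify the MAC before any decryption is attempted (EtA).
        body, tag = identity[:-MAC_LEN], identity[-MAC_LEN:]
        expected = hmac.new(mac_key, body, hashlib.sha256).digest()
        if hmac.compare_digest(tag, expected):
            return ("resumption", body[KEY_NAME_LEN + IV_LEN:])
    # Step 3: not a valid ticket of ours, so treat it as an external PSK
    # identity and look it up in the database.
    psk = external_psks.get(identity)
    if psk is not None:
        return ("external", psk)
    return ("unknown", None)

# Constructed sample data (all values are made up for this example).
KEY_NAME = b"K" * KEY_NAME_LEN
MAC_KEY = bytes(range(32))
EXTERNAL_PSKS = {b"client-01": b"\x11" * 32}
SAMPLE_TICKET = seal_ticket(KEY_NAME, MAC_KEY, b"\x00" * IV_LEN,
                            b"opaque-encrypted-state")
TAMPERED_TICKET = SAMPLE_TICKET[:-1] + bytes([SAMPLE_TICKET[-1] ^ 1])

if __name__ == "__main__":
    for ident in (SAMPLE_TICKET, TAMPERED_TICKET, b"client-01", b"nobody"):
        kind, _ = classify_identity(ident, KEY_NAME, MAC_KEY, EXTERNAL_PSKS)
        print(kind)
```

A ticket that carries the right key name but fails the MAC falls through to the database lookup, so it ends up rejected unless that exact byte string was registered as an external identity.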