netty / netty-incubator-codec-quic

Apache License 2.0

Add support for pre-shared keys #246

Open thomdev opened 3 years ago

thomdev commented 3 years ago

Client and server should have the option to use out-of-band pre-shared keys rather than certificates.

https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Pre-shared-keys

normanmaurer commented 3 years ago

Yes! I will add support for it.

normanmaurer commented 3 years ago

As it turns out this is only for TLS 1.2 and so not what we need... currently investigating how to add support for TLS 1.3, which is used for QUIC.

normanmaurer commented 3 years ago

We may need to wait for BoringSSL to add support /cc @davidben

normanmaurer commented 1 year ago

@davidben is this something you support yet? It's not clear to me atm.

davidben commented 1 year ago

We don't currently support it in TLS 1.3. The problem is the original TLS 1.3 PSK mechanism was, IMO, defined wrong. It does this hash-matching thing, but that ties together your PSK configuration (managed by the caller), and TLS parameter selection (in many cases, library behavior).

Imported PSKs resolves this. My motivation there was, in fact, "someone is going to want PSKs someday and I want this specified before I need to implement it". 😄 But all the folks who wanted PSKs have since fizzled, so we never ended up implementing it. It's just sitting there as the plan of record, should we ever want to add it.
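The decoupling davidben describes, shown as an added worked example (not code from the netty or BoringSSL projects): a single external PSK is run through the RFC 9258 importer once per target KDF, so the caller's key configuration stays hash-agnostic while the chosen hash is bound into the PSK identity the peer sees. The external PSK bytes, the identity string and the context label below are constructed sample values; the helper names are my own, not a library API.

```python
"""RFC 9258 PSK importer, worked example (added here; not netty or BoringSSL code).

The original TLS 1.3 external-PSK mechanism (RFC 8446) requires the PSK to be
provisioned for exactly one hash, which ties the caller's key management to
the library's cipher-suite selection. The importer instead derives one
imported PSK and one identity per (target_protocol, target_kdf) pair from a
single external PSK, so whichever KDF the library negotiates, a matching key
and identity already exist.
"""
import hashlib
import hmac
import struct

# TLS KDF identifiers (RFC 9258 registry) and the TLS 1.3 version codepoint.
KDF_HKDF_SHA256 = 0x0001
KDF_HKDF_SHA384 = 0x0002
PROTO_TLS13 = 0x0304

_HASH = {KDF_HKDF_SHA256: hashlib.sha256, KDF_HKDF_SHA384: hashlib.sha384}


def hkdf_extract(salt: bytes, ikm: bytes, h) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, h).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, h) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), h).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes,
                      length: int, h) -> bytes:
    """HKDF-Expand-Label from RFC 8446 section 7.1 (label prefixed "tls13 ")."""
    full_label = b"tls13 " + label
    hkdf_label = (struct.pack("!H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length, h)


def encode_imported_identity(external_identity: bytes, context: bytes,
                             target_protocol: int, target_kdf: int) -> bytes:
    """Serialise the RFC 9258 ImportedIdentity struct:
    external_identity<1..2^16-1>, context<0..2^16-1>, uint16 protocol, uint16 kdf.
    """
    if not 1 <= len(external_identity) <= 0xFFFF:
        raise ValueError("external_identity must be 1..65535 bytes")
    if len(context) > 0xFFFF:
        raise ValueError("context too long")
    return (struct.pack("!H", len(external_identity)) + external_identity
            + struct.pack("!H", len(context)) + context
            + struct.pack("!HH", target_protocol, target_kdf))


def decode_imported_identity(identity: bytes):
    """Parse an ImportedIdentity as a server would, to learn which KDF it targets."""
    (ext_len,) = struct.unpack_from("!H", identity, 0)
    ext = identity[2:2 + ext_len]
    (ctx_len,) = struct.unpack_from("!H", identity, 2 + ext_len)
    ctx = identity[4 + ext_len:4 + ext_len + ctx_len]
    proto, kdf = struct.unpack_from("!HH", identity, 4 + ext_len + ctx_len)
    return ext, ctx, proto, kdf


def import_psk(epsk: bytes, external_identity: bytes, context: bytes,
               target_protocol: int, target_kdf: int):
    """Return (imported identity, imported PSK) for one target KDF.

    epskx = HKDF-Extract(0, epsk)
    ipskx = HKDF-Expand-Label(epskx, "derived psk", Hash(ImportedIdentity), L)
    where Hash/L belong to target_kdf and the salt 0 is L zero bytes.
    """
    h = _HASH[target_kdf]
    length = h().digest_size
    identity = encode_imported_identity(external_identity, context,
                                        target_protocol, target_kdf)
    epskx = hkdf_extract(bytes(length), epsk, h)
    ipskx = hkdf_expand_label(epskx, b"derived psk", h(identity).digest(),
                              length, h)
    return identity, ipskx


def import_for_all_kdfs(epsk: bytes, external_identity: bytes, context: bytes = b""):
    """One imported (identity, key) per supported KDF from a single external PSK."""
    return {kdf: import_psk(epsk, external_identity, context, PROTO_TLS13, kdf)
            for kdf in _HASH}


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    SAMPLE_EPSK = bytes(range(32))
    for kdf, (ident, key) in import_for_all_kdfs(SAMPLE_EPSK, b"client-42").items():
        print(f"kdf={kdf:#06x} identity={ident.hex()} ipsk={key.hex()}")
```

Both sides run the importer over the same external PSK, so the server can read `target_kdf` out of the presented identity and pick the matching key without either side having been told in advance which hash the library would negotiate.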

normanmaurer commented 1 year ago

@davidben got it... So I guess there is not much we can do here really.

aozmen121 commented 10 months ago

@davidben & @normanmaurer Any updates on PSKs being supported by Netty? We currently have requirements to handle PSK with TLS 1.2 min.

aozmen121 commented 3 weeks ago

@davidben Any update on this?