Closed gesslerpd closed 6 years ago
Not sure if this is the correct channel for feature requests. Could someone please point me to resources to help get started working on this functionality? This feature will likely require merge requests to both the cryptography and pyOpenSSL libraries and any preliminary guidance would be appreciated.
Thanks in advance for any help!
Use of PSK is incredibly rare in my experience; I'm disinclined to expand the API for it. Can you describe your use case in more detail? Is this a pre-existing protocol?
Yes, it is very rare from what I've seen as well. We are trying to implement support in a Python module for the TLS_ECDHE_PSK_WITH_NULL_SHA256 and TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 cipher suites because they are called out as required ciphers for use with the Common Industrial Protocol. We have been using pyOpenSSL to set up socket wrappings for the other required RSA/ECDSA cipher suites so far.
The Common Industrial Protocol (CIP) specification lists the following reasons for requiring PSK support; the text below is taken directly from the CIP specification.
Advantages to using PSK include:
It may also seem odd that a few NULL cipher suites are required, but users of this protocol oftentimes are concerned only about authentication and data integrity. Am I correct in stating that we would need to build our own version of the cryptography module bindings to enable these various eNULL cipher suites?
Is there any intention of supporting PSK cipher suites in the future by adding a SSL_CTX_set_psk_client_callback function wrapping to the pyOpenSSL SSL.Context object?
More info on the OpenSSL function can be found here: https://wiki.openssl.org/index.php/Manual:SSL_CTX_set_psk_client_callback(3)
Thanks!