Patches
This page lists patches of Open Source software that were released by the Institute for Internet Security.
TLS-RSA-PSK for OpenSS
Christian J. Dietrich wrote a patch for OpenSSL 1.0.0c to support the TLS-RSA-PSK cipher suites as defined in RFC 4279. This patch adds one of the RSA-PSK variants, namely RSA-PSK-AES256-CBC-SHA (cipher suite code 95). Adding ciphers 92-94 should be easy by editing the definition data structure in s3_lib.c.
We clearly have to state that this patch is EXPERIMENTAL. The patch can be downloaded here.
Procedure to apply the patch
- download openssl-1.0.0c.tar.gz tar
- xzf openssl-1.0.0c.tar.gz
- cd openssl-1.0.0c
- patch -p1 -i ../openssl-1.0.0c.tls-rsa-psk.patch
Testing TLS-RSA-PSK
You can test locally whether your openssl with TLS-RSA-PSK works as follows. Make sure that you actually call the currently generated openssl binary (in the apps directory). Must have a server.pem and privkey.pem in the current directory.
# launching the server
openssl s_server \
-psk c033f52671c61c8128f7f8a40be88038bcf2b07a6eb3095c36e3759f0cf40837 \
-key privkey.pem \
-cipher RSA-PSK-AES256-CBC-SHA \
-debug -state
# launch the client
openssl s_client -connect localhost:4433 \
-psk c033f52671c61c8128f7f8a40be88038bcf2b07a6eb3095c36e3759f0cf40837 \
-cipher RSA-PSK-AES256-CBC-SHA \
-debug -state
See also: blog.cj2s.de