Patches

This page lists patches for open source software that were released by the Institute for Internet Security.

TLS-RSA-PSK for OpenSSL

Christian J. Dietrich wrote a patch for OpenSSL 1.0.0c to support the TLS-RSA-PSK cipher suites as defined in RFC 4279. This patch adds one of the RSA-PSK variants, namely RSA-PSK-AES256-CBC-SHA (cipher suite code 95). Adding ciphers 92-94 should be easy by editing the definition data structure in s3_lib.c.
We clearly have to state that this patch is EXPERIMENTAL. The patch can be downloaded here.

Procedure to apply the patch

  • download openssl-1.0.0c.tar.gz
  • tar xzf openssl-1.0.0c.tar.gz
  • cd openssl-1.0.0c
  • patch -p1 -i ../openssl-1.0.0c.tls-rsa-psk.patch

Testing TLS-RSA-PSK

You can test locally whether your openssl build with TLS-RSA-PSK works as follows. Make sure that you actually call the freshly built openssl binary (in the apps directory). You must have a server.pem and a privkey.pem in the current directory.
# launching the server
openssl s_server \
 -psk c033f52671c61c8128f7f8a40be88038bcf2b07a6eb3095c36e3759f0cf40837 \
 -key privkey.pem \
 -cipher RSA-PSK-AES256-CBC-SHA \
 -debug -state
# launch the client
openssl s_client -connect localhost:4433 \
 -psk c033f52671c61c8128f7f8a40be88038bcf2b07a6eb3095c36e3759f0cf40837 \
 -cipher RSA-PSK-AES256-CBC-SHA \
 -debug -state
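
A preflight check for the test above, added here as an example (it is not part of the original page or of the patch): it confirms that the binary you are about to run actually knows RSA-PSK-AES256-CBC-SHA, that the PSK is a hex string as -psk expects, and that server.pem and privkey.pem are present. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: preflight checks before the s_server/s_client test.
# Function names are hypothetical; nothing here comes from the patch.

CIPHER='RSA-PSK-AES256-CBC-SHA'

# Return 0 only if the given openssl binary knows the RSA-PSK suite.
# "openssl ciphers <name>" lists the suites matching <name> and fails
# when no suite of that name is compiled in (e.g. an unpatched build).
supports_rsa_psk() {
    [ -x "$1" ] || { echo "not executable: $1" >&2; return 2; }
    "$1" ciphers "$CIPHER" 2>/dev/null | tr ':' '\n' | grep -qx "$CIPHER"
}

# -psk takes the key as a hex string, so reject anything else early.
valid_psk_hex() {
    case $1 in
        '' | *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# Run all checks from the directory the test will be started in.
# usage: preflight <path-to-openssl> <psk-hex>
preflight() {
    supports_rsa_psk "$1" || {
        echo "$1 does not offer $CIPHER (wrong binary?)" >&2; return 1; }
    valid_psk_hex "$2" || { echo "PSK is not a hex string" >&2; return 1; }
    for f in server.pem privkey.pem; do
        [ -r "$f" ] || { echo "missing $f in $(pwd)" >&2; return 1; }
    done
    echo "ok: $1 offers $CIPHER"
}

# Example: sh preflight.sh apps/openssl <psk-hex>
if [ "$#" -ge 2 ]; then
    preflight "$1" "$2"
fi
```

A system-wide openssl that was built without the patch fails the first check, which is the usual reason the handshake test reports an unknown cipher.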
See also: blog.cj2s.de