1

I want to set up and run SSL client and server with TLS 1.2 using openSSL 1.1.1 for my project.

I have a few doubts and/or requirements with openSSL:

  1. what is the right way to select TLS 1.2 as version? Currently I am using TLS_client_method(). the other methods seem to be deprecated. Is there a specific API for choosing particular version?

  2. I need to run an SSL clinet with following handshake extensions.

    • ec_point_formats with "uncompressed" as value
    • supported_groups with list of "secp521r","secp384r1","secp256r1","secp224r1","secp192r1","secp160r1","ffdhe2048"
    • encrypt_then_mac with value 0
    • server_name
    • extended_master_secret without any value and length set to 0

  3. I need to run an SSL server with following handshake extensions

    • encrypt_then_mac with value 0
    • extended_master_secret without any value and length set to 0

  4. Apart from above header extension fields I want to disable everything else. How to accomplish that?

  5. From client I want to provide only "TLS_PSK_WITH_AES_128_CBC_SHA256" cipher suite as option.

  6. Is client certificate and key files (pem) necessary for successful connection establishment and communication when PSK cipher is used?

  7. Is there any example or open source client-server implementation with PSK authentication?

karthik_p
  • 13
  • 2

1 Answers1

1

what is the right way to select TLS 1.2 as version? Currently I am using TLS_client_method(). the other methods seem to be deprecated. Is there a specific API for choosing particular version?

TLS_client_method() is the correct method to use. To specify that no version below TLSv1.2 is used you should do this:

SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);

Where ctx is your SSL_CTX object.

If you also want to prevent anything higher than TLSv1.2 from being used then do this:

SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION);

See this page for information on these calls: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_min_proto_version.html

I need to run an SSL clinet with following handshake extensions.

  • ec_point_formats with "uncompressed" as value
  • supported_groups with list of "secp521r","secp384r1","secp256r1","secp224r1","secp192r1","secp160r1","ffdhe2048"

These extensions aren't used if you specify the PSK ciphersuite that you've selected so OpenSSL won't send them (assuming you've restricted the max TLS protocol version as described above, and have configured only that ciphersuite). Doing so would be pointless. Even if it did, OpenSSL 1.1.1 does not support "ffdhe2048". It does support all the others.

  • encrypt_then_mac with value 0

Not sure what you mean by "with value 0" since this extension is always empty and has no value. I assume you mean with length 0. This extension is sent by default so you don't need to do anything.

  • server_name

You should call:

SSL_set_tlsext_host_name(ssl, "hostname of the server");

Where ssl is your SSL object, and replacing "hostname of the server" with the server's real hostname.

See this page for information on this call: https://www.openssl.org/docs/man1.1.1/man3/SSL_set_tlsext_host_name.html

  • extended_master_secret without any value and length set to 0

This extension is sent by default so you don't need to do anything.

I need to run an SSL server with following handshake extensions

  • encrypt_then_mac with value 0
  • extended_master_secret without any value and length set to 0

If the client sent them, then the server will echo them back by default. You don't need to do anything.

Apart from above header extension fields I want to disable everything else. How to accomplish that?

An OpenSSL client will additionally send the session_ticket extension. Its harmless, but if you really want to disable it you can do this:

SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);

See this page for further information: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_options.html

An OpenSSL server will additionally send the "renegotiate" extension. You must not disable this (in fact you cannot). Ignore it. Its harmless.

From client I want to provide only "TLS_PSK_WITH_AES_128_CBC_SHA256" cipher suite as option.

That is the official IANA name for the ciphersuite. OpenSSL knows it as "PSK-AES128-CBC-SHA256".

Configure it on both the client and the server like this:

SSL_CTX_set_cipher_list(ctx, "PSK-AES128-CBC-SHA256");

See this page for further information: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_cipher_list.html

In addition you will need to provide PSK callbacks to tell OpenSSL what the PSK is that you want to use.

On the client you need to call SSL_CTX_set_psk_client_callback(). On the server you must call SSL_CTX_set_psk_server_callback().

See these pages for further information: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_psk_client_callback.html https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_psk_server_callback.html

TLSv1.3 ciphersuites will still automatically be sent unless you have additionally restricted the max TLS protocol version to TLSv1.2 as described above. Finally you will also see a ciphersuite called "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" being sent. This isn't actually a real ciphersuite at all. It is always sent and cannot be suppressed. It will never be negotiated and is harmless. Ignore it.

Is client certificate and key files (pem) necessary for successful connection establishment and communication when PSK cipher is used?

No.

Is there any example or open source client-server implementation with PSK authentication?

You can look at how s_client and s_server do it:

https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/apps/s_client.c https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/apps/s_server.c

Matt Caswell
  • 8,167
  • 25
  • 28
  • Do you mean supported groups and ec_point_formats don't take effect when PSK cipher suite is used? I have reference logs with PSK cipher suites these header extensions – karthik_p Jun 15 '21 at 07:30
  • I am trying to set the cipher list using the following code: - SSL_CTX_set_cipher_list(ctx,"PSK-AES128-CBC-SHA256") I am able to see this cipher suite. But, along with this I could see the following suites as well: TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_PSK_WITH_AES_128_CBC_SHA256,TLS_EMPTY_RENEGOTIATION_INFO_SCSC What should I do to get only TLS_PSK_WITH_AES_128_CBC_SHA256 – karthik_p Jun 15 '21 at 07:31
  • in s_client and s_server I could see the implementation is not complete for PSK cipher. Let me know if I am wrong – karthik_p Jun 15 '21 at 07:31
  • supported_groups/ec_point_formats aren't used with the PSK ciphersuite you want. If you have correctly configured only that ciphersuite, and have also restricted the max TLS protocol version to TLSv1.2 then they won't be sent by OpenSSL. If you haven't prevented TLSv1.3 then they will still be sent. I've clarified my answer above in this area. – Matt Caswell Jun 15 '21 at 07:56
  • "along with this I could see the following suites as well": most of these are TLSv1.3 ciphersuites. These are configured separately using different API functions and are added automatically by default. If you restrict the maximum TLS protocol version to TLSv1.2 as described in my answer above then they aren't sent. The exception is "TLS_EMPTY_RENEGOTIATION_INFO_SCSC". This isn't really a ciphersuite at all and has a special meaning. You can't suppress it, but it will never be negotiated. It is harmless. Ignore it. I've clarified my answer above for these points too. – Matt Caswell Jun 15 '21 at 07:58
  • " Let me know if I am wrong". You are wrong s_client/s_server have a full PSK implementation. For example try this in one terminal window "openssl s_server -psk 01020304", then from another window type "openssl s_client -cipher PSK-AES128-CBC-SHA256 -psk 01020304 -no_tls1_3". You should see s_client and s_server connect using the PSK ciphersuite. – Matt Caswell Jun 15 '21 at 08:00