[erlang-questions] Enabling TLS-PSK issue, Erlang is missing Ciphers? How would I add new ones?

Andreas Schultz aschultz@REDACTED
Fri Jul 7 17:55:11 CEST 2017


----- On Jul 7, 2017, at 4:39 PM, asdf asdf codewiget95@REDACTED wrote:

> Hello everyone,

> I am currently working on adding PSK functionality to EMQTT and/or RabbitMQ, and
> my first goal is to get it working in standard Erlang. I have a client that
> will connect with public-keys, and I am attempting to modify it to suit my
> needs.

You are aware that PSK (pre-shared keys) and client certificates are two different beasts? Your "public-keys" reference sounds a lot like client certificates! 

> A problem I have just encountered though is that Erlang does not seem to have
> any psk-ciphers , when I run rp(ssl:cipher_suites(erlang)) . in the erlang
> terminal, I get a long list of ciphers but none of them are psk ciphers.

That's because ssl:cipher_suites(erlang) only lists the default suites, you need to use ssl:cipher_suites(all) to really see all suites. 

> For example, a cipher I am looking for is {psk, aes_256, sha512}, but none are
> psk:

There is no cipher suite that has "sha512" in its name. However, in TLS 1.2 the server and client are free to negotiate sha512 as hash for the verification of handshake. 

Some possible candidates are: 
 * {dhe_psk, aes_256_gcm, null, sha384} 
 * {dhe_psk, aes_256_cbc, sha384} 
 * {rsa_psk, aes_256_gcm, null, sha384} 
 * {rsa_psk, aes_256_cbc, sha384}

I would strongly recommend the DHE ciphers!

> - I know/think that I also need to use a lookup_fun on my server in ssl:listen to go and match the psk_identity presented by the client to a profile ,
> I received this link: [ https://github.com/erlang/otp/blob/32a1dca92c0f949ef6ce2c751b23aff82f9d998f/lib/ssl/test/ssl_test_lib.erl#L404 | from another thread, pointing me to example implementation of the lookup_fun (sort of, not really). IF anyone can shed more light on this, I would greatly appreciate it. This is the next step once my server begins to recognize the cipher suite. 

For PSK, you need a lookup function that gets the User Hint from the TLS Client Hello and returns the {ok, PSK} for that user. The PSK needs to be a binary.
A very simple version with the same PSK for every user would be:

    user_lookup(psk, _Username, UserState) ->
        {ok, UserState}.

And then you add this to your ssl options:

   {user_lookup_fun, {fun user_lookup/3, <<"secret">>}},


PS: please do not send HTML formated mails. Other might be fine with them, but I won't respond to them.

More information about the erlang-questions mailing list