@@ -173,6 +173,8 @@ specifying a cipher suite with the `ciphers` option. The list of available
173173ciphers can be retrieved via ` openssl ciphers -v 'PSK' ` . All TLS 1.3
174174ciphers are eligible for PSK and can be retrieved via
175175` openssl ciphers -v -s -tls1_3 -psk ` .
176+ On the client connection, a custom ` checkServerIdentity ` should be passed
177+ because the default one will fail in the absence of a certificate.
176178
177179According to the [ RFC 4279] [ ] , PSK identities up to 128 bytes in length and
178180PSKs up to 64 bytes in length must be supported. As of OpenSSL 1.1.0
@@ -181,6 +183,30 @@ maximum identity size is 128 bytes, and maximum PSK length is 256 bytes.
181183The current implementation doesn't support asynchronous PSK callbacks due to the
182184limitations of the underlying OpenSSL API.
183185
186+ To use TLS-PSK, client and server must specify the ` pskCallback ` option,
187+ a function that returns the PSK to use (which must be compatible with
188+ the selected cipher's digest).
189+
190+ It will be called first on the client:
191+
192+ * hint: {string} optional message sent from the server to help the client
193+ decide which identity to use during negotiation.
194+ Always ` null ` if TLS 1.3 is used.
195+ * Returns: {Object} in the form
196+ ` { psk: <Buffer|TypedArray|DataView>, identity: <string> } ` or ` null ` .
197+
198+ Then on the server:
199+
200+ * socket: {tls.TLSSocket} the server socket instance, equivalent to ` this ` .
201+ * identity: {string} identity parameter sent from the client.
202+ * Returns: {Buffer|TypedArray|DataView} the PSK (or ` null ` ).
203+
204+ A return value of ` null ` stops the negotiation process and sends an
205+ ` unknown_psk_identity ` alert message to the other party.
206+ If the server wishes to hide the fact that the PSK identity was not known,
207+ the callback must provide some random data as ` psk ` to make the connection
208+ fail with ` decrypt_error ` before negotiation is finished.
209+
184210### Client-initiated renegotiation attack mitigation
185211
186212<!-- type=misc -->
@@ -1646,25 +1672,7 @@ changes:
16461672 verified against the list of supplied CAs. An ` 'error' ` event is emitted if
16471673 verification fails; ` err.code ` contains the OpenSSL error code. ** Default:**
16481674 ` true ` .
1649- * ` pskCallback ` {Function}
1650-
1651- * hint: {string} optional message sent from the server to help client
1652- decide which identity to use during negotiation.
1653- Always ` null ` if TLS 1.3 is used.
1654- * Returns: {Object} An object in the form
1655- ` { psk: <Buffer|TypedArray|DataView>, identity: <string> } `
1656- or ` null ` to stop the negotiation process. ` psk ` must be
1657- compatible with the selected cipher's digest.
1658- ` identity ` must use UTF-8 encoding.
1659-
1660- When negotiating TLS-PSK (pre-shared keys), this function is called
1661- with optional identity ` hint ` provided by the server or ` null `
1662- in case of TLS 1.3 where ` hint ` was removed.
1663- It will be necessary to provide a custom ` tls.checkServerIdentity() `
1664- for the connection as the default one will try to check host name/IP
1665- of the server against the certificate but that's not applicable for PSK
1666- because there won't be a certificate present.
1667- More information can be found in the [ RFC 4279] [ ] .
1675+ * ` pskCallback ` {Function} For TLS-PSK negotiation, see [ Pre-shared keys] [ ] .
16681676 * ` ALPNProtocols ` : {string\[ ] |Buffer\[ ] |TypedArray\[ ] |DataView\[ ] |Buffer|
16691677 TypedArray|DataView}
16701678 An array of strings, ` Buffer ` s, ` TypedArray ` s, or ` DataView ` s, or a
@@ -2123,25 +2131,7 @@ changes:
21232131 default callback with high-level API will be used (see below).
21242132 * ` ticketKeys ` : {Buffer} 48-bytes of cryptographically strong pseudorandom
21252133 data. See [ Session Resumption] [ ] for more information.
2126- * ` pskCallback ` {Function}
2127-
2128- * socket: {tls.TLSSocket} the server [ ` tls.TLSSocket ` ] [ ] instance for
2129- this connection.
2130- * identity: {string} identity parameter sent from the client.
2131- * Returns: {Buffer|TypedArray|DataView} pre-shared key that must either be
2132- a buffer or ` null ` to stop the negotiation process. Returned PSK must be
2133- compatible with the selected cipher's digest.
2134-
2135- When negotiating TLS-PSK (pre-shared keys), this function is called
2136- with the identity provided by the client.
2137- If the return value is ` null ` the negotiation process will stop and an
2138- "unknown\_ psk\_ identity" alert message will be sent to the other party.
2139- If the server wishes to hide the fact that the PSK identity was not known,
2140- the callback must provide some random data as ` psk ` to make the connection
2141- fail with "decrypt\_ error" before negotiation is finished.
2142- PSK ciphers are disabled by default, and using TLS-PSK thus
2143- requires explicitly specifying a cipher suite with the ` ciphers ` option.
2144- More information can be found in the [ RFC 4279] [ ] .
2134+ * ` pskCallback ` {Function} For TLS-PSK negotiation, see [ Pre-shared keys] [ ] .
21452135 * ` pskIdentityHint ` {string} optional hint to send to a client to help
21462136 with selecting the identity during TLS-PSK negotiation. Will be ignored
21472137 in TLS 1.3. Upon failing to set pskIdentityHint ` 'tlsClientError' ` will be
@@ -2292,6 +2282,7 @@ added:
22922282[ Mozilla's publicly trusted list of CAs ] : https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
22932283[ OCSP request ] : https://en.wikipedia.org/wiki/OCSP_stapling
22942284[ OpenSSL Options ] : crypto.md#openssl-options
2285+ [ Pre-shared keys ] : #pre-shared-keys
22952286[ RFC 2246 ] : https://www.ietf.org/rfc/rfc2246.txt
22962287[ RFC 4086 ] : https://tools.ietf.org/html/rfc4086
22972288[ RFC 4279 ] : https://tools.ietf.org/html/rfc4279
0 commit comments