Introduce option allowing TLS 1.3 server to prefer psk_ke over psk_dhe_ke #22794
Good work. Could you please add CHANGES.md entry?
…non-dhe psk key exchange over psk with dhe (config file option `PreferNoDHEKEX`, server option `prefer_no_dhe_kex`).
@t8m Thank you! Improved as suggested. As the doc build complained about docs missing in Btw, the CLA is on its way.
I would keep it at the client docs. However you also need to add the description for the new command line option in SSL_CONF_cmd.pod around line 98 and mention there that it is ignored on client.
LGTM
@t8m I closed and reopened the PR to get rid of the 'CLA missing' tag. I've added the changelog in anticipation of version 3.3. Anything else missing from my side?
Nope, this is good as is.
24 hours have passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually.
Pushed. Thanks!
…non-dhe psk key exchange over psk with dhe (config file option `PreferNoDHEKEX`, server option `prefer_no_dhe_kex`). Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from #22794)
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from #22794)
…L version 3.3. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from #22794)
Introduce option `SSL_OP_PREFER_NO_DHE_KEX`, which allows configuring a TLS 1.3 server to prefer session resumption using PSK-only key exchange over PSK with DHE, if both are available. The option is ignored unless PSK-only is explicitly allowed via `SSL_OP_ALLOW_NO_DHE_KEX`.
Config file option: `PreferNoDHEKEX`. Server option: `prefer_no_dhe_kex`.
This PR addresses #22783.
Checklist
ToDo: `SSL_CONF_cmd.pod`.
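The description above says the new option only takes effect when PSK-only resumption has already been allowed. The configuration fragment below is an added illustration, not part of the PR or of OpenSSL's own documentation; it assumes the SSL configuration module's `Options` command accepts the `AllowNoDHEKEX` flag (the pre-existing option) and the `PreferNoDHEKEX` flag this PR adds, and that the application picks the section up through `openssl_conf`.

```ini
# Added illustration (not from the PR): system-wide OpenSSL configuration
# that lets a TLS 1.3 server resume with PSK-only key exchange and, once
# this PR's option is available, prefer it over PSK with (EC)DHE.
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
# Applies to every SSL_CTX the application creates (server side here).
system_default = system_default_sect

[system_default_sect]
# PSK-only (psk_ke) resumption is a TLS 1.3 mode, so pin the floor there.
MinProtocol = TLSv1.3
# AllowNoDHEKEX: permit psk_ke resumption at all (existing option). Without
#   it, PreferNoDHEKEX is ignored, as the PR description states.
# PreferNoDHEKEX: when the client offers both psk_ke and psk_dhe_ke, pick
#   psk_ke. This skips the (EC)DHE computation, but the resumed session then
#   has no forward secrecy. Ignored when set on the client side.
Options = AllowNoDHEKEX,PreferNoDHEKEX

# Equivalent in code:
#   SSL_CTX_set_options(ctx, SSL_OP_ALLOW_NO_DHE_KEX | SSL_OP_PREFER_NO_DHE_KEX);
# Equivalent for the test server:
#   openssl s_server -allow_no_dhe_kex -prefer_no_dhe_kex ...
```

Leave `PreferNoDHEKEX` out (keeping only `AllowNoDHEKEX`) to get the previous behaviour, where the server still chooses psk_dhe_ke whenever the client offers it.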