EldoS | Feel safer!

TLS Server and Client with PSK

#34115
Posted: 07/27/2015 18:16:15
by Mat  (Basic support level)

I am having difficulty getting a TLS Server / Client solution to work with a PSK. I have read your documentation regarding enabling the cipher suites using the CipherSuites property and implementing a handler for the OnKeyNeeded event. Do you have an example you could share or more detailed instructions on how to implement this?

We are currently evaluating your product for use with our project. Any help would be greatly appreciated!
#34118
Posted: 07/28/2015 02:01:16
by Ken Ivanov (EldoS Corp.)

Hi Mat,

Thank you for contacting us.

Support for PSK cipher suites is turned off in the components by default. You should enable them explicitly if you wish the components to talk PSK. The cipher suites can be enabled in the following way:

Code
// Delphi
Client.CipherSuites[SB_SUITE_PSK_AES256_SHA] := true;
Client.CipherSuites[SB_SUITE_PSK_AES128_GCM_SHA256] := true;
// please add all cipher suites you wish to be supported
// ...

// C#
Client.set_CipherSuites(SB_SUITE_PSK_AES256_SHA, true);
Client.set_CipherSuites(SB_SUITE_PSK_AES128_GCM_SHA256, true);
// please add all cipher suites you wish to be supported
// ...


The same routine should be performed for the server component. Please note that the client and server components should have at least one cipher suite in common to be able to communicate.

If you wish the components to only talk PSK (and no other cipher suites), it is a good idea to disable all the remaining (non-PSK) cipher suites.

Please note that if you choose to stick to authenticated PSK cipher suites (e.g. SB_SUITE_RSA_PSK_xxx), you would need a certificate to be available on the server side.

Besides adjusting the cipher suites, you should handle the OnKeyNeeded event on both sides and use the handlers to pass the value of the pre-shared key back to the components.

That's everything you should do about the configuration to set up a PSK environment (no further adjustments are required). As you've apparently done that, let's try to pinpoint the connectivity problem you are coming across. First of all, please place a breakpoint in the OnKeyNeeded handlers and check if they are invoked at all. If they are, it is also a good chance to check that the values of the pre-shared key returned on both client and server sides are the same.

If both events are invoked and the keys are the same, could you please check if any error is reported via the OnError event (normally it is). It would help much if you share that error code with us so that we have an idea of what is going wrong.

Ken
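Ken's checklist (a suite in common, OnKeyNeeded firing on both sides, identical key values, then the OnError code) follows directly from how the TLS 1.2 PSK handshake is built. The Python below is an added illustration, not code from this thread or from the EldoS components: it derives the master secret from a pre-shared key exactly as RFC 4279 (plain PSK_* suites) and the RFC 5246 PRF specify, runs the server-side check of the client's Finished message, and shows why a key mismatch is only detected there rather than in the key callback. The client/server randoms, the transcript hash and the PSK values are constructed test data, and the mapping of the SB_SUITE_* constants from the post onto IANA suite names is an assumption made for the example.

```python
from __future__ import annotations

import hashlib
import hmac


# --- TLS 1.2 PRF (RFC 5246, section 5), SHA-256 variant ---------------------
def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 expansion: HMAC(secret, A(i) || seed) blocks until `length` bytes."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, "sha256").digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, "sha256").digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label || seed)."""
    return p_hash(secret, label + seed, length)


# --- PSK key schedule (RFC 4279, section 2) ---------------------------------
def psk_premaster_secret(psk: bytes) -> bytes:
    """Plain PSK_* suites: other_secret is N zero bytes (N = len(psk)), so the
    premaster is uint16(N) || N zeros || uint16(N) || PSK. RSA_PSK/DHE_PSK suites
    put the RSA or DH secret in the first field instead (not modelled here)."""
    if not 0 < len(psk) <= 0xFFFF:
        raise ValueError("PSK must be 1..65535 bytes")
    n = len(psk).to_bytes(2, "big")
    return n + bytes(len(psk)) + n + psk


def master_secret(psk: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(premaster, "master secret", client_random || server_random)[:48]."""
    return tls12_prf(psk_premaster_secret(psk), b"master secret",
                     client_random + server_random, 48)


def finished_verify_data(master: bytes, label: bytes, handshake_hash: bytes) -> bytes:
    """verify_data = PRF(master_secret, finished_label, Hash(handshake_messages))[:12]."""
    return tls12_prf(master, label, handshake_hash, 12)


# --- Cipher-suite intersection: the "at least one suite in common" rule -----
# Assumed mapping of the SB_SUITE_* names in the post to IANA suite names.
SB_SUITE_PSK_AES256_SHA = "TLS_PSK_WITH_AES_256_CBC_SHA"
SB_SUITE_PSK_AES128_GCM_SHA256 = "TLS_PSK_WITH_AES_128_GCM_SHA256"


def negotiate_suite(client_suites: list[str], server_suites: list[str]) -> str | None:
    """Pick the first client-offered suite the server also enables (client preference;
    a real server may apply its own order, the emptiness test is the same). None means
    the handshake fails before any key callback runs (handshake_failure alert)."""
    for s in client_suites:
        if s in server_suites:
            return s
    return None


# --- Both sides of the handshake --------------------------------------------
def simulate_psk_handshake(client_psk: bytes, server_psk: bytes, client_random: bytes,
                           server_random: bytes, handshake_hash: bytes) -> dict:
    """Each side derives its own master secret from the key its OnKeyNeeded-style
    callback returned; the server then recomputes and checks the client's Finished."""
    cm = master_secret(client_psk, client_random, server_random)
    sm = master_secret(server_psk, client_random, server_random)
    sent = finished_verify_data(cm, b"client finished", handshake_hash)
    expected = finished_verify_data(sm, b"client finished", handshake_hash)
    return {"client_master": cm, "server_master": sm,
            "finished_ok": hmac.compare_digest(sent, expected)}


# Constructed test data (not real traffic).
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
HANDSHAKE_HASH = hashlib.sha256(b"constructed ClientHello..ClientKeyExchange transcript").digest()


def demo() -> dict:
    client = [SB_SUITE_PSK_AES128_GCM_SHA256, SB_SUITE_PSK_AES256_SHA]
    server_ok = [SB_SUITE_PSK_AES256_SHA]              # overlap on one suite
    server_bad = ["TLS_RSA_WITH_AES_128_GCM_SHA256"]    # PSK suites left disabled
    good = simulate_psk_handshake(b"s3cret-psk", b"s3cret-psk", CLIENT_RANDOM, SERVER_RANDOM, HANDSHAKE_HASH)
    typo = simulate_psk_handshake(b"s3cret-psk", b"s3cret-psk ", CLIENT_RANDOM, SERVER_RANDOM, HANDSHAKE_HASH)
    return {"suite": negotiate_suite(client, server_ok),
            "no_suite": negotiate_suite(client, server_bad),
            "same_key_ok": good["finished_ok"],
            "mismatch_ok": typo["finished_ok"]}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two consequences are worth keeping in mind while following Ken's steps. First, with no suite in common the handshake is rejected at ServerHello, so neither OnKeyNeeded handler will fire; a breakpoint that is never hit points at the suite configuration, not the key. Second, a wrong or trailing-whitespace PSK is not an error the key callback can see: both handlers run happily, the two master secrets simply diverge, and the failure only surfaces when the peer cannot verify Finished (typically reported as a bad_record_mac or decrypt_error alert), which is why the OnError code is the useful datum to report.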

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.