[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: TLS-PSK and TLS-SRP support?
|
From: |
Ander Juaristi |
|
Subject: |
Re: TLS-PSK and TLS-SRP support? |
|
Date: |
Wed, 16 Sep 2020 14:31:04 +0200 |
|
User-agent: |
Roundcube Webmail |
El 2020-09-15 19:05, Witold Baryluk escribió:
Hi,
I love wget, but I can't find if it supports PSK or SRP protocols?
Underlying openssl supports them, and it would be nice to use it with
wget when, especially when using TLS v1.2 and TLS v1.3.
I am mostly interested in PSK, but SRP support would be also very
useful. I do have a HTTP server that do use TLS v1.3 (and 1.2), and
uses PSK for mutual authentication and encryption. I verified it is
working using various tools and code, but it can't be easily used
using generic tools like wget. There is work in curl to add support
for PSK too.
Indeed, none of these are supported.
SRP is a legacy protocol nowadays. It pursued interesting goals, such as
being hard to brute-force the password.
However unfortunately nobody cared enough to maintain it and it's not up
to modern-day standards.
AFAIK SHA-1 is the only supported hash function which is insecure, there
is no elliptic-curve equivalent, and hasn't been adapted to TLS 1.3.
PSK is a different issue. I personally wouldn't oppose to supporting it.
I'd rather not let the user to manage PSKs directly, but this is a
matter of taste. What's more, PSKs are the basis of 0-RTT in TLS 1.3 and
IMO that's a good thing wget2 should do implicitly.
If it is supported, (maybe using --ciphers option), it seems not
documented. At least I don't see ways to provide psk or parameters to
srp parts. (as far as I know, this can't be provided via
--private-key). Option to provide a password on the command line, or
via an ASCII, binary or hex file would be the best. (to not leak
password via /proc/*/cmdline).
Thank you!