We are looking into supporting TLS-PSK for a set of constrained devices that do not have sufficient resources to do the normal TLS handshake using certificates. To that end we are looking for a TLS-PSK component that we can integrate on our (cloud) servers. This component may be anything: a proxy, a module for Apache or anything else that scales well.
So far we have found several libraries that support TLS-PSK: GnuTLS, OpenSSL amongst others. Moreover, we can find several HTTPS/TLS client libraries that we can use to send HTTP(S) requests over a TLS-PSK connection. However, what we have not been able to find are server-side solutions that would accept such TLS-PSK connections. The Apache modules mod_ssl and mod_gnutls do not expose the TLS-PSK capabilities of the underlying libraries. F5 Big-IP does not have TLS-PSK in its cipher lists. HAProxy does not have TLS-PSK interfaces either. The node.js TLS library had a pull request that became stale and hard to apply with all the recent TLS lib refactorings...
So in short: does anyone know of a TLS-PSK capable component that we can integrate in our server backends to accept TLS-PSK connections from a large set of clients?
stunnel might be capable of helping here. PSK was added in 5.09.
Installation
/etc/stunnel/stunnel.conf:
psk.txt (chmod 600):
Run with stunnel, or set up a service.
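As an added illustration (not the answer's own files), a minimal server-side stunnel configuration that terminates TLS-PSK in front of a plaintext HTTP backend; the listening port, the backend address, the service name and the identity/key values are assumptions chosen for the example:

```ini
; /etc/stunnel/stunnel.conf (added example; paths and ports are assumptions)

[psk-https]
; Accept TLS-PSK connections from the constrained devices on 443
; and forward the decrypted traffic to the HTTP backend on localhost.
accept  = 443
connect = 127.0.0.1:8080

; IDENTITY:KEY pairs, one per device, read from /etc/stunnel/psk.txt.
; Keep the file mode 600 (as the answer says): it holds the raw secrets.
; Constructed example lines for psk.txt (placeholder keys, not real ones):
;   device-0001:0123456789abcdef0123456789abcdef
;   device-0002:fedcba9876543210fedcba9876543210
PSKsecrets = /etc/stunnel/psk.txt

; Restrict this service to PSK cipher suites so that no certificate-based
; handshake is ever negotiated here; no cert/key directives are needed.
ciphers = PSK
```

A client that presents an unknown identity or a wrong key fails the handshake before any HTTP request reaches the backend, so per-device keys give a cheap way to revoke one device by deleting its line.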