-
Notifications
You must be signed in to change notification settings - Fork 144
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
support for TLS_PSK_WITH_NULL_SHA256 #288
Comments
Hi @lomer2! Thank you for reaching out. This is not on the roadmap right now. I am not a hardcore TLS guy so I am not sure how complicated implementation would be. I will discuss this with the team and come back to you. |
Hi @lomer2. I appreciate your patience. The core team discussed your request last week. Unless we are mistaken, it appears you want to use NetX Secure TLS 1.2 with a PSK and zero encryption to achieve some authentication and integrity checking only on TLS messages, leaving payloads unencrypted in plaintext. This use case resembles IPSec AH mode. Based on industry practices, NIST, and other authoritative sources, it should be avoided. It is completely eliminated in TLS 1.3. So, our initial reaction would be to decline your request. We have trouble justifying why we would add such a weak security profile to the code base. That said, feel free to share more information about your use case and requirements. This could lead us to reconsider. I will leave the issue open for now as we have this conversation. Best Regards, Frédéric |
Thanks @fdesbiens, |
Thank you for those details, @lomer2. I will bring this information back to the team for further discussion. From a long-term support perspective, I wonder if there could be better alternatives to fulfil your requirements given the cipher suite is removed in TLS 1.3. |
Hi,
I would like to add support to TLS_PSK_WITH_NULL_SHA256 cipher suite.
Is this a planned feature?
is it more to it than to add an appropriate line in the _nx_crypto_ciphersuite_lookup_table table?
Thanks!
The text was updated successfully, but these errors were encountered: