PSK Support

Karstens, Nate Nate.Karstens at
Thu Jun 1 17:20:53 UTC 2017


I'm about push 3 patches that add support for PSK TLS cipher suites to nginx and thought it would be good to discuss the feature itself in a separate thread.

First, PSK support is useful in certain environments that are not conducive to a full public key infrastructure. The environment I'm personally working with is the recreational boating market; we are developing a new industry standard that relies on HTTPS, secured by PSK, for much of its underlying security protocol. I think this would also be useful to the IoT market. A quick search shows that some other users have been interested in this feature:,272443,272443

After applying the patches, one can enable PSK support by adding a few directives to their nginx.conf:

1) "ssl_nocert" -- This disables checks for a certificate within nginx. By default these checks are enabled because most users will need a certificate. This is analogous to the "-nocert" option in the OpenSSL s_server.
2) "ssl_psk_path" -- This is a local folder that contains all of the valid PSKs. Each file in the folder is loaded into memory as a PSK, and its file name is used as the PSK identity. When the client connects it specifies the identity of the PSK it is using for the connection. The server looks up the key using hash of the loaded PSKs and if the keys match then the TLS handshake is successful. Note that the identity of the PSK is made available in the variable $ssl_psk_identity.
3) Add some PSK ciphers to the "ssl_ciphers" directive.


Nate Karstens
Garmin International, Inc.


CONFIDENTIALITY NOTICE: This email and any attachments are for the sole use of the intended recipient(s) and contain information that may be Garmin confidential and/or Garmin legally privileged. If you have received this email in error, please notify the sender by reply email and delete the message. Any disclosure, copying, distribution or use of this communication (including attachments) by someone other than the intended recipient is prohibited. Thank you.

More information about the nginx-devel mailing list