PSK Support

Maxim Dounin mdounin at
Tue Jun 13 16:54:45 UTC 2017


On Fri, Jun 09, 2017 at 03:40:15AM +0000, Karstens, Nate wrote:

> Maxim,
> OK, we can skip the patch for turning off the certificate 
> warnings (and just use a dummy certificate) and just support a 
> single PSK file.
> The {HEX} prefix seems OK. I think it would also be good to 
> support an {ASC}. It is unlikely that anyone would have an 
> ASCII-based PSK that starts with {HEX}, but using {ASC} would 
> provide a way to make prevent that case.

If somebody want to use a key which starts with {HEX}, an obvious 
solution would be to convert it to hex.  Supporting an additional 
prefix for plain-text keys might be an option too (in auth_basic 
it is called {PLAIN}, see, but I 
think that it would be good to interpret non-prefixed keys in a 
way compatible with stunnel.  So there will be 3 options:


> Also, instead of referring to text-based PSKs as ASCII, maybe 
> they should be UTF8-encoded and referred to as {TXT}?

I would rather avoid saying anything about character encoding, 
much like nginx does in most of the other places.  The {PLAIN} 
seems to be neutral enough.

Maxim Dounin

More information about the nginx-devel mailing list