PSK Support
Maxim Dounin
mdounin at mdounin.ru
Tue Jun 13 16:54:45 UTC 2017
Hello!

On Fri, Jun 09, 2017 at 03:40:15AM +0000, Karstens, Nate wrote:

> Maxim,
>
> OK, we can skip the patch for turning off the certificate
> warnings (and just use a dummy certificate) and just support a
> single PSK file.
>
> The {HEX} prefix seems OK. I think it would also be good to
> support an {ASC}. It is unlikely that anyone would have an
> ASCII-based PSK that starts with {HEX}, but using {ASC} would
> provide a way to prevent that case.

If somebody wants to use a key which starts with {HEX}, an obvious
solution would be to convert it to hex. Supporting an additional
prefix for plain-text keys might be an option too (in auth_basic
it is called {PLAIN}, see nginx.org/r/auth_basic_user_file), but I
think that it would be good to interpret non-prefixed keys in a
way compatible with stunnel. So there will be 3 options:

    identity:key
    identity:{PLAIN}key
    identity:{HEX}6b6579

> Also, instead of referring to text-based PSKs as ASCII, maybe
> they should be UTF8-encoded and referred to as {TXT}?

I would rather avoid saying anything about character encoding,
much like nginx does in most of the other places. The {PLAIN}
seems to be neutral enough.
--
Maxim Dounin
http://nginx.org/