Unfortunately that's not an option for our use case

On Thu, Oct 29, 2015 at 4:00 AM <stunnel-users-request@stunnel.org> wrote:

Today's Topics:

   1. hex key support for psk (Reese Wilson)
   2. Re: hex key support for psk (Michal Trojnara)


----------------------------------------------------------------------

Message: 1
Date: Wed, 28 Oct 2015 23:12:01 +0000
From: Reese Wilson <reesew@tzmedical.com>
To: stunnel-users@stunnel.org
Subject: [stunnel-users] hex key support for psk
Message-ID:
        <CAJU_q421ksnS8mCtkc6tApdTwUXJrNBZ+69Zt_HxJMpJLGBoiA@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

I ran into an issue with PSK reading the key as ascii instead of hex. I had
a gnutls-serv and gnutls-cli set up with a hex key, and I switched the
server for one wrapped using stunnel, but using the same key in psk.txt was
failing. I eventually got it working by converting the hex characters to
binary and placing that in the contents of the file specified by PSKsecrets
(psk.txt), but this won't work for certain scenarios. For example, what if
the key contains ascii newline characters?

------------------------------

Message: 2
Date: Thu, 29 Oct 2015 09:55:48 +0100
From: Michal Trojnara <Michal.Trojnara@mirt.net>
To: stunnel-users@stunnel.org
Subject: Re: [stunnel-users] hex key support for psk
Message-ID: <5631DF14.90003@mirt.net>
Content-Type: text/plain; charset=utf-8

On 29.10.2015 00:12, Reese Wilson wrote:
> I ran into an issue with PSK reading the key as ascii instead of
> hex. I had a gnutls-serv and gnutls-cli set up with a hex key, and
> I switched the server for one wrapped using stunnel, but using the
> same key in psk.txt was failing. I eventually got it working by
> converting the hex characters to binary and placing that in the
> contents of the file specified by PSKsecrets (psk.txt), but this
> won't work for certain scenarios. For example, what if the key
> contains ascii newline characters?

Do it the other way around: generate sufficiently long printable ASCII
pre-shared keys, and then hex-encode them for applications that
require hex-encoded pre-shared keys.  The same applies to any other
encoding (base64, rot13, etc.).

Yes, the interface of stunnel restricts the subset of bytes that may
be used for pre-shared keys (but not the length of those keys).  Yes,
this may require generating new pre-shared keys when you migrate to
stunnel from another product.  Yes, I consider this to be a feature.
You can use passphrases or your favourite password generator to
generate pre-shared keys for stunnel.  Changing the pre-shared key
when you migrate to stunnel is also *good* for your security.

Mike


------------------------------

End of stunnel-users Digest, Vol 135, Issue 19
**********************************************
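
The workflow suggested in Message 2 (generate a printable ASCII key first, then hex-encode it for peers that expect hex), as an added example that is not part of the original thread. The function names, the identity `client1` and the file name `psk.txt` are assumptions made for illustration; the `IDENTITY:KEY` line format is the one stunnel documents for `PSKsecrets`.

```shell
#!/bin/sh
# Added example; gen_ascii_psk, hex_encode, write_psk, client1 and psk.txt
# are illustrative names, not taken from the thread.

# Generate a printable-ASCII key of N characters (default 32) from the
# kernel CSPRNG. Alphanumerics only, so the key can never contain ':' or
# a newline, either of which would break an IDENTITY:KEY line.
gen_ascii_psk() {
    len=${1:-32}
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$len"
}

# Hex-encode the exact bytes of a string (no trailing newline is added).
# -v stops od from collapsing repeated 16-byte rows into a single '*'.
hex_encode() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# Write one IDENTITY:KEY line for stunnel's PSKsecrets file with
# owner-only permissions, and print the hex form of the same key for
# peers that take hex (for example gnutls-cli --pskkey).
write_psk() {
    identity=$1 key=$2 file=$3
    ( umask 077; printf '%s:%s\n' "$identity" "$key" >"$file" )
    hex_encode "$key"
}

# Demo: runs only when invoked as `sh thisfile.sh demo`.
if [ "${1:-}" = demo ]; then
    key=$(gen_ascii_psk 32)
    hex=$(write_psk client1 "$key" ./psk.txt)
    echo "stunnel side: PSKsecrets = ./psk.txt"
    echo "hex side:     --pskusername client1 --pskkey $hex"
fi
```

Both peers end up with the same key bytes: stunnel reads the ASCII characters from the file, and the hex-consuming peer decodes the hex string back to those same bytes.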