[stunnel-users] hex key support for psk

Michal Trojnara Michal.Trojnara at mirt.net
Thu Oct 29 09:55:48 CET 2015


On 29.10.2015 00:12, Reese Wilson wrote:
> I ran into an issue with PSK reading the key as ascii instead of
> hex. I had a gnutls-serv and gnutls-cli set up with a hex key, and
> I switched the server for one wrapped using stunnel, but using the
> same key in psk.txt was failing. I eventually got it working by
> converting the hex characters to binary and placing that in the
> contents of the file specified by PSKsecrets (psk.txt), but this
> won't work for certain scenarios. For example, what if the key
> contains ascii newline characters?

Do it the other way around: generate sufficiently long printable ASCII
pre-shared keys, and then hex-encode them for applications that
require hex-encoded pre-shared keys.  The same applies to any other
encoding (base64, rot13, etc.).

Yes, the interface of stunnel restricts the subset of bytes that may
be used for pre-shared keys (but not the length of those keys).  Yes,
this may require generating new pre-shared keys when you migrate to
stunnel from another product.  Yes, I consider this to be a feature.
You can use passphrases or your favourite password generator to
generate pre-shared keys for stunnel.  Changing the pre-shared key
when you migrate to stunnel is also *good* for your security.

Mike
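
The approach in the reply above, as an added example (not part of the original message and not stunnel code): generate a printable-ASCII key first, then derive the hex form for tools that want hex, and check whether an existing hex key could be stored as raw text at all. The `IDENTITY:KEY` line layout, the identity `client1`, the 22-character floor and the sample hex key are assumptions made for illustration.

```python
import math
import secrets
import string

# Letters and digits only, so the key survives any line-oriented text file
# (no newline, NUL, colon or whitespace).
ALPHABET = string.ascii_letters + string.digits
MIN_LENGTH = 22  # assumed floor: 22 * log2(62) is about 131 bits of entropy


def generate_psk(length=32):
    """Return a random printable-ASCII pre-shared key of `length` characters."""
    if length < MIN_LENGTH:
        bits = length * math.log2(len(ALPHABET))
        raise ValueError(f"key too short: only about {bits:.0f} bits")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hex_for_other_tools(psk):
    """Hex-encode the ASCII key bytes for applications that expect hex."""
    return psk.encode("ascii").hex()


def usable_as_text_key(hex_key):
    """Can an existing hex key be stored as raw bytes on one text line?

    False when the decoded key holds a byte outside printable ASCII
    (for example 0x0a, a newline), the case raised in the question.
    """
    raw = bytes.fromhex(hex_key)
    return all(0x21 <= b <= 0x7E for b in raw)


def secrets_lines(identity, psk):
    """Build both file entries, assuming an IDENTITY:KEY line format."""
    if ":" in identity or not identity.isprintable():
        raise ValueError("identity must be printable and contain no ':'")
    return {
        "ascii_entry": f"{identity}:{psk}",                     # text-key consumer
        "hex_entry": f"{identity}:{hex_for_other_tools(psk)}",  # hex-key consumer
    }


if __name__ == "__main__":
    for name, line in secrets_lines("client1", generate_psk()).items():
        print(name, line)
    # Constructed sample: a hex key whose bytes include a newline (0a).
    print(usable_as_text_key("6b65790a31323334"))  # False
```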


