beremiz

PYRO PSK: adjusted cipher and key length to be usable with openSSL 1.0.2k.

2018-10-30, Edouard Tisserant
71593d3f880b
Parents 1cf3768ebf85
Children d42ae2877b6e
PYRO PSK: adjusted cipher and key length to be usable with openSSL 1.0.2k.
2 files changed, 5 insertions(+), 5 deletions(-)
  • +1 -1
    connectors/PYRO/PSK_Adapter.py
  • +4 -4
    runtime/Stunnel.py
    • --- a/connectors/PYRO/PSK_Adapter.py Mon Oct 29 11:33:36 2018 +0100
    +++ b/connectors/PYRO/PSK_Adapter.py Tue Oct 30 09:45:47 2018 +0100
    @@ -29,7 +29,7 @@
    _connect_socket(raw_sock, URI.address, URI.port, self.timeout)
    sock = sslpsk.wrap_socket(
    raw_sock, psk=Pyro.config.PYROPSK, server_side=False,
    - ciphers="PSK-AES256-GCM-SHA384:PSK-AES256-CBC-SHA",
    + ciphers="PSK-AES256-CBC-SHA", # available in openssl 1.0.2
    ssl_version=ssl.PROTOCOL_TLSv1)
    # all the rest is the same as in Pyro/protocol.py
    --- a/runtime/Stunnel.py Mon Oct 29 11:33:36 2018 +0100
    +++ b/runtime/Stunnel.py Tue Oct 30 09:45:47 2018 +0100
    @@ -11,11 +11,11 @@
    _PSKpath = None
    def PSKgen(ID, PSKpath):
    - secret = os.urandom(256) # 2048 bits is still safe nowadays
    - # following makes 512 length string, rejected by stunnel
    - # using binascii hexlify loses 50% entropy
    - # secretstring = hexlify(secret)
    + # 236 bytes is empirical maximum when using :
    + # - stunnel 5.36 on server with openssl 1.0.2k
    + # - python-sslpsk 1.0.0 on client with openssl 1.0.2k
    + secret = os.urandom(236)
    secretstring = secret.translate(translator)
    PSKstring = ID+":"+secretstring