https://github.com/asimihsan/tls-psk

stunnel-lite clone demonstrating TLS 1.3 PSK with rotating PSKs
https://github.com/asimihsan/tls-psk

Last synced: 3 months ago
JSON representation

stunnel-lite clone demonstrating TLS 1.3 PSK with rotating PSKs

• Host: GitHub
• URL: https://github.com/asimihsan/tls-psk
• Owner: asimihsan
• License: apache-2.0
• Created: 2020-09-30T00:04:42.000Z (over 4 years ago)
• Default Branch: master
• Last Pushed: 2023-11-28T21:24:45.000Z (over 1 year ago)
• Last Synced: 2025-01-29T04:38:38.750Z (5 months ago)
• Language: Rust
• Size: 46.9 KB
• Stars: 0
• Watchers: 3
• Forks: 0
• Open Issues: 1
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
## TODO

- One out of four Tokio tasks stay running forward every each request.

## This project's proxy

Pre-requisites

```

brew install openssl

```

First tab

```

python -m http.server 8081 --bind 127.0.0.1

```

Second

```

cd tls-psk-tunnel

RUST_BACKTRACE=full cargo run --bin tls-psk-server

```

Third tab

```

cd tls-psk-tunnel

RUST_BACKTRACE=full cargo run --bin tls-psk-client

```

This sets up the exact same scenario as the stunnel scenario below.

Access `127.0.0.1:1133`, e.g. `curl 127.0.0.1:1133`, then you'll reach the Python server.

## stunnel TLS 1.3 external PSK proxy

### Background

This sets up:

```

Browser --> stunnel client (127.0.0.1:1133) --> stunnel server (127.0.0.1:4433) --> Python server (127.0.0.1:8081)

```

The stunnel client would in reality be running on the client, but here we run everything locally.

For example in the real world if server A is 10.0.1.1 on host A, and server B is 10.0.2.2 on host B, it would be:

```

Host A application --> stunnel client on host A (10.0.1.1:1133) --> stunnel server on host B (10.0.2.2:4433) --> Host B server (127.0.0.1:8081)

```

### Prerequisites

```

brew install stunnel

```

Then put following files in same directory:

```

psks-client.txt

psks-server.txt

stunnel-client.conf

stunnel-server.conf

```

### Steps

Three tabs. Tab 1 is Python server listening on 8001:

```

python -m http.server 8001 --bind 127.0.0.1

```

Tab 2 is stunnel server:

```

stunnel stunnel-server.conf

```

Tab 3 is stunnel client:

```

stunnel stunnel-client.conf

```

Now browse to `http://localhost:1133`.

References

-   https://www.stunnel.org/auth.html

## Using Openssl to test PSK mode

With all the debug logging you get a good view into how TLS PSK mode works. Also once you start playing around

with the TLS PSK proxy, using these commands is a way of verifying the proxy works.

Configure server:

```

$(brew --prefix openssl)/bin/openssl s_server -accept 4433 -tls1_3 -ciphersuites TLS_AES_128_GCM_SHA256 -psk 1a2b3c4d -psk_identity "Client #1" -nocert -msg -debug -security_debug_verbose -keylogfile /private/tmp/openssl-keylog-server

```

Connect using client:

```

$(brew --prefix openssl)/bin/openssl s_client -connect 127.0.0.1:4433 -tls1_3 -ciphersuites TLS_AES_128_GCM_SHA256 -psk 1a2b3c4d -psk_identity "Client #1" -msg -debug -security_debug_verbose -keylogfile /private/tmp/openssl-keylog-client

```

You can now type text in either the server or client, press ENTER, and it appears on the other side.

References:

-   General idea: https://github.com/openssl/openssl/issues/7433

-   "No suitable signature algorithm" error: https://github.com/openssl/openssl/issues/6197

-   https://www.openssl.org/docs/man1.1.1/man1/s_server.html

-   https://www.openssl.org/docs/man1.1.1/man1/s_client.html

-   PSK hints are only used in TLS 1.2: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_use_psk_identity_hint.html