tls: Add PSK support
Checklist
- tests and code linting passes
- a test and/or benchmark is included
- documentation is changed or added
- the commit message follows commit guidelines
Affected core subsystem(s)
tls, crypto
Description of change
This is another attempt at adding support for TLS-PSK, building on earlier work done in https://github.com/nodejs/node-v0.x-archive/pull/1162
The interface is different though, because the node tls interface has also changed some, and then there's also my opinion.
- The default cipher suite is not changed, and still includes `!PSK`.
- Unlike the previous PR, this one does not magically enable TLS-PSK if PSK options are specified. So even when `pskCallback` is specified, you'd still have to specify `ciphers` explicitly for anything to happen.
- The previous PR contained discussion about `rejectUnauthorized` and `socket.authorized`, but these have gotten much more explicit in recent node versions, it seems. They always pertain to PKI. In scenarios where PSK is used without PKI (most?), `rejectUnauthorized: false` must be explicitly set on the client.
- The `pskCallback` on client and server have compatible signatures, even though they have slightly different purposes. Applications dealing with both sides should have an easier time this way.
- Both JS and C++ check the openssl version and omit the functionality if not supported (like in the previous PR). Builds linked with an older openssl may ignore the new options silently.
- Tests are adapted from the original PR. They used to use `tls.createSecurePair`, but have been rewritten to use `tls.connect` and `tls.createServer`.
- Would personally love to see this in v6.x as well!
Ref: #3553 (closed), https://github.com/nodejs/node-v0.x-archive/pull/1162
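
A preflight check for the option interplay this PR describes, added here as an example and not code from the PR or from Node.js: it flags a `pskCallback` that cannot take effect because the cipher list excludes or never names PSK, and a PSK client that leaves PKI verification on. `pskState`, `pskPreflight`, the finding codes and `SAMPLE_DEFAULT_CIPHERS` are hypothetical names, and the cipher-string walk is a heuristic that only recognises tokens naming PSK.

```javascript
// Constructed stand-in for the default list, which per the PR text contains !PSK.
// Pass tls.DEFAULT_CIPHERS instead to check the list of a real build.
const SAMPLE_DEFAULT_CIPHERS = 'HIGH:!aNULL:!eNULL:!PSK';

// Walk an OpenSSL cipher string left to right and report how it treats PSK.
// Heuristic: only tokens that name PSK are recognised; whether broad aliases
// such as HIGH or ALL pull in PSK suites depends on the linked OpenSSL.
function pskState(cipherString) {
  let excluded = false;
  let named = false;
  for (const token of cipherString.split(/[:, ]+/).filter(Boolean)) {
    const op = '!-+'.includes(token[0]) ? token[0] : '';
    const name = token.slice(op.length).toUpperCase();
    if (op === '!' && name === 'PSK') excluded = true;      // permanent removal
    else if (op === '-' && name === 'PSK') named = false;   // may be re-added later
    else if (op === '' && name.includes('PSK')) named = true;
  }
  if (excluded) return 'excluded';
  return named ? 'named' : 'not-named';
}

// Hypothetical preflight: role is 'client' or 'server'; opts uses the option
// names from the PR description (pskCallback, ciphers, rejectUnauthorized).
function pskPreflight(role, opts, defaultCiphers = SAMPLE_DEFAULT_CIPHERS) {
  const findings = [];
  const wantsPsk = typeof opts.pskCallback === 'function';
  const state = pskState(opts.ciphers || defaultCiphers);
  if (wantsPsk && state === 'excluded') {
    findings.push(opts.ciphers ? 'PSK_EXCLUDED_BY_CIPHERS' : 'PSK_EXCLUDED_BY_DEFAULT');
  } else if (wantsPsk && state === 'not-named') {
    findings.push('PSK_NOT_NAMED_IN_CIPHERS');
  } else if (!wantsPsk && state === 'named') {
    findings.push('PSK_CIPHERS_WITHOUT_CALLBACK');
  }
  // rejectUnauthorized pertains to PKI, so a PSK-only client must turn it off.
  if (role === 'client' && wantsPsk && state === 'named' &&
      opts.rejectUnauthorized !== false) {
    findings.push('PKI_VERIFICATION_STILL_ON');
  }
  return findings;
}
```

An empty result means the options are consistent with each other; it does not show that the linked OpenSSL supports PSK, which the description notes can fail silently on older builds.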