Add support for pre-shared keys

[thomdev]

Client and server should have the option to use out-of-band pre-shared keys rather than certificates.

https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Pre-shared-keys

[normanmaurer]

Yes! I will add support for it.

[normanmaurer]

As it turns out this is only for TLS1.2 and so not what we need... currently investigating how to add support for TLS1.3 which is used for QUIC.

[normanmaurer]

We may need to wait for BoringSSL to add support /cc @davidben

[normanmaurer]

@davidben is this something you support yet ? It's not clear to me atm

[davidben]

We don't currently support it in TLS 1.3. The problem is the original TLS 1.3 PSK mechanism was, IMO, defined wrong. It does this hash-matching thing, but that ties together your PSK configuration (managed by the caller), and TLS parameter selection (in many cases, library behavior).

Imported PSKs resolves this. My motivation there was, in fact, "someone is going to want PSKs someday and I want this specified before I need to implement it". 😄 But all the folks who wanted PSKs have since fizzled, so we never ended up implementing it. It's just sitting there as the plan of record, should we ever want to add it.

[normanmaurer]

@davidben got it... So I guess there is not much we can do here really.

[aozmen121]

@davidben & @normanmaurer Any Updates on PSKs being supported by Netty? We currently have requirements to handle PSK with TLS 1.2 min.

[aozmen121]

@davidben Any update on this?