Looks like I need to add a feature-define to allow the PSK cipher suites to be enabled only on platforms that configure mbedtls appropriately.

Thanks for the contribution.

The main things to discuss would be:

1. is it a useful (and secure?) feature to have for general purpose use?
2. how the API looks, whether it belongs to the ssl module or somewhere else (eg a new module like sslpsk).

Some background/prior art:

• an old request for this feature in CPython: https://bugs.python.org/issue19084
• implementation of PSK for CPython as a separate library: https://github.com/drbild/sslpsk

Thanks for reviewing!

is it a useful (and secure?) feature to have for general purpose use?

"Useful" depends on the point of view. "Secure" depends on the usage. The reason I implemented this is that I'm sick of insecure IoT and I find the whole cert thing a PITA to use, which is why I believe very few people actually use it. In comparison PSK is much easier.

Looking at MicroPython specifically I would argue that it is insecure by default. Examples for this are the unencrypted webrepl, no checking of TLS certs on ESP32, and the pyboard tool using telnet. I'm trying to get to ta point where users can opt for encryption with no more overhead than assigning a name and password to each device (or group of devices).

Ease of use is why I like the PSK cipher suites: they are super-simple to manage at small scale, specifically with Mosquitto. All that's needed is a ident:key file and the keys are trivial to generate (feed anything random into md5sum). The result is two-way auth (both server auths client and client auths server), which means it's as secure as TLS with verified server cert and verified client cert.

I'm working on an MQTT repl (see https://forum.micropython.org/viewtopic.php?f=2&t=7596) which would allow me to fully interact with devices over a single secure authenticated network connection (that moreover is outbound from the device, so no "open ports" on the device).
If we extended the functionality to also support server sockets the webrepl could be made to use PSK and from a user perspective it would be no more difficult to set-up than today, e.g. setting up a password on first use. I don't think the in-browser client would work with TLS-PSK, however :-(.

The big downside to the PSK stuff is that not enough software supports it. Basically a chicken and egg problem. Also, the attitude evident in https://bugs.python.org/issue19084 which is that outside of HTTPS nothing matters ("it is not a priority for protocols such as HTTPS"). (Incidentally, that's the same issue encountered in getting PSK into Go.)

In terms of cryptographic security, TLS-PSK uses the same crypto as the PK stuff, just that the key exchange is different. I'm not a cryptographer, but from all I can tell if you use equivalent ciphers it comes out to a wash. The weakest point in both cases is key management, whether we're talking about PSK or certs/pk's.

Also worth noting is that the PSK crypto is supposedly a lot faster than PK (I say "supposedly" because I haven't measured myself). I wonder how it would change the usability of TLS on an esp8266 (dunno whether the SDK supports the PSK ciphers).

how the API looks, whether it belongs to the ssl module or somewhere else (eg a new module like sslpsk).

In favor of keeping it separate in MP are that there is no CPython API to emulate and that it keeps this "concern" separate. Against is that it's probably quite a bit of duplicated code and that it makes the use of the PSK stuff harder 'cause one can't just pass in the ssl_params into existing libraries. E.g., to use Peter's mqtt_as library I'd have to clone it and modify it to use a different module for its wrap_socket. This is also the issue I'm facing with paho-mqtt in CPython: I have to either clone and hack or subclass and copy-override the connect and reconnect methods to use sslpsk.

Hey, if I'm the only one in the community who wants this then I should just continue to use my fork and not bother you... I'm also happy to commit to writing a MicroPython-focused tutorial on how to set PSK up and use it with Mosquitto.

@tve Going by forum posts there is considerable interest in easily used, reliable, fast crypto. I would certainly wish to support it in mqtt_as.

Personally, when I needed basic crypto for one of my IoT projects, it took me little to get sick of trying to use TLS, so I "downgraded" my crypto to AES-CTR + SHA256 HMAC with a pre-shared key (used over MQTT).

Being able to use the same scheme, over MQTT/HTTP, without adding extra code - that will be great!

@Jongy Thanks for taking the time to review! This needs more work, I'm currently focusing on tools and background data (e.g. performance) so the whole concept becomes more attractive to others so they can chime in and say "hey, I'd like this feature merged".

I did a first round of quick tests. This was on an esp32 with a tiny test pgm opening an MQTT connection to a mosquitto server running on an ODroid XU4 (rPi-4 type of performance):

• mqtt unencrypted: 18ms
• mqtt TLS-PSK: 101ms using TLS_PSK_WITH_AES_256_GCM_SHA384 (no PFS)
• mqtt TLS-PKI: 1236ms using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (has PFS), server uses a 2048 bit key

The code being timed is essentially:

s.connect((addr, port))
s = ssl.wrap_socket(s, <appropriate params>)
s.write(b"\x10\x10\x00\x04MQTT\x04\x02\x00\x3c\x00\x04hack")
ok = s.read(4) == b'\x20\x02\x00\x00'

I ran 10 iterations and took the median. The 10x improvement is noteworthy! However, I don't understand why a cipher without PFS (perfect forward secrecy) is selected in the TLS-PSK case, especially because I checked and both server and client announce that they do support appropriate ciphers. Note that in both cases the symmetric crypto is identical (AES_256_GCM_SHA384).

I then disabled the non-PFS ciphers for TLS-PSK and here's what I got:

• mqtt TLS-PSK: 974ms using TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 (has PFS)

So now the timing is comparable to the RSA cipher. Interesting...

I should add that the PSK versions include mutual auth, while the PKI test doesn't even include cert verification, never mind mutual auth (although I think in most cases auth would use a password exchange not client certs).

More tests to be done...

I just ran the same performance test on the esp8266, for grins, using the ready-made v1.12 download image. Note that the esp8266 uses axTLS, not mbedTLS.

• mqtt unencrypted: 282ms
• mqtt TLS-PKI: 622ms using cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256 (no PFS)
  "interesting..."
  maybe I should try TLS-PKI on the esp32 with the PFS cipher suites disabled to see how that compares.

I'm closing this PR for a couple of reasons:

• using PSK ciphers is an uphill battle because so little software supports it; every step of the way it's a PITA to find some obscure patch somewhere
• if one picks a cipher suite with PFS there is no performance advantage to the PSK ciphers, without PFS it's probably possible to find a low-security PKI cipher suite that takes less time, but that's probably a poor decision
• it's less work to get a cipher from let's encrypt (or to use self-signed certs) than to battle getting PSK into software, using the DNS challenge with acme-dns allows even devices without internet exposure to renew certs
• CPython doesn't support PSK ciphers, the unix port of micropython uses axtls: more hassles

So the bottom line is that I decided to throw in the towel, go with PKI and focus my energy elsewhere :-). If someone else is interested in picking up the PR, it's still all in github...