Enable PSK by default
Currently, setting PSK credential callbacks with GnuTLS results in PSK silently not working. You also have to enable PSK in the priorities. There is no documentation on this problem and the behavior is cryptic.
I propose enabling the PSK family of algorithms by default. This way, setting the PSK callbacks will work by default. If an admin overrides this with "-PSK" (etc), it should forcibly disable PSK regardless of the callbacks.
I realize this raises the question of PSK vs DHE-PSK vs ECDHE-PSK. There are no known weaknesses with ECDHE-PSK or DHE-PSK. So these should be preferred to PSK because they provide PFS. Should a weakness be discovered, they can be demoted. Likewise, should a user feel paranoid about asymmetric cryptography, they can simply override the default.