|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #79280 Add support for TLS-PSK
Submitted: 2020-02-19 00:35 UTC Modified: 2020-03-13 00:42 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: php at tudorholton dot com Assigned:
Status: Open Package: OpenSSL related
PHP Version: Next Major Version OS: Irrelevant
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2020-02-19 00:35 UTC] php at tudorholton dot com
According to the current example config of BareOS Backup Management System (

...php does not support TLS-PSK...

Why is this?  Is it possible to add it as a configuration option?


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2020-02-19 00:43 UTC] php at tudorholton dot com
I couldn't find any mention of it in the php documentation (positive or otherwise).
 [2020-02-25 14:34 UTC] rowan dot collins at gmail dot com
It's unclear what PHP support is wanted here, because it's not clear how this tool needs to interact with PHP. TLS connections *into* PHP are the responsibility of whatever web server you put in front of it; TLS connections *from* PHP would generally be the responsibility of either an extension like curl, or a stream wrapper (e.g. used with file_get_contents).

I'd not heard of TLS-PSK before, so I'm not clear how it is used in practice, but my guess would be that you'd need a way to specify the pre-shared key to use for a particular connection. Does this tool come with a PHP client of some sort, which would need this to connect over TLS?
 [2020-02-25 23:19 UTC] php at tudorholton dot com
The request is for a connection from PHP as a client to a server where the connection is encrypted with TLS-PSK.  Yes, a shared key needs to be supplied for the connection to work.  I believe that this is similar to PHP as a TLS client with a client certificate except that there's a shared key in place of two separate certificates (and no third-party verifier).  I've seen TLS-PSK used mainly in networks where a certificate authority is not available.

BareOS comes with a "WebUI" client which is where I got the example from.  The webui client source is here:

There is also a non-PHP (C++) client which successfully uses TLS-PSK here:

Every other part of this system defaults to TLS-PSK.  It's only the PHP part that can't do it, which is why I submit this bug request.  Seems a bit odd to me.
 [2020-03-11 22:40 UTC] rowan dot collins at gmail dot com
OK, looking at that library, it seems what they actually use to make HTTP requests is this library:

That in turn uses either PHP's curl bindings, or raw socket connections (with PHP's socket library providing the TLS encapsulation).

So the PHP support which would be needed would be:

- an option for the tls:// stream type, which is based on openssl:
- an option in the curl bindings:

I don't know what support either openssl or libcurl have for this, so I can't comment further on how easy it would be to add.
 [2020-03-12 02:26 UTC] php at tudorholton dot com
Thanks Rowan, that's a great help.

TSL-PSK support for OpenSSL for libcurl was discussed in 2015 but went stale.  See here:

(Unrelated, but libcurl does support PSK via WolfSSL in their release version, so they're not against PSK itself, it seems.)

I've asked if we can reopen the libcurl PR #394. :-)
 [2020-03-13 00:42 UTC] php at tudorholton dot com
Alternatively, would PHP with libcurl->WolfSSL work?  I haven't spent much time in configuring PHP, and my OS (Ubuntu) doesn't have a libcurl-wolfssl package, but I suppose it's possible to manually compile it.

PHP would still need an option to pass to libcurl, though.  It might be easier to compile a fork of libcurl-OpenSSL with the --tlk-psk switch enabled.
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Thu Oct 29 14:01:44 2020 UTC