--- a/connectors/PYRO/PSK_Adapter.py	Mon Oct 29 11:33:36 2018 +0100
+++ b/connectors/PYRO/PSK_Adapter.py	Tue Oct 30 09:45:47 2018 +0100
@@ -29,7 +29,7 @@
                 _connect_socket(raw_sock, URI.address, URI.port, self.timeout)
                 sock = sslpsk.wrap_socket(
                     raw_sock, psk=Pyro.config.PYROPSK, server_side=False,
-                    ciphers="PSK-AES256-GCM-SHA384:PSK-AES256-CBC-SHA",
+                    ciphers="PSK-AES256-CBC-SHA", # available in openssl 1.0.2 
                     ssl_version=ssl.PROTOCOL_TLSv1)
                 # all the rest is the same as in Pyro/protocol.py 
 

--- a/runtime/Stunnel.py	Mon Oct 29 11:33:36 2018 +0100
+++ b/runtime/Stunnel.py	Tue Oct 30 09:45:47 2018 +0100
@@ -11,11 +11,11 @@
 _PSKpath = None
 
 def PSKgen(ID, PSKpath):
-    secret = os.urandom(256) # 2048 bits is still safe nowadays
 
-    # following makes 512 length string, rejected by stunnel
-    # using binascii hexlify loses 50% entropy
-    # secretstring = hexlify(secret)
+    # 236 bytes is empirical maximum when using :
+    #  - stunnel 5.36 on server with openssl 1.0.2k
+    #  - python-sslpsk 1.0.0 on client with openssl 1.0.2k
+    secret = os.urandom(236) 
 
     secretstring = secret.translate(translator)
     PSKstring = ID+":"+secretstring