[openssl-users] PSK generation for TLS 1.3

Matt Caswell matt at openssl.org
Mon Jul 3 09:11:52 UTC 2017



On 30/06/17 22:18, Neetish Pathak wrote:
> Hi All,
> Can anyone provide me pointers on how can we generate external PSK to be
> used in TLS 1.3.
> 
> When I save a session using SSL_CTX_sess_set_new_cb(), it provides an
> in-band PSK for next resumption connection. 
> I use PEM_write_bio_SSL_SESSION to save the session.
> 
> 
> How do we use PSK externally? Can I use the same session file which was
> saved during in-band connection? I believe in case of an external PSK,
> both client and server should have a copy in advance.

Yes, you can do that if you want - like you said, you just need to make sure
that the session file is used on both the client and the server.
Alternatively you can "create" a new session file, e.g.
s_server/s_client do it like this:

        usesess = SSL_SESSION_new();
        if (usesess == NULL
                || !SSL_SESSION_set1_master_key(usesess, key, key_len)
                || !SSL_SESSION_set_cipher(usesess, cipher)
                || !SSL_SESSION_set_protocol_version(usesess, TLS1_3_VERSION)) {
            OPENSSL_free(key);
            goto err;
        }


Matt