TLS 1.3 PSK succeeds even if the pre-shared key is wrong

brandon.murphy1996 brandon.murphy1996 at protonmail.com
Mon Apr 20 15:42:02 UTC 2020


Hi Matt

Thanks for the reply.

Yes! the handshake completes even when the PSK does not match between the ones provided in Client and Server. However, if there is a mismatch in the provided identity inside the callbacks, I see the above-mentioned error(the bad extension one).

Unless I am missing something, if the code was not trying to perform a PSK verification, I would have received a complete handshake even if there was identity value mismatch between find_session_cb and use_session_cb.

Moreover, I am using SSL_CTX_set_verify() with option SSL_VERIFY_PEER. Also, I am not providing the client Hello with any certificates. So I see no reason for handshake to complete without verification.

Thanks
Bran


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, April 20, 2020 5:35 PM, Matt Caswell <matt at openssl.org> wrote:

> On 20/04/2020 12:59, brandon.murphy1996 via openssl-users wrote:
>
> > From what I noticed, the handshake completes successfully, regardless
> > of the value of "psk_key" (as long as PSK length is even). However,
> > if the identity value is mismatched between psk_find_session_cb and
> > use_session_cb, the handshake fails with the message:
>
> It's not clear from your question what you expected to happen. The
> length of the PSK key doesn't actually matter from a TLS perspective
> (obviously in practice it is best if the length is consistent with the
> ciphersuite key length).
>
> Or did you mean that that the value doesn't matter - even if it is
> mismatched with the client's value? That would be unexpected (and
> probably indicates you are not actually using the PSK at all and doing a
> full handshake).
>
> Matt




More information about the openssl-users mailing list