[openssl-project] Reuse of PSKs between TLSv1.2 and TLSv1.3

Matt Caswell matt at openssl.org
Wed Aug 8 10:28:11 UTC 2018

For the full background to this issue see:


TL;DR summary:

The TLSv1.2 and TLSv1.3 PSK mechanisms are quite different to each
other. OpenSSL (along with at least GnuTLS maybe others) has implemented
an upgrade path which enables the reuse of a TLSv1.2 PSK in TLSv1.3.
This is not prohibited by the spec. David Benjamin has raised concerns
about this due to key separation. Everything else in TLSv1.3 is provably
secure - but this is not. The spec has been updated to add some words of
warning about this.

There seems to be two schools of thought on what to do about this:

1) We should seek to avoid this risk. As a fix we should disable TLSv1.3
if TLSv1.2 PSKs have been configured. We expect that at some later time
the IETF will come up with a better answer and when that happens we can
implement it then. A PR to do the removal is here:

2) This is a theoretical risk - there might not actually be a problem at
all, its just that we can't prove it. OTOH not upgrading to TLSv1.3 is
definitely a bad thing, so we should just leave things as they are and
accept the theoretical risk.

I'll admit that I've been flip-flopping between the two approaches to
this and there doesn't seem to be a clear consensus forming. How should
we take this forward? Does it require an OMC vote?


More information about the openssl-project mailing list