[openssl-users] TLS 1.3 PSK test server setup
matt at openssl.org
Thu Feb 15 14:57:20 UTC 2018
On 14/02/18 23:33, Viktor Dukhovni wrote:
>> On Feb 14, 2018, at 6:14 PM, Matt Caswell <matt at openssl.org> wrote:
>> For a PSK to be used in needs to be the correct length for the selected
>> ciphersuite. The ciphersuite is selected *first*. Next the available
>> PSKs are checked to see if they are usable with that ciphersuite.
> Is that (choosing the cipher first) correct behaviour? If the server
> is given a specific certificate it limits its ciphers to those that
> are compatible with the certificate's public key. It seems to me that
> "-psk" should not be different. If we are doing PSK, we should likely
> filter the ciphers to those that work with the supplied PSK first.
As pointed out by Hubert in #5378 this is in accordance with the
recommendations in the spec:
"Implementor's note: the most straightforward way to implement the
PSK/cipher suite matching requirements is to negotiate the cipher
suite first and then exclude any incompatible PSKs. Any unknown PSKs
(e.g., they are not in the PSK database or are encrypted with an
unknown key) SHOULD simply be ignored. If no acceptable PSKs are
found, the server SHOULD perform a non-PSK handshake if possible."
More information about the openssl-users