Why can't I force a specific cipher with the openssl app with TLS 1.3?

Viktor Dukhovni openssl-users at dukhovni.org
Fri Nov 15 09:43:26 UTC 2019


> On Nov 15, 2019, at 4:25 AM, Matt Caswell <matt at openssl.org> wrote:
> 
> It might be nice if we added a new option "-pskmd" or similar which
> enabled you to specify the md from the command line without having to
> have a session file first. However that isn't currently possible.

With a saved session there may actually be enough key material to
arrive at non-trivial security.  As it stands, the OP wrote:

> PSK=63ef2024b1
> openssl s_client -tls1_3 -psk $PSK -connect :4433  -ciphersuites TLS_AES_256_GCM_SHA384

That 40-bit PSK does not provide much security.  I would hope that
"in real life" (simple tests aside) the PSKs will have non-trivial
entropy.

-- 
	Viktor.
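The point about PSK size above, as an added example that is not part of the original message or of OpenSSL itself: a small POSIX shell check that reports how many bits a hex PSK encodes, rejects short ones, and generates a 256-bit replacement. The function names `psk_bits`, `psk_ok` and `new_psk` and the 128-bit default minimum are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example. Helper names and the 128-bit floor are illustrative assumptions.

# psk_bits HEX: print the number of bits the hex string encodes.
# Fails on empty input, non-hex characters, or an odd number of digits.
# The result is only an upper bound on entropy: a long but guessable
# key still has little.
psk_bits() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ $(( ${#1} % 2 )) -eq 0 ] || return 1
    echo $(( ${#1} * 4 ))
}

# psk_ok HEX [MIN_BITS]: succeed only if the key is well formed and at
# least MIN_BITS long (default 128). Returns 2 for malformed input.
psk_ok() {
    _bits=$(psk_bits "$1") || return 2
    [ "$_bits" -ge "${2:-128}" ]
}

# new_psk: print 32 random bytes (256 bits) as hex, from `openssl rand`
# when available, otherwise from /dev/urandom.
new_psk() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
    fi
}

# Demo: the PSK quoted in the thread next to a freshly generated one.
# Only the size and verdict are printed, never the fresh key itself.
for k in 63ef2024b1 "$(new_psk)"; do
    if psk_ok "$k"; then verdict="ok"; else verdict="too short"; fi
    printf '%s bits: %s\n' "$(psk_bits "$k")" "$verdict"
done
```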


