TLS 1.3 PSK howto

Fabian Mauchle fabian.mauchle at switch.ch
Sat May 20 16:55:41 UTC 2023


Hi there,

I'm currently trying to implement TLS 1.3 pre-shared keys (PSK) with out-of-band agreed keys (not session resumption). But I'm a bit confused about how to do this correctly. Please correct any of my assumptions below if I got them wrong.
My goal is to provide a very simple way to establish a mutually authenticated connection (even without exchanging self-signed certificates; just a key)

The admins will have to agree on a key and a hash algorithm (or use SHA256 by default).

I've implemented psk_use_session_cb() and psk_find_session_cb() to provide the PSK, set a cipher with the selected hash (as described in the manpage), and set the session's TLS version to 1.3. I also disable verification (SSL_VERIFY_NONE).
If I leave everything else as default and select SHA256, the connection will fail with `no suitable signature algorithm`.

From browsing the source code a bit, it seems that on the client side, the cipher list (to be sent to the server) has already been assembled before psk_use_session_cb() is called (so the settings made to the session are irrelevant), and equally on the server side, the preferred cipher is selected before psk_find_session_cb() is called.

As an additional complication, if a server supports TLS1.2 PSK too (psk_server_callback() is set as in s_server), now all SHA256 ciphers are preferred and if the admins agreed on SHA384, it would break.

How am I supposed to set up the SSL context and session for this to work correctly? (what setting is required so the agreed hash algorithm is properly negotiated/selected?)

Thanks and best regards,
Fabian


