
configure psk_ke (PSK-only) mode in TLS1.3

I am using OpenSSL 1.1.1 and trying to configure psk_ke (PSK-only) mode only in requests generated through s_client. In my requests, in the client hello message, I am not able to suppress the psk_dhe_ke mode, which I think is getting added by default.

I have used the -allow_no_dhe_kex directive in s_client requests. It only helps to get the psk_ke mode added to the packet.

Also, options like ec_point format, key share and signature algorithms are added to the client hello message, which I think is due to the psk_dhe_ke option being included in the client hello. Please correct my understanding if I am wrong.

Can psk_dhe_ke be suppressed in client hello along with ec_point format, key share, signature algorithms?

TCP dump of TLS1.3 client hello message:

It is not currently possible to suppress psk_dhe_ke with OpenSSL when using TLSv1.3. The "-allow_no_dhe_kex" option only allows the peer to select the no-dhe version, but doesn't suppress sending the dhe option.

It is possible to suppress the ec_point_formats, signature_algorithms and key_share extensions in OpenSSL under certain circumstances - but not if you plan to do TLSv1.3. If you want to do TLSv1.3 then they will always be sent.
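To check what a client actually offers, the ClientHello can be parsed for the `psk_key_exchange_modes` extension and the other extensions discussed above. This is an added example, not part of the original question or answer; the function names and the sample message are constructed for illustration, and the input is assumed to be the handshake message with the 5-byte TLS record header already removed.

```python
import struct

EXT_NAMES = {11: "ec_point_formats", 13: "signature_algorithms",
             43: "supported_versions", 45: "psk_key_exchange_modes",
             51: "key_share"}
PSK_MODES = {0: "psk_ke", 1: "psk_dhe_ke"}  # RFC 8446, section 4.2.9


def parse_client_hello(msg: bytes) -> dict:
    """List the extensions and PSK key exchange modes in a ClientHello."""
    if len(msg) < 4 or msg[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    try:
        pos = 2 + 32                               # legacy_version + random
        pos += 1 + body[pos]                       # legacy_session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + body[pos]                       # compression methods
        ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        if ext_end > len(body):
            raise ValueError("truncated ClientHello")
        found = {"extensions": [], "psk_modes": []}
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            found["extensions"].append(EXT_NAMES.get(ext_type, str(ext_type)))
            if ext_type == 45 and data:            # ke_modes<1..255>
                found["psk_modes"] = [PSK_MODES.get(m, f"unknown({m})")
                                      for m in data[1:1 + data[0]]]
    except IndexError:
        raise ValueError("truncated ClientHello") from None
    return found


def build_sample(modes: bytes) -> bytes:
    """Constructed ClientHello for illustration, not a real capture."""
    def ext(ext_type: int, data: bytes) -> bytes:
        return struct.pack("!HH", ext_type, len(data)) + data
    exts = (ext(43, b"\x02\x03\x04") + ext(11, b"\x01\x00")
            + ext(13, b"\x00\x02\x08\x04") + ext(51, b"\x00\x00")
            + ext(45, bytes([len(modes)]) + modes))
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01"
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body


SAMPLE = build_sample(b"\x01\x00")  # constructed: offers psk_dhe_ke and psk_ke
```

If `psk_modes` for a captured ClientHello still lists `psk_dhe_ke`, the server remains free to select it, so a PSK-only policy has to be enforced by the peer that makes the selection.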
