Hi Gopi,
When you say "I modified TLS client to have only PSK and removed all private key and certificate related code." did you set the C processor directives in the include/mbedtls/mbedtls_config.h file?
To me it seems that you didn't do this and hence you still use the default configuration settings, which means that all PKI-related code is compiled into your binary.
Ciao Hannes
From: Subramanian Gopi Krishnan via mbed-tls <mbed-tls@lists.trustedfirmware.orgmailto:mbed-tls@lists.trustedfirmware.org> Sent: Tuesday, February 22, 2022 12:15 PM To: mbed-tls@lists.trustedfirmware.orgmailto:mbed-tls@lists.trustedfirmware.org Subject: [mbed-tls] TLS PSK display X.509 verified
Hi,
I am evaluating TLS PSK capability on mbedlts-2.16.12 by running following command. I modified TLS client to have only PSK and removed all private key and certificate related code. However, the servier indicated x.509 verification ok. What is it?
./a.out ok . Performing the SSL/TLS handshake... ok [ Protocol is TLSv1.2 ] [ Ciphersuite is TLS-PSK-WITH-AES-128-GCM-SHA256 ] [ Record expansion is 29 ] . Closing the connection... done
./ssl_server2 psk="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" psk_list="Client_identity","AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256
. Seeding the random number generator... ok . Loading the CA root certificate ... ok (0 skipped) . Loading the server cert. and key... ok . Bind on tcp://*:4433/ ... ok . Setting up the SSL/TLS structure... ok . Waiting for a remote connection ... ok . Performing the SSL/TLS handshake... ok [ Protocol is TLSv1.2 ] [ Ciphersuite is TLS-PSK-WITH-AES-128-GCM-SHA256 ] [ Record expansion is 29 ] [ Maximum fragment length is 16384 ] . Verifying peer X.509 certificate... ok < Read from client: 34 bytes read
GET / HTTP/1.0 Extra-header:
Write to client: 144 bytes written in 1 fragments
HTTP/1.0 200 OK Content-Type: text/html
<h2>mbed TLS Test Server</h2> <p>Successful connection using: TLS-PSK-WITH-AES-128-GCM-SHA256</p>
. Closing the connection... done . Waiting for a remote connection ...
Thanks, Gopi Krishnan