Hi Gopi,

 

When you say “I modified TLS client to have only PSK and removed all private key and certificate related code.” did you set the C processor directives in the include/mbedtls/mbedtls_config.h file?

 

To me it seems that you didn’t do this and hence you still use the default configuration settings, which means that all PKI-related code is compiled into your binary.

 

Ciao

Hannes

 

From: Subramanian Gopi Krishnan via mbed-tls <mbed-tls@lists.trustedfirmware.org>
Sent: Tuesday, February 22, 2022 12:15 PM
To: mbed-tls@lists.trustedfirmware.org
Subject: [mbed-tls] TLS PSK display X.509 verified

 

Hi,

 

I am evaluating TLS PSK capability on mbedlts-2.16.12 by running following command. I modified TLS client to have only PSK and removed all private key and certificate related code. However, the servier indicated x.509 verification ok. What is it?

 

./a.out

ok

  . Performing the SSL/TLS handshake... ok

    [ Protocol is TLSv1.2 ]

    [ Ciphersuite is TLS-PSK-WITH-AES-128-GCM-SHA256 ]

    [ Record expansion is 29 ]

  . Closing the connection... done

 

./ssl_server2 psk="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" psk_list="Client_identity","AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256

 

  . Seeding the random number generator... ok

  . Loading the CA root certificate ... ok (0 skipped)

  . Loading the server cert. and key... ok

  . Bind on tcp://*:4433/ ... ok

  . Setting up the SSL/TLS structure... ok

  . Waiting for a remote connection ... ok

  . Performing the SSL/TLS handshake... ok

    [ Protocol is TLSv1.2 ]

    [ Ciphersuite is TLS-PSK-WITH-AES-128-GCM-SHA256 ]

    [ Record expansion is 29 ]

    [ Maximum fragment length is 16384 ]

  . Verifying peer X.509 certificate... ok

  < Read from client: 34 bytes read

 

GET / HTTP/1.0

Extra-header:

 

 

  > Write to client: 144 bytes written in 1 fragments

 

HTTP/1.0 200 OK

Content-Type: text/html

 

<h2>mbed TLS Test Server</h2>

<p>Successful connection using: TLS-PSK-WITH-AES-128-GCM-SHA256</p>

 

 . Closing the connection... done

  . Waiting for a remote connection ...

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Thanks,

Gopi Krishnan