Hi Gopi,
When you say “I modified TLS client to have only PSK and removed all private key and certificate related code.” did you set the C processor directives in the include/mbedtls/mbedtls_config.h file?
To me it seems that you didn’t do this and hence you still use the default configuration settings, which means that all PKI-related code is compiled into your binary.
Ciao
Hannes
From: Subramanian Gopi Krishnan via mbed-tls <mbed-tls@lists.trustedfirmware.org>
Sent: Tuesday, February 22, 2022 12:15 PM
To: mbed-tls@lists.trustedfirmware.org
Subject: [mbed-tls] TLS PSK display X.509 verified
Hi,
I am evaluating TLS PSK capability on mbedlts-2.16.12 by running following command. I modified TLS client to have only PSK and removed all private key and certificate related code. However, the servier indicated x.509 verification ok. What
is it?
./a.out
ok
. Performing the SSL/TLS handshake... ok
[ Protocol is TLSv1.2 ]
[ Ciphersuite is TLS-PSK-WITH-AES-128-GCM-SHA256 ]
[ Record expansion is 29 ]
. Closing the connection... done
./ssl_server2 psk="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" psk_list="Client_identity","AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256
. Seeding the random number generator... ok
. Loading the CA root certificate ... ok (0 skipped)
. Loading the server cert. and key... ok
. Bind on tcp://*:4433/ ... ok
. Setting up the SSL/TLS structure... ok
. Waiting for a remote connection ... ok
. Performing the SSL/TLS handshake... ok
[ Protocol is TLSv1.2 ]
[ Ciphersuite is TLS-PSK-WITH-AES-128-GCM-SHA256 ]
[ Record expansion is 29 ]
[ Maximum fragment length is 16384 ]
. Verifying peer X.509 certificate... ok
< Read from client: 34 bytes read
GET / HTTP/1.0
Extra-header:
> Write to client: 144 bytes written in 1 fragments
HTTP/1.0 200 OK
Content-Type: text/html
<h2>mbed TLS Test Server</h2>
<p>Successful connection using: TLS-PSK-WITH-AES-128-GCM-SHA256</p>
. Closing the connection... done
. Waiting for a remote connection ...
Thanks,
Gopi Krishnan