Hello,
The message from the test program ssl_server2 is a misleading here. It's
actually displaying the result of certificate verification /if/ there
was a certificate verification. If the connection didn't use a
certificate, that result is always “ok”.
However, this message is not shown at all if you build Mbed TLS
completely without certificate support (MBEDTLS_X509_CRT_PARSE_C
undefined). So you can still reduce the code size for a PSK-only build.
Instead of disabling features from the default configuration, you may
want to start from the sample configuration
configs/config-ccm-psk-tls1_2.h and adjust it to your preferences.
Please note that Mbed TLS 2.16 is no longer supported. It has no known
security issues yet, but this won't last forever, and we will not fix
them anymore. Please upgrade to either the new long-time support version
Mbed TLS 2.28, or to the development version (currently at 3.1.0).
Best regards,
--
Gilles Peskine
Mbed TLS developer
On 22/02/2022 12:14, Subramanian Gopi Krishnan via mbed-tls wrote:
>
> Hi,
>
>
>
> I am evaluating TLS PSK capability on mbedlts-2.16.12 by running
> following command. I modified TLS client to have only PSK and removed
> all private key and certificate related code. However, the servier
> indicated x.509 verification ok. What is it?
>
>
>
> ./a.out
>
> ok
>
> . Performing the SSL/TLS handshake... ok
>
> [ Protocol is TLSv1.2 ]
>
> [ Ciphersuite is TLS-PSK-WITH-AES-128-GCM-SHA256 ]
>
> [ Record expansion is 29 ]
>
> . Closing the connection... done
>
>
>
> ./ssl_server2
> psk="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
> psk_list="Client_identity","AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
> force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256
>
>
>
> . Seeding the random number generator... ok
>
> . Loading the CA root certificate ... ok (0 skipped)
>
> . Loading the server cert. and key... ok
>
> . Bind on tcp://*:4433/ ... ok
>
> . Setting up the SSL/TLS structure... ok
>
> . Waiting for a remote connection ... ok
>
> . Performing the SSL/TLS handshake... ok
>
> [ Protocol is TLSv1.2 ]
>
> [ Ciphersuite is TLS-PSK-WITH-AES-128-GCM-SHA256 ]
>
> [ Record expansion is 29 ]
>
> [ Maximum fragment length is 16384 ]
>
> . Verifying peer X.509 certificate... ok
>
> < Read from client: 34 bytes read
>
>
>
> GET / HTTP/1.0
>
> Extra-header:
>
>
>
>
>
> > Write to client: 144 bytes written in 1 fragments
>
>
>
> HTTP/1.0 200 OK
>
> Content-Type: text/html
>
>
>
> <h2>mbed TLS Test Server</h2>
>
> <p>Successful connection using: TLS-PSK-WITH-AES-128-GCM-SHA256</p>
>
>
>
> . Closing the connection... done
>
> . Waiting for a remote connection ...
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> Thanks,
>
> Gopi Krishnan
>
>
