I am evaluating TLS PSK capability on mbedlts-2.16.12 by running following command. I modified TLS client to have only PSK and removed all private key and certificate related code. However, the servier indicated x.509 verification ok. What is it?
./a.out ok . Performing the SSL/TLS handshake... ok [ Protocol is TLSv1.2 ] [ Ciphersuite is TLS-PSK-WITH-AES-128-GCM-SHA256 ] [ Record expansion is 29 ] . Closing the connection... done
./ssl_server2 psk="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" psk_list="Client_identity","AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256
. Seeding the random number generator... ok . Loading the CA root certificate ... ok (0 skipped) . Loading the server cert. and key... ok . Bind on tcp://*:4433/ ... ok . Setting up the SSL/TLS structure... ok . Waiting for a remote connection ... ok . Performing the SSL/TLS handshake... ok [ Protocol is TLSv1.2 ] [ Ciphersuite is TLS-PSK-WITH-AES-128-GCM-SHA256 ] [ Record expansion is 29 ] [ Maximum fragment length is 16384 ] . Verifying peer X.509 certificate... ok < Read from client: 34 bytes read
GET / HTTP/1.0 Extra-header:
Write to client: 144 bytes written in 1 fragments
HTTP/1.0 200 OK Content-Type: text/html
<h2>mbed TLS Test Server</h2> <p>Successful connection using: TLS-PSK-WITH-AES-128-GCM-SHA256</p>
. Closing the connection... done . Waiting for a remote connection ...
Thanks, Gopi Krishnan
The message from the test program ssl_server2 is a misleading here. It's actually displaying the result of certificate verification /if/ there was a certificate verification. If the connection didn't use a certificate, that result is always “ok”.
However, this message is not shown at all if you build Mbed TLS completely without certificate support (MBEDTLS_X509_CRT_PARSE_C undefined). So you can still reduce the code size for a PSK-only build. Instead of disabling features from the default configuration, you may want to start from the sample configuration configs/config-ccm-psk-tls1_2.h and adjust it to your preferences.
Please note that Mbed TLS 2.16 is no longer supported. It has no known security issues yet, but this won't last forever, and we will not fix them anymore. Please upgrade to either the new long-time support version Mbed TLS 2.28, or to the development version (currently at 3.1.0).