On 14/02/18 23:33, Viktor Dukhovni wrote:
>
>
>> On Feb 14, 2018, at 6:14 PM, Matt Caswell <matt@xxxxxxxxxxx> wrote:
>>
>> For a PSK to be used it needs to be the correct length for the selected
>> ciphersuite. The ciphersuite is selected *first*. Next the available
>> PSKs are checked to see if they are usable with that ciphersuite.
>
> Is that (choosing the cipher first) correct behaviour? If the server
> is given a specific certificate it limits its ciphers to those that
> are compatible with the certificate's public key. It seems to me that
> "-psk" should not be different. If we are doing PSK, we should likely
> filter the ciphers to those that work with the supplied PSK first.
>

As pointed out by Hubert in #5378 this is in accordance with the
recommendations in the spec:

"Implementor's note: the most straightforward way to implement the
PSK/cipher suite matching requirements is to negotiate the cipher suite
first and then exclude any incompatible PSKs. Any unknown PSKs (e.g.,
they are not in the PSK database or are encrypted with an unknown key)
SHOULD simply be ignored. If no acceptable PSKs are found, the server
SHOULD perform a non-PSK handshake if possible."

Matt

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
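The two orderings debated above, modelled side by side as an added example (this is not OpenSSL's code and not part of the thread): `negotiate_suite_first` follows the spec's implementor's note (choose the cipher suite, then drop PSKs whose hash does not match it, ignore unknown identities, fall back to a certificate handshake), while `negotiate_psk_first` does what Viktor proposes (restrict the suite list to those compatible with a known offered PSK before choosing). The suite names are the real TLS 1.3 ones; the `Psk`/`Outcome` types, the PSK database and the scenario in `demo` are constructed for the example.

```python
# Toy model of TLS 1.3 PSK / cipher-suite matching (added example, not OpenSSL).
# Each TLS 1.3 cipher suite binds a PSK to one hash algorithm; a PSK may only
# be used with a suite that carries the same hash.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Real TLS 1.3 cipher suite names mapped to the hash each one uses.
SUITE_HASH = {
    "TLS_AES_256_GCM_SHA384": "SHA384",
    "TLS_CHACHA20_POLY1305_SHA256": "SHA256",
    "TLS_AES_128_GCM_SHA256": "SHA256",
}


@dataclass(frozen=True)
class Psk:
    identity: bytes
    secret: bytes
    hash_alg: str  # hash the PSK was provisioned for (constructed attribute)


@dataclass
class Outcome:
    cipher_suite: str
    psk: Optional[Psk]        # None means "non-PSK (certificate) handshake"
    psk_index: Optional[int]  # index into the client's offered identities


def _pick_suite(server_prefs: List[str], client_offer: List[str]) -> str:
    """Server-preference selection; raises if nothing is shared."""
    for suite in server_prefs:
        if suite in client_offer:
            return suite
    raise ValueError("no shared cipher suite")  # would be a handshake_failure alert


def negotiate_suite_first(server_prefs, client_offer, offered_identities,
                          psk_db: Dict[bytes, Psk], can_do_certificate=True) -> Outcome:
    """RFC 8446 implementor's note: suite first, then exclude incompatible PSKs."""
    suite = _pick_suite(server_prefs, client_offer)
    required_hash = SUITE_HASH[suite]
    for index, identity in enumerate(offered_identities):
        psk = psk_db.get(identity)
        if psk is None:
            continue  # unknown PSK: simply ignored
        if psk.hash_alg != required_hash:
            continue  # incompatible with the chosen suite: excluded
        return Outcome(suite, psk, index)
    if not can_do_certificate:
        raise ValueError("no acceptable PSK and no certificate to fall back to")
    return Outcome(suite, None, None)  # non-PSK handshake


def negotiate_psk_first(server_prefs, client_offer, offered_identities,
                        psk_db: Dict[bytes, Psk], can_do_certificate=True) -> Outcome:
    """Alternative from the thread: filter suites by the known PSKs, then choose."""
    known = [(i, psk_db[ident]) for i, ident in enumerate(offered_identities)
             if ident in psk_db]
    usable_hashes = {psk.hash_alg for _, psk in known}
    filtered = [s for s in server_prefs if SUITE_HASH[s] in usable_hashes]
    if filtered:
        suite = _pick_suite(filtered, client_offer)
        for index, psk in known:
            if psk.hash_alg == SUITE_HASH[suite]:
                return Outcome(suite, psk, index)
    if not can_do_certificate:
        raise ValueError("no acceptable PSK and no certificate to fall back to")
    return Outcome(_pick_suite(server_prefs, client_offer), None, None)


def demo():
    """Constructed scenario: server prefers a SHA384 suite, client's only PSK is SHA256."""
    server_prefs = ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"]
    client_offer = ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"]
    psk_db = {b"client1": Psk(b"client1", b"\x11" * 32, "SHA256")}
    identities = [b"not-in-db", b"client1"]  # first one is unknown and ignored
    spec = negotiate_suite_first(server_prefs, client_offer, identities, psk_db)
    alt = negotiate_psk_first(server_prefs, client_offer, identities, psk_db)
    return spec, alt


if __name__ == "__main__":
    spec, alt = demo()
    print("suite-first :", spec.cipher_suite, "PSK used:", spec.psk is not None)
    print("psk-first   :", alt.cipher_suite, "PSK used:", alt.psk is not None)
```

Running `demo` shows the practical difference the thread is about: with suite-first selection the server's preferred SHA384 suite wins, the SHA256 PSK is excluded and the handshake falls back to certificates, whereas PSK-first selection narrows the suite list so the PSK can still be used.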