TLS 1.3 PSK howto

Hi there,

I'm currently trying to implement TLS 1.3 pre-shared keys (PSK) with out-of-band agreed keys (not session resumption), but I'm a bit confused about how to do this correctly. Please correct any of my assumptions below if I got it wrong.
My goal is to provide a very simple way to establish a mutually authenticated connection (even without exchanging self-signed certificates; just a key)

The admins will have to agree on a key and a hash algorithm (or use SHA256 by default).

I've implemented psk_use_session_cb() and psk_find_session_cb() to provide the PSK, set a cipher with the selected hash (as described in the manpage), and set the session's TLS version to 1.3. I also disable verification (SSL_VERIFY_NONE).
If I leave everything else as default and select SHA256, the connection will fail with `no suitable signature algorithm`.

From browsing the source code a bit, it seems that on the client side the cipher list (to be sent to the server) has already been assembled before psk_use_session_cb() is called (so the settings made to the session are irrelevant), and equally on the server side the preferred cipher is selected before psk_find_session_cb() is called.

As an additional complication, if a server supports TLS 1.2 PSK too (psk_server_callback() is set, as in s_server), all SHA256 ciphers are preferred, and if the admins agreed on SHA384 it would break.

How am I supposed to set up the SSL context and session for this to work correctly? (what setting is required so the agreed hash algorithm is properly negotiated/selected?)

Thanks and best regards,
Fabian
