NetX TLS 1.3 server PSK

AGROFOGLIO Louis-Andre (SAFRAN) 40 Reputation points
2023-08-29T15:22:34.2533333+00:00

Hello

I am working to evaluate NetX for our product. My task is to set up a TLS server using NetX Secure and test it using openssl.

For this test, I am evaluating PSK. As mentioned in the documentation, I compiled netx_secure with

  • PSK
  • TLS 1.3
  • AEAD ciphers

I set up the server using the example provided in https://learn.microsoft.com/en-us/azure/rtos/netx-duo/netx-secure-tls/chapter2#small-example-system-tls-web-server, adapting the socket behavior to my needs.

And I added a PSK key using nx_secure_tls_psk_add (with psk_identity = "psk_id" and psk_hint = "psk_hint").

--

For the test, I use openssl s_client

  • TLS 1.2: openssl s_client -port PORT -psk 010203040506 -psk_identity psk_hint -tls1_2 IP : works fine
    • But weird behavior: in the psk_identity field I can provide something different and still connect!
      Is this expected behavior?
  • TLS 1.3: openssl s_client -port PORT -psk 010203040506 -psk_identity psk_hint -tls1_3 IP : fails with error code 0x126 (NX_SECURE_TLS_NO_MATCHING_PSK)
    • Am I missing a step?

Accepted answer
Yanwu Cai 90 Reputation points Microsoft Employee
2023-09-01T02:26:07.2366667+00:00

Hi @AGROFOGLIO Louis-Andre (SAFRAN),

For TLS 1.2, the server only supports one PSK. The server ignores the psk_identity and uses that one PSK directly. So it is an expected behavior.

For TLS 1.3, the current implementation has a bug that prevents the PSK from working when no server certificate is configured. A workaround is to add a fake ECDSA certificate to the server. We will fix this bug in the next release.

1 person found this answer helpful.
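The identity lookup that sits behind a TLS 1.3 "no matching PSK" result, as an added worked example (this is not code from the thread, from NetX Secure or from OpenSSL). In TLS 1.3 (RFC 8446, section 4.2.11) the client offers a list of PSK identities, each followed by a binder, an HMAC over the ClientHello up to the binders that only the holder of that PSK can compute. The server must therefore find the offered identity in its store by exact byte match before it can verify anything, and it answers with the index of the entry it selected. TLS 1.3 has no identity hint at all (the hint is a TLS 1.2 ServerKeyExchange field), so only the identity string is ever a lookup key. The example below implements the client-side binder computation and the server-side lookup with SHA-256 (the hash of TLS_AES_128_GCM_SHA256) and runs the values from the thread through it: the PSK 010203040506, the registered identity psk_id and the hint psk_hint. The ClientHello prefix bytes, the store layout and every function name are assumptions made for the example; it goes beyond the single identity in the question by also handling a client that offers several identities.

```python
"""TLS 1.3 external-PSK offer and server-side selection (RFC 8446 4.2.11 / 7.1).

Added example: not NetX Secure or OpenSSL code. SHA-256 is used throughout,
as for TLS_AES_128_GCM_SHA256; external PSKs use the "ext binder" label.
"""
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32

# Error code quoted in the question for the "no identity matched" outcome.
NX_SECURE_TLS_NO_MATCHING_PSK = 0x126


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869); an empty salt means HASH_LEN zero bytes."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label: info = uint16 length || "tls13 "+label || context."""
    full_label = b"tls13 " + label
    info = (struct.pack("!H", length) + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    out, block, counter = b"", b"", 1
    while len(out) < length:  # HKDF-Expand T(1) || T(2) || ...
        block = hmac.new(secret, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def binder_finished_key(psk: bytes) -> bytes:
    """PSK -> Early Secret -> binder_key ("ext binder") -> finished key."""
    early_secret = hkdf_extract(b"", psk)
    binder_key = hkdf_expand_label(early_secret, b"ext binder", HASH(b"").digest(), HASH_LEN)
    return hkdf_expand_label(binder_key, b"finished", b"", HASH_LEN)


def compute_binder(psk: bytes, truncated_client_hello: bytes) -> bytes:
    """PskBinderEntry = HMAC(finished_key, Transcript-Hash(ClientHello up to the binders))."""
    transcript = HASH(truncated_client_hello).digest()
    return hmac.new(binder_finished_key(psk), transcript, HASH).digest()


def encode_psk_identities(identities) -> bytes:
    """identities<7..2^16-1>: per entry opaque identity<1..2^16-1> + uint32 obfuscated_ticket_age
    (zero for an external PSK)."""
    body = b"".join(struct.pack("!H", len(i)) + i + struct.pack("!I", 0) for i in identities)
    return struct.pack("!H", len(body)) + body


def build_client_offer(client_hello_prefix: bytes, offers):
    """Client side. offers = [(identity, psk), ...]. Returns (truncated ClientHello, binders).
    The truncated ClientHello is everything up to the binders vector; each binder is keyed
    with the PSK belonging to its identity."""
    truncated = client_hello_prefix + encode_psk_identities([ident for ident, _ in offers])
    return truncated, [compute_binder(psk, truncated) for _, psk in offers]


def tls13_select_psk(psk_store: dict, truncated_client_hello: bytes, identities, binders):
    """Server side: first offered identity present in the store (exact bytes; no hint
    exists in TLS 1.3) whose binder verifies. Returns its index (selected_identity), or None
    when nothing matches, which is the outcome the question's 0x126 code names. A known
    identity with a wrong binder aborts rather than falling through to later entries."""
    for index, (identity, binder) in enumerate(zip(identities, binders)):
        psk = psk_store.get(identity)
        if psk is None:
            continue
        if hmac.compare_digest(compute_binder(psk, truncated_client_hello), binder):
            return index
        return None
    return None


def demo() -> dict:
    """Runs the thread's values through the lookup; see the lead-in for what is assumed."""
    psk = bytes.fromhex("010203040506")      # -psk value from the question
    server_store = {b"psk_id": psk}          # identity registered with nx_secure_tls_psk_add;
                                             # the hint "psk_hint" is not a lookup key
    # Constructed stand-in for the ClientHello bytes that precede the identities list.
    prefix = b"\x01\x00\x00\x80\x03\x03" + bytes(range(32)) + b"\x00\x00\x02\x13\x01\x01\x00"
    results = {}
    # The hint string offered as the identity (the s_client line in the question).
    hello, binders = build_client_offer(prefix, [(b"psk_hint", psk)])
    results["hint_as_identity"] = tls13_select_psk(server_store, hello, [b"psk_hint"], binders)
    # The registered identity with the right key.
    hello, binders = build_client_offer(prefix, [(b"psk_id", psk)])
    results["matching_identity"] = tls13_select_psk(server_store, hello, [b"psk_id"], binders)
    # Right identity, wrong key: the binder does not verify.
    hello, binders = build_client_offer(prefix, [(b"psk_id", bytes.fromhex("060504030201"))])
    results["wrong_key"] = tls13_select_psk(server_store, hello, [b"psk_id"], binders)
    # Two identities offered; the server answers with the index of the one it knows.
    hello, binders = build_client_offer(prefix, [(b"old_id", b"\xaa" * 6), (b"psk_id", psk)])
    results["second_of_two"] = tls13_select_psk(server_store, hello, [b"old_id", b"psk_id"], binders)
    return results


if __name__ == "__main__":
    for case, selected in demo().items():
        code = "selected_identity=%d" % selected if selected is not None \
            else "no match (0x%x)" % NX_SECURE_TLS_NO_MATCHING_PSK
        print("%-18s %s" % (case, code))
```

The binder is what forces the exact-match lookup: the server cannot verify an offer it cannot key, so the identity string is consulted before any key material is touched. The TLS 1.2 path the accepted answer describes needs none of this machinery; with a single configured PSK the server simply returns that key whatever identity the client sent.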
