
I'm trying to create a connection between an openssl server and client on my machine using ECDHE-PSK-AES256-CBC-SHA384 What am I doing wrong with these commands?

openssl s_server -cipher ECDHE-PSK-AES256-CBC-SHA384 -nocert -psk 123456
openssl s_client -psk 123456

It seems to use psk in some way, as the connection fails if I change the psk, but the cipher used seems to be TLS_CHACHA20_POLY1305_SHA256.

I don't have an openssl.cfg

openssl version
OpenSSL 1.1.1b  26 Feb 2019

How can I force the use of ECDHE-PSK-AES256-CBC-SHA384?

Command Output:

Server:

Using default temp DH parameters
ACCEPT
Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-PSK-AES256-CBC-SHA384
Supported Elliptic Groups: X25519:P-256:X448:P-521:P-384
Shared Elliptic groups: X25519:P-256:X448:P-521:P-384
---
No server certificate CA names sent
CIPHER is TLS_CHACHA20_POLY1305_SHA256
Reused session-id
Secure Renegotiation IS supported
This is sent from the Server
This is sent from the Client

Client:

CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 225 bytes and written 489 bytes
Verification: OK
---
Reused, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_CHACHA20_POLY1305_SHA256
    Session-ID: 662DFBB9E634EB0C371A8E1008AAE4981EF131A80AF9DDCDC4B7B316FD07FD75
    Session-ID-ctx:
    Resumption PSK: D957E7A9F62A737C0BBAE7EBA401284F168AA06FAD23B57045E7EC2D7339A642
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 304 (seconds)
    TLS session ticket:
    Start Time: 1552415474
    Timeout   : 304 (sec)
    Verify return code: 1 (unspecified certificate verification error)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
This is sent from the Server
This is sent from the Client

– Philippe
  • Can you post the output from the commands? When I try this I get "CIPHER is ECDHE-PSK-AES256-CBC-SHA384". Have you looked for an `openssl.cfg` file, to see if PSK is disabled? – Polynomial Mar 12 '19 at 18:26
  • @Polynomial: you need openssl 1.1.1 to reproduce the problem since it is using TLS 1.3. – Steffen Ullrich Mar 12 '19 at 19:16
  • If you post 'force the usage of TLS 1.2' I'll accept it. That fixed it – Philippe Mar 12 '19 at 20:15
  • Was PSK removed from TLS 1.3? – Philippe Mar 12 '19 at 20:15
  • @Philippe: no, PSK was made even more important. It is used as the mechanism for session reuse now. See [here](https://security.stackexchange.com/a/187352/37315) on how you can use PSK with TLS 1.3 - you have to make sure that the PSK is actually having the expected length. – Steffen Ullrich Mar 12 '19 at 20:24
  • What exactly does it do in TLS 1.3 mode? It seems to do some kind of TLS but not the kind I want – Philippe Mar 12 '19 at 22:57
  • In TLS1.3 keyexchange and authentication are no longer part of the ciphersuite. If the server has no cert and both ends have PSK, OpenSSL uses psk_dhe_ke mode (see rfc8446 section 4.2.9) which depending on the selected group is equivalent to DHE_PSK or ECDHE_PSK keyexchange in TLS1.2 and below; which group was used can be seen in the `s_client` log line `Server Temp Key:` and it defaults to X25519 which is ECDHE_PSK as you want. However, TLS1.3 does not support any CBC cipher including AES256-CBC; the closest you can come is AES256-GCM. – dave_thompson_085 Mar 13 '19 at 07:29

1 Answer


You should use -tls1_2 to specify the use of TLS 1.2, like

openssl s_client -port 5804 -cipher PSK-AES128-GCM-SHA256 -psk 123456 -tls1_2
– dennis
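A small check for the problem in the question, that the handshake silently landed on a different protocol and suite than the one passed to -cipher, written as an added example (it is not part of the question or the answer). It parses the `New/Reused, <protocol>, Cipher is <suite>` line that `s_client` prints and classifies the outcome; the live run assumes openssl 1.1.1+ on PATH, port 4433 (the s_server/s_client default) and the demo PSK 123456 from the question.

```shell
#!/bin/sh
# Added example (not from the question or its answer): find out which protocol and
# suite an `openssl s_client` handshake really negotiated, and classify a mismatch.
# Assumed values: port 4433 (s_server/s_client default) and the demo PSK 123456.

# Print "<protocol> <suite>" from s_client output on stdin, e.g.
# "Reused, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256" -> "TLSv1.3 TLS_CHACHA20_POLY1305_SHA256".
# A failed handshake prints "New, (NONE), Cipher is (NONE)", which has no TLSv token, so nothing is printed.
negotiated_suite() {
    awk -F', ' '/^(New|Reused), TLSv[0-9.]+, Cipher is / {
        sub(/^Cipher is /, "", $3); print $2, $3; exit }'
}

# classify <expected-suite> < s_client-output.  Exit status:
#   0  expected suite negotiated
#   1  handshake failed
#   2  TLS 1.3 negotiated: a TLS 1.2 suite name given to -cipher is ignored there, and
#      TLS 1.3 has no CBC suites at all, so pin both ends with -tls1_2
#   3  TLS 1.2 ran but another suite won (check the server's -cipher list)
classify() {
    got=$(negotiated_suite)
    [ -n "$got" ] || return 1
    proto=${got%% *}
    suite=${got#* }
    [ "$suite" != "$1" ] || return 0
    case "$proto" in TLSv1.3) return 2 ;; *) return 3 ;; esac
}

# Constructed samples modelled on the outputs shown in the question.
SAMPLE_DEFAULT='CONNECTED(00000003)
---
Reused, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
Secure Renegotiation IS NOT supported'
SAMPLE_TLS12='New, TLSv1.2, Cipher is ECDHE-PSK-AES256-CBC-SHA384'
SAMPLE_FAILED='New, (NONE), Cipher is (NONE)'

# Optional live check (needs openssl 1.1.1+ on PATH and a free local port):
# start a TLS 1.2-only PSK server, connect once, and classify the result.
live_check() {
    port=${1:-4433}
    openssl s_server -accept "$port" -nocert -psk 123456 -tls1_2 \
        -cipher ECDHE-PSK-AES256-CBC-SHA384 -quiet >/dev/null 2>&1 &
    srv=$!
    sleep 1
    printf 'Q\n' | openssl s_client -connect "127.0.0.1:$port" -psk 123456 -tls1_2 2>/dev/null \
        | classify ECDHE-PSK-AES256-CBC-SHA384
    rc=$?
    kill "$srv" 2>/dev/null
    return "$rc"
}
```

Run `live_check` by hand after sourcing the script; against the question's original command line (no -tls1_2 on either side) `classify` returns 2, which is exactly the TLS 1.3 fallback the comments describe.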