ssl_client2: Enable support for TLS 1.2 RSA-PSK opaque ciphersuite
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index cd60986..66cf622 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -1406,13 +1406,16 @@
#if defined (MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
if( opt.psk_opaque != 0 )
{
- /* Ensure that the chosen ciphersuite is PSK-only; we must know
+ /* Ensure that the chosen ciphersuite is PSK-only or rsa-psk; we must know
* the ciphersuite in advance to set the correct policy for the
* PSK key slot. This limitation might go away in the future. */
- if( ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_PSK ||
- opt.min_version != MBEDTLS_SSL_VERSION_TLS1_2 )
+ if( ( ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_PSK &&
+ ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_RSA_PSK ) ||
+ opt.min_version != MBEDTLS_SSL_MINOR_VERSION_3 )
{
- mbedtls_printf( "opaque PSKs are only supported in conjunction with forcing TLS 1.2 and a PSK-only ciphersuite through the 'force_ciphersuite' option.\n" );
+ mbedtls_printf( "opaque PSKs are only supported in conjunction \
+ with forcing TLS 1.2 and a PSK-only, RSA-PSK \
+ ciphersuites through the 'force_ciphersuite' option.\n" );
ret = 2;
goto usage;
}