2

I am new to security domain,

In case of PSK why openssl s_server is expecting certificate and key. If I don't give then it gives error like below.

$ openssl s_server -psk fcc56e7668194a4775e5b36e2735551a -accept 1440 -cipher PSK-AES128-CBC-SHA Error opening server certificate private key file server.pem 139623549462168:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('server.pem','r') 139623549462168:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400: unable to load server certificate private key file

If I provide certificate then openssl s_server starts . 

$ openssl s_server -psk fcc56e7668194a4775e5b36e2735551a -key key.pem -accept 1440 -cipher PSK-AES128-CBC-SHA -psk_hint Client_identity

openssl s_client doesn't need ceritificate

$ openssl s_client -connect localhost:1440 -psk fcc56e7668194a4775e5b36e2735551a

I have following questions ?

  1. certificate and key is not going to be used in client, only PSK will be used then why s_server need certificate ?
  2. Is this right approach to test PSK using openssl server and client.
  3. I am using RSA key in case of openssl server to verify PSK-AES128-CBC-SHA cipher, is this right key format for this cipher to verify.
Improve this question

1 Answer 1

Reset to default
2

You have to explicitly use the -nocert option so that it will not try to load the default certificate:

$ openssl s_server -psk fcc56e7668194a4775e5b36e2735551a -accept 1440 \ -cipher PSK-AES128-CBC-SHA \ -nocert Using default temp DH parameters ACCEPT
  1. certificate and key is not going to be used in client, only PSK will be used then why s_server need certificate ?

A TLS server is usually used with a certificate and therefore s_server expects one by default (and has a default path where it expects it). A TLS client is usually used without a certificate and therefore s_client does not expect one.

  1. Is this right approach to test PSK using openssl server and client.

Apart from adding the -nocert option and omitting the certificate, yes.

  1. I am using RSA key in case of openssl server to verify PSK-AES128-CBC-SHA cipher, is this right key format for this cipher to verify.

No certificate is used when using PSK which means no RSA key is used too.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.