Why is Openssl s_server expecting key & certificate in the case of PSK cipher test?
I am new to the security domain.
In the case of PSK, why is openssl s_server expecting a certificate and key? If I don't provide them, it gives errors like the ones below.
$ openssl s_server -psk fcc56e7668194a4775e5b36e2735551a -accept 1440 -cipher PSK-AES128-CBC-SHA
Error opening server certificate private key file server.pem
139623549462168:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('server.pem','r')
139623549462168:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400: unable to load server certificate private key file
If I provide a certificate, then openssl s_server starts.
$ openssl s_server -psk fcc56e7668194a4775e5b36e2735551a -key key.pem -accept 1440 -cipher PSK-AES128-CBC-SHA -psk_hint Client_identity
openssl s_client doesn't need a certificate:
$ openssl s_client -connect localhost:1440 -psk fcc56e7668194a4775e5b36e2735551a
I have the following questions:
1. The certificate and key are not going to be used in the client; only the PSK will be used. So why does s_server need a certificate?
2. Is this the right approach to test PSK using the openssl server and client?
3. I am using an RSA key for the openssl server to verify the PSK-AES128-CBC-SHA cipher. Is this the right key format to verify this cipher?
You have to explicitly use the -nocert option so that it will not try to load the default certificate:
$ openssl s_server -psk fcc56e7668194a4775e5b36e2735551a -accept 1440 -cipher PSK-AES128-CBC-SHA -nocert
Using default temp DH parameters
ACCEPT
- The certificate and key are not going to be used in the client; only the PSK will be used. So why does s_server need a certificate?
- A TLS server is usually used with a certificate, and therefore s_server expects one by default (and has a default path where it looks for it). A TLS client is usually used without a certificate, and therefore s_client does not expect one.
- Is this the right approach to test PSK using the openssl server and client?
- Apart from adding the -nocert option and omitting the certificate, yes.
- I am using an RSA key for the openssl server to verify the PSK-AES128-CBC-SHA cipher. Is this the right key format to verify this cipher?
- No certificate is used with PSK, which means no RSA key is used either.