For the full background to this issue see: https://github.com/openssl/openssl/issues/6490
TL;DR summary: The TLSv1.2 and TLSv1.3 PSK mechanisms are quite different from each other. OpenSSL (along with at least GnuTLS, maybe others) has implemented an upgrade path which enables the reuse of a TLSv1.2 PSK in TLSv1.3. This is not prohibited by the spec. David Benjamin has raised concerns about this due to key separation. Everything else in TLSv1.3 is provably secure - but this is not. The spec has been updated to add some words of warning about this.

There seem to be two schools of thought on what to do about this:

1) We should seek to avoid this risk. As a fix we should disable TLSv1.3 if TLSv1.2 PSKs have been configured. We expect that at some later time the IETF will come up with a better answer and when that happens we can implement it then. A PR to do the removal is here: https://github.com/openssl/openssl/pull/6836

2) This is a theoretical risk - there might not actually be a problem at all, it's just that we can't prove it. OTOH not upgrading to TLSv1.3 is definitely a bad thing, so we should just leave things as they are and accept the theoretical risk.

I'll admit that I've been flip-flopping between the two approaches to this and there doesn't seem to be a clear consensus forming.

How should we take this forward? Does it require an OMC vote?

Matt

openssl-project mailing list [email protected] https://mta.openssl.org/mailman/listinfo/openssl-project
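As an added illustration of the key-separation point (example code written for this page, not from the post or from OpenSSL), the block below runs the same PSK bytes through both key schedules: TLSv1.2 builds a premaster secret from the PSK and expands it with the P_SHA256 PRF (RFC 4279 / RFC 5246), while TLSv1.3 uses the PSK as HKDF-Extract input to derive the early secret and binder key (RFC 8446). The PSK and random values are constructed sample inputs, and the minimal HKDF/PRF helpers are stand-ins for library code.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HLEN = HASH().digest_size

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLSv1.2 P_hash (RFC 5246 section 5) expanded to `length` bytes."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, HASH).digest()        # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, HASH).digest()
    return out[:length]

def tls12_psk_master_secret(psk: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Plain-PSK premaster secret (RFC 4279 section 2) -> 48-byte master secret."""
    n = len(psk)
    premaster = n.to_bytes(2, "big") + b"\x00" * n + n.to_bytes(2, "big") + psk
    return p_sha256(premaster, b"master secret" + client_random + server_random, 48)

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([i]), HASH).digest()
        out += t
        i += 1
    return out[:length]

def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446 section 7.1)."""
    full = b"tls13 " + label
    hkdf_label = length.to_bytes(2, "big") + bytes([len(full)]) + full + bytes([len(context)]) + context
    return hkdf_expand(secret, hkdf_label, length)

def tls13_psk_binder_key(psk: bytes, external: bool = True) -> bytes:
    """Early Secret = HKDF-Extract(0, PSK); binder_key = Derive-Secret(Early, label, "")."""
    early_secret = hkdf_extract(b"\x00" * HLEN, psk)
    label = b"ext binder" if external else b"res binder"
    return hkdf_expand_label(early_secret, label, HASH(b"").digest(), HLEN)

if __name__ == "__main__":
    psk = bytes.fromhex("0102030405060708090a0b0c0d0e0f10")  # constructed sample PSK
    cr, sr = b"\x11" * 32, b"\x22" * 32                        # constructed hello randoms
    print("TLS1.2 master secret:", tls12_psk_master_secret(psk, cr, sr).hex())
    print("TLS1.3 binder key   :", tls13_psk_binder_key(psk).hex())
```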
