diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 1adfe3e5f6..5fa5643225 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -4083,12 +4083,6 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
 return( ret );
 }
 
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- /* Opaque PSKs are currently only supported for PSK-only. */
- if( ssl_use_opaque_psk( ssl ) == 1 )
- return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
-#endif
-
 if( p != end )
 {
 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index bc2aa68807..46c6b76010 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -2207,21 +2207,6 @@ int main( int argc, char *argv[] )
 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
 if( opt.psk_opaque != 0 || opt.psk_list_opaque != 0 )
 {
- /* Ensure that the chosen ciphersuite is PSK-only; we must know
- * the ciphersuite in advance to set the correct policy for the
- * PSK key slot. This limitation might go away in the future. */
- if( ( ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_PSK &&
- ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_RSA_PSK &&
- ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) ||
- opt.min_version != MBEDTLS_SSL_MINOR_VERSION_3 )
- {
- mbedtls_printf( "opaque PSKs are only supported in conjunction \
- with forcing TLS 1.2 and a PSK-only, RSA-PSK, ECDHE-PSK \
- ciphersuites through the 'force_ciphersuite' option.\n" );
- ret = 2;
- goto usage;
- }
-
 /* Determine KDF algorithm the opaque PSK will be used in. */
 #if defined(MBEDTLS_SHA384_C)
 if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )