diff --git a/docs/driver-only-builds.md b/docs/driver-only-builds.md index 4095d8ee77..5d950b068d 100644 --- a/docs/driver-only-builds.md +++ b/docs/driver-only-builds.md @@ -277,6 +277,11 @@ The same holds for the associated algorithm: `[PSA_WANT|MBEDTLS_PSA_ACCEL]_ALG_FFDH` allow builds accelerating FFDH and removing builtin support (i.e. `MBEDTLS_DHM_C`). +Note that the PSA API only supports FFDH with RFC 7919 groups, whereas the +Mbed TLS legacy API supports custom groups. As a consequence, the TLS layer +of Mbed TLS only supports DHE cipher suites if built-in FFDH +(`MBEDTLS_DHM_C`) is present, even when `MBEDTLS_USE_PSA_CRYPTO` is enabled. + RSA --- diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 5b4deb6298..5193a3bd06 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -468,6 +468,12 @@ KNOWN_TASKS = { 'bignum.generated', 'bignum.misc', ], 'ignored_tests': { + 'ssl-opt': [ + # DHE support in TLS 1.2 requires built-in MBEDTLS_DHM_C + # (because it needs custom groups, which PSA does not + # provide), even with MBEDTLS_USE_PSA_CRYPTO. + re.compile(r'PSK callback:.*\bdhe-psk\b.*'), + ], 'test_suite_platform': [ # Incompatible with sanitizers (e.g. ASan). If the driver # component uses a sanitizer but the reference component