openssl – Is the ephemeral, authenticated and encrypted TLS-PSK protocol ready for commercial use?

I have a secure way to get a pre-shared key between my server and all the clients.

Is there a standard way readily available (in an OpenSSL version, for example) to use it to configure TLS-PSK with all these cool features?

  • Confidential
  • authenticated
  • Perfect secret before

I see TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA in RFC 5489, which looks as he checks these boxes. Verifying my installation of OpenSSL 1.1.1a (openssl digits -s -psk) I see ECDHE-PSK-AES-256-CBC-SHA.

Is this the correct cipher suite to use? Does it provide the features I need? Ideally, I want to configure OpenSSL at each end to allow only this suite of encryption, then each end provides the same PSK, and then the forwarding secret and authentication are perfect.

Since I've only ever used "traditional" TLS certificates with X509 certificates, I'm a bit out of my element.