hannestschofenig / mbedtls

An open source, portable, easy to use, readable and flexible SSL library
https://tls.mbed.org
Apache License 2.0

ssl-opt.sh fails with HRR test cases if we change the server peer to OpenSSL s_server #388

Closed xkqian closed 2 years ago

xkqian commented 2 years ago

There are two existing test cases for HRR in ssl-opt.sh, with both peers ssl_client and ssl_server. Both of them pass even if we change the cipher suite. But when we change the server peer from ssl_server to openssl s_server, it passes with cipher suite TLS_AES_128_GCM_SHA256, but fails with cipher suite TLS_AES_256_GCM_SHA384.

System information:

Latest code from branch: tls13-prototype

Steps to reproduce

Add the following commands into the ssl-opt.sh.

```sh
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
run_test    "TLS 1.3 O-M, TLS1-3-AES-256-GCM-SHA384 with ECDHE-ECDSA, SRV auth, HRR enforcing group" \
            "$O_SRV -msg -tls1_3 -ciphersuites TLS_AES_256_GCM_SHA384 -groups P-256 -num_tickets 0 -no_resume_ephemeral -no_cache" \
            "$P_CLI debug_level=4 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 tls13_kex_modes=ephemeral" \
            0 \
            -c "received HelloRetryRequest message" \
            -c "Protocol is TLSv1.3" \
            -c "Ciphersuite is TLS1-3-AES-256-GCM-SHA384" \
            -c "Verifying peer X.509 certificate... ok"
```