Bug 1656435 - Connections using TLS 1.3 and PSK fail for keys larger than 512 bits
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: openssl
Version: 29
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-12-05 14:01 UTC by Jakob Hirsch
Modified: 2019-03-15 14:45 UTC (History)

Last Closed: 2019-03-15 14:45:57 UTC
Type: Bug

Description Jakob Hirsch 2018-12-05 14:01:03 UTC
Description of problem:

TLS 1.3 was introduced with OpenSSL 1.1.1 and is used by default if the application 


Version-Release number of selected component (if applicable):

openssl-1.1.1-3.fc29.x86_64


How reproducible:

Always


Steps to Reproduce:
1. Start server with a key longer than 512 bits (here: 130 nibbles => 65 bytes => 520 bits)
    openssl s_server -accept 4433 -nocert -psk $(printf '%.sa' {1..130})
2. Try to connect 
    openssl s_client -connect :4433 -psk $(printf '%.sa' {1..130})
3. 


Actual results:

Server side:
Using default temp DH parameters
ACCEPT
ERROR
140164733306688:error:140940F4:SSL routines:ssl3_read_bytes:unexpected message:ssl/record/rec_layer_s3.c:1461:
shutting down SSL
CONNECTION CLOSED

Client side:
CONNECTED(00000004)
139953634740032:error:142120DB:SSL routines:tls_construct_ctos_early_data:bad psk:ssl/statem/extensions_clnt.c:752:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---


Expected results:

A successful connection.


Additional info:

The connection can be successfully established by simply reducing the PSK size to 128 hex chars (i.e. 512 bits).
It also works by disabling TLS 1.3 (-no_tls1_3 or -tls1_2) on the client side.

It also works with OpenSSL 1.1.1a (tried on an Arch Linux machine, sorry), so it's probably already fixed upstream; I could not find a matching issue there, though.
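
A regression sweep around the 512-bit boundary described in this report, as an added example that is not part of the original report or of OpenSSL: it repeats the report's s_server/s_client commands for several PSK sizes, with and without -no_tls1_3. The sizes swept, the one-second startup delay, the -naccept 1 server option and the helper names (psk_hex, psk_bits, probe, sweep) are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes openssl is on PATH and the
# loopback port below is free (4433 is the port used in the report).
PORT=${PORT:-4433}

# psk_hex BYTES -> PSK of BYTES bytes as 2*BYTES hex digits, all 'a'
# (same key material as the report's printf '%.sa' {1..130}).
psk_hex() {
    printf "%$(( $1 * 2 ))s" '' | tr ' ' 'a'
}

# psk_bits HEX -> key size in bits; fails on empty, odd-length or non-hex input.
psk_bits() {
    case $1 in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ $(( ${#1} % 2 )) -eq 0 ] || return 1
    echo $(( ${#1} * 4 ))
}

# probe BYTES [CLIENT_FLAG] -> prints "ok" or "FAIL" for one handshake.
probe() {
    key=$(psk_hex "$1")
    openssl s_server -accept "$PORT" -nocert -psk "$key" -naccept 1 >/dev/null 2>&1 &
    srv=$!
    sleep 1   # assumed startup delay for s_server
    # $2 is left unquoted on purpose so an absent flag expands to nothing.
    if out=$(openssl s_client -connect "127.0.0.1:$PORT" -psk "$key" $2 </dev/null 2>&1) &&
       ! printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo ok
    else
        echo FAIL
    fi
    kill "$srv" 2>/dev/null || true
    wait "$srv" 2>/dev/null || true
}

# sweep: sizes below, at and above the 64-byte (512-bit) boundary.
sweep() {
    for bytes in 32 64 65 128; do
        printf '%4s-bit PSK  default: %-4s  -no_tls1_3: %s\n' \
            "$(psk_bits "$(psk_hex "$bytes")")" \
            "$(probe "$bytes")" "$(probe "$bytes" -no_tls1_3)"
    done
}

# Run the sweep only when asked: sh psk_sweep.sh run
if [ "${1:-}" = run ]; then sweep; fi
```

On the affected build the report describes, the 520-bit and larger rows should show FAIL in the default column and ok with -no_tls1_3.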

