Thank you for your question, and I apologize for the delay in replying.
Your understanding is correct that mbedtls_ssl_config is a global structure and that mbedtls_ssl_context is a per-connection struct.
As mentioned in the function description:
* \note Currently clients can only register one pre-shared key.
* In other words, the servers' identity hint is ignored.
* Support for setting multiple PSKs on clients and selecting
* one based on the identity hint is not a planned feature but
* feedback is welcomed.
It is probably because the assumption was that a client would register only to one server using PSK.
Note that it is not recommended to modify the configuration while it is in use, as it may result in undefined behavior.
If your device is a server, you can use mbedtls_ssl_conf_psk_cb() so you can register your own callback for parsing the client identity hint and choose the relevant PSK accordingly.
If your device is a client, and you absolutely need to support several connections with servers using several PSKs, then the current solution is for you to have a separate mbedtls_ssl_config structure per connection. This is not optimal, obviously, and you may file an enhancement request in our GitHub repository to support server identity hint.
I hope this answers your question, and again, I apologize for the delay.
Mbed TLS Team member
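
The server-side option mentioned in the reply, as an added example (not code from the original post or from the Mbed TLS project): a length-safe lookup from the identity a client sends to its PSK, plus the glue for a callback registered with mbedtls_ssl_conf_psk_cb(). The table, the identities, the keys and the WITH_MBEDTLS build flag are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

struct psk_entry {
    const char *identity;        /* identity the client sends in the handshake */
    const unsigned char *key;
    size_t key_len;
};

/* Constructed sample keys; real keys belong in secure storage, not in source. */
static const unsigned char KEY_A[16] = { 0xA1, 0x02, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
                                         0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xF0, 0x01 };
static const unsigned char KEY_B[16] = { 0xB2, 0x13, 0x24, 0x35, 0x46, 0x57, 0x68, 0x79,
                                         0x8A, 0x9B, 0xAC, 0xBD, 0xCE, 0xDF, 0xE0, 0xF1 };
static const struct psk_entry PSK_TABLE[] = {
    { "sensor-01", KEY_A, sizeof KEY_A },
    { "sensor-02", KEY_B, sizeof KEY_B },
};

/* The identity arrives length-delimited and is NOT NUL-terminated, so the
 * length is compared first and memcmp() is used instead of strcmp().
 * Returns NULL for an unknown identity (including a mere prefix of a known one). */
const struct psk_entry *psk_lookup(const unsigned char *id, size_t id_len)
{
    for (size_t i = 0; i < sizeof PSK_TABLE / sizeof PSK_TABLE[0]; i++) {
        const struct psk_entry *e = &PSK_TABLE[i];
        if (strlen(e->identity) == id_len && memcmp(e->identity, id, id_len) == 0)
            return e;
    }
    return NULL;
}

#ifdef WITH_MBEDTLS  /* hypothetical flag: build the glue only when linking Mbed TLS */
#include "mbedtls/ssl.h"

/* PSK callback: installs the key on this handshake's context only, so the
 * shared mbedtls_ssl_config is never modified while it is in use. */
static int psk_cb(void *ctx, mbedtls_ssl_context *ssl,
                  const unsigned char *id, size_t id_len)
{
    (void) ctx;
    const struct psk_entry *e = psk_lookup(id, id_len);
    if (e == NULL)
        return -1;               /* any non-zero return denies the identity */
    return mbedtls_ssl_set_hs_psk(ssl, e->key, e->key_len);
}
/* Registration on the server config: mbedtls_ssl_conf_psk_cb(&conf, psk_cb, NULL); */
#endif
```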