MBEDTLS TLS1_3 AES_256_GCM_SHA384 PSK hash algo mismatch

Hello all,

I have a Problem with establishing a client server connection with mbedTls.
With the cipher suite MBEDTLS_TLS1_3_AES_128_GCM_SHA256 a 16 byte long PSK it works fine!
The code is running on an STM32

When I change the suite to MBEDTLS_TLS1_3_AES_256_GCM_SHA384 the ssl_tls13_select_ciphersuite_for_psk function returns an error: No matched ciphersuite


static int ssl_tls13_select_ciphersuite_for_psk(
mbedtls_ssl_context *ssl,
const unsigned char *cipher_suites,
const unsigned char *cipher_suites_end,
uint16_t *selected_ciphersuite,
const mbedtls_ssl_ciphersuite_t **selected_ciphersuite_info )
psa_algorithm_t psk_hash_alg = PSA_ALG_SHA_256;

*selected_ciphersuite = 0;
*selected_ciphersuite_info = NULL;

/* RFC 8446, page 55.
 * For externally established PSKs, the Hash algorithm MUST be set when the
 * PSK is established or default to SHA-256 if no such algorithm is defined.

 * Search for a matching ciphersuite
for ( const unsigned char *p = cipher_suites;
      p < cipher_suites_end; p += 2 )
    uint16_t cipher_suite;
    const mbedtls_ssl_ciphersuite_t *ciphersuite_info;

    cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
    ciphersuite_info = ssl_tls13_validate_peer_ciphersuite( ssl,
                                                            cipher_suite );
    if( ciphersuite_info == NULL )

    /* MAC of selected ciphersuite MUST be same with PSK binder if exist.
     * Otherwise, client should reject.
    if( psk_hash_alg == mbedtls_psa_translate_md( ciphersuite_info->mac ) )
        *selected_ciphersuite = cipher_suite;
        *selected_ciphersuite_info = ciphersuite_info;
        return( 0 );
MBEDTLS_SSL_DEBUG_MSG( 2, ( "No matched ciphersuite" ) );


at the start psk_hash_alg is set to PSA_ALG_SHA_256, but now i am using 384, so in the if statement it is mismatching…
Am I allowed to change this PSA_ALG_SHA_256 to PSA_ALG_SHA_384?

If no, how can I make this work?