Extended Master secret for TLS 1.3

Matt Caswell matt at openssl.org
Mon Aug 21 09:28:19 UTC 2023



On 18/08/2023 18:01, Manish Patidar wrote:
> Hi
> I am using OpenSSL 3.0.8.
> Need some info regarding Extended Master Secret extension.
> I have noticed this extension is used for TLS1.2 connection (TLS1.2 
> specific client and Generic server) but this extension is not used for 
> TLS1.3 connection (Generic client and Generic server). Confirmed by 
> using SSL_get_extms_support.
> 
> Does TLS1.3 support Extended Master Secret extension?

The Extended Master Secret extension is not relevant to TLSv1.3 and 
therefore a TLSv1.3 connection will not negotiate it.

However, arguably, the behaviour of SSL_get_extms_support is wrong due 
to this statement in RFC8446 (TLSv1.3):

Appendix D (Backwards Compatibility)

    TLS 1.2 and prior supported an "Extended Master Secret" [RFC7627]
    extension which digested large parts of the handshake transcript into
    the master secret.  Because TLS 1.3 always hashes in the transcript
    up to the server Finished, implementations which support both TLS 1.3
    and earlier versions SHOULD indicate the use of the Extended Master
    Secret extension in their APIs whenever TLS 1.3 is used.


So, SSL_get_extms_support() should perhaps return "true" in TLSv1.3 even 
though EMS wasn't actually negotiated. It might be too late to change 
this though.

Matt
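
An application-side policy check that follows the RFC 8446 Appendix D guidance quoted above, as an added example that is not part of the original message and is not OpenSSL's own code. The names ems_status, ems_classify, ems_policy_ok, ems_policy_ok_ssl and the EMS_EXAMPLE_WITH_OPENSSL build switch are hypothetical; the inputs are the values returned by SSL_version() and SSL_get_extms_support().

```c
#include <stdio.h>

/* Wire version of TLS 1.3 (RFC 8446); same value as OpenSSL's TLS1_3_VERSION. */
#define EX_TLS1_3_VERSION 0x0304

/* Hypothetical result type for this example. */
typedef enum { EMS_UNKNOWN = -1, EMS_ABSENT = 0,
               EMS_NEGOTIATED = 1, EMS_IMPLIED_TLS13 = 2 } ems_status;

/*
 * version:    value returned by SSL_version(ssl)
 * extms_flag: value returned by SSL_get_extms_support(ssl)
 *             (1 = EMS used, 0 = not used, -1 = handshake in progress)
 */
ems_status ems_classify(int version, long extms_flag)
{
    if (extms_flag < 0)
        return EMS_UNKNOWN;          /* no completed handshake yet */
    /* Equality, not >=: DTLS versions (0xFEFD, 0xFEFF) are numerically larger. */
    if (version == EX_TLS1_3_VERSION)
        return EMS_IMPLIED_TLS13;    /* RFC 8446 Appendix D */
    return extms_flag == 1 ? EMS_NEGOTIATED : EMS_ABSENT;
}

/* Policy: accept only sessions whose secrets are bound to the transcript. */
int ems_policy_ok(int version, long extms_flag)
{
    ems_status s = ems_classify(version, extms_flag);
    return s == EMS_NEGOTIATED || s == EMS_IMPLIED_TLS13;
}

#ifdef EMS_EXAMPLE_WITH_OPENSSL /* add -DEMS_EXAMPLE_WITH_OPENSSL -lssl -lcrypto */
#include <openssl/ssl.h>
int ems_policy_ok_ssl(SSL *ssl)
{
    return ems_policy_ok(SSL_version(ssl), SSL_get_extms_support(ssl));
}
#endif

int main(void)
{
    /* Constructed (version, flag) pairs, not captured from real connections. */
    printf("TLS 1.3,  flag 0  -> %d\n", ems_policy_ok(0x0304, 0));
    printf("TLS 1.2,  flag 1  -> %d\n", ems_policy_ok(0x0303, 1));
    printf("TLS 1.2,  flag 0  -> %d\n", ems_policy_ok(0x0303, 0));
    printf("DTLS 1.2, flag 0  -> %d\n", ems_policy_ok(0xFEFD, 0));
    return 0;
}
```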



