Extended Master secret for TLS 1.3
Manish Patidar
mann.patidar at gmail.com
Mon Aug 21 13:16:50 UTC 2023
Thanks Matt and Ben for clarifications on EMS.
I have further question on EMS.
1. For OpenSSL 3.0.8(in FIPS mode), which is FIPS140-2 certified, does EMS
is mandatory extension for TLS1.2 client/server.
As per my testing, it is not a mandatory extension.
2. For OpenSSL 3.1.x, which going for FIPS140-3 certification, does EMS
will become mandatory extension in FIPS mode ?
Why above question :
RHEL 9.2 have following warning for FIPS mode:
Warning
A RHEL 9.2 and later system running in FIPS mode enforces that any TLS 1.2
connection must use the Extended Master Secret (EMS) extension (RFC 7627)
as requires the FIPS 140-3 standard. Thus, legacy clients not supporting
EMS or TLS 1.3 cannot connect to RHEL 9 servers running in FIPS mode, RHEL
9 clients in FIPS mode cannot connect to servers that support only TLS 1.2
without EMS. See TLS Extension "Extended Master Secret" enforced with Red
Hat Enterprise Linux 9.2 <https://access.redhat.com/solutions/7018256>
For TLSv1. 2 client/server, Does EMS is mandatory for FIPS140-3 certified
crypto module?
Please find the below link for your reference :
https://access.redhat.com/solutions/7018256
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/security_hardening/index
RHEL 9.2
Regards
Manish
On Mon, 21 Aug 2023, 2:58 pm Matt Caswell, <matt at openssl.org> wrote:
>
>
> On 18/08/2023 18:01, Manish Patidar wrote:
> > Hi
> > I am using OpenSSL 3. 0.8.
> > Need some info regarding Extended Master Secret extension.
> > I have notice this extension is used for TLS1.2 connection (TLS1. 2
> > specific client and Generic server) but this extension is not used for
> > TLS1. 3 connection (Generic client and Generic server). Confirmed by
> > using SSL_get_extms_support.
> >
> > Does TLS1.3 supports Extended Master Secret extension?
>
> The Extended Master Secret extension is not relevant to TLSv1.3 and
> therefore a TLSv1.3 connection will not negotiate it.
>
> However, arguably, the behaviour of SSL_get_extms_support is wrong due
> to this statement in RFC8446 (TLSv1.3):
>
> Appendix D (Backwards Compatibility)
>
> TLS 1.2 and prior supported an "Extended Master Secret" [RFC7627]
> extension which digested large parts of the handshake transcript into
> the master secret. Because TLS 1.3 always hashes in the transcript
> up to the server Finished, implementations which support both TLS 1.3
> and earlier versions SHOULD indicate the use of the Extended Master
> Secret extension in their APIs whenever TLS 1.3 is used.
>
>
> So, SSL_get_extms_support() should perhaps return "true" in TLSv1.3 even
> though EMS wasn't actually negotiated. It might be too late to change
> this though.
>
> Matt
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20230821/1a1f196a/attachment.htm>
More information about the openssl-users
mailing list