Extended Master secret for TLS 1.3
Matt Caswell
matt at openssl.org
Mon Aug 21 14:01:20 UTC 2023
On 21/08/2023 14:16, Manish Patidar wrote:
> Thanks Matt and Ben for clarifications on EMS.
>
> I have further question on EMS.
> 1. For OpenSSL 3.0.8 (in FIPS mode), which is FIPS 140-2 certified, is
> EMS a mandatory extension for TLS1.2 clients/servers?
> As per my testing, it is not a mandatory extension.
>
> 2. For OpenSSL 3.1.x, which is going for FIPS 140-3 certification, will EMS
> become a mandatory extension in FIPS mode?
>
> Why above question :
>
> RHEL 9.2 has the following warning for FIPS mode:
> Warning
>
> A RHEL 9.2 and later system running in FIPS mode enforces that any TLS
> 1.2 connection must use the Extended Master Secret (EMS) extension (RFC
> 7627), as required by the FIPS 140-3 standard. Thus, legacy clients not
> supporting EMS or TLS 1.3 cannot connect to RHEL 9 servers running in
> FIPS mode, and RHEL 9 clients in FIPS mode cannot connect to servers that
> support only TLS 1.2 without EMS. See TLS Extension "Extended Master
> Secret" enforced with Red Hat Enterprise Linux 9.2
> <https://access.redhat.com/solutions/7018256>
>
> For TLSv1.2 clients/servers, is EMS mandatory for a FIPS 140-3
> certified crypto module?
In OpenSSL 3.1 there is a configuration option available to enforce EMS
in TLSv1.2 with the 3.1 FIPS module. See the -ems_check option on the
man page for fipsinstall here:
https://www.openssl.org/docs/man3.1/man1/openssl-fipsinstall.html
Also see this issue for further information on this:
https://github.com/openssl/openssl/issues/19989
Matt
>
> Regards
> Manish
>
>
>
> On Mon, 21 Aug 2023, 2:58 pm Matt Caswell <matt at openssl.org> wrote:
>
>
>
> On 18/08/2023 18:01, Manish Patidar wrote:
> > Hi
> > I am using OpenSSL 3.0.8.
> > Need some info regarding Extended Master Secret extension.
> > I have noticed this extension is used for TLS1.2 connections (TLS1.2
> > specific client and Generic server) but this extension is not used for
> > TLS1.3 connections (Generic client and Generic server). Confirmed by
> > using SSL_get_extms_support.
> >
> > Does TLS1.3 support the Extended Master Secret extension?
>
> The Extended Master Secret extension is not relevant to TLSv1.3 and
> therefore a TLSv1.3 connection will not negotiate it.
>
> However, arguably, the behaviour of SSL_get_extms_support is wrong due
> to this statement in RFC8446 (TLSv1.3):
>
> Appendix D (Backwards Compatibility)
>
>     TLS 1.2 and prior supported an "Extended Master Secret" [RFC7627]
>     extension which digested large parts of the handshake transcript into
>     the master secret. Because TLS 1.3 always hashes in the transcript
>     up to the server Finished, implementations which support both TLS 1.3
>     and earlier versions SHOULD indicate the use of the Extended Master
>     Secret extension in their APIs whenever TLS 1.3 is used.
>
>
> So, SSL_get_extms_support() should perhaps return "true" in TLSv1.3 even
> though EMS wasn't actually negotiated. It might be too late to change
> this though.
>
> Matt
>
>
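An added illustration of what the RFC 8446 passage quoted above refers to; this is not code from the thread or from OpenSSL. RFC 5246 derives the TLS 1.2 master secret from the pre-master secret and the two 32-byte randoms only, whereas RFC 7627 replaces the randoms with the session hash, the digest of the handshake transcript from ClientHello up to and including ClientKeyExchange. The PRF below is the TLS 1.2 P_SHA256 construction; the pre-master secret, randoms and transcripts are constructed sample values, not captures from a real handshake. Two handshakes that share randoms but differ in their transcripts yield the same legacy master secret and different extended master secrets, which is the binding that EMS adds and that TLS 1.3 gets from hashing the transcript into its key schedule.

```python
import hashlib
import hmac


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246 section 5: expand secret and seed to `length` bytes."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF for SHA-256 cipher suites: PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def session_hash(handshake_messages: bytes) -> bytes:
    """RFC 7627 section 4: hash of all handshake messages from ClientHello up to and
    including ClientKeyExchange, computed with the handshake (PRF) hash, SHA-256 here."""
    return hashlib.sha256(handshake_messages).digest()


def legacy_master_secret(pre_master_secret: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246 section 8.1: only the two randoms enter the derivation."""
    return prf(pre_master_secret, b"master secret", client_random + server_random, 48)


def extended_master_secret(pre_master_secret: bytes, handshake_messages: bytes) -> bytes:
    """RFC 7627 section 4: the transcript up to ClientKeyExchange enters via the session hash."""
    return prf(pre_master_secret, b"extended master secret", session_hash(handshake_messages), 48)


def compare_derivations() -> dict:
    """Derive both flavours of master secret for two handshakes that share the same
    pre-master secret and randoms but differ in the rest of their transcripts."""
    # Constructed sample values (not from a real handshake): a 48-byte RSA-style
    # pre-master secret starting with the 0x0303 version bytes, and two randoms.
    pre_master_secret = bytes([0x03, 0x03]) + bytes(range(46))
    client_random = bytes(range(32))
    server_random = bytes(range(32, 64))
    # Two transcripts that agree on both randoms but differ elsewhere (here, in the
    # certificate message), the situation RFC 7627 was written to rule out.
    common_prefix = b"ClientHello" + client_random + b"ServerHello" + server_random
    transcript_a = common_prefix + b"Certificate:A" + b"ClientKeyExchange"
    transcript_b = common_prefix + b"Certificate:B" + b"ClientKeyExchange"

    legacy_a = legacy_master_secret(pre_master_secret, client_random, server_random)
    legacy_b = legacy_master_secret(pre_master_secret, client_random, server_random)
    ems_a = extended_master_secret(pre_master_secret, transcript_a)
    ems_b = extended_master_secret(pre_master_secret, transcript_b)
    return {
        "legacy_identical": legacy_a == legacy_b,  # True: the transcript never enters the legacy derivation
        "ems_identical": ems_a == ems_b,           # False: the session hash binds the whole transcript
        "legacy_hex": legacy_a.hex(),
        "ems_a_hex": ems_a.hex(),
        "ems_b_hex": ems_b.hex(),
    }


if __name__ == "__main__":
    for key, value in compare_derivations().items():
        print(f"{key}: {value}")
```

Running the script prints the two comparison flags and the three 48-byte secrets as hex. Because the legacy derivation never sees the transcript, anything an attacker can change in the handshake without touching the randoms leaves the legacy master secret unchanged; with EMS, the master secret itself differs, which is also why an implementation that only reports the negotiated extension (as SSL_get_extms_support does today) under-reports the protection a TLS 1.3 connection already has.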