[openssl-users] No TLS Extended Master Secret Extension (RFC7627) support yet?

Igor Sverkos igor.sverkos at gmail.com
Wed Nov 11 21:53:46 UTC 2015


today I read [1] that Microsoft finally added support for TLS Extended
Master Secret Extension to their SSL implementation (SChannel).

The author was so kind to provide a test script [2] to check if your
own servers support TLS Extended Master Secret extension yet.

Looks like my servers don't support TLS Extended Master Secret
extension yet. This lead me to the question when OpenSSL will add
support for this extensions or if it is my fault. I am using

  nginx/1.9.6 build against OpenSSL 1.0.2d 9 Jul 2015

from source.

Looks like there was already a contribution [3] which was already
reviewed in some ways [4].

Any status update would be nice.

[1] http://www.tripwire.com/state-of-security/security-data-protection/security-hardening/tls-extended-master-secret-extension-fixing-a-hole-in-tls/

[2] https://github.com/Tripwire-VERT/TLS_Extended_Master_Checker

[3] https://github.com/alfredopironti/openssl/commit/5339db9ec81727456f7edb86aab186e7deefe819

[4] http://openssl.6102.n7.nabble.com/PATCH-Fix-for-Triple-Handshake-attacks-via-extended-master-secret-td50058.html


More information about the openssl-users mailing list