Extended Master secret for TLS 1.3

Benjamin Kaduk bkaduk at akamai.com
Fri Aug 18 17:15:36 UTC 2023

On Fri, Aug 18, 2023 at 10:31:54PM +0530, Manish Patidar wrote:
>    Hi
>    I am using OpenSSL 3. 0.8.
>    Need some info regarding Extended Master Secret extension. 
>    I have notice this extension is used for TLS1.2 connection (TLS1. 2 
>    specific client and Generic server) but this extension is not used for
>    TLS1. 3 connection (Generic client and Generic server). Confirmed by using
>    SSL_get_extms_support. 
>    Does TLS1.3 supports Extended Master Secret extension? 

The extended master secret extension is not used for TLS 1.3 because the
corresponding functionality is already integrated in TLS 1.3 by default.
This is why RFC 8446 says:

   TLS 1.2 and prior supported an "Extended Master Secret" [RFC7627]
   extension which digested large parts of the handshake transcript into
   the master secret.  Because TLS 1.3 always hashes in the transcript
   up to the server Finished, implementations which support both TLS 1.3
   and earlier versions SHOULD indicate the use of the Extended Master
   Secret extension in their APIs whenever TLS 1.3 is used.


More information about the openssl-users mailing list