Extended Master secret for TLS 1.3

Matt Caswell matt at openssl.org
Mon Aug 21 09:28:19 UTC 2023

On 18/08/2023 18:01, Manish Patidar wrote:
> Hi
> I am using OpenSSL 3. 0.8.
> Need some info regarding Extended Master Secret extension.
> I have notice this extension is used for TLS1.2 connection (TLS1. 2  
> specific client and Generic server) but this extension is not used for 
> TLS1. 3 connection (Generic client and Generic server). Confirmed by 
> using SSL_get_extms_support.
> Does TLS1.3 supports Extended Master Secret extension?

The Extended Master Secret extension is not relevant to TLSv1.3 and 
therefore a TLSv1.3 connection will not negotiate it.

However, arguably, the behaviour of SSL_get_extms_support is wrong due 
to this statement in RFC8446 (TLSv1.3):

Appendix D (Backwards Compatibility)

    TLS 1.2 and prior supported an "Extended Master Secret" [RFC7627]
    extension which digested large parts of the handshake transcript into
    the master secret.  Because TLS 1.3 always hashes in the transcript
    up to the server Finished, implementations which support both TLS 1.3
    and earlier versions SHOULD indicate the use of the Extended Master
    Secret extension in their APIs whenever TLS 1.3 is used.

So, SSL_get_extms_support() should perhaps return "true" in TLSv1.3 even 
though EMS wasn't actually negotiated. It might be too late to change 
this though.


More information about the openssl-users mailing list