Extended Master secret for TLS 1.3
mann.patidar at gmail.com
Mon Aug 21 13:16:50 UTC 2023
Thanks Matt and Ben for clarifications on EMS.
I have further question on EMS.
1. For OpenSSL 3.0.8 (in FIPS mode), which is FIPS 140-2 certified, is EMS
a mandatory extension for TLS1.2 client/server?
As per my testing, it is not a mandatory extension.
2. For OpenSSL 3.1.x, which is going for FIPS 140-3 certification, will EMS
become a mandatory extension in FIPS mode?
Why the above question:
RHEL 9.2 has the following warning for FIPS mode:
A RHEL 9.2 and later system running in FIPS mode enforces that any TLS 1.2
connection must use the Extended Master Secret (EMS) extension (RFC 7627)
as required by the FIPS 140-3 standard. Thus, legacy clients not supporting
EMS or TLS 1.3 cannot connect to RHEL 9 servers running in FIPS mode, and RHEL
9 clients in FIPS mode cannot connect to servers that support only TLS 1.2
without EMS. See TLS Extension "Extended Master Secret" enforced with Red
Hat Enterprise Linux 9.2 <https://access.redhat.com/solutions/7018256>
For TLSv1.2 client/server, is EMS mandatory for FIPS 140-3 certified
Please find the below link for your reference:
On Mon, 21 Aug 2023, 2:58 pm Matt Caswell, <matt at openssl.org> wrote:
> On 18/08/2023 18:01, Manish Patidar wrote:
> > Hi
> > I am using OpenSSL 3.0.8.
> > Need some info regarding the Extended Master Secret extension.
> > I have noticed this extension is used for a TLS1.2 connection (TLS1.2
> > specific client and generic server) but this extension is not used for
> > a TLS1.3 connection (generic client and generic server). Confirmed by
> > using SSL_get_extms_support.
> > Does TLS1.3 support the Extended Master Secret extension?
> The Extended Master Secret extension is not relevant to TLSv1.3 and
> therefore a TLSv1.3 connection will not negotiate it.
> However, arguably, the behaviour of SSL_get_extms_support is wrong due
> to this statement in RFC8446 (TLSv1.3):
> Appendix D (Backwards Compatibility)
> TLS 1.2 and prior supported an "Extended Master Secret" [RFC7627]
> extension which digested large parts of the handshake transcript into
> the master secret. Because TLS 1.3 always hashes in the transcript
> up to the server Finished, implementations which support both TLS 1.3
> and earlier versions SHOULD indicate the use of the Extended Master
> Secret extension in their APIs whenever TLS 1.3 is used.
> So, SSL_get_extms_support() should perhaps return "true" in TLSv1.3 even
> though EMS wasn't actually negotiated. It might be too late to change
> this though.
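The RHEL note quoted above means a FIPS 140-3 server will reject TLS 1.2 clients that do not offer extended_master_secret and also cannot do TLS 1.3. A quick way to find out which of your legacy clients are affected, without waiting for handshake failures, is to look at the ClientHello they send. The following is an added example written for this thread, not code from the thread or from OpenSSL: it parses a raw ClientHello record, checks for the extended_master_secret extension (type 23, RFC 7627) and for TLS 1.3 in supported_versions (type 43, RFC 8446), and classifies the client the way the RHEL policy would. The three sample ClientHellos are constructed inline so the script runs offline; the cipher suite and signature_algorithms bytes in them are arbitrary filler.

```python
import struct

# Extension type codes from the RFCs referenced in the thread
EXT_EXTENDED_MASTER_SECRET = 0x0017   # RFC 7627
EXT_SUPPORTED_VERSIONS = 0x002B       # RFC 8446
TLS13 = 0x0304
TLS12 = 0x0303


def parse_client_hello(record: bytes) -> dict:
    """Parse a TLS record carrying a ClientHello (real or captured bytes).

    Returns the legacy_version, the list of extension types offered, the
    versions listed in supported_versions (if any) and an EMS flag.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")

    pos = 0
    legacy_version = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    pos += 32                                   # client random
    pos += 1 + hello[pos]                       # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hello[pos]                       # compression_methods

    ext_types, supported_versions = [], []
    if pos < len(hello):                        # extensions block is optional
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            ext_types.append(etype)
            if etype == EXT_SUPPORTED_VERSIONS and elen >= 1:
                n = edata[0]                    # 1-byte length of the version list
                supported_versions = [
                    struct.unpack("!H", edata[1 + i:3 + i])[0] for i in range(0, n, 2)
                ]
    return {
        "legacy_version": legacy_version,
        "extensions": ext_types,
        "supported_versions": supported_versions,
        "has_ems": EXT_EXTENDED_MASTER_SECRET in ext_types,
    }


def ems_assessment(record: bytes) -> str:
    """Classify a client as a FIPS 140-3 EMS-enforcing server would see it."""
    info = parse_client_hello(record)
    if TLS13 in info["supported_versions"]:
        return "tls13-capable"      # transcript is always bound; EMS not needed
    if info["has_ems"]:
        return "tls12-ems"          # acceptable TLS 1.2 client
    return "tls12-no-ems"           # will be rejected by the RHEL 9.2 FIPS policy


def build_client_hello(extensions: list) -> bytes:
    """Assemble a minimal, syntactically valid ClientHello (constructed sample)."""
    client_random = bytes(range(32))            # fixed filler, not a real random
    cipher_suites = b"\xc0\x2f\xc0\x30"         # arbitrary filler suites
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    hello = (struct.pack("!H", TLS12) + client_random + b"\x00"
             + struct.pack("!H", len(cipher_suites)) + cipher_suites
             + b"\x01\x00" + struct.pack("!H", len(ext_body)) + ext_body)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: a legacy TLS 1.2 client (signature_algorithms only),
# a TLS 1.2 client offering EMS, and a client offering TLS 1.3 and 1.2.
LEGACY_HELLO = build_client_hello([(0x000D, b"\x00\x02\x04\x01")])
EMS_HELLO = build_client_hello([(EXT_EXTENDED_MASTER_SECRET, b"")])
TLS13_HELLO = build_client_hello([(EXT_SUPPORTED_VERSIONS, b"\x04\x03\x04\x03\x03")])

if __name__ == "__main__":
    for name, rec in (("legacy", LEGACY_HELLO), ("ems", EMS_HELLO), ("tls13", TLS13_HELLO)):
        print(f"{name:7s} -> {ems_assessment(rec)}")
```

Feed a captured ClientHello record (for example the bytes of the first client packet from a pcap) to ems_assessment() and a result of "tls12-no-ems" identifies a client that needs an upgrade before the server side moves to FIPS 140-3 enforcement.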