Extended Master secret for TLS 1.3

Manish Patidar mann.patidar at gmail.com
Mon Aug 21 13:16:50 UTC 2023

Thanks Matt and Ben for clarifications on EMS.

I have further question on EMS.
1. For OpenSSL 3.0.8(in FIPS mode), which is FIPS140-2 certified, does EMS
is mandatory extension for TLS1.2 client/server.

As per my testing, it is not a mandatory extension.

2. For OpenSSL 3.1.x, which going for FIPS140-3 certification,  does EMS
will become mandatory extension in FIPS mode ?

Why above question :

RHEL 9.2 have following warning for FIPS mode:

A RHEL 9.2 and later system running in FIPS mode enforces that any TLS 1.2
connection must use the Extended Master Secret (EMS) extension (RFC 7627)
as requires the FIPS 140-3 standard. Thus, legacy clients not supporting
EMS or TLS 1.3 cannot connect to RHEL 9 servers running in FIPS mode, RHEL
9 clients in FIPS mode cannot connect to servers that support only TLS 1.2
without EMS. See TLS Extension "Extended Master Secret" enforced with Red
Hat Enterprise Linux 9.2 <https://access.redhat.com/solutions/7018256>

For TLSv1. 2 client/server, Does EMS is mandatory for FIPS140-3 certified
crypto module?
Please find the below link for your reference :
RHEL 9.2


On Mon, 21 Aug 2023, 2:58 pm Matt Caswell, <matt at openssl.org> wrote:

> On 18/08/2023 18:01, Manish Patidar wrote:
> > Hi
> > I am using OpenSSL 3. 0.8.
> > Need some info regarding Extended Master Secret extension.
> > I have notice this extension is used for TLS1.2 connection (TLS1. 2
> > specific client and Generic server) but this extension is not used for
> > TLS1. 3 connection (Generic client and Generic server). Confirmed by
> > using SSL_get_extms_support.
> >
> > Does TLS1.3 supports Extended Master Secret extension?
> The Extended Master Secret extension is not relevant to TLSv1.3 and
> therefore a TLSv1.3 connection will not negotiate it.
> However, arguably, the behaviour of SSL_get_extms_support is wrong due
> to this statement in RFC8446 (TLSv1.3):
> Appendix D (Backwards Compatibility)
>     TLS 1.2 and prior supported an "Extended Master Secret" [RFC7627]
>     extension which digested large parts of the handshake transcript into
>     the master secret.  Because TLS 1.3 always hashes in the transcript
>     up to the server Finished, implementations which support both TLS 1.3
>     and earlier versions SHOULD indicate the use of the Extended Master
>     Secret extension in their APIs whenever TLS 1.3 is used.
> So, SSL_get_extms_support() should perhaps return "true" in TLSv1.3 even
> though EMS wasn't actually negotiated. It might be too late to change
> this though.
> Matt
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20230821/1a1f196a/attachment.htm>

More information about the openssl-users mailing list