On 18/08/2023 18:01, Manish Patidar wrote:
Hi
I am using OpenSSL 3. 0.8.
Need some info regarding Extended Master Secret extension.
I have notice this extension is used for TLS1.2 connection (TLS1. 2
specific client and Generic server) but this extension is not used for
TLS1. 3 connection (Generic client and Generic server). Confirmed by
using SSL_get_extms_support.
Does TLS1.3 supports Extended Master Secret extension?
The Extended Master Secret extension is not relevant to TLSv1.3 and
therefore a TLSv1.3 connection will not negotiate it.
However, arguably, the behaviour of SSL_get_extms_support is wrong due
to this statement in RFC8446 (TLSv1.3):
Appendix D (Backwards Compatibility)
TLS 1.2 and prior supported an "Extended Master Secret" [RFC7627]
extension which digested large parts of the handshake transcript into
the master secret. Because TLS 1.3 always hashes in the transcript
up to the server Finished, implementations which support both TLS 1.3
and earlier versions SHOULD indicate the use of the Extended Master
Secret extension in their APIs whenever TLS 1.3 is used.
So, SSL_get_extms_support() should perhaps return "true" in TLSv1.3 even
though EMS wasn't actually negotiated. It might be too late to change
this though.
Matt
