On 21/08/2023 14:16, Manish Patidar wrote:
Thanks Matt and Ben for clarifications on EMS.
I have further question on EMS.
1. For OpenSSL 3.0.8(in FIPS mode), which is FIPS140-2 certified, does
EMS is mandatory extension for TLS1.2 client/server.
As per my testing, it is not a mandatory extension.
2. For OpenSSL 3.1.x, which going for FIPS140-3 certification, does EMS
will become mandatory extension in FIPS mode ?
Why above question :
RHEL 9.2 have following warning for FIPS mode:
Warning
A RHEL 9.2 and later system running in FIPS mode enforces that any TLS
1.2 connection must use the Extended Master Secret (EMS) extension (RFC
7627) as requires the FIPS 140-3 standard. Thus, legacy clients not
supporting EMS or TLS 1.3 cannot connect to RHEL 9 servers running in
FIPS mode, RHEL 9 clients in FIPS mode cannot connect to servers that
support only TLS 1.2 without EMS. See TLS Extension "Extended Master
Secret" enforced with Red Hat Enterprise Linux 9.2
<https://access.redhat.com/solutions/7018256>
For TLSv1. 2 client/server, Does EMS is mandatory for FIPS140-3
certified crypto module?
In OpenSSL 3.1 there is a configuration option available to enforce EMS
in TLSv1.2 with the 3.1 FIPS module. See the -ems_check option on the
man page for fipsinstall here:
https://www.openssl.org/docs/man3.1/man1/openssl-fipsinstall.html
Also see this issue for further information on this:
https://github.com/openssl/openssl/issues/19989
Matt
Regards
Manish
On Mon, 21 Aug 2023, 2:58 pm Matt Caswell, <matt@xxxxxxxxxxx
<mailto:matt@xxxxxxxxxxx>> wrote:
On 18/08/2023 18:01, Manish Patidar wrote:
> Hi
> I am using OpenSSL 3. 0.8.
> Need some info regarding Extended Master Secret extension.
> I have notice this extension is used for TLS1.2 connection (TLS1. 2
> specific client and Generic server) but this extension is not
used for
> TLS1. 3 connection (Generic client and Generic server). Confirmed by
> using SSL_get_extms_support.
>
> Does TLS1.3 supports Extended Master Secret extension?
The Extended Master Secret extension is not relevant to TLSv1.3 and
therefore a TLSv1.3 connection will not negotiate it.
However, arguably, the behaviour of SSL_get_extms_support is wrong due
to this statement in RFC8446 (TLSv1.3):
Appendix D (Backwards Compatibility)
TLS 1.2 and prior supported an "Extended Master Secret" [RFC7627]
extension which digested large parts of the handshake
transcript into
the master secret. Because TLS 1.3 always hashes in the transcript
up to the server Finished, implementations which support both
TLS 1.3
and earlier versions SHOULD indicate the use of the Extended Master
Secret extension in their APIs whenever TLS 1.3 is used.
So, SSL_get_extms_support() should perhaps return "true" in TLSv1.3
even
though EMS wasn't actually negotiated. It might be too late to change
this though.
Matt
