Back to bug 2157951
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Red Hat Bugzilla | 2023-01-03 17:03:40 UTC | Pool ID | sst_security_crypto_rhel_9 | |
| Red Hat One Jira (issues.redhat.com) | 2023-01-03 17:05:03 UTC | Link ID | Red Hat Issue Tracker RHELPLAN-143562 | |
| Hubert Kario | 2023-01-03 17:24:10 UTC | Summary | Allow requiring EMS in TLS 1.2, default to it when in FIPS mode | Support requiring EMS in TLS 1.2, default to it when in FIPS mode |
| Dmitry Belyavskiy | 2023-01-13 17:07:59 UTC | Keywords | Triaged | |
| | | Priority | unspecified | medium |
| | | Severity | unspecified | medium |
| Red Hat One Jira (issues.redhat.com) | 2023-01-13 17:08:55 UTC | Link ID | Red Hat Issue Tracker CRYPTO-9271 | |
| Dmitry Belyavskiy | 2023-02-14 17:14:20 UTC | Link ID | Github openssl/openssl/pull/20241 | |
| Hubert Kario | 2023-03-02 16:57:55 UTC | QA Contact | qe-baseos-security | hkario |
| Clemens Lang | 2023-03-06 16:58:52 UTC | Flags | needinfo?(ssorce) | |
| | | CC | ssorce | |
| Simo Sorce | 2023-03-06 17:46:14 UTC | Flags | needinfo?(ssorce) | |
| Dmitry Belyavskiy | 2023-04-17 11:34:52 UTC | Status | NEW | MODIFIED |
| errata-xmlrpc | 2023-04-18 14:54:21 UTC | Fixed In Version | openssl-3.0.7-13.el9_2 | |
| | | Status | MODIFIED | ON_QA |
| RHEL Program Management Team | 2023-04-19 15:09:37 UTC | Blocks | 2188046 | |
| RHEL Program Management Team | 2023-04-19 15:09:39 UTC | Keywords | ZStream | |
| Hubert Kario | 2023-05-11 18:40:40 UTC | Fixed In Version | openssl-3.0.7-13.el9_2 | openssl-3.0.7-16.el9 |
| | | Status | ON_QA | VERIFIED |
| Filip Hanzelka | 2023-06-19 12:19:17 UTC | CC | fhanzelk | |
| | | Doc Text | .The `Extended Master Secret` TLS Extension is now enforced on FIPS-enabled systems With this update, the TLS `Extended Master Secret` extension (EMS - RFC7627) extension is mandatory for TLS 1.2 connections on FIPS enabled RHEL 9.2 systems. This is in accordance with the upcoming FIPS-140-3 requirements. TLS 1.3 is not affected. Legacy clients that do not support EMS or TLS 1.3 now cannot connect to FIPS servers running on RHEL 9.2. Similarly, RHEL 9.2 clients in FIPS mode cannot connect to servers that only support TLS 1.2 without EMS. This in practice means that these clients cannot connect to servers on RHEL 6, RHEL 7 and non-RHEL legacy operating systems. This is because the legacy 1.0.x versions of OpenSSL do not support EMS or TLS 1.3. For more information, see link:https://access.redhat.com/solutions/7018256[TLS Extension "Extended Master Secret" enforced with Red Hat Enterprise Linux 9.2]. | |
| Filip Hanzelka | 2023-06-21 14:45:25 UTC | Doc Text | .The `Extended Master Secret` TLS Extension is now enforced on FIPS-enabled systems With this update, the TLS `Extended Master Secret` extension (EMS - RFC7627) extension is mandatory for TLS 1.2 connections on FIPS enabled RHEL 9.2 systems. This is in accordance with the upcoming FIPS-140-3 requirements. TLS 1.3 is not affected. Legacy clients that do not support EMS or TLS 1.3 now cannot connect to FIPS servers running on RHEL 9.2. Similarly, RHEL 9.2 clients in FIPS mode cannot connect to servers that only support TLS 1.2 without EMS. This in practice means that these clients cannot connect to servers on RHEL 6, RHEL 7 and non-RHEL legacy operating systems. This is because the legacy 1.0.x versions of OpenSSL do not support EMS or TLS 1.3. For more information, see link:https://access.redhat.com/solutions/7018256[TLS Extension "Extended Master Secret" enforced with Red Hat Enterprise Linux 9.2]. | .The `Extended Master Secret` TLS Extension is now enforced on FIPS-enabled systems With this update, the TLS `Extended Master Secret` extension (EMS - RFC7627) extension is mandatory for TLS 1.2 connections on FIPS-enabled RHEL 9 systems. This is in accordance with the upcoming FIPS-140-3 requirements. TLS 1.3 is not affected. Legacy clients that do not support EMS or TLS 1.3 now cannot connect to FIPS servers running on RHEL 9. Similarly, RHEL 9 clients in FIPS mode cannot connect to servers that only support TLS 1.2 without EMS. This in practice means that these clients cannot connect to servers on RHEL 6, RHEL 7 and non-RHEL legacy operating systems. This is because the legacy 1.0.x versions of OpenSSL do not support EMS or TLS 1.3. For more information, see link:https://access.redhat.com/solutions/7018256[TLS Extension "Extended Master Secret" enforced with Red Hat Enterprise Linux 9.2]. |
| Mirek Jahoda | 2023-06-22 07:17:48 UTC | Docs Contact | fhanzelk | |
| | | CC | mjahoda | |
| Richard W.M. Jones | 2023-06-30 07:51:59 UTC | Blocks | 2218721 | |
| Richard W.M. Jones | 2023-06-30 07:54:34 UTC | CC | rjones | |
| Mirek Jahoda | 2023-07-04 09:28:51 UTC | Doc Text | .The `Extended Master Secret` TLS Extension is now enforced on FIPS-enabled systems With this update, the TLS `Extended Master Secret` extension (EMS - RFC7627) extension is mandatory for TLS 1.2 connections on FIPS-enabled RHEL 9 systems. This is in accordance with the upcoming FIPS-140-3 requirements. TLS 1.3 is not affected. Legacy clients that do not support EMS or TLS 1.3 now cannot connect to FIPS servers running on RHEL 9. Similarly, RHEL 9 clients in FIPS mode cannot connect to servers that only support TLS 1.2 without EMS. This in practice means that these clients cannot connect to servers on RHEL 6, RHEL 7 and non-RHEL legacy operating systems. This is because the legacy 1.0.x versions of OpenSSL do not support EMS or TLS 1.3. For more information, see link:https://access.redhat.com/solutions/7018256[TLS Extension "Extended Master Secret" enforced with Red Hat Enterprise Linux 9.2]. | .The `Extended Master Secret` TLS Extension is now enforced on FIPS-enabled systems With the release of the link:https://access.redhat.com/errata/RHSA-2023:3722[RHSA-2023:3722] advisory, the TLS `Extended Master Secret` (EMS) extension (RFC 7627) is mandatory for TLS 1.2 connections on FIPS-enabled RHEL 9 systems. This is in accordance with FIPS-140-3 requirements. TLS 1.3 is not affected. Legacy clients that do not support EMS or TLS 1.3 now cannot connect to FIPS servers running on RHEL 9. Similarly, RHEL 9 clients in FIPS mode cannot connect to servers that only support TLS 1.2 without EMS. This in practice means that these clients cannot connect to servers on RHEL 6, RHEL 7 and non-RHEL legacy operating systems. This is because the legacy 1.0.x versions of OpenSSL do not support EMS or TLS 1.3. For more information, see link:https://access.redhat.com/solutions/7018256[TLS Extension "Extended Master Secret" enforced with Red Hat Enterprise Linux 9.2]. |
| Arik | 2023-07-23 12:03:24 UTC | CC | ahadas | |
| Arik | 2023-07-23 14:53:00 UTC | Flags | needinfo?(joschrod) | |
| | | CC | joschrod | |
| Arik | 2023-07-24 10:18:39 UTC | Flags | needinfo?(cllang) | |
| Clemens Lang | 2023-07-24 11:04:32 UTC | Flags | needinfo?(cllang) | |
| Arik | 2023-07-24 11:48:17 UTC | Flags | needinfo?(joschrod) | |
| Arik | 2023-07-25 07:32:06 UTC | Flags | needinfo?(anarnold) | |
| | | CC | anarnold | |
| Arik | 2023-07-25 07:32:18 UTC | Flags | needinfo?(anarnold) | |