Back to bug 2188046
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Red Hat Bugzilla | 2023-04-19 15:09:37 UTC | Pool ID | sst_security_crypto_rhel_9 | |
| Red Hat One Jira (issues.redhat.com) | 2023-04-19 15:10:10 UTC | Link ID | Red Hat Issue Tracker CRYPTO-10363 | |
| Red Hat One Jira (issues.redhat.com) | 2023-04-19 15:10:20 UTC | Link ID | Red Hat Issue Tracker RHELPLAN-155221 | |
| Dmitry Belyavskiy | 2023-04-19 15:11:41 UTC | Status | NEW | ON_QA |
| Hubert Kario | 2023-04-19 15:35:31 UTC | QA Contact | qe-baseos-security | hkario |
| | | CC | hkario | |
| Hubert Kario | 2023-05-05 10:17:47 UTC | Status | ON_QA | ASSIGNED |
| Hubert Kario | 2023-05-23 18:06:48 UTC | Status | ASSIGNED | ON_QA |
| Hubert Kario | 2023-05-26 12:41:12 UTC | Status | ON_QA | VERIFIED |
| Filip Hanzelka | 2023-06-19 12:17:56 UTC | Doc Text | .The `Extended Master Secret` TLS Extension is now enforced on FIPS-enabled systems With this update, the TLS `Extended Master Secret` extension (EMS - RFC7627) extension is mandatory for TLS 1.2 connections on FIPS enabled RHEL 9.2 systems. This is in accordance with the upcoming FIPS-140-3 requirements. TLS 1.3 is not affected. Legacy clients that do not support EMS or TLS 1.3 now cannot connect to FIPS servers running on RHEL 9.2. Similarly, RHEL 9.2 clients in FIPS mode cannot connect to servers that only support TLS 1.2 without EMS. This in practice means that these clients cannot connect to servers on RHEL 6, RHEL 7 and non-RHEL legacy operating systems. This is because the legacy 1.0.x versions of OpenSSL do not support EMS or TLS 1.3. For more information, see link:https://access.redhat.com/solutions/7018256[TLS Extension "Extended Master Secret" enforced with Red Hat Enterprise Linux 9.2]. | |
| | | Doc Type | If docs needed, set a value | Enhancement |
| | | CC | fhanzelk | |
| Filip Hanzelka | 2023-06-19 14:15:08 UTC | Doc Text | .The `Extended Master Secret` TLS Extension is now enforced on FIPS-enabled systems With this update, the TLS `Extended Master Secret` extension (EMS - RFC7627) extension is mandatory for TLS 1.2 connections on FIPS enabled RHEL 9.2 systems. This is in accordance with the upcoming FIPS-140-3 requirements. TLS 1.3 is not affected. Legacy clients that do not support EMS or TLS 1.3 now cannot connect to FIPS servers running on RHEL 9.2. Similarly, RHEL 9.2 clients in FIPS mode cannot connect to servers that only support TLS 1.2 without EMS. This in practice means that these clients cannot connect to servers on RHEL 6, RHEL 7 and non-RHEL legacy operating systems. This is because the legacy 1.0.x versions of OpenSSL do not support EMS or TLS 1.3. For more information, see link:https://access.redhat.com/solutions/7018256[TLS Extension "Extended Master Secret" enforced with Red Hat Enterprise Linux 9.2]. | .The `Extended Master Secret` TLS Extension is now enforced on FIPS-enabled systems With this update, the TLS `Extended Master Secret` extension (EMS - RFC7627) extension is mandatory for TLS 1.2 connections on FIPS-enabled RHEL 9.2 systems. This is in accordance with the upcoming FIPS-140-3 requirements. TLS 1.3 is not affected. Legacy clients that do not support EMS or TLS 1.3 now cannot connect to FIPS servers running on RHEL 9.2. Similarly, RHEL 9.2 clients in FIPS mode cannot connect to servers that only support TLS 1.2 without EMS. This in practice means that these clients cannot connect to servers on RHEL 6, RHEL 7 and non-RHEL legacy operating systems. This is because the legacy 1.0.x versions of OpenSSL do not support EMS or TLS 1.3. For more information, see link:https://access.redhat.com/solutions/7018256[TLS Extension "Extended Master Secret" enforced with Red Hat Enterprise Linux 9.2]. |
| errata-xmlrpc | 2023-06-21 00:08:17 UTC | Status | VERIFIED | RELEASE_PENDING |
| Filip Hanzelka | 2023-06-21 14:17:17 UTC | Doc Text | .The `Extended Master Secret` TLS Extension is now enforced on FIPS-enabled systems With this update, the TLS `Extended Master Secret` extension (EMS - RFC7627) extension is mandatory for TLS 1.2 connections on FIPS-enabled RHEL 9.2 systems. This is in accordance with the upcoming FIPS-140-3 requirements. TLS 1.3 is not affected. Legacy clients that do not support EMS or TLS 1.3 now cannot connect to FIPS servers running on RHEL 9.2. Similarly, RHEL 9.2 clients in FIPS mode cannot connect to servers that only support TLS 1.2 without EMS. This in practice means that these clients cannot connect to servers on RHEL 6, RHEL 7 and non-RHEL legacy operating systems. This is because the legacy 1.0.x versions of OpenSSL do not support EMS or TLS 1.3. For more information, see link:https://access.redhat.com/solutions/7018256[TLS Extension "Extended Master Secret" enforced with Red Hat Enterprise Linux 9.2]. | .The `Extended Master Secret` TLS Extension is now enforced on FIPS-enabled systems With the release of the link:https://access.redhat.com/errata/RHSA-2023:3722[RHSA-2023:3722] advisory, the TLS `Extended Master Secret` extension (EMS - RFC7627) extension is mandatory for TLS 1.2 connections on FIPS-enabled RHEL 9 systems. This is in accordance with the upcoming FIPS-140-3 requirements. TLS 1.3 is not affected. Legacy clients that do not support EMS or TLS 1.3 now cannot connect to FIPS servers running on RHEL 9. Similarly, RHEL 9 clients in FIPS mode cannot connect to servers that only support TLS 1.2 without EMS. This in practice means that these clients cannot connect to servers on RHEL 6, RHEL 7 and non-RHEL legacy operating systems. This is because the legacy 1.0.x versions of OpenSSL do not support EMS or TLS 1.3. For more information, see link:https://access.redhat.com/solutions/7018256[TLS Extension "Extended Master Secret" enforced with Red Hat Enterprise Linux 9.2]. |
| errata-xmlrpc | 2023-06-21 14:39:51 UTC | Resolution | --- | ERRATA |
| | | Status | RELEASE_PENDING | CLOSED |
| | | Last Closed | 2023-06-21 14:39:51 UTC | |
| errata-xmlrpc | 2023-06-21 14:40:39 UTC | Link ID | Red Hat Product Errata RHSA-2023:3722 | |
| Mirek Jahoda | 2023-06-22 07:17:54 UTC | CC | mjahoda | |
| | | Docs Contact | fhanzelk | |
| Filip Hanzelka | 2023-06-26 07:09:23 UTC | Doc Text | .The `Extended Master Secret` TLS Extension is now enforced on FIPS-enabled systems With the release of the link:https://access.redhat.com/errata/RHSA-2023:3722[RHSA-2023:3722] advisory, the TLS `Extended Master Secret` extension (EMS - RFC7627) extension is mandatory for TLS 1.2 connections on FIPS-enabled RHEL 9 systems. This is in accordance with the upcoming FIPS-140-3 requirements. TLS 1.3 is not affected. Legacy clients that do not support EMS or TLS 1.3 now cannot connect to FIPS servers running on RHEL 9. Similarly, RHEL 9 clients in FIPS mode cannot connect to servers that only support TLS 1.2 without EMS. This in practice means that these clients cannot connect to servers on RHEL 6, RHEL 7 and non-RHEL legacy operating systems. This is because the legacy 1.0.x versions of OpenSSL do not support EMS or TLS 1.3. For more information, see link:https://access.redhat.com/solutions/7018256[TLS Extension "Extended Master Secret" enforced with Red Hat Enterprise Linux 9.2]. | .The `Extended Master Secret` TLS Extension is now enforced on FIPS-enabled systems With the release of the link:https://access.redhat.com/errata/RHSA-2023:3722[RHSA-2023:3722] advisory, the TLS `Extended Master Secret` (EMS) extension (RFC 7627) is mandatory for TLS 1.2 connections on FIPS-enabled RHEL 9 systems. This is in accordance with FIPS-140-3 requirements. TLS 1.3 is not affected. Legacy clients that do not support EMS or TLS 1.3 now cannot connect to FIPS servers running on RHEL 9. Similarly, RHEL 9 clients in FIPS mode cannot connect to servers that only support TLS 1.2 without EMS. This in practice means that these clients cannot connect to servers on RHEL 6, RHEL 7 and non-RHEL legacy operating systems. This is because the legacy 1.0.x versions of OpenSSL do not support EMS or TLS 1.3. For more information, see link:https://access.redhat.com/solutions/7018256[TLS Extension "Extended Master Secret" enforced with Red Hat Enterprise Linux 9.2]. |
| Jiri Herrmann | 2023-07-13 09:40:19 UTC | CC | jherrman | |
| | | Doc Text | .The `Extended Master Secret` TLS Extension is now enforced on FIPS-enabled systems With the release of the link:https://access.redhat.com/errata/RHSA-2023:3722[RHSA-2023:3722] advisory, the TLS `Extended Master Secret` (EMS) extension (RFC 7627) is mandatory for TLS 1.2 connections on FIPS-enabled RHEL 9 systems. This is in accordance with FIPS-140-3 requirements. TLS 1.3 is not affected. Legacy clients that do not support EMS or TLS 1.3 now cannot connect to FIPS servers running on RHEL 9. Similarly, RHEL 9 clients in FIPS mode cannot connect to servers that only support TLS 1.2 without EMS. This in practice means that these clients cannot connect to servers on RHEL 6, RHEL 7 and non-RHEL legacy operating systems. This is because the legacy 1.0.x versions of OpenSSL do not support EMS or TLS 1.3. For more information, see link:https://access.redhat.com/solutions/7018256[TLS Extension "Extended Master Secret" enforced with Red Hat Enterprise Linux 9.2]. | .The `Extended Master Secret` TLS Extension is now enforced on FIPS-enabled systems With the release of the link:https://access.redhat.com/errata/RHSA-2023:3722[RHSA-2023:3722] advisory, the TLS `Extended Master Secret` (EMS) extension (RFC 7627) is mandatory for TLS 1.2 connections on FIPS-enabled RHEL 9 systems. This is in accordance with FIPS-140-3 requirements. TLS 1.3 is not affected. Legacy clients that do not support EMS or TLS 1.3 now cannot connect to FIPS servers running on RHEL 9. Similarly, RHEL 9 clients in FIPS mode cannot connect to servers that only support TLS 1.2 without EMS. This in practice means that these clients cannot connect to servers on RHEL 6, RHEL 7 and non-RHEL legacy operating systems. This is because the legacy 1.0.x versions of OpenSSL do not support EMS or TLS 1.3. In addition, connecting from a FIPS-enabled RHEL client to a hypervisor such as VMWare ESX now fails with a `Provider routines::ems not enabled` error if the hypervisor uses TLS 1.2 without EMS. To work around this problem, update the hypervisor to support TLS 1.3 or TLS 1.2 with the EMS extension. For VMWare vSphere, this means version 8.0 or later. For more information, see link:https://access.redhat.com/solutions/7018256[TLS Extension "Extended Master Secret" enforced with Red Hat Enterprise Linux 9.2]. |