Bug 2157951

Summary: Support requiring EMS in TLS 1.2, default to it when in FIPS mode
Product: Red Hat Enterprise Linux 9
Reporter: Hubert Kario <hkario>
Component: openssl
Assignee: Dmitry Belyavskiy <dbelyavs>
Status: VERIFIED
QA Contact: Hubert Kario <hkario>
Severity: medium
Docs Contact: Filip Hanzelka <fhanzelk>
Priority: medium
Version: 9.0
CC: ahadas, anarnold, cllang, fhanzelk, joschrod, mjahoda, rjones, ssorce
Target Milestone: rc
Keywords: Triaged, ZStream
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openssl-3.0.7-16.el9
Doc Text:
.The `Extended Master Secret` TLS Extension is now enforced on FIPS-enabled systems

With the release of the link:https://access.redhat.com/errata/RHSA-2023:3722[RHSA-2023:3722] advisory, the TLS `Extended Master Secret` (EMS) extension (RFC 7627) is mandatory for TLS 1.2 connections on FIPS-enabled RHEL 9 systems. This is in accordance with FIPS-140-3 requirements. TLS 1.3 is not affected. Legacy clients that do not support EMS or TLS 1.3 now cannot connect to FIPS servers running on RHEL 9. Similarly, RHEL 9 clients in FIPS mode cannot connect to servers that only support TLS 1.2 without EMS. This in practice means that these clients cannot connect to servers on RHEL 6, RHEL 7 and non-RHEL legacy operating systems. This is because the legacy 1.0.x versions of OpenSSL do not support EMS or TLS 1.3. For more information, see link:https://access.redhat.com/solutions/7018256[TLS Extension "Extended Master Secret" enforced with Red Hat Enterprise Linux 9.2].
Clone Of:
: 2188046
Type: Bug
Bug Blocks: 2218721, 2188046    

Description Hubert Kario 2023-01-03 17:03:40 UTC
Description of problem:
FIPS 140-3 IG requires that only EMS KDF is in use for TLS 1.2 with modules validated after May 2023.

OpenSSL should have a way to require use of EMS when in FIPS mode.

Comment 12 Richard W.M. Jones 2023-06-30 07:54:34 UTC
This change prevents connecting to VMware servers which stops all kinds of
things such as backups and V2V conversions: bug 2218721

Comment 13 Hubert Kario 2023-06-30 10:04:53 UTC
Requiring use of TLSv1.2 with EMS is a non-optional requirement for cryptographic modules certified under current FIPS 140-3.

The solution is to upgrade the openssl used by VMware.

The EMS extension was standardised 8 years ago (RFC7627). If for some reason they don't want to use EMS, they can also use TLSv1.3, which was standardised 5 years ago (RFC8446).
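
The rule in the Doc Text above (TLS 1.3, or TLS 1.2 with the RFC 7627 extension) can be checked against a captured ServerHello when triaging which peers a FIPS-mode RHEL 9 client will refuse. This is an added example, not code from this bug or from OpenSSL; the function names and the sample records are constructed for illustration, and the parser assumes the whole ServerHello sits in one TLS record.

```python
import struct

EXT_EMS = 0x0017                 # extended_master_secret, RFC 7627
EXT_SUPPORTED_VERSIONS = 0x002B  # supported_versions, RFC 8446

def server_hello_extensions(record: bytes) -> dict:
    """Map extension type -> data for one TLS record carrying a ServerHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a handshake record starting with ServerHello")
    hs_len = int.from_bytes(record[6:9], "big")
    msg = record[9:9 + hs_len]
    if len(msg) != hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    pos = 2 + 32                 # legacy_version + random
    pos += 1 + msg[pos]          # session_id
    pos += 2 + 1                 # cipher_suite + compression_method
    exts = {}
    if pos + 2 <= len(msg):      # the extensions block is optional in TLS 1.2
        end = pos + 2 + struct.unpack_from("!H", msg, pos)[0]
        pos += 2
        if end > len(msg):
            raise ValueError("extensions overrun the message")
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", msg, pos)
            exts[etype] = msg[pos + 4:pos + 4 + elen]
            pos += 4 + elen
    return exts

def satisfies_ems_requirement(record: bytes) -> bool:
    """True if the server chose TLS 1.3, or answered with the EMS extension."""
    exts = server_hello_extensions(record)
    if exts.get(EXT_SUPPORTED_VERSIONS) == b"\x03\x04":
        return True              # TLS 1.3 is not affected by the EMS rule
    return EXT_EMS in exts       # otherwise EMS must have been negotiated

def sample_server_hello(exts: bytes, cipher: bytes = b"\xc0\x30") -> bytes:
    """Constructed sample: zero random, empty session_id, given extensions."""
    msg = b"\x03\x03" + bytes(32) + b"\x00" + cipher + b"\x00"
    if exts:
        msg += struct.pack("!H", len(exts)) + exts
    hs = b"\x02" + len(msg).to_bytes(3, "big") + msg
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

LEGACY_TLS12 = sample_server_hello(b"")                    # server without EMS
TLS12_WITH_EMS = sample_server_hello(b"\x00\x17\x00\x00")  # empty EMS extension
TLS13 = sample_server_hello(b"\x00\x2b\x00\x02\x03\x04", cipher=b"\x13\x01")

if __name__ == "__main__":
    print([satisfies_ems_requirement(r) for r in (LEGACY_TLS12, TLS12_WITH_EMS, TLS13)])
```

A server only echoes the EMS extension when the client offered it, so the capture has to come from a handshake where the ClientHello included it.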