Bug 2157951 - Support requiring EMS in TLS 1.2, default to it when in FIPS mode
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: openssl
Version: 9.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Dmitry Belyavskiy
QA Contact: Hubert Kario
Filip Hanzelka
URL:
Whiteboard:
Depends On:
Blocks: 2218721 2188046
Reported: 2023-01-03 17:03 UTC by Hubert Kario
Modified: 2023-07-25 07:32 UTC

Fixed In Version: openssl-3.0.7-16.el9
Doc Type: If docs needed, set a value
Doc Text:
.The `Extended Master Secret` TLS Extension is now enforced on FIPS-enabled systems

With the release of the link:https://access.redhat.com/errata/RHSA-2023:3722[RHSA-2023:3722] advisory, the TLS `Extended Master Secret` (EMS) extension (RFC 7627) is mandatory for TLS 1.2 connections on FIPS-enabled RHEL 9 systems. This is in accordance with FIPS-140-3 requirements. TLS 1.3 is not affected. Legacy clients that do not support EMS or TLS 1.3 now cannot connect to FIPS servers running on RHEL 9. Similarly, RHEL 9 clients in FIPS mode cannot connect to servers that only support TLS 1.2 without EMS. This in practice means that these clients cannot connect to servers on RHEL 6, RHEL 7 and non-RHEL legacy operating systems. This is because the legacy 1.0.x versions of OpenSSL do not support EMS or TLS 1.3. For more information, see link:https://access.redhat.com/solutions/7018256[TLS Extension "Extended Master Secret" enforced with Red Hat Enterprise Linux 9.2].
Clone Of:
: 2188046
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:


Links

| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github | openssl openssl issues 19989 | 0 | None | open | Add support for mandating use of EMS in TLS 1.2 | 2023-01-03 17:03:40 UTC |
| Github | openssl openssl pull 20241 | 0 | None | open | Add option to FIPS module to enforce EMS check during KDF TLS1_PRF | 2023-02-14 17:14:19 UTC |
| Red Hat Issue Tracker | CRYPTO-9271 | 0 | None | None | None | 2023-01-13 17:08:55 UTC |
| Red Hat Issue Tracker | RHELPLAN-143562 | 0 | None | None | None | 2023-01-03 17:05:03 UTC |

Internal Links: 2224204

Description Hubert Kario 2023-01-03 17:03:40 UTC
Description of problem:
FIPS 140-3 IG requires that only EMS KDF is in use for TLS 1.2 with modules validated after May 2023.

OpenSSL should have a way to require use of EMS when in FIPS mode.

Comment 12 Richard W.M. Jones 2023-06-30 07:54:34 UTC
This change prevents connecting to VMware servers which stops all kinds of
things such as backups and V2V conversions: bug 2218721

Comment 13 Hubert Kario 2023-06-30 10:04:53 UTC
Requiring use of TLSv1.2 with EMS is a non-optional requirement for cryptographic modules certified under current FIPS 140-3.

The solution is to upgrade the openssl used by VMware.

The EMS extension was standardised 8 years ago (RFC7627). If for some reason they don't want to use EMS, they can also use TLSv1.3, which was standardised 5 years ago (RFC8446).
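
For auditing which peers the requirement in the Doc Text above would cut off, the following is an added example (not part of this bug report and not OpenSSL code): it parses a ServerHello body and reports whether the handshake negotiated TLS 1.3 or TLS 1.2 with the RFC 7627 extension. The function names and the constructed sample messages are assumptions made for illustration.

```python
EXT_EXTENDED_MASTER_SECRET = 23  # extension type assigned by RFC 7627
EXT_SUPPORTED_VERSIONS = 43      # RFC 8446: carries the real version in TLS 1.3
TLS12, TLS13 = 0x0303, 0x0304


def u16(buf: bytes, i: int) -> int:
    return int.from_bytes(buf[i:i + 2], "big")


def parse_server_hello(body: bytes):
    """Return (negotiated_version, {ext_type: data}) for a ServerHello body,
    i.e. the bytes that follow the 4-byte handshake header."""
    if len(body) < 38:  # version, random, session_id length, suite, compression
        raise ValueError("truncated ServerHello")
    version = u16(body, 0)
    pos = 34 + 1 + body[34] + 3  # skip random, session_id, suite, compression
    if pos > len(body):
        raise ValueError("session_id runs past end of message")
    exts = {}
    if pos < len(body):          # the extensions block is optional in TLS 1.2
        end = pos + 2 + u16(body, pos)
        pos += 2
        if end > len(body):
            raise ValueError("extensions run past end of message")
        while pos < end:
            etype, elen = u16(body, pos), u16(body, pos + 2)
            pos += 4
            if pos + elen > end:
                raise ValueError("truncated extension")
            exts[etype] = body[pos:pos + elen]
            pos += elen
    selected = exts.get(EXT_SUPPORTED_VERSIONS)
    if selected is not None and len(selected) == 2:
        version = u16(selected, 0)   # TLS 1.3 keeps legacy_version at 0x0303
    return version, exts


def meets_ems_requirement(body: bytes) -> bool:
    """True for TLS 1.3, or TLS 1.2 with EMS. Older versions are not covered
    by the bug text and are reported as False here (assumption)."""
    version, exts = parse_server_hello(body)
    return version >= TLS13 or (version == TLS12 and EXT_EXTENDED_MASTER_SECRET in exts)


def build_server_hello(extensions, version=TLS12) -> bytes:
    """Constructed sample input: zeroed random, empty session_id, suite 0xC02F."""
    ext = b"".join(t.to_bytes(2, "big") + len(d).to_bytes(2, "big") + d for t, d in extensions)
    fixed = version.to_bytes(2, "big") + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    return fixed + (len(ext).to_bytes(2, "big") + ext if extensions else b"")
```

A ServerHello captured from a TLS 1.2 handshake with the peer under review can be passed to `meets_ems_requirement` after stripping the record and handshake headers.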

