Bug 2157953 - Support requiring EMS in TLS 1.2, default to it when in FIPS mode
Summary: Support requiring EMS in TLS 1.2, default to it when in FIPS mode
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: gnutls
Version: 9.0
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
: ---
Assignee: Daiki Ueno
QA Contact: Alexander Sosedkin
URL:
Whiteboard:
Depends On:
Blocks: 2227257 2227258
TreeView+ depends on / blocked
 
Reported: 2023-01-03 17:10 UTC by Hubert Kario
Modified: 2023-08-02 10:22 UTC (History)
2 users (show)

Fixed In Version: gnutls-3.7.6-22.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2227257 2227258 (view as bug list)
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Gitlab gnutls gnutls issues 1445 0 None opened Add setting for requiring use of EMS in TLS 1.2 2023-01-03 17:10:06 UTC
Gitlab gnutls gnutls merge_requests 1711 0 None opened priority: add %FORCE_SESSION_HASH modifier 2023-02-21 09:58:23 UTC
Red Hat Issue Tracker CRYPTO-9265 0 None None None 2023-01-12 07:12:39 UTC
Red Hat Issue Tracker RHELPLAN-143563 0 None None None 2023-01-03 17:20:55 UTC

Description Hubert Kario 2023-01-03 17:10:07 UTC
Description of problem:
FIPS 140-3 IG requires that only EMS KDF is in use for TLS 1.2 with modules validated after May 2023.

GnuTLS should have a way to require use of EMS when in FIPS mode.


Note You need to log in before you can comment on or make changes to this bug.