Nmap Development mailing list archives

Support Extended Master Secret Extension in ssl-enum-ciphers


From: Clemens Lang <cllang () redhat com>
Date: Mon, 16 Oct 2023 13:54:11 +0200

Hello,


I’m trying to fix ssl-enum-ciphers with RHEL >= 9.2’s OpenSSL in FIPS mode, which now requires the extended master 
secret extension for a successful handshake. I opened a GitHub PR at https://github.com/nmap/nmap/pull/2724.

The summary is:

The FIPS 140-3 Implementation Guidelines in section D.Q require FIPS-certified cryptographic modules to use the RFC 
7627 Extended Master Secret for modules submitted after May 16th, 2023:

[a] new validation, […] submitted more than one year after [May 2022] shall use the extended master secret in the TLS 
1.2 KDF.

ssl-enum-ciphers was not sending this extension, causing some servers to abort the handshake. This led to no support
for TLS 1.2 being reported, even though support was available with the extended master secret. Add the EMS extension to
the set of base extensions that are always sent to avoid this situation.

Servers that do not support EMS should just ignore this extension silently.


Thank you for developing NMAP!

-- 
Clemens Lang
RHEL Crypto Team
Red Hat



_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at https://seclists.org/nmap-dev/
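
The check implied by the message above, as an added Python example (not code from the PR or from Nmap, whose scripts are written in Lua): it serializes the empty extended_master_secret extension (type 0x0017, RFC 7627) and tests whether a TLS 1.2 ServerHello echoes it. All function names are hypothetical and the ServerHello bytes are constructed for the example.

```python
import struct

EXT_EMS = 0x0017  # extended_master_secret, RFC 7627; extension_data is empty

def build_extensions(exts):
    """Serialize {type: data} as a TLS extensions block with its 2-byte length."""
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts.items())
    return struct.pack("!H", len(body)) + body

def parse_extensions(block):
    """Parse an extensions block into {type: data}; ValueError if malformed."""
    if len(block) < 2 or struct.unpack_from("!H", block)[0] != len(block) - 2:
        raise ValueError("bad extensions length")
    exts, pos = {}, 2
    while pos < len(block):
        if pos + 4 > len(block):
            raise ValueError("truncated extension header")
        etype, elen = struct.unpack_from("!HH", block, pos)
        pos += 4
        if pos + elen > len(block):
            raise ValueError("truncated extension data")
        exts[etype] = block[pos:pos + elen]
        pos += elen
    return exts

def server_hello_extensions(body):
    """Extensions of a TLS 1.2 ServerHello body (handshake header already stripped)."""
    if len(body) < 35:
        raise ValueError("truncated ServerHello")
    pos = 2 + 32 + 1 + body[34]  # version, random, session_id length + session_id
    pos += 2 + 1                 # cipher_suite, compression_method
    if pos > len(body):
        raise ValueError("truncated ServerHello")
    return parse_extensions(body[pos:]) if pos < len(body) else {}

def ems_negotiated(body):
    """True only if the server echoed an empty extended_master_secret extension."""
    return server_hello_extensions(body).get(EXT_EMS) == b""

def make_server_hello(exts):
    """Constructed sample: TLS 1.2, zero random, no session id, suite 0xC02F."""
    head = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    return head + (build_extensions(exts) if exts else b"")

if __name__ == "__main__":
    print(build_extensions({EXT_EMS: b""}).hex())
    print(ems_negotiated(make_server_hello({0xFF01: b"\x00", EXT_EMS: b""})))
    print(ems_negotiated(make_server_hello({0xFF01: b"\x00"})))
```

A server that ignores the extension simply omits it from its ServerHello, so the second sample returns False rather than raising an error.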
