Hello,

(Re-sent because I was not subscribed and the list does not seem to accept 
mails from non-subscribers.)


I’m trying to fix ssl-enum-ciphers with RHEL >= 9.2’s OpenSSL in FIPS mode, 
which now requires the extended master secret extension for a successful 
handshake. I opened a GitHub PR at https://github.com/nmap/nmap/pull/2724.

The summary is:

The FIPS 140-3 Implementation Guidelines in section D.Q require FIPS-certified 
cryptographic modules to use the RFC 7627 Extended Master Secret for modules 
submitted after May 16th, 2023:

> [a] new validation, […] submitted more than one year after [May 2022] shall 
> use the extended master secret in the TLS 1.2 KDF.

ssl-enum-ciphers was not sending this extension, causing some servers to abort 
the handshake. This led to no support for TLS 1.2 being reported, even though 
support was available with the extended master secret. Add the EMS extension to 
the set of base extensions that are always sent to avoid this situation.

Servers that do not support EMS should just ignore this extension silently.


Thank you for developing NMAP!

-- 
Clemens Lang
RHEL Crypto Team
Red Hat



_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at https://seclists.org/nmap-dev/
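
The extension discussed in the message above, as an added example that is not part of the original post and is not Nmap's or the PR's code: RFC 7627 assigns extended_master_secret the extension type 0x0017 with an empty body, and a server that supports it echoes it back in its ServerHello. The Python sketch below encodes the ClientHello extension and checks a ServerHello body for the echo; the function names and the sample ServerHello bytes are constructed for illustration.

```python
import struct

EMS_TYPE = 0x0017  # extended_master_secret (RFC 7627)

def ems_extension() -> bytes:
    """Encode the extension for a ClientHello: type 23, zero-length body."""
    return struct.pack(">HH", EMS_TYPE, 0)

def server_hello_extensions(body: bytes) -> dict:
    """Parse the extensions of a TLS 1.2 ServerHello body
    (the bytes after the 4-byte handshake header)."""
    pos = 2 + 32                          # server_version + random
    if len(body) < pos + 1:
        raise ValueError("truncated ServerHello")
    pos += 1 + body[pos]                  # session_id length + session_id
    pos += 2 + 1                          # cipher_suite + compression_method
    if pos > len(body):
        raise ValueError("truncated ServerHello")
    exts = {}
    if pos == len(body):                  # server sent no extensions block
        return exts
    if pos + 2 > len(body):
        raise ValueError("truncated extensions length")
    (total,) = struct.unpack_from(">H", body, pos)
    pos += 2
    end = pos + total
    if end > len(body):
        raise ValueError("extensions length exceeds message")
    while pos < end:
        if pos + 4 > end:
            raise ValueError("truncated extension header")
        etype, elen = struct.unpack_from(">HH", body, pos)
        pos += 4
        if pos + elen > end:
            raise ValueError("extension body exceeds block")
        exts[etype] = body[pos:pos + elen]
        pos += elen
    return exts

def negotiated_ems(body: bytes) -> bool:
    """True if the server echoed extended_master_secret."""
    return EMS_TYPE in server_hello_extensions(body)

def sample_server_hello(extensions: bytes) -> bytes:
    # Constructed sample: TLS 1.2, all-zero random, empty session id,
    # cipher suite 0xC02F, null compression.
    hello = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    return hello + (struct.pack(">H", len(extensions)) + extensions if extensions else b"")

RENEG_INFO = struct.pack(">HHB", 0xFF01, 1, 0)   # empty renegotiation_info
WITH_EMS = sample_server_hello(RENEG_INFO + ems_extension())
WITHOUT_EMS = sample_server_hello(RENEG_INFO)
```

A scanner that sees a handshake failure without the extension and an echoed type 23 with it can report that the server requires EMS instead of reporting TLS 1.2 as unsupported.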
