Follow-up changes to extended master secret enforcement
It turned out that enforcing EMS in TLS 1.2 causes interoperability issues, even though it is required by FIPS 140-3. This adds 3 levels of enforcement:
- keep the current modifier keywords (
%NO_SESSION_HASHand%FORCE_SESSION_HASH) - add a new configuration option
tls-session-hash, whose value could be eitherrequestorrequire - the configuration option takes precedence over modifier keywords
- in either case, non-EMS usage (by checking the label being "master secret") is reported through service indicator
Checklist
-
Commits have Signed-off-by:with name/author being identical to the commit author -
Code modified for feature -
Test suite updated with functionality tests -
Test suite updated with negative tests -
Documentation updated / NEWS entry present (for non-trivial changes) -
CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)
Reviewer's checklist:
-
Any issues marked for closing are addressed -
There is a test suite reasonably covering new functionality or modifications -
Function naming, parameters, return values, types, etc., are consistent and according to CONTRIBUTION.md -
This feature/change has adequate documentation added -
No obvious mistakes in the code
Edited by Daiki Ueno