FIPS: Please enable Extended Master Secret for TLS 1.2
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Launchpad Mojo Specs | New | Undecided | Unassigned | |
Bug Description
For compatibility with FIPS-enabled clients it would be nice if we could use a FIPS-compliant TLS configuration.
Currently, on a jammy machine with FIPS enabled, HTTPS does work causing problems with add-apt-repository and more.
OpenSSL s_client tells us the problem is Extended Master Secret:
root@jammy-fips:~# openssl s_client -connect api.launchpad.
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = launchpad.net
verify return:1
400793BFE37F000
400793BFE37F000
and the corresponding code in openssl:
    if (ossl_securityc
        if (ctx->seedlen >= TLS_MD_
            && CRYPTO_
                             TLS_MD_
            ERR_raise(
            return 0;
        }
    }
It would be nice if we could make this work. In the best case this is only a config change.
affects: | launchpad → launchpad-mojo-specs |
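One way to confirm whether a TLS 1.2 endpoint negotiates Extended Master Secret is to look for extension type 23 (`extended_master_secret`, RFC 7627) in its ServerHello. The following is an added example, not part of the report and not Launchpad or OpenSSL code; the function names are hypothetical, the sample records are constructed, and it assumes the ServerHello is the first handshake message in a single unfragmented record.

```python
import struct

EXT_EXTENDED_MASTER_SECRET = 0x0017  # RFC 7627 extension type (23)


def server_hello_extensions(record: bytes) -> list[int]:
    """Return the extension type codes in a TLS 1.2 ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("first handshake message is not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    pos = 2 + 32                      # legacy version + server random
    pos += 1 + hello[pos]             # session_id length byte + session_id
    pos += 2 + 1                      # cipher suite + compression method
    if pos == len(hello):
        return []                     # server sent no extensions block
    if pos + 2 > len(hello):
        raise ValueError("truncated extensions length")
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if end > len(hello):
        raise ValueError("extensions block overruns message")
    found = []
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        found.append(ext_type)
        pos += 4 + ext_len
    if pos != end:
        raise ValueError("malformed extension list")
    return found


def negotiates_ems(record: bytes) -> bool:
    """True if the ServerHello acknowledges Extended Master Secret."""
    return EXT_EXTENDED_MASTER_SECRET in server_hello_extensions(record)


def build_server_hello(ext_types: list[int]) -> bytes:
    """Constructed sample: minimal ServerHello with empty-bodied extensions."""
    exts = b"".join(struct.pack("!HH", t, 0) for t in ext_types)
    hello = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    if ext_types:
        hello += struct.pack("!H", len(exts)) + exts
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs
```

A server only echoes the extension when the client offered it, so the ClientHello used to obtain the record has to include extension 23 as well.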