I'm trying to develop some tests for confirming a TLS server honors the Extended Master Secret extension (RFC 7627).

I've stood up a simple selfserv server:

    /usr/lib/nss/selfserv -v -d /path/to/my/certdb/ -n MyCert -p 8000 -V tls1.0:tls1.2

But, when I run a test of that with OpenSSL's s_client:

    openssl s_client -connect 10.200.192.68:8000

I get the diagnostic 'Extended master secret: no'.

Via Wireshark, I can confirm that s_client does include the extension in the Client Hello, but I don't see it in the Server Hello.

I'm using mozilla-nss-tools-3.45-58.31.1.x86_64 under SLES 12 SP3.

I acknowledge that I may be misinterpreting Wireshark, as I can find no example captures on the net of a Server Hello providing the extension.

Is this an appropriate mechanism for testing for this feature?

--
Brian Reichert <reich...@numachi.com>
BSD admin/developer at large
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto