
TLS 1.0/1.1 extended master secret testing

Open jvdsn opened this issue 5 months ago • 2 comments

Right now, it is impossible for FIPS modules to claim the TLS 1.0/1.1 PRF as approved, because the ACVP testing does not support the extended master secret[^1]. On the other hand, for TLS 1.2, FIPS now mandates that the extended master secret is used in approved services[^2]. This creates an inconsistent situation between 1.0/1.1 and 1.2. Extended master secret is considered more secure than the master secret, so TLS clients and servers alike want to use it whenever available.

Will extended master secret testing be added to the TLS 1.0/1.1 PRF?

[^1]: FIPS 140-3 IG D.Q, Additional Comment 1 ("However, it can only be used in the approved mode if CAVP tested. If no CAVP testing is available, there will be no vendor affirmed option")

[^2]: FIPS 140-3 IG D.Q, Resolution ("A new validation, or any revalidation that extends the module’s sunset date, submitted more than one year after the publication date of this IG shall use the extended master secret in the TLS 1.2 KDF")

jvdsn, Jan 24 '24 05:01