TLS Extended Master Secret is not supported on the API
The Mailgun API's TLS termination does not support TLS extended master secret, which means that customers using FIPS TLS libraries cannot use the Mailgun API without fiddling with their client side TLS config or indeed possibly at all (see https://www.redhat.com/en/blog/tls-extended-master-secret-and-fips-rhel for example); it also affects the Haskell TLS library independently of FIPS things for the same reason.
It is possible to apply a workaround to this which slightly degrades security, but this should be fixed, and so I am requesting that Mailgun make the necessary changes so that their TLS termination supports EMS. Most likely it is just that the TLS library needs to be updated.
$ openssl s_client -tls1_2 -connect api.mailgun.net:443
.....
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 6C9E1490522BCB5299194841DD9D8A3C5B50B18D3686C324B451454DAAB39192
Session-ID-ctx:
Master-Key: 5469C16588CD00E98CA1758352718EBC88C54186C237867A0CCD673DD5275B76F3981D7BDB363F2BDFDD78816E56D5F7
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket:
0000 - 9f 7d c3 19 61 e0 1f ab-09 00 0a a6 db 11 2a 3c .}..a.........<
0010 - 8f 18 2e 9b d7 49 13 a4-d9 89 06 9c fc 6f 22 5e .....I.......o"^
0020 - 7b 4e 05 32 f6 de 5f fb-12 4b 70 4f 3b ef 62 04 {N.2.._..KpO;.b.
0030 - d5 e5 fe 8b 9f 83 5a 72-b8 15 3c cd 69 1f e8 da ......Zr..<.i...
0040 - 81 d5 05 6e 72 79 d7 e0-b5 fa 80 a4 6b f3 21 3b ...nry......k.!;
0050 - bf 34 6d fe 85 e5 07 86-7a 79 ca e9 4c b6 ab ea .4m.....zy..L...
0060 - 92 02 11 09 69 f8 84 fc-5c b9 cb 67 48 23 5c 15 ....i.....gH#.
0070 - 0d 77 8f 73 97 6e f9 b8-6e 6b 54 ba 2a 1b 9e f2 .w.s.n..nkT....
0080 - c5 .
Start Time: 1734725472
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
See the line at the end stating "extended master secret: no". This output is using OpenSSL 3.3.2 3 Sep 2024 (Library: OpenSSL 3.3.2 3 Sep 2024).
This feedback is reposted from a ticket. This is not a feature request, it is a bug and it will likely be fixed by routine maintenance.