FIPS: Please enable Extended Master Secret for TLS 1.2

For compatibility with FIPS enabled clients it would be nice if we could use a FIPS compliant TLS configuration.

Currently, on an jammy machine with fips enabled, https does work causing problems with add-apt-respository and more.

OpenSSL s_client tells us the problem is Extended Master Secret:

root@jammy-fips:~# openssl s_client -connect api.launchpad.net:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = launchpad.net
verify return:1
400793BFE37F0000:error:1C800073:Provider routines:kdf_tls1_prf_derive:invalid data:../providers/implementations/kdfs/tls1_prf.c:171:
400793BFE37F0000:error:0A0C0103:SSL routines:tls1_PRF:internal error:../ssl/t1_enc.c:79:

and the corresponding code in openssl:

167 if (ossl_securitycheck_enabled(PROV_LIBCTX_OF(ctx->provctx))) {
168 if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE
169 && CRYPTO_memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST,
170 TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) {
171 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DATA);
172 return 0;
173 }
174 }

It would be nice if we could make this work. In the best case this is only a config change.