diff --git a/nmap-ems-ssl-enum-ciphers.patch b/nmap-ems-ssl-enum-ciphers.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0ce029b5f74ef100d9ad3988f51f1bc91d44c430
--- /dev/null
+++ b/nmap-ems-ssl-enum-ciphers.patch
@@ -0,0 +1,40 @@
+commit fc5fc2a26877e241bf9f175832cc89f5ec1e6925
+Author: Clemens Lang
+Date: Mon Oct 16 13:44:40 2023 +0200
+
+ Support EMS in ssl-enum-ciphers
+
+ The FIPS 140-3 Implementation Guidelines in section D.Q require
+ FIPS-certified cryptographic modules to use the RFC 7627 Extended Master
+ Secret for modules submitted after May 16th, 2023:
+
+ > [a] new validation, […] submitted more than one year after [May 2022]
+ > shall use the extended master secret in the TLS 1.2 KDF.
+
+ ssl-enum-ciphers was not sending this extension, causing some servers to
+ abort the handshake. This lead to no support for TLS 1.2 being reported,
+ even though support was available with the extended master secret. Add
+ the EMS extension to the set of base extensions that are always sent to
+ avoid this situation.
+
+ Servers that do not support EMS should just ignore this extension
+ silently.
+
+ Signed-off-by: Clemens Lang
+
+diff --git a/scripts/ssl-enum-ciphers.nse b/scripts/ssl-enum-ciphers.nse
+index 881b6bdcb..bd441120c 100644
+--- a/scripts/ssl-enum-ciphers.nse
++++ b/scripts/ssl-enum-ciphers.nse
+@@ -528,6 +528,11 @@ local function base_extensions(host)
+ ["ec_point_formats"] = tls.EXTENSION_HELPERS["ec_point_formats"]({"uncompressed"}),
+ -- Enable SNI if a server name is available
+ ["server_name"] = tlsname and tls.EXTENSION_HELPERS["server_name"](tlsname),
++ -- Enable the Extended Master Secret extension, since FIPS 140-3 IG section
++ -- D.Q now requires it for servers in FIPS mode and some vendors may reject
++ -- handshakes without it. Not sending the extension would show those
++ -- servers as not supporting TLS 1.2 at all.
++ ["extended_master_secret"] = "",
+ }
+ end
+
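Review bot: The backported hunk touches only scripts/ssl-enum-ciphers.nse and relies on the `"extended_master_secret"` key being resolvable by the TLS helper library when the ClientHello is assembled; nselib/tls.lua is not part of this patch, so it is worth confirming that the 7.94 copy maps that name to extension type 23 (RFC 7627) before shipping, since an unknown name would presumably break every ssl-enum-ciphers run rather than just the FIPS-mode servers the change is meant to fix. The empty string as extension value is consistent with RFC 7627, which defines extended_master_secret with empty extension_data. The patch is plain `git show` output rather than `git format-patch`, which `patch`/`%autosetup` tolerate, but the commit header means any tooling that expects a `From` line will not parse it. base_extensions starts before the hunk.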
diff --git a/nmap-upstream-e4a68441.patch b/nmap-upstream-e4a68441.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7a3a2c0d96793eefe85a29fba87e319f86b95dc3
--- /dev/null
+++ b/nmap-upstream-e4a68441.patch
@@ -0,0 +1,56 @@
+--- a/nmap-ems-ssl-enum-ciphers.patch
++++ b/nmap-ems-ssl-enum-ciphers.patch
+@@ -0,0 +1,40 @@
++commit fc5fc2a26877e241bf9f175832cc89f5ec1e6925
++Author: Clemens Lang
++Date: Mon Oct 16 13:44:40 2023 +0200
++
++ Support EMS in ssl-enum-ciphers
++
++ The FIPS 140-3 Implementation Guidelines in section D.Q require
++ FIPS-certified cryptographic modules to use the RFC 7627 Extended Master
++ Secret for modules submitted after May 16th, 2023:
++
++ > [a] new validation, […] submitted more than one year after [May 2022]
++ > shall use the extended master secret in the TLS 1.2 KDF.
++
++ ssl-enum-ciphers was not sending this extension, causing some servers to
++ abort the handshake. This lead to no support for TLS 1.2 being reported,
++ even though support was available with the extended master secret. Add
++ the EMS extension to the set of base extensions that are always sent to
++ avoid this situation.
++
++ Servers that do not support EMS should just ignore this extension
++ silently.
++
++ Signed-off-by: Clemens Lang
++
++diff --git a/scripts/ssl-enum-ciphers.nse b/scripts/ssl-enum-ciphers.nse
++index 881b6bdcb..bd441120c 100644
++--- a/scripts/ssl-enum-ciphers.nse
+++++ b/scripts/ssl-enum-ciphers.nse
++@@ -528,6 +528,11 @@ local function base_extensions(host)
++ ["ec_point_formats"] = tls.EXTENSION_HELPERS["ec_point_formats"]({"uncompressed"}),
++ -- Enable SNI if a server name is available
++ ["server_name"] = tlsname and tls.EXTENSION_HELPERS["server_name"](tlsname),
+++ -- Enable the Extended Master Secret extension, since FIPS 140-3 IG section
+++ -- D.Q now requires it for servers in FIPS mode and some vendors may reject
+++ -- handshakes without it. Not sending the extension would show those
+++ -- servers as not supporting TLS 1.2 at all.
+++ ["extended_master_secret"] = "",
++ }
++ end
++
+
+--- a/nmap.spec
++++ b/nmap.spec
+@@ -28,6 +28,8 @@ Patch3: ncat_reg_stdin.diff
+ Patch7: nmap_resolve_config.patch
+ # backport of upstream pcre2 migration, rhbz#2128336
+ Patch8: nmap-pcre2.patch
++# https://github.com/nmap/nmap/pull/2724
++Patch9: nmap-ems-ssl-enum-ciphers.patch
+
+
+ BuildRequires: automake make
+
diff --git a/nmap.spec b/nmap.spec
index fde96355fe6229616f1b5ae1c29d9a7370c9488e..8d3f4e33cce8be35ca788c9da4935690d29c53b7 100644
--- a/nmap.spec
+++ b/nmap.spec
@@ -1,4 +1,4 @@
-%define anolis_release 1
+%define anolis_release 2
 %global _hardened_build 1 %bcond_without pcre
@@ -12,6 +12,7 @@ URL: http://nmap.org/
 # Uses combination of licenses based on GPL license, but with extra modification
 License: Nmap
 Source0: http://nmap.org/dist/%{name}-%{version}.tar.bz2
+Patch1: nmap-ems-ssl-enum-ciphers.patch
 BuildRequires: automake make BuildRequires: autoconf
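Review bot: nmap-upstream-e4a68441.patch is not a patch against the nmap source tree: its two hunks create nmap-ems-ssl-enum-ciphers.patch and add a `Patch9:` line to a spec that references rhbz#2128336 and nmap-pcre2.patch, i.e. it is another distribution's packaging commit carried verbatim. Nothing in the nmap.spec hunks of this commit references it (the spec gains only `Patch1: nmap-ems-ssl-enum-ciphers.patch`), so it looks like a stray artifact of how the backport was obtained; dropping it keeps the tree to patches that are actually applied and avoids confusing later audits of what is shipped. If it is meant as provenance, a one-line `# backport of https://github.com/nmap/nmap/pull/2724` comment above the Patch1 line serves that purpose without a second, unreferenced copy of the same change. The rest of nmap.spec is outside this diff, so a reference elsewhere cannot be ruled out from here.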
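Review bot: The new `Patch1:` line in the `@@ -12,6 +12,7 @@` hunk carries no provenance comment, so a reader of the spec cannot tell it is an upstream backport or locate the upstream change to check the patch file against; the Fedora hunk shipped alongside in nmap-upstream-e4a68441.patch shows the convention used for Patch8. Suggest adding `# backport of https://github.com/nmap/nmap/pull/2724 (upstream commit fc5fc2a26877e241bf9f175832cc89f5ec1e6925)` directly above `Patch1: nmap-ems-ssl-enum-ciphers.patch`. The %prep section is outside the hunk, so please also confirm the patch is actually applied there (`%autosetup -p1` or an explicit `%patch` line with -p1, since the file uses a/ and b/ path prefixes); a patch listed but never applied would leave the changelog claim unmet without any build failure.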
@@ -182,6 +183,9 @@ fi
 %doc ncat/docs/AUTHORS ncat/docs/README ncat/docs/THANKS ncat/docs/examples

 %changelog
+* Thu Jan 29 2026 wenjie2025 - 3:7.94-2
+- Add nmap-ems-ssl-enum-ciphers.patch to support EMS in ssl-enum-ciphers
+
 * Sun May 21 2023 Funda Wang - 3:7.94-1
 - New version 3.94
 - Enable ndiff and zenmap as they are python3 compatible