Functional Package for Transport Layer Security (TLS)

Version: 2.0-draft 2022-08-24

National Information Assurance Partnership

Revision History

Version  Date        Comment
1.0      2018-12-17  First publication
1.1      2019-03-01  Clarifications regarding override for invalid certificates, renegotiation_info extension, DTLS versions, and named Diffie-Hellman groups in DTLS contexts
2.0      2022-08-24  Added audit events, added TLS 1.3 support, deprecated TLS 1.0 and 1.1, updated algorithms/cipher suites in accordance with CNSA suite RFC and to consider PSK, restructured SFRs for clarity

Contents

1 Introduction
1.1 Overview
1.2 Terms
1.2.1 Common Criteria Terms
1.2.2 Technical Terms
1.3 Compliant Targets of Evaluation
2 Conformance Claims
3 Security Functional Requirements
3.1 Auditable Events for Mandatory SFRs
3.2 Cryptographic Support (FCS)
Appendix A - Optional Requirements
A.1 Strictly Optional Requirements
A.2 Objective Requirements
A.3 Implementation-based Requirements
Appendix B - Selection-based Requirements
B.1 Auditable Events for Selection-based Requirements
B.2 Cryptographic Support (FCS)
Appendix C - Acronyms
Appendix D - Bibliography

1 Introduction

1.1 Overview

Transport Layer Security (TLS) and the closely-related Datagram TLS (DTLS) are cryptographic protocols designed to provide communications security over IP networks. Several versions of the protocol are in widespread use in software that provides functionality such as web browsing, email, instant messaging, and voice-over-IP (VoIP). Major websites use TLS to protect communications to and from their servers. TLS is also used to protect communications between hosts and network infrastructure devices for administration. The underlying platform, such as an operating system, often provides the actual TLS implementation.

The primary goal of the TLS protocol is to provide confidentiality and integrity of data transmitted between two communicating endpoints, as well as authentication of at least the server endpoint. TLS supports many different methods for exchanging keys, encrypting data, and authenticating message integrity. These methods are dynamically negotiated between the client and server when the TLS connection is established. As a result, evaluating the implementation of both endpoints is typically necessary to provide assurance for the operating environment.

This "Functional Package for Transport Layer Security" (short name "TLS-PKG") defines functional requirements for the implementation of the TLS and DTLS protocols. The requirements are intended to improve the security of products by enabling their evaluation.

1.2 Terms

The following sections list Common Criteria and technology terms used in this document.

1.2.1 Common Criteria Terms

Assurance
Grounds for confidence that a TOE meets the SFRs [CC].

Base Protection Profile (Base-PP)
Protection Profile used as a basis to build a PP-Configuration.

Collaborative Protection Profile (cPP)
A Protection Profile developed by international technical communities and approved by multiple schemes.

Common Criteria (CC)
Common Criteria for Information Technology Security Evaluation (International Standard ISO/IEC 15408).

Common Criteria Testing Laboratory
Within the context of the Common Criteria Evaluation and Validation Scheme (CCEVS), an IT security evaluation facility accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) and approved by the NIAP Validation Body to conduct Common Criteria-based evaluations.

Common Evaluation Methodology (CEM)
Common Evaluation Methodology for Information Technology Security Evaluation.

Distributed TOE
A TOE composed of multiple components operating as a logical whole.

Extended Package (EP)
A deprecated document form for collecting SFRs that implement a particular protocol, technology, or functionality. See Functional Packages.

Functional Package (FP)
A document that collects SFRs for a particular protocol, technology, or functionality.

Operational Environment (OE)
Hardware and software that are outside the TOE boundary that support the TOE functionality and security policy.

Protection Profile (PP)
An implementation-independent set of security requirements for a category of products.

Protection Profile Configuration (PP-Configuration)
A comprehensive set of security requirements for a product type that consists of at least one Base-PP and at least one PP-Module.

Protection Profile Module (PP-Module)
An implementation-independent statement of security needs for a TOE type complementary to one or more Base-PPs.

Security Assurance Requirement (SAR)
A requirement to assure the security of the TOE.

Security Functional Requirement (SFR)
A requirement for security enforcement by the TOE.

Security Target (ST)
A set of implementation-dependent security requirements for a specific product.

Target of Evaluation (TOE)
The product under evaluation.

TOE Security Functionality (TSF)
The security functionality of the product under evaluation.

TOE Summary Specification (TSS)
A description of how a TOE satisfies the SFRs in an ST.

1.2.2 Technical Terms

Certificate Authority (CA)
Issuer of digital certificates.

Datagram Transport Layer Security (DTLS)
Cryptographic network protocol, based on TLS, which provides communications security for datagram protocols.

Transport Layer Security (TLS)
Cryptographic network protocol for providing communications security over a TCP/IP network.

1.3 Compliant Targets of Evaluation

The Target of Evaluation (TOE) in this Package is a product which acts as a (D)TLS client, a (D)TLS server, or both. This Package describes the security functionality of TLS and DTLS in terms of [CC]. The contents of this Package must be appropriately combined with a PP or PP-Module. When this Package is instantiated by a PP or PP-Module, the Package must include selection-based requirements in accordance with the selections or assignments indicated in the PP or PP-Module. These may be expanded by the ST author. The PP or PP-Module which instantiates this Package must typically include the following components in order to satisfy dependencies of this Package. It is the responsibility of the PP or PP-Module author who instantiates this Package to ensure that dependence on these components is satisfied:

Component       Explanation
FCS_CKM.1       To support TLS cipher suites that use RSA, DHE or ECDHE for key exchange, the PP or PP-Module must include FCS_CKM.1 and specify the corresponding key generation algorithm.
FCS_CKM.2       To support TLS cipher suites that use RSA, DHE or ECDHE for key exchange, the PP or PP-Module must include FCS_CKM.2 and specify the corresponding algorithm.
FCS_COP.1       To support TLS cipher suites that use AES for encryption and decryption, the PP or PP-Module must include FCS_COP.1 (iterating as needed) and specify AES with corresponding key sizes and modes. To support TLS cipher suites that use SHA for hashing, the PP or PP-Module must include FCS_COP.1 (iterating as needed) and specify SHA with corresponding digest sizes.
FCS_RBG_EXT.1   To support random bit generation needed for the TLS handshake, the PP or PP-Module must include FCS_RBG_EXT.1.
FIA_X509_EXT.1  To support validation of certificates needed during TLS connection setup, the PP or PP-Module must include FIA_X509_EXT.1.
FIA_X509_EXT.2  To support the use of X509 certificates for authentication in TLS connection setup, the PP or PP-Module must include FIA_X509_EXT.2.

An ST must identify the applicable version of the PP or PP-Module and this Package in its conformance claims.

2 Conformance Claims

Conformance Statement
An ST must claim exact conformance to this PP-Package, as defined in the CC and CEM addenda for Exact Conformance, Selection-based SFRs, and Optional SFRs (dated May 2017).

CC Conformance Claims
This PP-Package is conformant to Parts 2 (extended) and 3 (conformant) of Common Criteria Version 3.1, Revision 5.

PP Claim
This PP-Package does not claim conformance to any Protection Profile.

Package Claim
This PP-Package does not claim conformance to any packages.

Conformance Statement
This Package serves to provide Protection Profiles with additional SFRs and associated Evaluation Activities specific to TLS clients and servers. This Package conforms to Common Criteria [CC] for Information Technology Security Evaluation, Version 3.1, Revision 5. It is CC Part 2 extended conformant. In accordance with CC Part 1, dependencies are not included when they are addressed by other SFRs. The evaluation activities provide adequate proof that any dependencies are also satisfied.

3 Security Functional Requirements

This chapter describes the security requirements which have to be fulfilled by the product under evaluation. Those requirements comprise functional components from Part 2 of [CC]. The following conventions are used for the completion of operations:

Refinement operation (denoted by bold text or strikethrough text): Is used to add details to a requirement (including replacing an assignment with a more restrictive selection) or to remove part of the requirement that is made irrelevant through the completion of another operation, and thus further restricts a requirement.

Selection (denoted by italicized text): Is used to select one or more options provided by the [CC] in stating a requirement.

Assignment operation (denoted by italicized text): Is used to assign a specific value to an unspecified parameter, such as the length of a password. Showing the value in square brackets indicates assignment.

Iteration operation: Is indicated by appending the SFR name with a slash and unique identifier suggesting the purpose of the operation, e.g. "/EXAMPLE1."

3.1 Auditable Events for Mandatory SFRs

The auditable events specified in this Functional Package are included in a Security Target if the incorporating PP or PP-Module supports audit event reporting through FAU_GEN.1 and all other criteria in the incorporating PP or PP-Module are met.

Table 1: Auditable Events for Mandatory Requirements

Requirement     Auditable Events      Additional Audit Record Contents
FCS_TLS_EXT.1   No events specified   N/A

3.2 Cryptographic Support (FCS)

FCS_TLS_EXT.1 TLS Protocol

FCS_TLS_EXT.1.1 The TSF shall implement [selection: TLS as a client, TLS as a server, DTLS as a client, DTLS as a server].

Application Note: If TLS as a client is selected, then the ST must include the requirements from FCS_TLSC_EXT.1. If TLS as a server is selected, then the ST must include the requirements from FCS_TLSS_EXT.1. If DTLS as a client is selected, then the ST must include the requirements from FCS_DTLSC_EXT.1. If DTLS as a server is selected, then the ST must include the requirements from FCS_DTLSS_EXT.1.

Evaluation Activities

FCS_TLS_EXT.1

TSS
The evaluator shall examine the TSS to verify that the TLS and DTLS claims are consistent with those selected in the SFR.

Guidance
The evaluator shall ensure that the selections indicated in the ST are consistent with selections in the dependent components.

Tests
There are no test activities for this SFR; the following information is provided as an overview of the expected functionality and test environment for all subsequent SFRs.

Figure 1: TLS Hello

The chart above provides an overview of the TLS hello messages, the content and protections, and the establishment of cryptographic keys in support of the protections. Blue text indicates a message or content unique to TLS 1.2. Green text indicates uniqueness to TLS 1.3. Black text indicates features common to both TLS 1.2 and TLS 1.3. Bold text indicates mandatory features. Italics emphasizes optional features. A shaded text box indicates that the message is encrypted for TLS 1.2 (blue), TLS 1.3 (green) or both TLS 1.2 and TLS 1.3 (grey). An outlined text box indicates that the content in the message is signed, and/or provides authentication of the handshake to that point.

Test Environment: Tests for TLS 1.2 and TLS 1.3 include examination of the handshake messages and behavior of the TSF when presented with unexpected or invalid messages. For TLS 1.2 and below, previous versions of this Functional Package only required visibility of network traffic and the ability to modify a valid handshake message sent to the TSF.

Figure 2: Test environment for TLS 1.2 using network traffic visibility and control tools

TLS 1.3 introduces the encryption of handshake messages subsequent to the server hello exchange, which prevents visibility and control using midpoint capabilities. Achieving equivalent validation of TLS 1.3 requires the ability to modify the traffic underlying the encryption applied after the server hello message. This can be achieved by introducing additional control of the messages sent, and visibility of messages received, by the test TLS client (when validating TLS server functionality) or test server (when validating TLS client functionality).

Figure 3: Test environment for TLS 1.3 using custom endpoint capabilities for visibility and control

Typically, a compliant TLS 1.3 library modified to provide visibility and control of the handshake messages prior to encryption suffices for all tests. Such modification will require the test client and/or server to be validated. Since validations of products supporting only TLS 1.2 are still expected under this Package, the test environment for TLS 1.2-only validations may include network sniffers and man-in-the-middle products that do not require such modifications to a compliant TLS 1.2 library. For consistency, a compliant TLS client (or TLS server) together with the network sniffers and man-in-the-middle capabilities will also be referred to as a test TLS client (or test TLS server, respectively) in the following evaluation activities.

Figure 4: Combined test environment for TLS 1.2 and TLS 1.3 using both network tools and custom endpoint capabilities

Appendix A - Optional Requirements

As indicated in the introduction to this PP-Package, the baseline requirements (those that must be performed by the TOE) are contained in the body of this PP-Package. This appendix contains three other types of optional requirements that may be included in the ST, but are not required in order to conform to this PP-Package. However, applied modules, packages and/or use cases may refine specific requirements as mandatory.

The first type (A.1 Strictly Optional Requirements) are strictly optional requirements that are independent of the TOE implementing any function. If the TOE fulfills any of these requirements or supports a certain functionality, the vendor is encouraged to include the SFRs in the ST, but they are not required in order to conform to this PP-Package.

The second type (A.2 Objective Requirements) are objective requirements that describe security functionality not yet widely available in commercial technology. The requirements are not currently mandated in the body of this PP-Package, but will be included in the baseline requirements in future versions of this PP-Package. Adoption by vendors is encouraged and expected as soon as possible.

The third type (A.3 Implementation-based Requirements) are dependent on the TOE implementing a particular function. If the TOE fulfills any of these requirements, the vendor must either add the related SFR or disable the functionality for the evaluated configuration.

A.1 Strictly Optional Requirements
This PP-Package does not define any Strictly Optional requirements.

A.2 Objective Requirements
This PP-Package does not define any Objective requirements.

A.3 Implementation-based Requirements
This PP-Package does not define any Implementation-based requirements.

Appendix B - Selection-based Requirements

As indicated in the introduction to this PP-Package, the baseline requirements (those that must be performed by the TOE or its underlying platform) are contained in the body of this PP-Package. There are additional requirements based on selections in the body of the PP-Package: if certain selections are made, then additional requirements below must be included.

B.1 Auditable Events for Selection-based Requirements

The auditable events in the table below are included in a Security Target if both the associated requirement is included and the incorporating PP or PP-Module supports audit event reporting through FAU_GEN.1 and any other criteria in the incorporating PP or PP-Module are met.

Table 2: Auditable Events for Selection-based Requirements

Requirement      Auditable Events                                                 Additional Audit Record Contents
FCS_DTLSC_EXT.1  [selection: Failure of the certificate validity check, None]    Issuer Name and Subject Name of certificate.
FCS_DTLSC_EXT.2  No events specified                                             N/A
FCS_DTLSS_EXT.1  [selection: Failure of the certificate validity check, None]    Issuer Name and Subject Name of certificate
FCS_DTLSS_EXT.2  No events specified                                             N/A
FCS_TLSC_EXT.1   [selection: Failure to establish a TLS session, None]           Reason for failure.
                 [selection: Failure to verify presented identifier, None]       Presented identifier and reference identifier.
                 [selection: Establishment/termination of a TLS session, None]  Non-TOE endpoint of connection.
FCS_TLSC_EXT.2   No events specified                                             N/A
FCS_TLSC_EXT.3   No events specified                                             N/A
FCS_TLSC_EXT.4   No events specified                                             N/A
FCS_TLSC_EXT.5   No events specified                                             N/A
FCS_TLSC_EXT.6   No events specified                                             N/A
FCS_TLSS_EXT.1   [selection: Failure to establish a TLS session, None]           Reason for failure
FCS_TLSS_EXT.2   No events specified                                             N/A
FCS_TLSS_EXT.3   No events specified                                             N/A
FCS_TLSS_EXT.4   No events specified                                             N/A
FCS_TLSS_EXT.5   No events specified                                             N/A
FCS_TLSS_EXT.6   No events specified                                             N/A

B.2 Cryptographic Support (FCS)

FCS_TLSC_EXT.1 TLS Client Protocol

The inclusion of this selection-based component depends upon selection in FCS_TLS_EXT.1.1.

FCS_TLSC_EXT.1.1 The TSF shall implement TLS 1.2 (RFC 5246) and [selection: TLS 1.3 (RFC 8446), no other TLS version] as a client that supports additional functionality for session renegotiation protection and [selection: mutual authentication, supplemental downgrade protection, session resumption, no optional functionality] and shall abort attempts by a server to negotiate all other TLS or SSL versions.

Application Note: Session renegotiation protection is required for both TLS 1.2 and TLS 1.3, and the ST must include the requirements from FCS_TLSC_EXT.4. Within FCS_TLSC_EXT.4, options for implementation of secure session renegotiation for TLS 1.2, or rejecting renegotiation requests, are claimed.

The ST author will claim TLS 1.3 functionality if supported, and optional functionality as appropriate for the claimed versions.

If "mutual authentication" is selected, then the ST must additionally include the requirements from FCS_TLSC_EXT.2. If the TOE implements mutual authentication, this selection must be made.

If "supplemental downgrade protection" is selected, then the ST must additionally include the requirements from FCS_TLSC_EXT.3. This is claimed if TLS 1.3 is supported, or if the product supports TLS 1.1 or below downgrade protection using the mechanism described in RFC 8446.

If "session resumption" is selected, then the ST must additionally include the requirements from FCS_TLSC_EXT.5.

FCS_TLSC_EXT.1.2 The TSF shall be able to support the following TLS 1.2 cipher suites: [selection:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289, RFC 8422
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289, RFC 8422
TLS_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289
TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289
TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246
TLS_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246
PP-specific cipher suites using pre-shared secrets including [selection:
  TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 as defined in RFC 8442
  TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 as defined in RFC 5487
  TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 as defined in RFC 5487
  TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 as defined in RFC 8442
  TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 as defined in RFC 5487
  TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 as defined in RFC 5487
  ]
] the following TLS 1.3 cipher suites: [selection:
TLS_AES_256_GCM_SHA384 as defined in RFC 8446
TLS_AES_128_GCM_SHA256 as defined in RFC 8446
[assignment: other TLS 1.3 cipher suites]
] offering the supported cipher suites in a client hello message in preference order: [assignment: list of supported cipher suites].

Application Note: The ST author should select the cipher suites that are supported, and must select at least one cipher suite for each TLS version supported. The cipher suites to be tested in the evaluated configuration are limited by this requirement. However, this requirement does not restrict the TOE's ability to propose additional non-deprecated cipher suites beyond the ones listed in this requirement in its Client Hello message as indicated in the ST. That is, the TOE may propose any cipher suite not excluded by this element, but the evaluation will only test cipher suites from the above list. It is necessary to limit the cipher suites that can be used in an evaluated configuration administratively on the server in the test environment.

TLS 1.3 cipher suites are claimed if support for TLS 1.3 is claimed in FCS_TLSC_EXT.1.1. The assignment of preference order provides an ordered list of all supported cipher suites with the most preferred cipher suites listed first. Cipher suites listed in [RFC 9151, "CNSA Suite TLS Profile"] are preferred over all other cipher suites, GCM cipher suites are preferred over CBC cipher suites, ECDHE preferred over RSA and DHE, and SHA256 or SHA384 over SHA1.

Cipher suites for TLS 1.2 are of the form TLS_{key exchange algorithm}_WITH_{encryption algorithm}_{message digest algorithm}, and are listed in the TLS parameters section of the internet assignments at iana.org.
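As an added illustration of the preference rules above and the prohibitions in FCS_TLSC_EXT.1.3 (example code, not part of this Package): the checker below parses suite names of the TLS_{kx}_WITH_{enc}_{md} form, flags components a client must not offer, and verifies an offer list against the stated preferences. It applies the four preference rules in the order the note gives them (CNSA suites, then GCM over CBC, then ECDHE, then SHA256/SHA384 over SHA1) as a lexicographic ranking, which is this example's own interpretation; the sample offer lists are constructed.

```python
import re

# Encryption components FCS_TLSC_EXT.1.3 calls deprecated or export-grade.
DEPRECATED_ENC = {"DES", "3DES", "RC2", "RC4", "IDEA"}

# RFC 9151 (CNSA Suite TLS Profile) cipher suites; preferred over all others.
CNSA_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_AES_256_GCM_SHA384",
}

# Trailing message-digest component of a suite name (SHA means SHA-1).
_DIGEST = re.compile(r"(.+)_(SHA(?:256|384|512)?|MD5|NULL)")


def parse_suite(name):
    """Split a suite name into (key exchange, encryption, digest).
    TLS 1.2 names are TLS_{kx}_WITH_{enc}_{md}; TLS 1.3 names carry no kx."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not a TLS cipher suite name: {name}")
    if "_WITH_" in name:
        kx, rest = name[4:].split("_WITH_", 1)
    else:
        kx, rest = "", name[4:]
    m = _DIGEST.fullmatch(rest)
    if not m:
        raise ValueError(f"unrecognised digest component in {name}")
    return kx, m.group(1), m.group(2)


def violations(name):
    """Reasons (possibly none) why FCS_TLSC_EXT.1.3 forbids offering this suite."""
    kx, enc, md = parse_suite(name)
    kx_tokens = {t.upper() for t in kx.split("_")}
    enc_tokens = set(enc.split("_"))
    probs = []
    if "NULL" in enc_tokens:
        probs.append("null encryption")
    if "ANON" in kx_tokens:
        probs.append("anonymous server authentication")
    if "EXPORT" in kx_tokens:
        probs.append("export-grade key exchange")
    deprecated = enc_tokens & DEPRECATED_ENC
    if deprecated:
        probs.append("deprecated encryption " + ",".join(sorted(deprecated)))
    if md == "MD5":
        probs.append("MD5 digest")
    return probs


def preference_rank(name):
    """Lower tuple = should be offered earlier. TLS 1.3 suites (no kx) are
    not penalised on the key-exchange rule, which only concerns TLS 1.2."""
    kx, enc, md = parse_suite(name)
    return (
        0 if name in CNSA_SUITES else 1,
        0 if "GCM" in enc.split("_") else 1,
        0 if kx == "" or kx.startswith("ECDHE") else 1,
        0 if md in ("SHA256", "SHA384") else 1,
    )


def check_client_offer(suites):
    """Findings for a client's offer list, in the order it offers the suites.
    An empty list means nothing forbidden is offered and the order is consistent."""
    findings = [f"{s}: {p}" for s in suites for p in violations(s)]
    ranks = [preference_rank(s) for s in suites]
    for i in range(1, len(suites)):
        if ranks[i] < ranks[i - 1]:
            findings.append(f"{suites[i]} should be offered before {suites[i - 1]}")
    return findings


# Constructed sample offers (not taken from any product's ST).
GOOD_OFFER = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
BAD_OFFER = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_RC4_128_MD5",
]

if __name__ == "__main__":
    for label, offer in (("good", GOOD_OFFER), ("bad", BAD_OFFER)):
        print(label, check_client_offer(offer) or "no findings")
```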

FCS_TLSC_EXT.1.3 The TSF shall not offer the following cipher suites indicating the following:
the null encryption component
support for anonymous servers
use of deprecated or export-grade cryptography including DES, 3DES, RC2, RC4, or IDEA for encryption
use of MD
and shall abort sessions where a server attempts to negotiate cipher suites not enumerated in the client hello message.

FCS_TLSC_EXT.1.4 The TSF shall be able to support the following TLS client hello message extensions:
signature_algorithms extension (RFC 8446) indicating support for [selection: ecdsa-secp384r1_sha384 (RFC 8446), rsa_pkcs1_sha384 (RFC 8446)], and [selection: rsa_pss_pss_sha384 (RFC 8603), rsa_pss_rsae_sha384 (RFC 8603), [assignment: other non-deprecated signature algorithms], no other signature algorithms]
extended_master_secret extension (RFC 7627) enforcing server support
the following other extensions: [selection:
  signature_algorithms_cert extension (RFC 8446) indicating support for [selection: ecdsa-secp384r1_sha384 (RFC 8446), rsa_pkcs1_sha384 (RFC 8446)], and [selection: rsa_pss_pss_sha384 (RFC 8603), rsa_pss_rsae_sha384 (RFC 8603), rsa_pkcs1_sha256 (RFC 8446), rsa_pss_rsae_sha256 (RFC 8446), [assignment: other non-deprecated signature algorithms], no other signature algorithms]
  supported_versions extension (RFC 8446) indicating support for TLS 1.3
  supported_groups extension (RFC 7919, RFC 8446) indicating support for [selection: secp256r1, secp384r1, secp521r1, ffdhe2048 (256), ffdhe3072 (257), ffdhe4096 (258), ffdhe6144 (259), ffdhe8192 (260)]
  key_share extension (RFC 8446)
  post_handshake_auth (RFC 8446), pre_shared_key (RFC 8446), and psk_key_exchange_mode (RFC 8446) indicating DHE or ECDHE mode
  no other extensions
]
and shall not send the following extensions:
early_data
psk_key_exchange_mode indicating PSK only mode.

Application Note: If TLS 1.3 is claimed in FCS_TLSC_EXT.1.1, supported_versions, supported_groups, and key_share extensions are claimed in accordance with RFC 8446. If TLS 1.3 is not claimed, supported_versions and key_share extensions are not claimed. Other extensions may be supported; certain extensions may need to be claimed based on other SFR claims made.

If ECDHE cipher suites are claimed in FCS_TLSC_EXT.1.2, the supported_groups extension is claimed here with appropriate secp groups claimed. If DHE cipher suites are claimed in FCS_TLSC_EXT.1.2, it is preferred that the appropriate ffdhe groups be claimed here. In a subsequent version of this FP, support for ffdhe groups will be required whenever DHE cipher suites are claimed.

When 'other non-deprecated signature algorithms' is claimed, the assignment will describe the standard signature and hash algorithms supported. MD5 and SHA-1 hashes are deprecated and are not included in the signature_algorithms or signature_algorithms_cert extensions.

FCS_TLSC_EXT.1.5 The TSF shall be able to [selection:
verify that a presented identifier of name type: [selection: DNS name type according to RFC 6125, URN name type according to RFC 6125, SRV name type according to RFC 6125, Common Name conversion to DNS name according to RFC 6125, Directory name type according to RFC 5280, IP address name type according to RFC 5280, rfc822Name type according to RFC 5280, [assignment: other name type]]
interface with a client application requesting the TLS channel to verify that a presented identifier
] matches a reference identifier of the requested TLS server and shall abort the session if no match is found.

Application Note: The rules for identity verification are described in Section 6 of RFC 6125 and Section 7 of RFC 5280. The reference identifier is established by the user (e.g., entering a URL into a web browser or clicking a link), by configuration (e.g., configuring the name of a mail server or authentication server), or by an application (e.g., a parameter of an API) depending on the product service. The client establishes all acceptable reference identifiers and interfaces with the TLS implementation to provide acceptable reference identifiers, or to accept the presented identifiers as validated in the server's certificate. If the product performs matching of the reference identifiers to the identifiers provided in the server's certificate, the first option is claimed and all supported name types are claimed; if the product presents the certificate, or the presented identifiers from the certificate, to the application, the second option is claimed.

In most cases where TLS servers are represented by DNS-type names, the preferred method for verification is the Subject Alternative Name using DNS names, URI names, or Service Names. Verification using a conversion of the Common Name relative distinguished name from a DNS name type in the subject field is allowed for the purposes of backward compatibility.

Finally, the client should avoid constructing reference identifiers using wildcards. However, if the presented identifiers include wildcards, the client must follow the best practices regarding matching; these best practices are captured in the evaluation activity. Support for other name types is rare, but may be claimed for specific applications.

[JF] App note talks about wildcards best practices being captured in the evaluation activity but nothing in the activity actually covers this.

FCS_TLSC_EXT.1.6 The TSF shall not establish a trusted channel if the server certificate is invalid [selection: with no exceptions, except when override is authorized in the case where valid revocation information is not available].

Application Note: A certificate used in a manner that does not support revocation checking should not advertise revocation information locations. Common methods to address this include revoking the issuing CA, resetting certificate pinning mechanisms, or removing entries from trust stores. Thus, a certificate that does not advertise revocation status information is considered to be not revoked and does not need to be processed via override mechanisms. Override mechanisms are for use with certificates with published revocation status information that is not accessible, whether temporarily or because the information cannot be accessed during the state of the TOE (e.g., for verifying signatures on boot code). The circumstances should be described by the ST author, who should indicate the override mechanism and conditions that apply to the override, including system state, user/admin actions, etc.

This SFR is claimed if "TLS as a client" is selected in FCS_TLS_EXT.1.1.

Evaluation Activities

FCS_TLSC_EXT.1

TSS
The evaluator shall check the description of the implementation of this protocol in the TSS to ensure the supported TLS versions, features, cipher suites, and extensions are specified in accordance with RFC 5246 (TLS 1.2) and RFC 8446 (TLS 1.3 and updates to TLS 1.2) and as refined in FCS_TLSC_EXT.1 as appropriate. The evaluator shall verify that cipher suites indicated in FCS_TLSC_EXT.1.2 are included in the description, and that none of the following cipher suites are supported: cipher suites indicating 'NULL,' 'RC2,' 'RC4,' 'DES,' 'IDEA,' or 'TDES' in the encryption algorithm component, indicating 'anon,' or indicating MD5 or SHA in the message digest algorithm component. The evaluator shall verify that the TLS implementation description includes the extensions as required in FCS_TLSC_EXT.1.4. The evaluator shall verify that the ST describes applications that use the TLS functions and how they establish reference identifiers. The evaluator shall verify that the ST includes a description of the name types parsed and matching methods supported for associating the server certificate to application defined reference identifiers.

Guidance
The evaluator shall check the operational guidance to ensure that it contains instructions on configuring the product so that TLS conforms to the description in the TSS and that it includes any instructions on configuring the version, cipher suites, or optional extensions that are supported. The evaluator shall verify that all configurable features for matching identifiers in certificates presented in the TLS handshake to application specific reference identifiers are described.

Tests
The evaluator shall perform the following tests:

Test 1: (supported configurations) For each supported version, and for each supported cipher suite associated with the version: The evaluator shall establish a TLS connection between the TOE and a test TLS server that is configured to negotiate the tested version and cipher suite in accordance with the RFC for the version. The evaluator shall observe that the TSF presents a client hello with the highest version of TLS 1.2 or the legacy version (value '0303') and shall observe that the supported version extension is not included for TLS 1.2, and, if TLS 1.3 is supported, is present and contains the value '0304' for TLS 1.3. The evaluator shall observe that the client hello indicates the supported cipher suites in the order indicated, and that it includes only the extensions supported, with appropriate values, for that version in accordance with the requirement. The evaluator shall observe that the TOE successfully completes the TLS handshake.

Note: TOEs supporting TLS 1.3, but allowing a server to negotiate TLS 1.2, should include all cipher suites and all extensions as required for either version. If such a TOE is configurable to support only TLS 1.2, only TLS 1.3, or both TLS 1.2 and TLS 1.3, Test 1 should be performed in each configuration, with advertised cipher suites appropriate for the configuration. The connection in Test 1 may be established as part of the establishment of a higher-level protocol, e.g., as part of an EAP session. It is sufficient to observe the successful negotiation of a cipher suite to satisfy the intent of the test; it is not necessary to examine the characteristics of the encrypted traffic in an attempt to discern the cipher suite being used (for example, that the cryptographic algorithm is 128-bit AES and not 256-bit AES).

Test2:(obsoleteversions)Theevaluatorshallperformthefollowingtests:Test2.1:ForeachofSSLversion3,TLSversion1.0,andTLSversion1.1,theevaluatorshallinitiateaTLSconnectionfromtheTOEtoatestTLSserverthatisconfiguredtonegotiatetheobsoleteversionandobservethattheTSFterminatestheconnection.

Note:ItispreferredthattheTSFsendsafatalerroralertmessage(e.g.,protocolversion,insufficientsecurity)inresponsetothis,butitisacceptablethattheTSFterminatestheconnectionsilently(i.e.,withoutsendingafatalerroralert).Test2.2:TheevaluatorshallattempttoestablishaconnectionwithatestTLSserverthatisconfiguredtosendaserverhellomessageindicatingtheselectedversion(referredtoasthelegacyversionforTLS1.3)withavaluecorrespondingtoanundefinedTLS(legacy)version(e.g.,'0304')andobservethattheTSFterminatestheconnection.

Note:ItispreferredthattheTSFsendsafatalerroralertmessage(e.g.,protocolversion)inresponsetothis,butitisacceptablethattheTSFterminatestheconnectionsilently(i.e.,withoutsendingafatalerroralert).Test2.2isintendedtotesttheTSFresponsetonon-standardversions,includingearlyproposalsfor‘betaTLS1.3’versions.RFC8446requiresthelegacyversiontohavethevalue'0303'andspecifiesTLS1.3inthesupportedversionsextensionwiththevalue'0304'.Whilenotapreferredapproach,ifcontinuedsupportforabetaTLS1.3versionisdesiredandtheTSFcannotbeconfiguredtorejectsuchversions,anothervalue(e.g.,'0305')canbeusedinTest2.2.Implementationsofnon-standardversionsarenottested.

Test3:(ciphersuites)TheevaluatorshallperformthefollowingtestsonhandlingunexpectedciphersuitesusingatestTLSserversendinghandshakemessagescompliantwiththenegotiatedversionexceptasindicatedinthetest:

Test3.1:(ciphersuitenotoffered)Foreachsupportedversion,theevaluatorshallattempttoestablishaconnectionwithatestTLSserverconfiguredtonegotiatethesupportedversionandaciphersuitenotincludedintheclienthelloandobservethattheTOErejectstheconnection.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake failure) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). This test is intended to test the TSF’s generic ability to recognize non-offered cipher suites. If the cipher suites in the client hello are configurable, the evaluator shall configure the TSF to offer a cipher suite outside those that are supported and use that cipher suite in the test. If the TSF cipher suite list is not configurable, it is acceptable to use a named cipher suite from the IANA TLS protocols associated with the tested version. Additional special cases of this test for special cipher suites are performed separately.

Test 3.2: (version confusion) For each supported version, the evaluator shall attempt to establish a connection with a test TLS server that is configured to negotiate the supported version and a cipher suite that is not associated with that version and observe that the TOE rejects the connection.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake failure) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). It is intended that Test 3.2 use TLS 1.3 cipher suites for a server negotiating TLS 1.2. If TLS 1.3 is supported, the test server negotiating TLS 1.3 should select a TLS 1.2 cipher suite supported by the TOE for TLS 1.2 and matching the client’s supported groups and signature algorithm indicated by extensions in the TLS 1.3 client hello. If the TOE is configurable to allow both TLS 1.2 and TLS 1.3 servers, the test server should use cipher suites offered by the TSF in its client hello message.

Test 3.3: (null cipher suite) For each supported version, the evaluator shall attempt to establish a connection with a test TLS server configured to negotiate the null cipher suite (TLS_NULL_WITH_NULL_NULL) and observe that the TOE rejects the connection.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake failure, insufficient security) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 3.4: (anon cipher suite) The evaluator shall attempt to establish a TLS 1.2 connection with a test TLS server configured to negotiate a cipher suite using the anonymous server authentication method and observe that the TOE rejects the connection. It is preferred that the TSF sends a fatal error alert message (e.g., handshake failure, insufficient security) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

See IANA TLS parameters for available cipher suites to be selected by the test TLS server. The test cipher suite should use supported cryptographic algorithms for as many of the other components as possible. For example, if the TSF only supports the cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, the test server could select TLS_DH_ANON_WITH_AES_256_GCM_SHA_384.

Test 3.5: (deprecated encryption algorithm) For each deprecated encryption algorithm (NULL, RC2, RC4, DES, IDEA, and TDES), the evaluator shall attempt to establish a TLS 1.2 connection with a test TLS server configured to negotiate a cipher suite using the deprecated encryption algorithm and observe that the TOE rejects the connection.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake failure, insufficient security) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). See IANA TLS parameters for available cipher suites to be tested. The test cipher suite should use supported cryptographic algorithms for as many of the other components as possible. For example, if the TSF only supports TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, the test server could select TLS_ECDHE_PSK_WITH_NULL_SHA_384, TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_DHE_DSS_WITH_DES_CBC_SHA, TLS_RSA_WITH_IDEA_CBC_SHA, and TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA.

Test 4: (extensions) For each supported version indicated in the following tests, the evaluator shall establish a connection from the TOE with a test server negotiating the tested version and providing server handshake messages as indicated when performing the following tests for validating proper extension handling:

Test 4.1: (signature_algorithms) [conditional] If the TSF supports certificate-based server authentication, the evaluator shall perform the following tests:

Test 4.1.1: For each supported version, the evaluator shall initiate a TLS session with a TLS test server and observe that the TSF’s client hello includes the signature_algorithms extension with values in conformance with the ST.

Test 4.1.2: (TLS 1.2 only) [conditional] If the TSF supports an ECDHE or DHE cipher suite, the evaluator shall ensure the test TLS server sends a compliant server hello message selecting TLS 1.2 and one of the supported ECDHE or DHE cipher suites, a compliant server certificate message, and a key exchange message signed using a signature algorithm and hash combination not included in the client’s hello message (e.g., RSA with SHA-1). The evaluator shall observe that the TSF terminates the handshake.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake failure, illegal parameter, decryption error) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 4.1.3: [conditional] If TLS 1.3 is supported, the evaluator shall configure the test TLS server to respond to the TOE with a compliant server hello message selecting TLS 1.3 and a server certificate message, but then also send a certificate verification message that uses a signature algorithm method not included in the signature_algorithms extension. The evaluator shall observe that the TSF terminates the TLS handshake.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake failure, illegal parameter, bad certificate, decryption error) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 4.1.4: [conditional] For all supported versions for which signature_algorithms_cert is not supported, the evaluator shall ensure the test TLS server sends a compliant server hello message for the tested version and a server certificate message containing a valid certificate that represents the test TLS server, but which is signed using a signature and hash combination not included in the TSF’s signature_algorithms extension (e.g., a certificate signed using RSA and SHA-1). The evaluator shall observe that the TSF terminates the TLS session.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., unsupported certificate, bad certificate, decryption error, handshake failure) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). Certificate-based server authentication is required unless the TSF only supports TLS with shared PSK. For TLS 1.2, this is the case if only TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 as defined in RFC 8442, TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 as defined in RFC 5487, TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 as defined in RFC 8442, or TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 as defined in RFC 5487, are supported. For TLS 1.3, this is the case if only PSK handshakes are supported.

Test 4.2: (signature_algorithms_cert) [conditional] If signature_algorithms_cert is supported, then for each version that uses the signature_algorithms_cert extension, the evaluator shall ensure that the test TLS server sends a compliant server hello message selecting the tested version and indicating certificate-based server authentication. The evaluator shall ensure that the test TLS server forwards a certificate message containing a valid certificate that represents the test TLS server, but which is signed by a valid Certification Authority using a signature and hash combination not included in the TSF’s signature_algorithms_cert extension (e.g., a certificate signed using RSA and SHA-1). The evaluator shall confirm the TSF terminates the session.

Note: Support for certificate-based authentication is assumed if the signature_algorithms_cert is supported. For TLS 1.2, a non-PSK cipher suite, or one of TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 or TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 as defined in RFC 5487, is used to indicate certificate-based server authentication. For TLS 1.3, the test server completes a full handshake, even if a PSK is offered, to indicate certificate-based server authentication. If the TSF only supports shared PSK authentication, Test 4.2 is not performed. For TLS 1.3, the server certificate message is encrypted. The evaluator will configure the test TLS server with the indicated certificate and ensure that the certificate is indeed sent by observing the buffer of messages to be encrypted, or by inspecting one or both sets of logs from the TSF and test TLS server. It is preferred that the TSF sends a fatal error alert message (e.g., unsupported certificate, bad certificate, decryption error, handshake failure) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 4.3: (extended_master_secret) (TLS 1.2 only) The evaluator shall initiate a TLS 1.2 session with a test TLS server configured to compute a master secret according to RFC 5246, section 8. The evaluator shall observe that the TSF’s client hello includes the extended master secret extension in accordance with RFC 7627, and ensure that the test TLS server does not include the extended master secret extension in its server hello. The evaluator shall observe that the TSF terminates the session.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake failure) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 4.4: (supported_groups) (TLS 1.2 only – for TLS 1.3, testing is combined with testing of the key share extension)

Test 4.4.1: For each supported group, the evaluator shall initiate a TLS session with a compliant test TLS 1.2 server supporting RFC 7919. The evaluator shall ensure that the test TLS server is configured to select TLS 1.2 and a cipher suite using the supported group. The evaluator shall observe that the TSF’s client hello lists the supported groups as indicated in the ST, and that the TSF successfully establishes the TLS session.

Test 4.4.2: [conditional on TLS 1.2 support for ECDHE cipher suites] The evaluator shall initiate a TLS session with a test TLS server that is configured to use an explicit version of a named EC group supported by the client. The evaluator shall ensure that the test TLS server key exchange message includes the explicit formulation of the group in its key exchange message as indicated in RFC 4492 section 5.4. The evaluator shall confirm that the TSF terminates the session.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., illegal parameter) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 5: (TLS 1.3 extensions) [conditional] If the TSF supports TLS 1.3, the evaluator shall perform the following tests. For each test, the evaluator shall observe that the TSF’s client hello includes the supported versions extension with the value '0304' indicating TLS 1.3:

Test 5.1: (supported versions) The evaluator shall initiate TLS 1.3 sessions in turn from the TOE to a test TLS server configured as indicated in the sub-tests below:

Test 5.1.1: The evaluator shall configure the test TLS server to include the supported versions extension in the server hello containing the value '0303'. The evaluator shall observe that the TSF terminates the TLS session.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., illegal parameter, handshake failure, protocol version) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 5.1.2: The evaluator shall configure the test TLS server to include the supported versions extension in the server hello containing the value '0304' and complete a compliant TLS 1.3 handshake. The evaluator shall observe that the TSF completes the TLS 1.3 handshake successfully.

Test 5.1.3: [conditional] If the TSF is configurable to support both TLS 1.2 and TLS 1.3, the evaluator shall follow operational guidance to configure this behavior. The evaluator shall ensure that the test TLS server sends a TLS 1.2 compliant server handshake and observe that the server random does not incidentally include any downgrade messaging. The evaluator shall observe that the TSF completes the TLS 1.2 handshake successfully.

Note: Enhanced downgrade protection defined in RFC 8446 is optional, and if supported, is tested separately. The evaluator may configure the test server’s random, or may repeat the test until the server’s random does not match a downgrade indicator.

Test 5.2: (supported groups, key shares) The evaluator shall initiate TLS 1.3 sessions in turn with a test TLS server configured as indicated in the following sub-tests:

Test 5.2.1: For each supported group, the evaluator shall configure the compliant test TLS 1.3 server to select a cipher suite using the group. The evaluator shall observe that the TSF sends an element of the group in its client hello key shares extension (after a hello retry message from the test server, if the key share for the group is not included in the initial client hello). The evaluator shall ensure the test TLS server sends an element of the group in its server hello and observe that the TSF completes the TLS handshake successfully.

Test 5.2.2: For each supported group, the evaluator shall modify the server hello sent by the test TLS server to include an invalid key share value claiming to be an element of the group indicated in the supported groups extension. The evaluator shall observe that the TSF terminates the TLS session.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., illegal parameter) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). For DHE cipher suites, a zero value, or a value greater than or equal to the modulus, is not a valid element. For ECDHE groups, an invalid point contains x and y coordinates of the correct size, but represents a point not on the curve. The evaluator can construct such an invalid point by modifying a byte in the y coordinate of a valid point and verifying that the coordinates do not satisfy the curve equation.
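As an added illustration (not part of the Functional Package), the following Python shows the key-share validation a TLS 1.3 client should apply to the server's key share, and how the invalid point the note describes is built and rejected. It uses the public NIST P-256 parameters; the FFDHE modulus used for the range check is a constructed stand-in, not a TLS group, and all function names are this example's own.

```python
# NIST P-256 (secp256r1) domain parameters: y^2 = x^3 + ax + b over GF(p).
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5

# Constructed stand-in modulus for the FFDHE range check (a prime, but not a
# TLS group); a real client uses the RFC 7919 modulus of the negotiated group.
STANDIN_FFDHE_P = 2 ** 127 - 1


def encode_p256_point(x: int, y: int) -> bytes:
    """Uncompressed point encoding carried in the key_share entry for secp256r1."""
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def validate_p256_key_share(key_exchange: bytes) -> bool:
    """Accept only a 65-byte uncompressed point whose coordinates are canonical
    field elements and satisfy the curve equation; anything else is the
    invalid key share a client must reject (preferably with illegal_parameter)."""
    if len(key_exchange) != 65 or key_exchange[0] != 0x04:
        return False
    x = int.from_bytes(key_exchange[1:33], "big")
    y = int.from_bytes(key_exchange[33:65], "big")
    if x >= P256_P or y >= P256_P:
        return False
    lhs = (y * y) % P256_P
    rhs = (x * x * x + P256_A * x + P256_B) % P256_P
    return lhs == rhs


def validate_ffdhe_key_share(key_exchange: bytes, p: int) -> bool:
    """FFDHE public value check (RFC 8446 section 4.2.8.1): 1 < Y < p - 1.
    Rejects zero and any value >= p, as the note above requires, and also the
    small-subgroup values 1 and p - 1."""
    if len(key_exchange) != (p.bit_length() + 7) // 8:
        return False  # RFC 7919 requires the value padded to the group's length
    y = int.from_bytes(key_exchange, "big")
    return 1 < y < p - 1


def corrupt_y_coordinate(key_exchange: bytes, offset: int = 40) -> bytes:
    """Build the evaluator's invalid point from a valid one: flip one bit in a
    byte of Y (offsets 33..64) so the encoding stays well-formed but off the curve."""
    if not 33 <= offset < 65:
        raise ValueError("offset must fall inside the Y coordinate")
    mutated = bytearray(key_exchange)
    mutated[offset] ^= 0x01
    return bytes(mutated)


# The generator point is on the curve by definition, so it makes a valid share.
VALID_P256_SHARE = encode_p256_point(P256_GX, P256_GY)


if __name__ == "__main__":
    bad_share = corrupt_y_coordinate(VALID_P256_SHARE)
    print("valid share accepted:", validate_p256_key_share(VALID_P256_SHARE))
    print("off-curve share accepted:", validate_p256_key_share(bad_share))
    zero = (0).to_bytes(16, "big")
    print("FFDHE zero accepted:", validate_ffdhe_key_share(zero, STANDIN_FFDHE_P))
```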

Test 5.3: (PSK support) [conditional] If the TOE supports pre-shared keys, the evaluator shall follow the operational guidance to use pre-shared keys, shall establish a pre-shared key between the TSF and the test TLS server, and initiate TLS 1.3 sessions in turn between the TSF and the test TLS server configured as indicated in the following sub-tests:

Test 5.3.1: The evaluator shall configure the TSF to use the pre-shared key and ensure that the test TLS server functions as a compliant TLS 1.3 server. The evaluator shall observe that the TSF’s client hello includes the pre_shared_key extension with the valid PSK indicator shared with the test server. The evaluator shall also observe that the TSF’s client hello includes the psk_key_exchange_mode and the post_handshake_auth extensions and that the psk_key_exchange_mode indicates one or more of DHE or ECDHE modes but does not include the PSK-only mode. The evaluator shall observe that the TSF completes the TLS 1.3 handshake successfully in accordance with RFC 8446, to include the TSF sending appropriate key shares for one or more of the supported groups. Once the handshake is successful, the evaluator shall cause the test TLS server to send a certificate request and observe that the TSF provides a certificate message and certificate verify message.

Note: It may be necessary to complete a standard handshake and send a new-ticket message from the test TLS server to establish a pre-shared key, or it might be possible to configure the pre-shared key manually via out-of-band mechanisms. This can be performed in conjunction with other testing that is not tested as part of this SFR. It is not required at this time to support emerging standards on establishing PSK, but as such standards are finalized, this FP may be updated to require such support. TLS messages after the handshake are encrypted, so it may not be possible to observe the certificate and certificate verify messages sent by the TSF directly. The evaluator may need to configure the test TLS server to use an application that requires post-handshake client authentication and terminates the session or otherwise has an observable effect if the certificate is not provided.

Test 5.3.2: The evaluator shall attempt to configure the TSF to send early data. If there is no indication from the TSF that this is blocked, the evaluator shall repeat test 5.3.1 with the TSF so configured and observe that the TSF does not send application data prior to receiving the server hello.

Note: Early data will be encrypted under the PSK and received by the test TLS server prior to it sending a server hello message.

Test 6: (corrupt finished message) For each supported version, the evaluator shall initiate a TLS session from the TOE to a test TLS server that sends a compliant set of server handshake messages, except for sending a modified finished message (modify a byte of the finished message that would have been sent by a compliant server). The evaluator shall observe that the TSF terminates the session and does not complete the handshake by observing that the TSF does not send application data provided to the TLS channel.

Test 7: (missing finished message) For each supported version, the evaluator shall initiate a session from the TOE to a test TLS server providing a compliant handshake, except for sending a random TLS message (the five byte header indicates a correct TLS message for the negotiated version, but not indicating a finished message) as the final message. The evaluator shall observe that the TSF terminates the session and does not send application data.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., decryption error) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). For TLS 1.2, the modified message is sent after the change_cipher_spec message. For TLS 1.3, the modified message is sent as the last message of the server’s second flight of messages.

Test 8: (unexpected/corrupt signatures within handshake) The evaluator shall perform the following tests, according to the versions supported.

Test 8.1: (TLS 1.2 only) [conditional] If the ST indicates support for ECDSA or DSA cipher suites, the evaluator shall initiate a TLS session with a compliant test TLS server and modify the signature in the server key exchange. The evaluator shall observe that the TSF terminates the session with a fatal alert message (e.g., decrypt error, handshake error).

Test 8.2: [conditional] If the ST indicates support for TLS 1.3, the evaluator shall initiate a TLS session between the TOE and a test TLS server that is configured to send a compliant server hello message, encrypted extensions message, and certificate message, but will send a certificate verify message with an invalid signature (e.g., by modifying a byte from a valid signature). The evaluator shall confirm that the TSF terminates the session with a fatal error alert message (e.g., bad certificate, decrypt error, handshake error).

Test 8.3: (TLS 1.2 only) [conditional] If the ST indicates support for both RSA and ECDSA methods in the signature_algorithm (or, if supported, the signature_algorithms_cert) extension, and if the ST indicates one or more TLS 1.2 cipher suites indicating each of the RSA and ECDSA methods in its signature components, the evaluator shall choose two cipher suites: one indicating an RSA signature (cipher1) and one indicating an ECDSA signature (cipher2). The evaluator shall then establish two certificates that are trusted by the TOE: one representing the test TLS 1.2 server using an RSA signature (cert1) and one representing the test TLS 1.2 server using an ECDSA signature (cert2). The evaluator shall initiate a TLS session between the TOE and the test TLS 1.2 server that is configured to select cipher1 and to send cert2. The evaluator shall verify that the TSF terminates this TLS session. The evaluator shall then initiate a TLS session between the TOE and the test 1.2 server that is configured to select cipher2 and to send cert1. The evaluator shall verify that the TSF also terminates this TLS session.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., bad certificate, decryption error, handshake failure) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 9: [conditional] If the TSF supports certificate-based server authentication, then for each supported version, the evaluator will initiate a TLS session from the TOE to the compliant test TLS server configured to negotiate the tested version, and to authenticate using a certificate trusted by the TSF as specified in the following:

Test 9.1: (certificate extended key usage purpose) The evaluator shall send a server certificate that contains the Server Authentication purpose in the extendedKeyUsage extension and verify that a connection is established. The evaluator shall repeat this test using a different certificate that is otherwise valid and trusted but lacks the Server Authentication purpose in the extendedKeyUsage extension and observe that the TSF terminates the session.

Note: This test may be performed as part of certificate validation testing (FIA_X509_EXT.1). It is preferred that the TSF sends a fatal error alert message (e.g., bad certificate, decryption error, handshake failure) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Ideally, the two certificates should be similar in regards to structure, the types of identifiers used, and the chain of trust.

Test 9.2: (certificate identifiers) For each supported method of matching presented identifiers, and for each name type for which the TSF parses the presented identifiers from the server certificate for the method, the evaluator shall establish a valid certificate trusted by the TSF to represent the test server using only the tested name type. The evaluator shall perform the following sub-tests:

Test 9.2.1: The evaluator shall prepare the TSF as necessary to use the matching method and establish reference identifiers for the test server for the tested name type. The evaluator shall ensure the test TLS server sends a certificate with a matching name of the tested name type and observe that the TSF completes the connection.

Test 9.2.2: The evaluator shall prepare the TSF as necessary to use the matching method and establish reference identifiers that do not match the name representing the test server. The evaluator shall ensure the test TLS server sends a certificate with a name of the type tested, and observe that the TSF terminates the session.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., bad certificate, unknown certificate) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 9.3: (mixed identifiers) [conditional] If the TSF supports a name matching method where the TSF performs matching of both CN-encoded name types and SAN names of the same type, then for each such method, and for each such name type, the evaluator shall establish a valid certificate trusted by the TSF to represent the test server using one name for the CN-encoded name type and a different name for the SAN name type. The evaluator shall perform the following tests:

Test 9.3.1: The evaluator shall follow the operational guidance to configure the TSF to use the name matching method and establish reference identifiers matching only the SAN. The evaluator shall ensure that the test server sends the certificate with the matching SAN and non-matching CN-encoded name, and observe that the TSF completes the connection.

Note: Configuration of the TSF may depend on the application using TLS.

Test 9.3.2: The evaluator shall follow the operational guidance to configure the TSF to use the name matching method and establish reference identifiers matching only the CN-encoded name. The evaluator shall ensure that the test server sends the certificate with the matching SAN name and non-matching CN-encoded name, and observe that the TSF terminates the session. It is preferred that the TSF sends a fatal error alert message (e.g., bad certificate, unknown certificate) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 9.4: (empty certificate) The evaluator shall configure the test TLS server to supply an empty certificate message and verify that the TSF terminates the session.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., bad certificate, unknown certificate) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 9.5: (invalid certificate) [conditional] If validity exceptions are supported, then for each exception for certificate validity supported, the evaluator shall configure the TSF to allow the exception and ensure the test TLS server sends a certificate that is valid and trusted, except for the allowed exception. The evaluator shall observe that the TSF completes the session. Without modifying the TSF configuration, the evaluator shall initiate a new session with the test TLS server that includes an additional validation error, and observe that the TSF terminates the session.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., decode error, bad certificate) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). The intent of this test is to verify the scope of the exception processing. If verifying certificate status information is claimed as an exception, then this test will verify that a TLS session succeeds when all supported methods for obtaining certificate status information are blocked from the TSF, to include removing any status information that might be cached by the TSF. If the exception is limited to specific certificates (e.g., only leaf certificates are exempt, or only certain leaf certificates are exempt), the additional validation error could be unavailable revocation information for a non-exempt certificate (e.g., revocation status information from an intermediate CA is blocked for the issuing CA of an exempt leaf certificate, or revocation information from the issuing CA is blocked for a non-exempt leaf certificate). If the only option for the exception is for all revocation information for all certificates, another validation error from FIA_X509_EXT.1 (e.g., certificate expiration, extended key usage, etc.) may be used.

FCS_TLSC_EXT.2 TLS Client Support for Mutual Authentication

The inclusion of this selection-based component depends upon selection in FCS_TLSC_EXT.1.1.

FCS_TLSC_EXT.2.1 The TSF shall support mutual authentication using X.509v3 certificates during the handshake and [selection: in support of post-handshake authentication requests, at no other time], in accordance with [selection: RFC 5246, section 7.4.4, RFC 8446, section 4.3.2].

Application Note: Clients that support TLS 1.3 and post-handshake authentication claim ‘in support of post-handshake authentication requests’ in the first selection. The ‘at no other time’ selection is claimed for clients only supporting TLS 1.2 or for TLS 1.3 clients that do not support post-handshake authentication.

The certificate request sent by the server specifies the signature algorithms and certification authorities supported by the server. If the client does not possess a matching certificate, it sends an empty certificate message. The structure of the certificate request message is changed in TLS 1.3 to use the signature_algorithm, signature_algorithms_cert, and certificate_authorities extensions, and RFC 8446 allows for TLS 1.2 implementations to use the new message structure. The "RFC 8446, section 4.3.2" option is claimed in the second selection if TLS 1.3 is supported or if the RFC 8446 method is supported for TLS 1.2 servers. The "RFC 5246, section 7.4.4" option is claimed if the RFC 5246 method is supported for interoperability with TLS 1.2 servers that do not adopt the RFC 8446 method. When mutual authentication is supported, at least one of these methods must be claimed, per the selection.

This SFR is claimed if "mutual authentication" is selected in FCS_TLSC_EXT.1.1.

Evaluation Activities

FCS_TLSC_EXT.2 TSS The evaluator shall ensure that the TSS description required per FIA_X509_EXT.2.1 includes the use of client-side certificates for TLS mutual authentication. The evaluator shall also ensure that the TSS describes any factors beyond configuration that are necessary in order for the client to engage in mutual authentication using X.509v3 certificates.

Guidance The evaluator shall ensure that the operational guidance includes any instructions necessary to configure the TOE to perform mutual authentication. The evaluator also shall verify that the operational guidance required per FIA_X509_EXT.2.1 includes instructions for configuring the client-side certificates for TLS mutual authentication.

Tests For each supported TLS version, the evaluator shall perform the following tests:

Test 10: The evaluator shall establish a TLS connection from the TSF to a test TLS server that negotiates the tested version and which is not configured for mutual authentication (i.e., does not send a Server’s Certificate Request (type 13) message). The evaluator observes negotiation of a TLS channel and confirms that the TOE did not send a Client’s Certificate message (type 11) during the handshake.

Test 11: The evaluator shall establish a connection to a test TLS server with a shared trusted root that is configured for mutual authentication (i.e., it sends a Server’s Certificate Request (type 13) message). The evaluator observes negotiation of a TLS channel and confirms that the TOE responds with a non-empty Client’s Certificate message (type 11) and Certificate Verify (type 15) message.

Test 12: [conditional] If the TSF supports post-handshake authentication, the evaluator shall establish a pre-shared key between the TSF and a test TLS 1.3 server. The evaluator shall initiate a TLS session using the pre-shared key and confirm the TSF and test TLS 1.3 server successfully complete the TLS handshake and both support post-handshake authentication. After the session is successfully established, the evaluator shall initiate a certificate request message from the test TLS 1.3 server. The evaluator shall observe that the TSF receives that authentication request and shall take necessary actions, in accordance with the operational guidance, to complete the authentication request. The evaluator shall confirm that the test TLS 1.3 server receives certificate and certificate verification messages from the TSF over the channel that authenticates the client.

Note: TLS 1.3 certificate requests from the test server and client certificate and certificate verify messages are encrypted. The evaluator confirms that the TSF sends the appropriate messages by examining the messages received at the test TLS 1.3 server and by inspecting any relevant server logs. The evaluator may also take advantage of the calling application to demonstrate that the TOE receives data configured at the test TLS server.

FCS_TLSC_EXT.3 TLS Client Downgrade Protection

The inclusion of this selection-based component depends upon selection in FCS_TLSC_EXT.1.1.

FCS_TLSC_EXT.3.1 The TSF shall not establish a TLS channel if the server hello message includes [selection: TLS 1.2 downgrade indicator, TLS 1.1 or below downgrade indicator] in the server random field.

Application Note: The ST author claims the “TLS 1.2 downgrade indicator” when FCS_TLSC_EXT.1 indicates support for both TLS 1.3 and supplemental downgrade protection. This option is not claimed if TLS 1.3 is not supported. The “TLS 1.1 or below downgrade indicator” option may be claimed regardless of support for TLS 1.3, but should only be claimed if the TSF is capable of detecting the indicator. As indicated in FCS_TLSC_EXT.1.1, this FP requires the client to terminate TLS 1.1 or below sessions. It is acceptable for the TSF to always terminate TLS 1.1 sessions based on the server hello negotiated version field and ignore any downgrade indicator. However, a product that is capable of detecting the TLS 1.1 or below downgrade indicator may take different actions depending on whether the TLS 1.1 or below downgrade indicator is set.

This SFR is claimed if "supplemental downgrade protection" is selected in FCS_TLSS_EXT.1.1.

Evaluation Activities

FCS_TLSC_EXT.3 TSS The evaluator shall review the TSS and confirm that the description of the TLS client protocol includes the downgrade protection mechanism in accordance with RFC 8446 and identifies any configurable features of the TSF needed to meet the requirements. If the ST claims that the TLS 1.1 and below indicator is processed, the evaluator shall confirm that the TSS indicates which configurations allow processing of the downgrade indicator and the specific response of the TSF when it receives the downgrade indicator as opposed to simply terminating the session for the unsupported version.

Guidance The evaluator shall review the operational guidance and confirm that any instructions to configure the TSF to meet the requirements are included.

Tests The evaluator shall perform the following tests to confirm the response to downgrade indicators from a test TLS 1.3 server:

Test 13: [conditional] If the TSF supports TLS 1.3, the evaluator shall initiate a TLS 1.3 session with a test TLS 1.3 server configured to send a compliant TLS 1.2 server hello (not including any TLS 1.3 extensions) but including the TLS 1.2 downgrade indicator ‘444F574E47524401’ in the last eight bytes of the server random field. The evaluator shall confirm that the TSF terminates the session.

Note: It is preferred that the TSF send a fatal error alert message (e.g., illegal parameter), but it is acceptable that the TSF terminate the session without sending an error alert.

Test 14: [conditional] If the TSF supports the TLS 1.1 or below downgrade indicator and if the ST indicates a configuration where the indicator is processed, the evaluator shall follow operational guidance instructions to configure the TSF so it parses a TLS 1.1 handshake to detect and process the TLS downgrade indicator. The evaluator shall initiate a TLS session between the TOE and a test TLS server that is configured to send a TLS 1.1 server hello message with the downgrade indicator ‘444F574E47524400’ in the last eight bytes of the server random field, but which is otherwise compliant with RFC 4346. The evaluator shall observe that the TSF terminates the session as described in the ST.

Note: It is preferred that the TSF send a fatal error alert message (illegal parameter or unsupported version), but it is acceptable that the TSF terminate the session without sending an error alert. Use of the TLS 1.1 and below indicator as a redundant mechanism where there is no configuration that actually processes the value does not require additional testing, since this would be addressed by Test 2.1 for FCS_TLSC_EXT.1.1. This test is only required if the TSF responds differently (e.g., a different error alert) when the downgrade indicator is present than when TLS 1.1 or below is negotiated and the downgrade indicator is not present.
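Added example, not from the Functional Package: a minimal Python check of the kind a TLS client performs for Tests 13 and 14, parsing a ServerHello to find the negotiated version and the server random and flagging the two downgrade sentinels of RFC 8446 section 4.1.3. The ServerHello records are constructed fixtures, and the function names and verdict strings are the example's own.

```python
import struct

# Sentinel values from RFC 8446 section 4.1.3 (the '444F574E47524401' / '...00' of Tests 13 and 14).
DOWNGRADE_TLS12 = bytes.fromhex("444F574E47524401")  # "DOWNGRD" + 0x01
DOWNGRADE_TLS11 = bytes.fromhex("444F574E47524400")  # "DOWNGRD" + 0x00
EXT_SUPPORTED_VERSIONS = 0x002B
TLS11, TLS12, TLS13 = 0x0302, 0x0303, 0x0304


def parse_server_hello(record: bytes) -> dict:
    """Parse a plaintext ServerHello record just far enough to recover the
    legacy_version field, the 32-byte server random and, if present, the
    version selected in the supported_versions extension."""
    if len(record) < 5 or record[0] != 0x16:  # content type 22 = handshake
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:  # HandshakeType 2 = server_hello
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len or hs_len < 2 + 32 + 1:
        raise ValueError("truncated ServerHello")
    legacy_version = struct.unpack("!H", hs[0:2])[0]
    random = hs[2:34]
    pos = 34
    pos += 1 + hs[pos]  # skip legacy_session_id_echo
    pos += 2 + 1        # skip cipher_suite and legacy_compression_method
    if pos > len(hs):
        raise ValueError("truncated ServerHello")
    selected = None
    if pos < len(hs):   # the extensions block is optional for TLS 1.2 servers
        if pos + 2 > len(hs):
            raise ValueError("truncated extensions length")
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        if pos + ext_len != len(hs):
            raise ValueError("bad extensions length")
        while pos + 4 <= len(hs):
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            data = hs[pos + 4:pos + 4 + elen]
            if len(data) != elen:
                raise ValueError("truncated extension")
            if etype == EXT_SUPPORTED_VERSIONS:
                if elen != 2:
                    raise ValueError("bad supported_versions extension")
                selected = struct.unpack("!H", data)[0]
            pos += 4 + elen
    # A TLS 1.3 ServerHello keeps legacy_version at 0x0303 and carries the real
    # selection in supported_versions; without that extension the legacy field rules.
    negotiated = legacy_version if selected is None else selected
    return {"legacy_version": legacy_version, "random": random, "negotiated": negotiated}


def check_server_hello(record: bytes, client_max: int = TLS13) -> str:
    """Decision a client makes before continuing the handshake; client_max is
    the highest version the client offered. Returns "ok" or the reason to abort."""
    hello = parse_server_hello(record)
    negotiated = hello["negotiated"]
    sentinel = hello["random"][-8:]
    if negotiated < client_max:
        # The server settled on a lower version than offered: the last eight
        # bytes of its random must not carry a downgrade marker.
        if client_max >= TLS13 and sentinel == DOWNGRADE_TLS12:
            return "downgrade_tls12"   # abort, preferably with illegal_parameter
        if sentinel == DOWNGRADE_TLS11:
            return "downgrade_tls11"   # abort, preferably with illegal_parameter
    if negotiated < TLS12:
        return "unsupported_version"   # TLS 1.1 and below are never accepted
    return "ok"


def build_server_hello(legacy_version: int, random: bytes, selected_version: int = None) -> bytes:
    """Constructed test fixture (not captured traffic): a minimal ServerHello
    record with an empty session id, one cipher suite and null compression."""
    assert len(random) == 32
    body = struct.pack("!H", legacy_version) + random + b"\x00"
    if selected_version is None:
        body += b"\xC0\x2C"  # TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    else:
        body += b"\x13\x02"  # TLS_AES_256_GCM_SHA384
    body += b"\x00"          # legacy_compression_method = null
    if selected_version is not None:
        ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, selected_version)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!H", legacy_version) + struct.pack("!H", len(handshake)) + handshake


# Constructed server randoms: 24 arbitrary bytes followed by the last-eight-byte marker.
RANDOM_CLEAN = bytes(range(32))
RANDOM_DG12 = bytes(range(24)) + DOWNGRADE_TLS12
RANDOM_DG11 = bytes(range(24)) + DOWNGRADE_TLS11


if __name__ == "__main__":
    print("Test 13 style hello:", check_server_hello(build_server_hello(TLS12, RANDOM_DG12)))
    print("Test 14 style hello:", check_server_hello(build_server_hello(TLS11, RANDOM_DG11)))
    print("genuine TLS 1.2 hello:", check_server_hello(build_server_hello(TLS12, RANDOM_CLEAN)))
```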

FCS_TLSC_EXT.4 TLS Client Support for Renegotiation

The inclusion of this selection-based component depends upon selection in FCS_TLS_EXT.1.1.

FCS_TLSC_EXT.4.1 The TSF shall support secure renegotiation through use of [selection: the “renegotiation_info” TLS extension, the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signaling cipher suite signaling value] in accordance with RFC 5746, and shall terminate the session if an unexpected server hello is received and [selection: hello request message is received, in no other case].

Application Note: A client allowing TLS 1.2 connections may present either the "renegotiation_info" extension or the signaling cipher suite value TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the initial client hello message to indicate support for secure renegotiation. The ST author claims the methods supported. The TLS_EMPTY_RENEGOTIATION_INFO_SCSV is the preferred mechanism for TLS 1.2 protection against insecure renegotiation when the client does not renegotiate. The ST author will claim the ‘hello request message is received’ option in the second selection to indicate support for this mechanism.

RFC 5746 allows the client to accept connections with servers that do not support the extension; this FP refines RFC 5746 and requires the client to terminate sessions with such servers. Thus, unexpected server hello messages include an initial server hello negotiating TLS 1.2 that does not contain a renegotiation_info extension, an initial server hello negotiating TLS 1.2 that has a renegotiation_info that is non-empty, a subsequent server hello negotiating TLS 1.2 that does not contain a renegotiation_info extension, and a subsequent server hello negotiating TLS 1.2 that has a renegotiation_info extension with an incorrect renegotiated_connection value.

TLS 1.3 provides protection against insecure renegotiation by not allowing renegotiation. If TLS 1.3 is claimed in FCS_TLSC_EXT.1.1, the client receives a server hello that attempts to negotiate TLS 1.3, and the server hello also contains a renegotiation_info extension, the client will terminate the connection.
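Added example (not from the Functional Package or RFC 5746): the client-side decision on the renegotiation_info extension, covering each unexpected-server-hello case listed above plus the TLS 1.3 case. Extensions are passed in already decoded as (type, body) pairs, the verify_data values are constructed, and the function names and verdict strings are the example's own.

```python
import hmac

EXT_RENEGOTIATION_INFO = 0xFF01  # extension type assigned by RFC 5746
TLS12, TLS13 = 0x0303, 0x0304


def encode_renegotiation_info(renegotiated_connection: bytes) -> bytes:
    """Extension body: opaque renegotiated_connection<0..255> (1-byte length prefix)."""
    if len(renegotiated_connection) > 255:
        raise ValueError("renegotiated_connection too long")
    return bytes([len(renegotiated_connection)]) + renegotiated_connection


def decode_renegotiation_info(body: bytes) -> bytes:
    """Inverse of encode_renegotiation_info; rejects a body whose length prefix
    disagrees with its size."""
    if len(body) < 1 or len(body) != 1 + body[0]:
        raise ValueError("malformed renegotiation_info extension")
    return body[1:]


def check_server_hello_renegotiation(negotiated_version: int, extensions,
                                     previous_verify_data=None) -> str:
    """Return "ok" or the reason the client terminates the session.

    extensions: (type, body) pairs as decoded from the server hello.
    previous_verify_data: None on the initial handshake; on a renegotiation,
    the (client_verify_data, server_verify_data) of the handshake being renewed.
    """
    bodies = [body for ext_type, body in extensions if ext_type == EXT_RENEGOTIATION_INFO]
    if negotiated_version >= TLS13:
        # TLS 1.3 has no renegotiation, so the extension must not appear at all.
        return "ok" if not bodies else "renegotiation_info_in_tls13"
    if not bodies:
        # RFC 5746 lets a client continue here; this FP refines it to terminate.
        return "renegotiation_info_missing"
    if len(bodies) > 1:
        return "duplicate_renegotiation_info"
    try:
        value = decode_renegotiation_info(bodies[0])
    except ValueError:
        return "malformed_renegotiation_info"
    if previous_verify_data is None:
        # Initial handshake: the server must echo an empty renegotiated_connection.
        return "ok" if value == b"" else "nonempty_initial_renegotiation_info"
    client_verify_data, server_verify_data = previous_verify_data
    expected = client_verify_data + server_verify_data
    if not hmac.compare_digest(value, expected):
        return "renegotiated_connection_mismatch"
    return "ok"


# Constructed verify_data values (12 bytes each, the TLS 1.2 default size).
CLIENT_VERIFY_DATA = bytes(range(12))
SERVER_VERIFY_DATA = bytes(range(12, 24))


if __name__ == "__main__":
    initial = [(EXT_RENEGOTIATION_INFO, encode_renegotiation_info(b""))]
    print("initial TLS 1.2 hello:", check_server_hello_renegotiation(TLS12, initial))
    print("initial TLS 1.2 hello, extension absent:", check_server_hello_renegotiation(TLS12, []))
    print("TLS 1.3 hello carrying the extension:", check_server_hello_renegotiation(TLS13, initial))
```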

This SFR is claimed if "TLS as a client" is selected in FCS_TLS_EXT.1.1.

Evaluation Activities

FCS_TLSC_EXT.4 TSS The evaluator shall examine the ST to ensure that TLS renegotiation protections are described in accordance with the requirements. The evaluator shall ensure that any configurable features of the renegotiation protections are identified.

Guidance The evaluator shall examine the operational guidance to confirm that instructions for any configurable features of the renegotiation protection mechanisms are included.

Tests The evaluator shall perform the following tests as indicated. One or both of Tests 1 or 2 is required, depending on whether the TSF is configurable to reject renegotiation or supports secure renegotiation methods defined for TLS 1.2. If TLS 1.3 is supported, Test 2 is required.

Test 15: [conditional] If the TSF supports a configuration to accept renegotiation requests for TLS 1.2, the evaluator shall follow any operational guidance to configure the TSF. The evaluator shall perform the following tests:

Test 15.1: The evaluator shall initiate a TLS connection with a test server configured to negotiate a compliant TLS 1.2 handshake. The evaluator shall inspect the messages received by the test TLS 1.2 server. The evaluator shall observe that either the “renegotiation_info” field or the SCSV cipher suite is included in the ClientHello message during the initial handshake.

Test 15.2: For each of the following sub-tests, the evaluator shall initiate a new TLS connection with a test TLS 1.2 server configured to send a renegotiation_info extension as specified, but otherwise complete a compliant TLS 1.2 session:

Test15.2.1:TheevaluatorshallconfigurethetestTLS1.2servertosendarenegotiation_infoextensionwhosevalueindicatesanon-zerolength.TheevaluatorshallconfirmthattheTSFterminatestheconnection.Note:ItispreferredthattheTSFsendsafatalerroralertmessage(e.g.,illegalparameter)inresponsetothis,butitisacceptablethattheTSFterminatestheconnectionsilently(i.e.,withoutsendingafatalerroralert).Test15.2.2:TheevaluatorshallconfigurethetestTLS1.2servertosendacompliantrenegotiation_infoextensionandobservetheTSFsuccessfullycompletestheTLS1.2connection.Test15.2.3:TheevaluatorshallinitiateasessionrenegotiationaftercompletingasuccessfulhandhakewithatestTLS1.2serverthatcompletesasuccessfulTLS1.2handshake(asinTest1.1)andthensendsahelloresetrequestfromthetestTLSserverwitha“renegotiation_info”extensionthathasanunexpected“client_verify_data”or“server_verify_data”value(modifyabytefromacompliantresponse).TheevaluatorshallverifythattheTSFterminatestheconnection.

Note:ItispreferredthattheTSFsendsafatalerroralertmessage(e.g.,illegalparameter,handshakeerror)inresponsetothis,butitisacceptablethattheTSFterminatestheconnectionsilently(i.e.,withoutsendingafatalerroralert).

Test16:[conditional]iftheTSFsupportsaconfigurationthatpreventsrenegotiation,theevaluatorshallperformthefollowingtests:

Test16.1:(TLS1.2)[conditional]IftheTLSsupportsaconfigurationtorejectTLS1.2renegotiation,theevaluatorshallfollowtheoperationalguidanceasnecessarytopreventrenegotiation.TheevaluatorshallinitiateaTLSsessionbetweentheso-configuredTSFandatestTLS1.2serverthatisconfiguredtoperformacomplianthandshake,followedbyahelloresetrequest.TheevaluatorshallconfirmthattheTSFcompletestheinitialhandshakesuccessfullybutterminatestheTLSsessionafterreceivingthehelloresetrequest.Note:ItispreferredthattheTSFsendsafatalerroralertmessage(e.g.,unexpectedmessage)inresponsetothis,butitisacceptablethattheTSFterminatestheconnectionsilently(i.e.,withoutsendingafatalerroralert).Test16.2:[conditional]IftheTSFsupportsTLS1.3,theevaluatorshallinitiateaTLSsessionbetweentheTSFandatestTLS1.3serverthatcompletesacompliantTLS1.3handshake,followedbyahelloresetmessage.TheevaluatorshallobservethattheTSFcompletestheinitialTLS1.3handshakesuccessfully,butterminatesthesessiononreceivingthehelloresetmessage.ItispreferredthattheTSFsendsafatalerroralertmessage(e.g.,unexpectedmessage)inresponsetothis,butitisacceptablethattheTSFterminatestheconnectionsilently(i.e.,withoutsendingafatalerroralert).
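The client-side renegotiation_info decision described above for FCS_TLSC_EXT.4 (empty value on the initial TLS 1.2 server hello, client_verify_data followed by server_verify_data on a subsequent one, termination when the extension is absent, and termination when a TLS 1.3 server hello carries it), as an added Python illustration that is not code from the Functional Package. The alert names returned are assumptions matching the "preferred" alerts named in Tests 15 and 16; all sample values are constructed.

```python
"""Client-side check of a server hello's renegotiation_info extension
(RFC 5746) with the FCS_TLSC_EXT.4 refinement: absence is fatal, and a
TLS 1.3 server hello must not carry it. Added example, not package code."""
import struct
from typing import Dict, Iterable, Optional, Tuple

EXT_RENEGOTIATION_INFO = 0xFF01   # RFC 5746 extension type
TLS_1_2 = 0x0303
TLS_1_3 = 0x0304


def parse_extensions(block: bytes) -> Dict[int, bytes]:
    """Parse a hello 'extensions' vector: uint16 total length, then
    (uint16 type, uint16 length, data) records. Raises ValueError on
    truncation or on a duplicate type (forbidden by RFC 8446)."""
    if len(block) < 2:
        raise ValueError("missing extensions length")
    (total,) = struct.unpack("!H", block[:2])
    if total != len(block) - 2:
        raise ValueError("extensions length mismatch")
    out: Dict[int, bytes] = {}
    pos = 2
    while pos < len(block):
        if pos + 4 > len(block):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", block[pos:pos + 4])
        pos += 4
        if pos + ext_len > len(block):
            raise ValueError("truncated extension body")
        if ext_type in out:
            raise ValueError("duplicate extension %#06x" % ext_type)
        out[ext_type] = block[pos:pos + ext_len]
        pos += ext_len
    return out


def check_renegotiation_info(version: int, extensions: bytes, initial: bool,
                             client_verify_data: bytes = b"",
                             server_verify_data: bytes = b"") -> Tuple[str, Optional[str]]:
    """Return ("continue", None) or ("terminate", <alert name>). 'initial' is
    True for the first handshake on the connection, False for a renegotiation."""
    try:
        exts = parse_extensions(extensions)
    except ValueError:
        return ("terminate", "decode_error")
    ri = exts.get(EXT_RENEGOTIATION_INFO)
    if version == TLS_1_3:
        # TLS 1.3 has no renegotiation; a server offering the extension is unexpected.
        return ("terminate", "illegal_parameter") if ri is not None else ("continue", None)
    if version != TLS_1_2:
        return ("terminate", "protocol_version")
    if ri is None:
        # RFC 5746 lets a client tolerate this; the FP refinement does not.
        return ("terminate", "handshake_failure")
    # Body is renegotiated_connection<0..255>: one length byte, then the data.
    if len(ri) < 1 or ri[0] != len(ri) - 1:
        return ("terminate", "decode_error")
    renegotiated_connection = ri[1:]
    # Initial handshake: must be empty. Renegotiation: must echo both verify_data
    # values from the previous handshake (RFC 5746 section 3.5).
    expected = b"" if initial else client_verify_data + server_verify_data
    if renegotiated_connection != expected:
        return ("terminate", "illegal_parameter")
    return ("continue", None)


def build_extensions(items: Iterable[Tuple[int, bytes]]) -> bytes:
    """Construct an extensions block (used to build the constructed samples)."""
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in items)
    return struct.pack("!H", len(body)) + body


def renegotiation_info_body(renegotiated_connection: bytes) -> bytes:
    """Encode the renegotiation_info extension body."""
    return bytes([len(renegotiated_connection)]) + renegotiated_connection
```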

FCS_TLSC_EXT.5 TLS Client Support for Session Resumption

The inclusion of this selection-based component depends upon selection in FCS_TLSC_EXT.1.1.

FCS_TLSC_EXT.5.1 The TSF shall support session resumption as a client via the use of [selection: session ID in accordance with RFC 5246, tickets in accordance with RFC 5077, PSK and tickets in accordance with RFC 8446].

Application Note: The ST author indicates which session resumption mechanisms are supported. One or both of the first two options, "session ID in accordance with RFC 5246" and "tickets in accordance with RFC 5077", are claimed for TLS 1.2 resumption. If resumption of TLS 1.3 sessions is supported, "PSK and tickets in accordance with RFC 8446" is selected, and the selection-based SFR FCS_TLSC_EXT.6 must also be claimed.

While it is possible to perform session resumption using PSK cipher suites in TLS 1.2, this is uncommon. Validation of key exchange and session negotiation rules for PSK cipher suites is independent of the source of the pre-shared key and is covered in FCS_TLSC_EXT.1.

This SFR is claimed if "session resumption" is selected in FCS_TLSC_EXT.1.1.

Evaluation Activities

FCS_TLSC_EXT.5
TSS: The evaluator shall examine the ST and confirm that the TLS client protocol description includes a description of the supported resumption mechanisms.

Guidance: The evaluator shall ensure the operational guidance describes instructions for any configurable features of the resumption mechanism.

Tests: The evaluator shall perform the following tests:

Test 17: For each supported TLS version and for each supported resumption mechanism that is supported for that version, the evaluator shall establish a new TLS session between the TSF and a compliant test TLS server that is configured to negotiate the indicated version and perform resumption using the indicated mechanism. The evaluator shall confirm that the TSF completes the initial TLS handshake and shall cause the TSF to close the session normally. The evaluator shall then cause the TSF to resume the session with the test TLS server using the indicated method and observe that the TSF successfully establishes the session.

Note: For each method, successful establishment refers to proper use of the mechanism, to include compliant extensions and behavior, as indicated in the referenced RFC.

Test 18: (TLS 1.3 session id echo) [conditional] If the TSF supports TLS 1.3, the evaluator shall initiate a new TLS 1.3 session with a test TLS server. The evaluator shall cause the test TLS server to send a TLS 1.3 server hello message (or a hello retry request if the TSF doesn't include the key share extension) that contains a different value in the legacy_session_id field, and observe that the TSF terminates the session. Note: It is preferred that the TSF sends a fatal error alert message (e.g., illegal parameter) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

FCS_TLSC_EXT.6 TLS Client TLS 1.3 Resumption Refinements

The inclusion of this selection-based component depends upon selection in FCS_TLSC_EXT.5.1.

FCS_TLSC_EXT.6.1 The TSF shall send a psk_key_exchange_mode extension with the value psk_dhe when TLS 1.3 session resumption is offered.

FCS_TLSC_EXT.6.2 The TSF shall not send early data in TLS 1.3 sessions.

Application Note: This SFR is claimed when session resumption is supported for TLS 1.3. RFC 8446 allows pre-shared keys to be used directly and also allows early data to be protected using only the pre-shared key. This SFR refines the RFC to use PSK only with a supplemental DHE or ECDHE key exchange to ensure perfect forward secrecy for all sessions.

This SFR is claimed if "PSK and tickets in accordance with RFC 8446" is selected in FCS_TLSC_EXT.5.1.

Evaluation Activities

FCS_TLSC_EXT.6
TSS: The evaluator shall examine the TSS to verify that the TLS client protocol description indicates that the PSK exchange requires DHE mode and prohibits sending early data. The evaluator shall examine the TSS to verify it lists all applications that can be secured by TLS 1.3 using pre-shared keys and describes how each TLS 1.3 client application ensures data for the application is not sent using early data.

Guidance: The evaluator shall examine the operational guidance to verify that instructions for any configurable features that are required to meet the requirement are included. The evaluator shall ensure the operational guidance includes any instructions required to configure applications so the TLS 1.3 client implementation does not send early data.

Tests: [conditional] For each application that is able to be secured via TLS 1.3 using PSK, the evaluator shall follow operational guidance to configure the application not to send early data. The evaluator shall cause the application to initiate a resumed TLS 1.3 session between the TSF and a compliant test TLS 1.3 server as in Test 1 of FCS_TLSC_EXT.5. The evaluator shall observe that the TSF client hello for TLS 1.3 includes the psk_mode extension with the value PSK_DHE and sends a key share value for a supported group. The evaluator shall confirm that early data is not received by the test TLS server. Note: If no applications supported by the TOE provide data to TLS 1.3 that can be sent using PSK, this test is omitted.

FCS_TLSS_EXT.1 TLS Server Protocol

The inclusion of this selection-based component depends upon selection in FCS_TLS_EXT.1.1.

FCS_TLSS_EXT.1.1 The TSF shall implement TLS 1.2 (RFC 5246) and [selection: TLS 1.3 (RFC 8446), no other TLS version] as a server that supports additional functionality for session renegotiation protection and [selection:
    mutual authentication
    supplemental downgrade protection
    session resumption
    no optional functionality
] and shall reject connection attempts from clients supporting only TLS 1.1, TLS 1.0, or SSL versions.

Application Note: These requirements will be revisited as new TLS versions are standardized by the IETF.

If "mutual authentication" is selected, then the ST must additionally include the requirements from FCS_TLSS_EXT.2. If the TOE implements mutual authentication, this selection must be made.

If "session renegotiation protection" is selected, then the ST must additionally include the requirements from FCS_TLSS_EXT.4. If the TOE implements session renegotiation, or if TLS 1.3 is supported, this selection must be made.

If "supplemental downgrade protection" is selected, then the ST must additionally include the requirements from FCS_TLSS_EXT.3. If the TOE provides downgrade protection as indicated in RFC 8446, in particular, if TLS 1.3 is supported, this selection must be made.

If "session resumption" is selected, then the ST must additionally include the requirements from FCS_TLSS_EXT.5.

FCS_TLSS_EXT.1.2 The TSF shall be able to support the following TLS 1.2 cipher suites: [selection:
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289, RFC 8422
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289, RFC 8422
    TLS_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289
    TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289
    TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246
    TLS_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246
    PP-specific cipher suites using pre-shared secrets including [selection:
        TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 as defined in RFC 8442
        TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 as defined in RFC 5487
        TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 as defined in RFC 5487
        TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 as defined in RFC 8442
        TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 as defined in RFC 5487
        TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 as defined in RFC 5487
    ]
] the following TLS 1.3 cipher suites: [selection:
    TLS_AES_256_GCM_SHA384 as defined in RFC 8446
    TLS_AES_128_GCM_SHA256 as defined in RFC 8446
    [assignment: other TLS 1.3 cipher suites]
] using a preference order based on [selection: RFC 9151 priority, client hello ordering, [assignment: additional priority]].

Application Note: The ST author should select the cipher suites that are supported and must select at least one cipher suite for each TLS version supported. It is necessary to limit the cipher suites that can be used in an evaluated configuration administratively on the server in the test environment. If administrative steps need to be taken so that the cipher suites negotiated by the implementation are limited to those in this requirement, then the appropriate instructions need to be contained in the guidance.

The final selection indicates the TOE's preference for negotiating a cipher suite. RFC 9151 indicates the required cipher suites for NSS systems, and 'RFC 9151 priority' is claimed if those cipher suites are selected whenever offered by the client. In general, it is preferred that GCM cipher suites are selected over CBC cipher suites, ECDHE is selected over RSA and DHE, and SHA256 or SHA384 is selected over SHA1.

The 'client hello ordering' option is claimed if client priority is considered; if both are claimed, the ST author should indicate which is primary and which is secondary, and whether the priority scheme is configurable. If other priority schemes or if tertiary priority is used, the ST author will claim the third option and describe the scheme in the ST.

Support for TLS_RSA_WITH_AES_128_CBC_SHA is not required despite being mandated by RFC 5246.

FCS_TLSS_EXT.1.3 The TSF shall not establish a connection with a client that does not indicate support for at least one of the supported cipher suites.

FCS_TLSS_EXT.1.4 The TSF shall be able to process the following TLS client hello message extensions:
    signature_algorithms extension (RFC 8446) indicating support for [selection:
        ecdsa-secp384r1_sha384 (RFC 8446)
        rsa_pkcs1_sha384 (RFC 8446)
    ], and [selection:
        rsa_pss_pss_sha384 (RFC 8603)
        rsa_pss_rsae_sha384 (RFC 8603)
        [assignment: other non-deprecated signature algorithms]
        no other signature algorithms
    ]
    extended_master_secret extension (RFC 7627) enforcing client support
    the following other extensions: [selection:
        signature_algorithms_cert extension (RFC 8446) indicating support for [selection:
            ecdsa-secp384r1_sha384 (RFC 8446)
            rsa_pkcs1_sha384 (RFC 8446)
        ], and [selection:
            rsa_pss_pss_sha384 (RFC 8603)
            rsa_pss_rsae_sha384 (RFC 8603)
            rsa_pkcs1_sha256 (RFC 8446)
            rsa_pss_rsae_sha256 (RFC 8446)
            [assignment: other non-deprecated signature algorithms]
            no other signature algorithms
        ]
        supported_versions extension (RFC 8446) indicating support for TLS 1.3
        supported_groups extension (RFC 7919, RFC 8446) indicating support for [selection:
            secp256r1
            secp384r1
            secp521r1
            ffdhe2048 (256)
            ffdhe3072 (257)
            ffdhe4096 (258)
            ffdhe6144 (259)
            ffdhe8192 (260)
        ]
        key_share extension (RFC 8446)
        no other extensions
    ].

Application Note: If support for TLS 1.3 is claimed in FCS_TLSS_EXT.1.1, the selections for supported_versions, supported_groups, and key_share are claimed. Even if support for TLS 1.3 is not claimed, if ECDHE cipher suites are claimed in FCS_TLSS_EXT.1.4, the entry for supported_groups is claimed. Support for additional extensions is acceptable. For signature_algorithms and signature_algorithms_certs (if supported), at least one of the signature schemes presented in the first sub-selection is claimed.

FCS_TLSS_EXT.1.5 The TSF shall perform key establishment for TLS using [selection:
    RSA with size [selection: 2048 bits, 3072 bits, 4096 bits] and no other sizes
    Diffie-Hellman parameters with size [selection: 2048 bits, 3072 bits, 4096 bits, 6144 bits, 8192 bits] and no other sizes
    Diffie-Hellman groups [selection: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192] and no other groups, consistent with the client's supported groups extension and [selection: key share, no other] extension
    ECDHE parameters using elliptic curves [selection: secp256r1, secp384r1, secp521r1] and no other curves, consistent with the client's supported groups extension and [selection: key share, no other] extension and using non-compressed formatting for points
].

Application Note: TLS 1.2 and TLS 1.3 perform key exchange using different mechanisms. In TLS 1.2, the requirements apply to the key exchange messages received by the server and optionally (for DHE or ECDHE cipher suites) sent by the server. In TLS 1.3, the requirements apply to the values of the key share extension contained in the client and server hello messages. The options depend on the supported cipher suites. For each session, the key exchange method is consistent with the selected cipher suite (TLS 1.2), the supported groups extension (TLS 1.3 and conditionally, TLS 1.2), or the key share extension (TLS 1.3).

If the ST lists an RSA cipher suite in FCS_TLSS_EXT.1.1, the ST must include the RSA selection in the requirement.

If the ST lists a DHE cipher suite in FCS_TLSS_EXT.1.2, the ST must include the Diffie-Hellman selection for parameters of a certain size, the Diffie-Hellman groups selection in support of TLS 1.2 exchanges, or both. The selection for "Diffie-Hellman parameters" refers to the method defined by RFC 5246, section 7.4.3, where the server provides Diffie-Hellman parameters to the client. The "Diffie-Hellman groups" selection indicates key exchange negotiation in accordance with RFC 7919 using the supported groups extension. RFC 7919 identifies particular Diffie-Hellman groups, which are listed in the following selection. This option is the preferred mechanism for TLS 1.2, and must be claimed if TLS 1.3 DHE cipher suites are supported.

If the ST lists an ECDHE cipher suite in FCS_TLSS_EXT.1.2, the ST must include the selection for ECDHE using elliptic curves in the requirement, consistent with the support indicated for the supported groups extension in FCS_TLSS_EXT.1.4.

When TLS 1.3 is negotiated (if supported), the supported group negotiated (a supported DHE or ECDHE group) agrees with one of the client's supported groups and the supplied key share element, and the product's key share element is a member of the selected group. If the TLS 1.3 client does not initially provide a key share element for a group supported by both the product and the client, the TOE is expected to send a hello retry request message indicating the selected group; the requirement for matching the group indicated in the client's hello message applies to the client's hello message received in response to the hello retry request message.

This SFR is claimed if "TLS as a server" is selected in FCS_TLS_EXT.1.1.

Evaluation Activities

FCS_TLSS_EXT.1
TSS: The evaluator shall check the description of the implementation of this protocol in the TSS to ensure the supported TLS versions, features, cipher suites, and extensions are specified in accordance with RFC 5246 (TLS 1.2) and RFC 8446 (TLS 1.3 and updates to TLS 1.2) as appropriate. The evaluator shall check the description to see if beta TLS 1.3 versions are supported. The evaluator shall verify that cipher suites indicated in FCS_TLSS_EXT.1.2 are included in the description, and that none of the following cipher suites are supported: cipher suites indicating 'NULL', 'RC2', 'RC4', 'DES', 'IDEA', or 'TDES' in the encryption algorithm component, indicating 'anon', or indicating MD5 or SHA in the message digest algorithm component. The evaluator shall verify that the TLS implementation description includes the extensions as required in FCS_TLSS_EXT.1.4. The evaluator shall confirm that the TLS description includes the number and types of certificates that can be installed to represent the TOE.

Guidance: The evaluator shall check the operational guidance to ensure that it contains instructions on configuring the product so that the TSF conforms to the requirements. If the ST indicates that beta versions of TLS 1.3 are supported for backward compatibility, the evaluator shall ensure that the operational guidance provides instructions for disabling these versions. The evaluator shall review the operational guidance to ensure instructions on installing certificates representing the TOE are provided.

Tests: The evaluator shall perform the following tests:

Test 19: (supported TLS 1.2 configurations) The evaluator shall perform the following tests:

Test 19.1: For each supported TLS 1.2 cipher suite, the evaluator shall send a compliant TLS 1.2 client hello with the highest version or legacy version of 1.2 (value '0303'), a single entry in the cipher suites field consisting of the specific cipher suite, and no supported version extension or key share extension. The evaluator shall observe the TSF's server hello indicates TLS 1.2 in the highest version or legacy version field, does not include a supported version or key share extension, and indicates the specific cipher suite in the cipher suite field. If the cipher suite requires certificate-based authentication, the evaluator shall observe that the TSF sends a valid certificate representing the TOE and successfully completes the TLS handshake. Note: The cipher suites TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 as defined in RFC 8442, TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 as defined in RFC 5487, TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 as defined in RFC 8442, and TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 as defined in RFC 5487, if supported, do not require certificate-based authentication of the server.

Test 19.2: (TLS 1.2 support for TLS 1.3 clients) [conditional] If the TSF is configurable to support only TLS 1.2 (or if TLS 1.3 is not supported), and if the TSF supports DHE or ECDHE cipher suites, the evaluator shall follow any operational guidance instructions necessary to configure the TSF to only support TLS 1.2. For each supported TLS 1.2 cipher suite with DHE or ECDHE indicated as the key exchange method, the evaluator shall send a client hello with the highest version or legacy version of 1.2 (value '0303'), a list of cipher suites consisting of one or more TLS 1.3 cipher suites followed by the specific TLS 1.2 cipher suite and no other TLS 1.2 cipher suites in the cipher suites field, and including a TLS 1.3 supported group and key share extension with consistent values. The evaluator shall observe that the TSF's server hello indicates TLS 1.2 in the highest version or legacy version field, does not include a supported version or key share extension, and indicates the specific TLS 1.2 cipher suite in the cipher suite field. The evaluator shall observe that the TSF completes the TLS 1.2 handshake successfully.

Note: Supported cipher suites using RSA key exchange should not be included in this test. The supported groups extension sent by the test TLS client should be consistent with the TLS 1.2 cipher suite (e.g., it should be an EC group if the cipher suite is ECDHE).

Test 19.3: (TLS 1.3 support) [conditional] If the TSF supports TLS 1.3, then for each supported TLS 1.3 cipher suite and key exchange group, the evaluator shall send a compliant TLS 1.3 client hello indicating a list of one or more TLS 1.2 cipher suites followed by the specific TLS 1.3 cipher suite and no other cipher suites in the cipher suites field, a supported version extension indicating TLS 1.3 (value '0304') only, a supported groups extension indicating the selected group, and a key share extension containing a value representing an element of the specific group. The evaluator shall observe the TSF's server hello contains the supported versions extension indicating TLS 1.3, the specific cipher suite in the selected cipher suite field, and a key share extension containing an element of the specific supported group. The evaluator shall observe that the TSF completes the TLS 1.3 handshake successfully.

Note: The connections in Test 1 may be established as part of the establishment of a higher-level protocol, e.g., as part of an EAP session. It is sufficient to observe the successful negotiation of a cipher suite to satisfy the intent of the test; it is not necessary to examine the characteristics of the encrypted traffic in an attempt to discern the cipher suite being used (for example, that the cryptographic algorithm is 128-bit AES and not 256-bit AES). It is not necessary to pair every supported cipher suite with every supported group. It is sufficient to use a set of cipher suite and supported group pairs such that each cipher suite and each supported group are included in this set. TLS 1.3 includes the supported_groups extension in the encrypted_extensions message. This message may be observed at the test client after it is decrypted to help verify the key_share is actually a member of the supported group requested.

Test 20: (obsolete versions) The evaluator shall perform the following tests:

Test 20.1: For each of SSL version 2, SSL version 3, TLS version 1.0, and TLS version 1.1, the evaluator shall send a client hello to the TSF indicating the selected version as the highest version. The evaluator shall observe the TSF terminates the connection. Note: It is preferred that the TSF sends a fatal error alert message (e.g., protocol version, insufficient security) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 20.2: The evaluator shall follow the operational guidance to configure the TSF to ensure any supported beta TLS 1.3 versions are disabled, as necessary. The evaluator shall send the TSF a client hello message indicating the supported version (referred to as the legacy version for TLS 1.3) with the value '0304' and observe that the TSF responds with a server hello indicating the highest version supported. Note: Test 2.2 is intended to test the TSF response to non-standard versions, including beta versions of TLS 1.3. If the TSF supports such beta versions, the evaluator shall follow the operational guidance instructions to disable them prior to conducting Test 2.2. Some TLS 1.3 implementations ignore the legacy version field and only check for the supported_versions extension to determine TLS 1.3 support by a client. It is preferred that the legacy version field should still be set to a standard version ('0303') in the server hello, but it is acceptable that presence of the supported_versions indicating TLS 1.3 (value '0304') overrides the legacy_version indication to determine the highest supported version.

Test 21: (cipher suites) The evaluator shall perform the following tests on handling unexpected cipher suites using a test TLS client sending handshake messages compliant with the negotiated version except as indicated in the test:

Test 21.1: (cipher suite not supported) For each supported version, the evaluator shall follow the operational guidance, if available, to configure the TSF to disable a supported cipher suite. The evaluator shall send a compliant client hello to the TSF indicating support for the specific version and a cipher suites field containing this single disabled cipher suite. The evaluator shall observe that the TOE rejects the connection. Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake failure) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). If the TSF's cipher suites are not configurable, it is acceptable to use a named cipher suite from the IANA TLS parameters associated with the tested version. Additional special cases of this test for special cipher suites are performed separately.

Test 21.2: (version confusion) For each supported version, the evaluator shall send a client hello that is compliant for the specific version that includes a list of cipher suites consisting of a single cipher suite not associated with that version. The evaluator shall observe that the TOE rejects the connection.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake failure) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). It is preferred that Test 3.2 use TLS 1.3 cipher suites for a server negotiating TLS 1.2. If TLS 1.3 is supported, Test 3.2 also includes a server negotiating TLS 1.3 with a TLS 1.2 cipher suite; in this case, the negotiated cipher suite should be chosen to be one supported by the TOE if negotiating TLS 1.2. If the TOE is configurable to allow both TLS 1.2 and TLS 1.3 clients (or does so by default), this configuration is used for both the TLS 1.2 and TLS 1.3 iterations of this test; otherwise the TOE is configured to support the negotiated version in each iteration.

Test 21.3: (null cipher suite) For each supported version, the evaluator shall send a client hello indicating support for the version and including a cipher suite list consisting of only the null cipher suite (TLS_NULL_WITH_NULL_NULL, with the value '0000') and observe that the TOE rejects the connection. Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake failure, insufficient security) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 21.4: (anon cipher suite) The evaluator shall send the TSF a TLS 1.2 handshake that is compliant, except that the cipher suites field includes a cipher suite list consisting only of cipher suites using the anonymous server authentication method, and observe that the TOE rejects the connection.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake failure, insufficient security) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). See IANA TLS parameters for available cipher suites to be included in the client hello. The test cipher suites list should include cipher suites using supported cryptographic algorithms in as many of the other components as possible. For example, if the TSF supports the cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, the evaluator should include TLS_DH_ANON_WITH_AES_256_GCM_SHA_384.

Test 21.5: (deprecated encryption algorithm) The evaluator shall send the TSF a TLS 1.2 client hello that is compliant, except that the cipher suites field is a list consisting only of cipher suites indicating a deprecated encryption algorithm, including at least one each of NULL, RC2, RC4, DES, IDEA, and TDES. The evaluator shall observe that the TOE rejects the connection. Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake failure, insufficient security) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). See IANA TLS parameters for available cipher suites to be included. The test cipher suites should use supported cryptographic algorithms for as many of the other components as possible. For example, if the TSF supports TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, the test could include TLS_ECDHE_PSK_WITH_NULL_SHA_384, TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_DHE_DSS_WITH_DES_CBC_SHA, TLS_RSA_WITH_IDEA_CBC_SHA, and TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA.

Test 22: (extensions)

Test 22.1: (signature algorithms) [conditional] If the TSF supports certificate-based authentication, then for each supported signature algorithm indicated in the ST, the evaluator shall perform the following sub-tests with certificates that represent the TOE. For each sub-test, the evaluator shall establish a to-be-signed certificate representing the TOE using a public-private key pair suitable for the specific signature algorithm value, and request the certificate from a certification authority that uses the same signature algorithm, in accordance with FIA_X509_EXT.3.

[Draft comment: the reference to FIA_X509_EXT.3 implies that any PP or module that uses this package must have the ability to generate its own CSRs (either as part of the TOE or its underlying platform); unsure if this is intended or if it will be permissible to load a cert issued by a CA.]

If the TSF also supports the signature_algorithms_cert extension, then for each value of the signature_algorithms_cert extension, the evaluator shall repeat the sub-tests using a to-be-signed certificate using a key pair consistent with the signature algorithm, with a certificate obtained from a certification authority that signs certificates using the specific value of the signature_algorithms_cert extension. Note: The TSF supports certificate-based server authentication if the TLS 1.2 supported cipher suites include cipher suites other than TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 as defined in RFC 8442, TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 as defined in RFC 5487, TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 as defined in RFC 8442, and TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 as defined in RFC 5487. If these are the only supported cipher suites, this test is omitted. For TLS 1.3 certificate-based server authentication, the client hello should not include the PSK extension. The evaluator shall follow operational guidance instructions to provision the TSF with one or more of these certificates as indicated in the following sub-tests:

Test 22.1.1: (TLS 1.2) For each supported value of the signature_algorithm extension, the evaluator shall provision a certificate with a key pair compatible with the specific signature_algorithm value and send the TSF a TLS 1.2 client hello that indicates all supported cipher suites and has a signature_algorithm extension consisting of a single value matching the specific signature algorithm. If the TSF supports the signature_algorithms_cert extension, the client hello also contains the value consistent with the provisioned certificate. The evaluator shall observe that the TSF negotiates TLS 1.2 with a TLS 1.2 cipher suite that is compatible with the signature algorithm, and that it sends a certificate message containing the provisioned certificate with a key pair that is consistent with the specific signature_algorithm value (and signed using the signature_algorithms_cert extension value, if supported). Note: For TLS 1.2, the cipher suite describes the signature algorithm as RSA or ECDSA and is compatible with the certificate used if the signature algorithm component of the cipher suite is of the same type as the signature value of the signature_algorithm extension.

Test 22.1.2: [conditional] If the TSF supports TLS 1.3, then for each supported value of the signature_algorithm, the evaluator shall provision a certificate with a key pair that is compatible with the specific signature_algorithm value, and send a TLS 1.3 client hello that indicates a supported cipher suite and has a signature_algorithm extension consisting of a single value matching the specific signature algorithm. If the TSF supports the signature_algorithms_cert extension, the client hello also contains a signature_algorithms_cert extension with a value consistent with the provisioned certificate. The evaluator shall observe that the TSF sends a certificate message containing the provisioned certificate consistent with the specific signature_algorithm value (and signed using the signature_algorithms_cert extension value) and a certificate verify message using the signature_algorithm extension value.

Note: For TLS 1.3, the certificate message and certificate verify message are encrypted. The evaluator confirms the values of these messages as received at the test TLS client, using logs, or using a test TLS client designed to expose the certificates after they are decrypted. It is not necessary to manually verify the signature used in the key exchange message (TLS 1.2) or certificate verify message (TLS 1.3).

Test 22.1.3: [conditional] If the ST indicates that the TSF supports provisioning of multiple certificates, the evaluator shall repeat Test 4.1.1 with both the provisioned certificate indicated for Test 4.1.1 (and 4.1.2 if TLS 1.3 is supported) and a certificate that does not match the signature_algorithm value. The evaluator shall observe that the certificate message (for TLS 1.2) does not include the certificate that does not match the signature_algorithm value (and signature_algorithms_cert value if supported) in the client hello.

[JF] Per SME, this test has issues with TLS 1.3 and will need updates.

Test 22.1.4: (TLS 1.2) The evaluator shall provision a certificate as in Test 4.1.1 but shall send a client hello that only offers cipher suites whose signature component does not match the value of the signature_algorithm extension. The evaluator shall observe that the TSF terminates the handshake.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake failure, illegal parameter) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 22.2: (extended master secret) The evaluator shall initiate a TLS 1.2 session with the TSF from a test TLS client for which the client hello does not include the extended master secret extension and observe that the TSF terminates the session.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake error) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).
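The server-side acceptance rules exercised by Tests 20, 21 and 22.2 above (obsolete versions refused, TLS 1.3 only via supported_versions, no connection without a supported suite valid for the negotiated version, extended_master_secret required for TLS 1.2), as an added Python illustration that is not code from the Functional Package. The two-suite-per-version "supported" tables are a constructed example configuration, and the alert names are assumptions matching the "preferred" alerts named in the tests.

```python
"""Server-side check of a TLS client hello against the FCS_TLSS_EXT.1 rules
on versions, cipher suites and extensions. Added example, not package code;
the supported-suite tables below are a constructed example configuration."""
import struct
from typing import Dict, List, Optional, Tuple

# IANA code points for suites named on this page (constructed ST selection)
SUPPORTED_TLS12 = {0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                   0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}
SUPPORTED_TLS13 = {0x1302: "TLS_AES_256_GCM_SHA384",
                   0x1301: "TLS_AES_128_GCM_SHA256"}
EXT_EXTENDED_MASTER_SECRET = 0x0017   # RFC 7627
EXT_SUPPORTED_VERSIONS = 0x002B       # RFC 8446
TLS_1_2, TLS_1_3 = 0x0303, 0x0304


def _vector(data: bytes, pos: int, len_bytes: int) -> Tuple[bytes, int]:
    """Read a length-prefixed vector; return (contents, position after it)."""
    if pos + len_bytes > len(data):
        raise ValueError("truncated length field")
    n = int.from_bytes(data[pos:pos + len_bytes], "big")
    pos += len_bytes
    if pos + n > len(data):
        raise ValueError("truncated vector")
    return data[pos:pos + n], pos + n


def _u16_list(vec: bytes) -> List[int]:
    if len(vec) % 2:
        raise ValueError("odd-length uint16 list")
    return [struct.unpack("!H", vec[i:i + 2])[0] for i in range(0, len(vec), 2)]


def parse_client_hello(body: bytes) -> dict:
    """Parse a ClientHello handshake body (RFC 5246 section 7.4.1.2 layout).
    SSLv2-format hellos do not fit this layout and fail to parse."""
    if len(body) < 34:
        raise ValueError("short client hello")
    legacy_version = struct.unpack("!H", body[:2])[0]
    pos = 34                                     # 2-byte version + 32-byte random
    session_id, pos = _vector(body, pos, 1)
    suites_raw, pos = _vector(body, pos, 2)
    _, pos = _vector(body, pos, 1)               # compression_methods, ignored
    exts: Dict[int, bytes] = {}
    if pos < len(body):                          # extensions block is optional
        ext_block, pos = _vector(body, pos, 2)
        p = 0
        while p < len(ext_block):
            if p + 2 > len(ext_block):
                raise ValueError("truncated extension type")
            ext_type = struct.unpack("!H", ext_block[p:p + 2])[0]
            ext_data, p = _vector(ext_block, p + 2, 2)
            if ext_type in exts:                 # duplicates forbidden by RFC 8446
                raise ValueError("duplicate extension")
            exts[ext_type] = ext_data
    if pos != len(body):
        raise ValueError("trailing bytes after client hello")
    return {"legacy_version": legacy_version, "session_id": session_id,
            "cipher_suites": _u16_list(suites_raw), "extensions": exts}


def select(hello_bytes: bytes, tls13_enabled: bool = True) -> Tuple[str, Optional[str]]:
    """Return ("accept", "<version>:<suite name>") or ("reject", "<alert>")."""
    try:
        hello = parse_client_hello(hello_bytes)
        sv = hello["extensions"].get(EXT_SUPPORTED_VERSIONS)
        versions = _u16_list(_vector(sv, 0, 1)[0]) if sv is not None else None
    except ValueError:
        return ("reject", "decode_error")
    # Version: TLS 1.3 only via supported_versions (RFC 8446 4.2.1). Without the
    # extension, legacy_version is the highest offered: 0x0303 or above yields
    # TLS 1.2 (Test 20.2); SSL 3, TLS 1.0 and TLS 1.1 are refused (Test 20.1).
    if versions is not None:
        if tls13_enabled and TLS_1_3 in versions:
            version = TLS_1_3
        elif TLS_1_2 in versions:
            version = TLS_1_2
        else:
            return ("reject", "protocol_version")
    elif hello["legacy_version"] >= TLS_1_2:
        version = TLS_1_2
    else:
        return ("reject", "protocol_version")
    # Cipher suite: only suites valid for the negotiated version count
    # (FCS_TLSS_EXT.1.3), so a list of only null, anon, deprecated or
    # wrong-version suites fails here (Test 21).
    table = SUPPORTED_TLS13 if version == TLS_1_3 else SUPPORTED_TLS12
    chosen = next((s for s in hello["cipher_suites"] if s in table), None)
    if chosen is None:
        return ("reject", "handshake_failure")
    # TLS 1.2 sessions require extended_master_secret (FCS_TLSS_EXT.1.4, Test 22.2)
    if version == TLS_1_2 and EXT_EXTENDED_MASTER_SECRET not in hello["extensions"]:
        return ("reject", "handshake_failure")
    label = "TLS1.3" if version == TLS_1_3 else "TLS1.2"
    return ("accept", "%s:%s" % (label, table[chosen]))


def build_client_hello(legacy_version: int, suites: List[int],
                       exts: List[Tuple[int, bytes]]) -> bytes:
    """Construct a minimal ClientHello body for demonstration (zero random)."""
    suites_raw = b"".join(struct.pack("!H", s) for s in suites)
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    return (struct.pack("!H", legacy_version) + bytes(32) + b"\x00"
            + struct.pack("!H", len(suites_raw)) + suites_raw + b"\x01\x00"
            + struct.pack("!H", len(ext_body)) + ext_body)
```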

Test23:(keyexchange)Theevaluatorshallperformthefollowingteststoconfirmcompliantkeyexchange:

Test23.1:(TLS1.2RSAkeyexchange)[conditional]IfanyofthesupportedTLS1.2

ciphersuitesintheSTincludesRSAforthekeyexchangemethod,theevaluatorshallperformthefollowingsub-tests:

Test23.1.1:ForeachsupportedRSAkeysize,theevaluatorshallprovisiontheTSFwithavalidcertificatethathasanRSApublickeyofthatsize.TheevaluatorshallinitiateavalidTLS1.2handshakefromacomplianttestTLS1.2clientandobservethattheservercertificatemessagematchestheprovisionedcertificate.Test23.1.2:ForeachsupportedRSAkeysize,theevaluatorshallsendtheTSFacompliantTLS1.2clienthello,butinplaceoftheclient’skeyexchangemessage,theevaluatorshallsendtheTSFa(non-compliant)KeyExchangemessagethatisproperlyformattedbutusesaninvalidEncryptedPreMasterSecretfieldintheTLShandshake(e.g.,modifyabyteofaproperlycomputedvalue).TheevaluatorshallattempttocompletethehandshakeusingcompliantclientchangecipherspecandfinishedmessagesandverifythattheTSFterminatesthehandshakeinamannerthatisindistinguishablefromafinishedmessageerroranddoesnotsendapplicationdata.Note:MitigationsfororacleattacksdescribedinRFC5246AppendixDrequiretheTSFtoexhibitthesamebehaviorforkeyexchangefailuresasitdoesforfinishedmessagefailures.ItispreferredthattheTSFsendafataldecryptfailureerroralertattheendofthehandshakeinboththiscaseandforafinishedmessageerror,butitisacceptablethattheTSFterminatethesessionwithanothererroralert,orwithoutsendinganerroralertineithercase.Ifthefailureerroralertisnotforadecryptionfailure,theevaluatorshallnotethattheTSF’sresponseagreeswiththeresponseobservedintheTLS1.2iterationofTest5.2.

Test 23.2: For each supported version, the evaluator shall initiate a compliant handshake up through the (implied for TLS 1.3) change cipher spec message. The evaluator shall then send a (non-compliant) client finished handshake message with an invalid 'verify data' value and verify that the server terminates the session and does not send any application data.

Note: TLS 1.2 handshakes include explicit change cipher spec messages, but TLS 1.3 omits the change cipher spec message. If TLS 1.3 is supported, the modified finished message is sent as the final message from the client after receiving the server's flight of handshake messages {encrypted extensions, (certificate request), (certificate, certificate verify), finished}. It is preferred that the TSF send a fatal decryption failure error alert, but it is acceptable that the TSF terminate the session using another error alert or without sending an error alert. The finished message is encrypted. The invalid 'verify data' can be constructed by modifying a byte of a compliant finished message payload.

Test 23.3: (TLS 1.2 DHE or ECDHE key exchange) [conditional] If the ST indicates support for DHE or ECDHE cipher suites for TLS 1.2, then the evaluator shall perform the following sub-tests:

Test 23.3.1: [conditional] If the TSF supports DHE cipher suites and supports DHE parameters that are not specified in the supported groups extension, then for each supported DHE parameter set, the evaluator shall follow the operational guidance to configure the TSF to use the DHE parameters in its key exchange. The evaluator shall then initiate a TLS 1.2 handshake from a test client with a client hello indicating a single DHE cipher suite. The evaluator shall observe that the TSF key exchange message indicates the configured parameters and ensure that the client key exchange is a valid point for the parameter set. The evaluator shall confirm that the TSF successfully completes the session. The evaluator shall close the session and resend the client hello. After the TSF responds with a valid key exchange message, the evaluator shall send an empty client key exchange message and observe that the TSF terminates the session.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., decryption failure, illegal parameter, handshake error) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 23.3.2: [conditional] If the TSF supports DHE cipher suites and supports DHE groups in the supported groups extension, then for each supported DHE group, the evaluator shall send the TSF a compliant TLS 1.2 client hello indicating a single cipher suite that is compatible with the group and indicating the group in the supported groups extension. The evaluator shall observe that the TSF negotiates TLS 1.2 using the indicated cipher suite and that the server key exchange message indicates the specific group. The evaluator shall send the TOE a client key exchange with a valid point in the group and observe that the TSF successfully completes the session. The evaluator shall close the session and resend the client hello. After the TSF responds with a valid key exchange message, the evaluator shall send the TSF a client key exchange with the public key value '0'. The evaluator shall observe that the TSF terminates the session. The evaluator shall send a new client hello including the same cipher suite but indicating a group not supported by the TSF in the supported groups extension. The evaluator shall observe that the TSF terminates the session.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., decryption failure, illegal parameter, handshake error) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 23.3.3: [conditional] If the TSF supports ECDHE cipher suites (and therefore supports ECDHE groups in the supported groups extension), the evaluator shall send a client hello message indicating a single supported ECDHE cipher suite and including the supported ECDHE group in the supported groups extension. The evaluator shall observe that the TSF sends a key exchange message with a valid point of the specified group. The evaluator shall send the TSF a client key exchange message consisting of a valid element in the supported group and observe that the TSF successfully completes the session. The evaluator shall close the session and resend the client hello. After the TSF sends the valid key exchange message, the evaluator shall send a client key exchange message consisting of an invalid element of the supported group and observe that the TSF terminates the handshake. The evaluator shall send a third client hello to the TSF indicating the supported ECDHE cipher suite and including an ECDHE group that is not supported. The evaluator shall observe that the TSF terminates the session.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., decryption failure, illegal parameter, handshake error, insufficient security) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). An invalid ECDHE point consists of properly formatted x and y components, but for which the equation of the curve is not satisfied. To obtain an invalid point, the evaluator can modify a byte of the y coordinate value of a valid point and confirm that the point is not on the curve. The IANA TLS parameters website lists registered ECDHE groups for use in selecting a non-supported group. If the TSF supports all registered ECDHE groups, it is acceptable to send the client hello without a supported groups extension. The TSF should reject such a client hello, but it is acceptable for the TSF to default to a supported group. In this case, the TSF passes the test.

Test 23.4: (TLS 1.3 key exchange) [conditional] If the TSF supports TLS 1.3, then for each supported group the evaluator shall perform the following sub-tests:

Test 23.4.1: The evaluator shall send the TSF a compliant TLS 1.3 client hello indicating a single key share value from the supported group and shall observe that the server hello includes valid elements of the supported group.

Test 23.4.2: The evaluator shall send the TSF a TLS 1.3 client hello indicating a supported groups value supported by the TSF but containing a key share extension indicating an element claiming to be in the supported group that does not represent a valid element of the group. The evaluator shall observe that the TSF terminates the session.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., illegal parameter, handshake failure, decryption failure) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). For DHE groups, the invalid element may be of the wrong length; for ECDHE groups, the invalid element has coordinates (x and y) that do not satisfy the equation of the elliptic curve. To obtain an invalid ECDHE point, the evaluator can modify a byte of the y coordinate value of a valid point and confirm that the point is not on the curve.
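The invalid-point construction called for in Tests 23.3.3 and 23.4.2, worked through for the P-256 (secp256r1) group as an added example that is not part of the Functional Package or of any TOE: it checks the curve equation, derives a fresh, correctly formed uncompressed key share by scalar multiplication, corrupts one byte of the y coordinate as the note describes, and confirms the result is off the curve. The curve constants are the published secp256r1 parameters; the 0x04 || X || Y encoding is the uncompressed point format TLS uses for this group in both the TLS 1.2 ClientKeyExchange and the TLS 1.3 key_share entry. validate_key_share is the check a server must apply to a peer share before using it; the test client side is the corrupt_y recipe.

```python
# Added example: construct valid and invalid P-256 (secp256r1) key shares for
# Tests 23.3.3 / 23.4.2 and show the on-curve check a TLS server must apply.
# Not code from the Functional Package or any evaluated TOE.
import secrets

# secp256r1 domain parameters (SEC 2 / FIPS 186-4): y^2 = x^3 + A*x + B (mod P)
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)


def on_curve(point):
    """True iff point is an affine point satisfying the curve equation (None = infinity)."""
    if point is None:
        return False
    x, y = point
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0


def _add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                      # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P     # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """Double-and-add scalar multiplication (not constant-time; test tooling only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def encode_uncompressed(point):
    """TLS ECPoint / KeyShareEntry encoding for P-256: 0x04 || X (32 bytes) || Y (32 bytes)."""
    x, y = point
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def decode_uncompressed(data):
    if len(data) != 65 or data[0] != 0x04:
        raise ValueError("not an uncompressed P-256 point")
    return int.from_bytes(data[1:33], "big"), int.from_bytes(data[33:65], "big")


def valid_client_share():
    """A fresh, correctly formed key share, as a compliant test client would send."""
    k = 1 + secrets.randbelow(N - 1)
    return encode_uncompressed(scalar_mult(k, G))


def corrupt_y(share, index=64):
    """Flip one byte of the Y coordinate (the note's recipe). The result is still well
    formatted but, with overwhelming probability, no longer satisfies the curve equation."""
    buf = bytearray(share)
    buf[index] ^= 0x01
    return bytes(buf)


def validate_key_share(share):
    """The check a TSF must make before using a peer share: well formed and on the curve.
    Returns False for malformed input instead of raising so the caller can answer with an
    illegal_parameter alert (or close silently) uniformly."""
    try:
        return on_curve(decode_uncompressed(share))
    except ValueError:
        return False
```

The same recipe applies to any prime-order short Weierstrass group listed by IANA; only P, A, B, N and the generator change. For the DHE case in Test 23.4.2 the analogous check is on length and range (1 < Y < p-1) rather than a curve equation.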

Test 23.5: For each supported version, the evaluator shall initiate a TLS handshake from a test TLS client with compliant handshake messages negotiating the version and supported parameters to include the change cipher spec message (implied for TLS 1.3), but which omits the finished message and instead sends an application message containing random data. The evaluator shall observe that the TSF terminates the connection.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., decryption failure) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). Application data is indicated by the TLSCiphertext ContentType field having value 23 (application data). The legacy record version '0303' and length fields should match a valid TLSCiphertext message of the same size.

FCS_TLSS_EXT.2 TLS Server Support for Mutual Authentication

The inclusion of this selection-based component depends upon selection in FCS_TLSS_EXT.1.1.

FCS_TLSS_EXT.2.1 The TSF shall support authentication of TLS clients using X.509v3 certificates during the TLS handshake and [selection: during post-handshake requests, at no other time] using the certificate types indicated in the client's signature_algorithms and [selection: signature_algorithms_cert, no other] extension.

Application Note: TLS 1.3 supports authentication after completing the abbreviated handshake with pre-shared keys. A server may send a client a certificate request after the finished message whenever the client includes the post-handshake authentication extension. The ST author claims 'during post-handshake requests' if this feature is supported. If TLS 1.3 is not supported, or if the TLS post-handshake authentication extension is not recognized in a TLS 1.3 handshake, the ST author selects 'at no other time'.

FCS_TLSS_EXT.2.2 The TSF shall support authentication of TLS clients using X.509v3 certificates in accordance with FIA_X509_EXT.1.

FCS_TLSS_EXT.2.3 The TSF shall be able to reject the establishment of a trusted channel if the requested client certificate is invalid and [selection:

continue establishment of a server-only authenticated TLS channel in accordance with FCS_TLSS_EXT.1 in support of [selection: all applications, [assignment: list of calling applications that accept both authenticated and unauthenticated client sessions]] when an empty certificate message is provided by the client

continue establishment of a mutually authenticated TLS channel when revocation status information for the [selection: client's leaf certificate, [assignment: specific intermediate leaf CA certificates], any non-trust store certificate in the certificate chain] is not available in support of [selection: all applications, [assignment: list of calling applications configurable to perform certificate status information bypass processing]] as [selection: configured by an administrator, confirmed by the application user, as a default for [assignment: subset of applications]]

no other processing options for missing or invalid client certificates

].

Application Note: The ST author claims any certificate processing exceptions that are allowed for specific calling applications. The 'continue establishment of a server-only authenticated TLS channel…' selection is claimed if the TLS product supports applications that can provide services to unauthenticated users if the user does not possess an appropriate certificate. Within this selection, the ST author indicates which applications are able to support both authenticated and unauthenticated users.

The ST author claims 'continue establishment of a mutually authenticated TLS channel…' if there is an administrator configuration or user confirmation that revocation status information is not available for one or more of the certificates in the client's certificate chain. If claimed, the ST author will describe in the assignment for intermediate values which CA certificates are included in the exception (for example, "all intermediates but the issuing CA" or "specific end-entity certificates as configured"). Within this selection, the ST author specifies which applications are impacted and which authorized user is allowed to approve continuing with the session when revocation information is not available. If an administrator configures whether a user may accept a certificate without status information, both selections are claimed. The 'as a default' option should only be selected for applications that do not have access to revocation information. Methods for obtaining revocation information are included in FIA_X509_EXT.1.

FCS_TLSS_EXT.2.4 The TSF shall be able to [selection:

not establish a TLS session if an entry of the Distinguished Name or a [selection: rfc822_name, dns_name, [assignment: supported name types]] in the Subject Alternate Name extension contained in the client certificate does not match one of the expected identifiers for the client in accordance with [selection: RFC 2822, RFC 6125, RFC 5280, [assignment: RFC for the supported name type]] matching rules

pass the [selection: validated certificate, RFC822 name normalized according to RFC 822, DNS name normalized according to RFC 6125, [assignment: list of RFC 5280 name types and normalization rules], [assignment: list of 'other' name types and standard normalization rules]] to [assignment: list of calling applications capable of making access decisions]

].

Application Note: Authorization for services provided by the applications that are protected by the TLS session is determined either by the application establishing a set of reference identifiers or by passing the received identifiers to the application. The ST author indicates the methods supported and, for each method supported, indicates all name types supported; at least one name type is required. In the assignment of the first option, the ST author indicates all name types and the corresponding method for matching in the sub-selections. In the second method option, the ST author indicates which name type normalizations the product supports. If the product passes the entire validated certificate to the application, no normalization of the names contained in the certificate is expected.

If name normalization is claimed, care should be taken regarding wildcards and IP addresses. IP addresses embedded in DNS host names and in Directory Name CN components have been observed to include non-standard wildcard designations including the '*' character. Any embedded IP addresses should use standard CIDR notation and should not include nonstandard encoding.

This SFR is claimed if "mutual authentication" is selected in FCS_TLSS_EXT.1.1.

Evaluation Activities

FCS_TLSS_EXT.2

TSS
The evaluator shall ensure that the TSS description required per FIA_X509_EXT.2.1 includes the use of client-side certificates for TLS mutual authentication, and that the description includes any certificate validation exception rules and the name types supported for matching to reference identifiers for all applications that use TLS. The evaluator shall examine the TSS to ensure that any CN-embedded name types that are used include a description of the encoding and matching rules.

Guidance
The evaluator shall verify that the operational guidance includes instructions for configuring trust stores for client-side certificates used in TLS mutual authentication. The evaluator shall ensure that the operational guidance includes instructions for configuring the server to require mutual authentication of clients using these certificates and for configuring any certificate validation exception rules. The evaluator shall ensure that the operational guidance includes instructions for configuring reference identifiers normalized or matched by the TSF and matching rules for the supported name types.

Tests
The evaluator shall use TLS as a function to verify that the validation rules in FIA_X509_EXT.1 are adhered to and shall perform the tests listed below. The evaluator shall apply the operational guidance to configure the server to require TLS mutual authentication of clients for these tests unless overridden by instructions in the test activity.

Note: TLS 1.3 is a fundamentally different protocol from TLS 1.2, so even though the certificate validation and name checking tests are identical for both versions, it is likely that early deployments of TLS 1.3 may use a different code base that warrants independent testing. If TLS 1.3 is supported and the evaluator can verify that the TSF uses the same code base for certificate validation and name checking for both TLS 1.3 and TLS 1.2, it is acceptable that testing be performed for only one version for these tests.

Test 24: For each supported version, the evaluator shall follow the operational guidance to configure the TOE to require valid client authentication with no exceptions and initiate a TLS session from a compliant TLS test client supporting that version. The evaluator shall ensure that the test client sends a certificate_list structure which has a length of zero. The evaluator shall verify the TSF terminates the session and no application data flows.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake failure, bad certificate, unknown certificate, unknown CA) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 25: [conditional] If the ST indicates that the TSF supports establishment of a TLS session for missing or invalid certificates, then for each supported version, and for each supported response option for a missing or invalid certificate indicated in FCS_TLSS_EXT.2.3, the evaluator shall configure the TSF according to the operational guidance to respond as indicated for the calling application. The evaluator shall send client handshake messages from a test TLS client as indicated for each sub-test. The evaluator shall perform the following sub-tests:

Test 25.1: [conditional] If the TSF supports non-authenticated session establishment when receiving an empty certificate message, the evaluator shall initiate a TLS handshake from a compliant test TLS client supporting the version and providing a certificate message containing a certificate_list structure of length zero. The evaluator shall confirm that the TSF notifies the calling application that the user is unauthenticated.

Note: Specific procedures for determining that the calling application is notified will vary based on the application. If an API to the calling application is not available, the evaluator may attempt to configure the calling application to provide a different response (e.g., require authentication for flagged data) for authenticated and non-authenticated users and make a request at the test client that results in a response indicating the application is treating the client as non-authenticated.

Test 25.2: [conditional] If the TSF supports exceptions for when revocation status information is unavailable, then the evaluator shall follow the operational guidance to attempt to establish a narrowly defined exception for which both exempt and non-exempt certificates can be established. The evaluator shall establish a primary certificate chain for the test client that only exhibits the allowed exception and one or more alternate certificate chains for the test client that do not pass the exception rule, as necessary to test the boundaries of the exception rules. The evaluator shall follow the operational guidance to remove any cached revocation status information for the test client's primary certificate chain. The evaluator shall initiate a valid TLS session from the test client that presents the primary certificate for the test client, provide any feedback requested by the TSF to confirm the exception, and observe that the TSF allows the certificate and completes the TLS handshake successfully. For each alternate certificate chain, the evaluator shall repeat the session initiation from the test client but present the alternate certificate chain and observe that the TSF terminates the session.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., bad certificate, unknown certificate, access denied, handshake error) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). The alternate certificate chains are intended to test the boundaries of the exception rules. For example, if the exception rule indicates that only leaf certificates are exempt, the evaluator will include an alternate certificate chain for which a CA certificate's revocation information is advertised but is not available; if the exception can be configured for an explicit leaf certificate, or particular subjects, an alternate chain will be included that does not include an excepted certificate or subject. If the exception rules can be configured for all certificates having advertised revocation information, an alternate certificate chain can include an expired certificate; only one additional validity failure (e.g., expired certificate) is required in this case. More comprehensive validity failure handling is addressed by testing for FIA_X509_EXT.1.

Test 26: For each supported version, the evaluator shall configure the TSF to negotiate the version and require client authentication and perform the following steps:

For each supported name matching method indicated in the outer selection of FCS_TLSS_EXT.2.4, and for each name type supported by the matching method as indicated in the inner selections claimed in each outer selection, the evaluator shall establish a valid primary certificate chain with single names for a test client containing only the supported name types and a valid alternate certificate chain with single names indicating a different name of the same type.

[conditional] If any of the supported name types include CN encoding of a name type also supported as a SAN entry, the evaluator shall establish additional certificate chains as follows:

The evaluator shall establish a primary certificate chain with multiple names, to include a leaf certificate with:

a SAN entry that matches the name in the primary certificate chain with single names, of the same SAN name type; and
a CN entry encoding the same SAN type which matches the name in the alternate certificate chain with single names of the CN encoding of the same SAN name type.

The evaluator shall establish an alternate certificate chain with multiple names, to include a leaf certificate with:

a SAN entry that matches the name in the alternate certificate chain with single names, of the same SAN name type; and
a CN entry encoding the same SAN type which matches the name in the primary certificate chain with single names, of the CN encoding of the same SAN name type.

In this case, the evaluator shall also obtain an alternate certificate chain with multiple names including a CN encoding of the name matching that in the corresponding primary certificate containing only the CN encoding and a SAN entry of the same type that matches the name in the alternate certificate chain having the same SAN type.

[conditional] If any of the supported name types include CN encoding, the evaluator shall follow the operational guidance to configure the TSF, establishing trust in the root CA for all primary and alternate certificate chains. The evaluator shall configure the TSF and any relevant TOE applications that use TLS for client authentication as necessary to establish reference identifiers that match the names in the client's primary certificate chains with single names, but not matching any of the names in the alternate certificate chains with single names.

For each primary certificate chain (with single or multiple names), the evaluator shall initiate a TLS session from the test TLS client that is configured to present the primary certificate chain in a certificate message and a valid certificate verify message in response to the server's certificate request message. The evaluator shall confirm that the TSF accepts the certificate and completes the authenticated TLS session successfully. For each alternate certificate chain (with single or multiple names), the evaluator shall initiate a TLS session from the test TLS client that is configured to present the alternate certificate chain in a certificate message and a valid certificate verify message in response to the server's certificate request message. The evaluator shall confirm that the TSF terminates the session.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., access denied) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). The intent of this test is to confirm that for each method that the TSF uses to match name types presented in validated certificates, it is able to recognize both matching and non-matching names. Names of special types implicitly encoded in the CN entry of the certificate subject name are especially prone to error since they may only be validated by the issuing CA as a directory name (RDN) type, especially if the issuing CA is unaware of the intended encoding as a different name type. It is a best practice that when the CN is interpreted as an embedded name type other than RDN, an explicitly encoded SAN entry should take precedence.
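The matching policy Test 26 probes with its primary and alternate chains, including the SAN-over-CN precedence the note recommends, as an added example that is not part of the Functional Package or of any TOE. It operates on names already extracted from a validated certificate (the SAN entries and the subject CN) rather than parsing DER, so it sits behind whatever X.509 validation the TSF performs under FIA_X509_EXT.1. The dNSName matcher follows RFC 6125 section 6.4.3 (case-insensitive labels, a lone '*' only as the whole left-most label), the rfc822Name matcher follows RFC 5280 section 7.5, and the iPAddress matcher parses both sides so that '*' or other non-standard encodings never match. The name type labels and the sample names in the test are constructed for the example.

```python
# Added example: reference identifier matching for TLS client certificates as exercised
# by Test 26, with SAN entries taking precedence over a CN interpreted as the same type.
# Works on names already extracted from a validated certificate. Not code from the
# Functional Package or any evaluated TOE; name type labels are the example's own.
import ipaddress


def _is_ip_literal(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def match_dns(presented, reference):
    """RFC 6125 s.6.4.3: case-insensitive label comparison; a single '*' is accepted only as
    the complete left-most label and only when at least two labels follow it.
    IP literals are never matched as dNSName values."""
    p, r = presented.lower().rstrip("."), reference.lower().rstrip(".")
    if not p or not r or _is_ip_literal(p) or _is_ip_literal(r):
        return False
    if "*" not in p:
        return p == r
    pl, rl = p.split("."), r.split(".")
    if pl[0] != "*" or len(pl) < 3 or any("*" in lab for lab in pl[1:]):
        return False
    return len(pl) == len(rl) and pl[1:] == rl[1:]


def match_rfc822(presented, reference):
    """RFC 5280 s.7.5: local part compared case-sensitively, domain part case-insensitively;
    no wildcards."""
    if "*" in presented or presented.count("@") != 1 or reference.count("@") != 1:
        return False
    (pl, pd), (rl, rd) = presented.split("@"), reference.split("@")
    return pl == rl and pd.lower() == rd.lower()


def match_ip(presented, reference):
    """iPAddress: compare parsed addresses; '*' or other non-standard encodings never match."""
    try:
        return ipaddress.ip_address(presented) == ipaddress.ip_address(reference)
    except ValueError:
        return False


MATCHERS = {"dns_name": match_dns, "rfc822_name": match_rfc822, "ip_address": match_ip}


def client_identity_matches(san_entries, subject_cn, reference_ids, cn_types=("dns_name",)):
    """san_entries: [(type, value)] from the SAN extension; subject_cn: CN string or None;
    reference_ids: [(type, value)] the TSF expects for this client; cn_types: name types the
    TSF is willing to read out of the CN when the certificate has no SAN entry of that type.
    Policy: an explicitly encoded SAN entry takes precedence, so when the certificate carries
    any SAN entry of the reference type the CN is ignored for that type."""
    for rtype, rvalue in reference_ids:
        matcher = MATCHERS.get(rtype)
        if matcher is None:
            continue
        presented = [v for t, v in san_entries if t == rtype]
        if not presented and subject_cn is not None and rtype in cn_types:
            presented = [subject_cn]
        if any(matcher(p, rvalue) for p in presented):
            return True
    return False
```

Run against the four chains the test prescribes, the primary single-name and primary multi-name chains match, while the alternate multi-name chain (SAN carrying the alternate name, CN carrying the primary name) is rejected because the SAN entry, not the CN, is what gets compared.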

FCS_TLSS_EXT.3 TLS Server Downgrade Protection

The inclusion of this selection-based component depends upon selection in FCS_TLSS_EXT.1.1.

FCS_TLSS_EXT.3.1 The TSF shall set the server hello random value to a random value concatenated with the TLS 1.2 downgrade indicator when negotiating TLS 1.2, as indicated in RFC 8446 section 4.1.3.

Application Note: This SFR is claimed if the TSF supports TLS 1.3. RFC 8446 requires both the TLS 1.2 downgrade indicator as well as an indicator for TLS 1.1 and below. This FP requires the server to reject attempts to establish TLS 1.1 and below, making this mechanism redundant. However, products may still implement both indicators to be compliant with the RFC.

This SFR is claimed if "supplemental downgrade protection" is selected in FCS_TLSS_EXT.1.1.

Evaluation Activities

FCS_TLSS_EXT.3

TSS
The evaluator shall examine the ST and confirm that the TLS description includes details on the session downgrade protections that are supported.

Guidance
The evaluator shall examine the operational guidance to confirm that instructions are included to configure the TSF to support only TLS 1.3 and to provide the associated downgrade indications.

Tests
The evaluator shall follow the operational guidance as necessary to configure the TSF to negotiate only TLS 1.3 and to provide the associated downgrade indications. The evaluator shall send a TLS client hello to the TOE that indicates support for only TLS 1.2. The evaluator shall observe that the TSF sends a server hello with the last eight bytes of the server random value equal to 444F574E47524401.
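The observation step of this test, worked as an added example that is not part of the Functional Package or of any TOE: a parser that pulls legacy_version and random out of a ServerHello record and reports whether the last eight bytes carry the RFC 8446 section 4.1.3 sentinel (444F574E47524401, the ASCII string "DOWNGRD" followed by 0x01; 0x00 in the last position is the TLS 1.1-and-below indicator the application note mentions). build_server_hello and with_sentinel only construct sample records for offline use and are not captures from a real server. The sentinel is defined for a TLS 1.3-capable server that actually negotiates TLS 1.2, so a server that refuses TLS 1.2 entirely answers the test client hello with a protocol_version alert rather than the server hello inspected here.

```python
# Added example: inspect a ServerHello for the RFC 8446 s.4.1.3 downgrade sentinel,
# the observation required by the FCS_TLSS_EXT.3 test. Not code from the Functional
# Package or any evaluated TOE; the builder functions construct sample records only.

HANDSHAKE = 0x16            # TLS record ContentType handshake(22)
SERVER_HELLO = 0x02         # HandshakeType server_hello(2)
TLS12 = b"\x03\x03"
DOWNGRADE_TLS12 = bytes.fromhex("444F574E47524401")   # "DOWNGRD" || 0x01
DOWNGRADE_TLS11 = bytes.fromhex("444F574E47524400")   # "DOWNGRD" || 0x00


def parse_server_hello(record):
    """Return (legacy_version, random) from a single TLS record carrying a ServerHello.
    Raises ValueError for anything that is not a well-formed ServerHello record."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4:
        raise ValueError("truncated record")
    if body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or len(hello) < 2 + 32:
        raise ValueError("truncated ServerHello")
    return hello[0:2], hello[2:34]


def downgrade_sentinel(record):
    """'tls12', 'tls11_or_below', or None, from the last 8 bytes of ServerHello.random."""
    _, rnd = parse_server_hello(record)
    tail = rnd[-8:]
    if tail == DOWNGRADE_TLS12:
        return "tls12"
    if tail == DOWNGRADE_TLS11:
        return "tls11_or_below"
    return None


def passes_fcs_tlss_ext_3(record):
    """Pass criterion of the test: TLS 1.2 negotiated and the TLS 1.2 sentinel present."""
    version, rnd = parse_server_hello(record)
    return version == TLS12 and rnd[-8:] == DOWNGRADE_TLS12


def with_sentinel(prefix24, sentinel=DOWNGRADE_TLS12):
    """Server-side construction of random for a downgraded handshake: 24 random bytes || sentinel."""
    if len(prefix24) != 24:
        raise ValueError("prefix must be 24 bytes")
    return prefix24 + sentinel


def build_server_hello(random32, version=TLS12, session_id=b"", cipher=b"\xc0\x2f"):
    """Constructed ServerHello record without extensions, for offline testing only."""
    if len(random32) != 32:
        raise ValueError("random must be 32 bytes")
    hello = version + random32 + bytes([len(session_id)]) + session_id + cipher + b"\x00"
    body = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + version + len(body).to_bytes(2, "big") + body
```

In a live test the record fed to passes_fcs_tlss_ext_3 is the first record the TOE returns after the TLS 1.2-only client hello; a packet capture or the test client's raw receive buffer both work as input.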

FCS_TLSS_EXT.4 TLS Server Support for Renegotiation

The inclusion of this selection-based component depends upon selection in FCS_TLS_EXT.1.1.

FCS_TLSS_EXT.4.1 The TSF shall support secure renegotiation through the use of [selection: the "renegotiation_info" TLS extension, not allowing session renegotiation] in accordance with RFC 5746.

FCS_TLSS_EXT.4.2 The TSF shall, when negotiating a TLS 1.2 session, [selection: include the renegotiation_info extension in ServerHello messages when a client hello with the renegotiation_info extension is received and shall terminate a session if neither the renegotiation_info extension nor the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signaling cipher suite is indicated in the client hello, not allow renegotiation].

FCS_TLSS_EXT.4.3 The TSF shall terminate the session if an unexpected client hello is received during an active TLS session.

Application Note: RFC 5746 defines an extension to TLS 1.2 that binds renegotiation handshakes to the cryptography in the original handshake. As a refinement of the RFC, servers that support renegotiation and negotiate TLS 1.2 will terminate a session if neither of the methods described in RFC 5746 is offered by the client. RFC 5746 indicates that a server negotiating TLS 1.2 is required to terminate the session if the conditions for secure renegotiation are not met. Alternatively, a TLS server may negotiate TLS 1.2 without any RFC 5746 client renegotiation indicators if it always terminates an existing session when a new client hello is received, similar to the implementation of TLS 1.3.

TLS 1.3 does not allow renegotiation. Termination, as indicated in FCS_TLSS_EXT.4.3, covers TLS 1.3 sessions as well as TLS 1.2 sessions where the client hello received does not comply with RFC 5746, or when configured to reject renegotiation (if the product is configurable).

This SFR is claimed if "TLS as a server" is selected in FCS_TLS_EXT.1.1.

Evaluation Activities

FCS_TLSS_EXT.4

TSS
The evaluator shall examine the ST to confirm that the TLS description includes details on session renegotiation protection methods supported, to include when renegotiation is prohibited.

Guidance
The evaluator shall examine the operational guidance to confirm that any instructions that are needed to meet the requirements are included. If support for TLS 1.2 is configurable to use RFC 5746 methods or to deny renegotiation, the evaluator shall ensure that the operational guidance includes instructions for configuring the TSF in this manner.

Tests
The evaluator shall perform the following tests, as indicated for each version supported, using a test TLS client able to construct the indicated messages and expose messages received from the TSF:

Test 27: (RFC 5746 compliant TLS 1.2 initial handshake) [conditional] If the TSF supports renegotiation, the evaluator shall follow the operational guidance as necessary to configure the TSF to enforce RFC 5746 methods. The evaluator shall initiate a TLS 1.2 session from a test TLS client for each of the following sub-tests:

Test 27.1: The evaluator shall send an initial client hello without the renegotiation_info extension and without including the signaling cipher suite value, TLS_EMPTY_RENEGOTIATION_INFO_SCSV. The evaluator shall observe that the TSF terminates the session.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake failure) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 27.2: The evaluator shall send an initial client hello with the renegotiation_info extension indicating a renegotiated_connection length greater than zero. The evaluator shall observe that the TSF terminates the session.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake failure) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 28: (renegotiation attempt) For each of the following sub-tests, the evaluator shall establish a compliant TLS channel with an initial handshake that uses the indicated secure renegotiation method for the version indicated. Without closing the session, the evaluator shall send a second client hello within the channel specific to the version as indicated:

Test 28.1: [conditional] If the TSF allows renegotiation, the evaluator shall configure the TSF to support RFC 5746 methods, send an initial handshake with a valid renegotiation extension, send a new TLS 1.2 client hello on the TLS 1.2 channel containing the renegotiation_info extension indicating valid client_verify_data, and observe that the TSF successfully completes the handshake.

Test 28.2: [conditional] If the TSF allows renegotiation, the evaluator shall send an initial client hello containing a valid renegotiation extension, send a new TLS 1.2 client hello on the TLS 1.2 channel with the signaling cipher suite value, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, and observe that the TSF terminates the session.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake failure) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 28.3: [conditional] If the TSF allows renegotiation, for each TLS 1.2 renegotiation method claimed in accordance with RFC 5746, the evaluator shall send an initial client hello indicating the method, send a new TLS 1.2 client hello on the TLS 1.2 channel without a renegotiation_info extension, and observe that the TSF terminates the session.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., unexpected message) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 28.4: [conditional] If the TSF allows renegotiation, for each TLS 1.2 renegotiation method claimed in accordance with RFC 5746, the evaluator shall send an initial client hello indicating the method, send a new TLS 1.2 client hello on the TLS 1.2 channel with a renegotiation_info extension indicating an invalid client_verify_data value (modify a byte of a valid value), and observe that the TSF terminates the session.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., unexpected message) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 28.5: [conditional] If the TSF supports TLS 1.3, or if the TSF rejects renegotiation for TLS 1.2, then for each such version, the evaluator shall follow the operational guidance as necessary to configure the TSF to negotiate the version and reject renegotiation. The evaluator shall initiate a valid initial session for the specified version, send a valid client hello on the non-renegotiable TLS channel, and observe that the TSF terminates the session.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., unexpected message) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

FCS_TLSS_EXT.5 TLS Server Support for Session Resumption

The inclusion of this selection-based component depends upon selection in FCS_TLSS_EXT.1.1.

FCS_TLSS_EXT.5.1 The TSF shall support session resumption as a server via the use of [selection: session ID in accordance with RFC 5246, tickets in accordance with RFC 5077, PSK and tickets in accordance with RFC 8446].

Application Note: The ST author indicates which session resumption mechanisms are supported. One or both of the first two options, "session ID in accordance with RFC 5246" and "tickets in accordance with RFC 5077", are claimed for TLS 1.2 resumption. If resumption of TLS 1.3 sessions is supported, "PSK and tickets in accordance with RFC 8446" is selected, and the selection-based SFR FCS_TLSS_EXT.6 must also be claimed.

While it is possible to perform session resumption using PSK cipher suites in TLS 1.2, this is uncommon. Validation of key exchange and session negotiation rules for PSK cipher suites is independent of the source of the pre-shared key and is covered in FCS_TLSS_EXT.1.

This SFR is claimed if "session resumption" is selected in FCS_TLSS_EXT.1.1.

Evaluation Activities

FCS_TLSS_EXT.5

TSS
The evaluator shall examine the ST and confirm that the TLS server protocol description includes a description of the supported resumption mechanisms.

Guidance
The evaluator shall ensure the operational guidance describes instructions for any configurable features of the resumption mechanism.

Tests
The evaluator shall perform the following tests:

Test 29: For each supported version, and for each supported resumption method for that version, the evaluator shall establish a compliant initial TLS session with the TOE for the version using the specified method. The evaluator shall close the successful session and initiate resumption using the specified mechanism. The evaluator shall observe that the TSF successfully establishes the resumed session in accordance with the requirements.

Test 30: For each supported version and each supported resumption method for the version, the evaluator shall send a compliant client hello message supporting only the specific version and indicating support for the resumption method. The evaluator shall allow the TOE and test client to continue with the compliant handshake until resumption information is established but then cause a fatal error to terminate the session. The evaluator shall then send a new client hello in an attempt to resume the session with the resumption information provided and verify that the TSF does not resume the session, but instead either terminates the session or completes a full handshake, ignoring the resumption information.

Note: For TLS 1.2, resumption information should be established at the point the TSF sends a server hello, either acknowledging the session-based resumption or acknowledging support for ticket-based resumption and sending a new session ticket message. A TLS 1.2 session can then be terminated by sending a modified finished message. For TLS 1.3, the new session ticket message is sent after the finished message; once received by the client, the session can be terminated by modifying a byte of the encrypted application data.

FCS_TLSS_EXT.6TLSServerTLS1.3ResumptionRefinements

Theinclusionofthisselection-basedcomponentdependsuponselectioninFCS_TLSS_EXT.5.1.

FCS_TLSS_EXT.6.1TheTSFshallsupportTLS1.3resumptionusingPSKwithpsk_key_exchange_modeextensionwiththevaluepsk_dhe.

FCS_TLSS_EXT.6.2TheTSFshallignoreearlydatareceivedinTLS1.3sessions.

ApplicationNote:ThisSFRisclaimedwhensessionresumptionissupportedforTLS1.3.RFC8446allowspre-sharedkeystobeuseddirectlyandalsoallowsearlydatatobeprotectedusingonlythepre-sharedkey.ThisSFRrefinestheRFCtousePSKonlywithasupplementalDHEorECDHEkeyexchangetoensureperfectforwardsecrecyforallsessions.

This SFR is claimed if "PSK and tickets in accordance with RFC 8446" is selected in FCS_TLSS_EXT.5.1.

Evaluation Activities

FCS_TLSS_EXT.6
TSS
The evaluator shall examine the ST to confirm that the TLS description includes details on session resumption for TLS 1.3, describes each application capable of using TLS 1.3 with PSK, and describes how the TSF and application respond to client attempts to use early data (including via logging or observable responses). The evaluator shall confirm that the TLS description shows that only the psk_dhe_ke psk_key_exchange_mode is supported and that early information is ignored.

Guidance
The evaluator shall examine the operational guidance to verify that instructions for any configurable features that are required to meet the requirement are included.

Tests
The evaluator shall follow the operational guidance to configure the TSF to negotiate TLS 1.3 and shall perform the following tests:

Test 31: The evaluator shall attempt a resumed session (as for FCS_TLSS_EXT.5 Test 1) but using psk_ke mode as the value for the psk_key_exchange_mode in the resumption client hello. The evaluator shall observe that the TSF refuses to resume the session, either by completing a full TLS 1.3 handshake or by terminating the session.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., illegal parameter) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 32: The evaluator shall initiate a resumed session (as for FCS_TLSS_EXT.5 Test 1) with a test TLS 1.3 client attempting to provide early data that provokes a known reaction at the TOE if received. The evaluator shall observe that the TSF does not react to the early data, indicating that the data was ignored.

Note: The specific early data used may depend on the applications calling the TLS session and should be selected to initiate an observable response in the TSF or calling application as described in the ST. For HTTPS, for example, the early data can be an HTTP POST that updates data at the TOE, which can then be observed via a user interface for the application if the data was posted or via application logging indicating that the operation failed.
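The server-side policy that FCS_TLSS_EXT.6.1 and FCS_TLSS_EXT.6.2 require, and that Tests 31 and 32 exercise, can be expressed as a decision over the resumption ClientHello's extensions. The following is an added example, not code from the package or any TOE: it parses the psk_key_exchange_modes (45), early_data (42) and pre_shared_key (41) extensions from a constructed extensions vector and resumes only when psk_dhe_ke is offered, never accepting early data.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# TLS 1.3 extension types (RFC 8446, Section 4.2) and PskKeyExchangeMode values
EXT_PRE_SHARED_KEY = 41
EXT_EARLY_DATA = 42
EXT_PSK_KEY_EXCHANGE_MODES = 45
PSK_KE = 0      # PSK alone: the resumed session has no forward secrecy
PSK_DHE_KE = 1  # PSK combined with (EC)DHE: the only mode FCS_TLSS_EXT.6.1 permits

def parse_extensions(blob: bytes) -> Dict[int, bytes]:
    """Parse a ClientHello extensions vector: 2-byte total length, then type/length/data entries."""
    (total,) = struct.unpack("!H", blob[:2])
    body, off, exts = blob[2:2 + total], 0, {}
    while off + 4 <= len(body):
        ext_type, ext_len = struct.unpack("!HH", body[off:off + 4])
        exts[ext_type] = body[off + 4:off + 4 + ext_len]
        off += 4 + ext_len
    return exts

def build_extensions(entries: List[Tuple[int, bytes]]) -> bytes:
    """Constructed test input: encode (type, data) pairs in the same vector format."""
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in entries)
    return struct.pack("!H", len(body)) + body

@dataclass
class Decision:
    resume: bool             # accept the PSK and resume the session
    accept_early_data: bool  # always False under FCS_TLSS_EXT.6.2
    reason: str

def decide_resumption(exts: Dict[int, bytes]) -> Decision:
    """Server policy refined by FCS_TLSS_EXT.6: resume only with psk_dhe_ke, never accept early data."""
    if EXT_PRE_SHARED_KEY not in exts:
        return Decision(False, False, "no PSK offered: full handshake")
    if EXT_PSK_KEY_EXCHANGE_MODES not in exts:
        # RFC 8446, 4.2.9: pre_shared_key without psk_key_exchange_modes is a protocol error
        return Decision(False, False, "psk_key_exchange_modes missing: abort handshake")
    modes_blob = exts[EXT_PSK_KEY_EXCHANGE_MODES]
    modes = list(modes_blob[1:1 + modes_blob[0]]) if modes_blob else []  # ke_modes<1..255>
    if PSK_DHE_KE not in modes:
        # Test 31: the client offered psk_ke only; fall back to a full handshake
        # (a fatal illegal_parameter alert is the preferred alternative)
        return Decision(False, False, "psk_dhe_ke not offered: full handshake")
    if EXT_EARLY_DATA in exts:
        # Test 32: the server never echoes early_data in EncryptedExtensions, so the
        # client's 0-RTT records are skipped rather than delivered to the application
        return Decision(True, False, "resume with psk_dhe_ke; early data ignored")
    return Decision(True, False, "resume with psk_dhe_ke")
```

The pre_shared_key bodies in the constructed input are placeholders; binder validation and ticket lookup are outside what this policy check shows.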

FCS_DTLSC_EXT.1 DTLS Client Protocol

The inclusion of this selection-based component depends upon selection in FCS_TLS_EXT.1.1.

FCS_DTLSC_EXT.1.1 The product shall implement DTLS 1.2 (RFC 6347) and [selection: DTLS 1.0 (RFC 4347), no earlier DTLS versions] as a client that supports the ciphersuites [selection:

TLS_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246
TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246
TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246
TLS_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289

] and also supports functionality for [selection: mutual authentication, none

].

Application Note: If any ECDHE or DHE ciphersuites are selected, then FCS_TLSC_EXT.5 is required.

If mutual authentication is selected, then the ST must additionally include the requirements from FCS_DTLSC_EXT.2. If the TOE implements mutual authentication, this selection must be made.

Differences between DTLS 1.2 and TLS 1.2 are outlined in RFC 6347; otherwise the protocols are the same. All application notes listed for FCS_TLSC_EXT.1.1 that are relevant to DTLS apply to this requirement.

FCS_DTLSC_EXT.1.2 The product shall verify that the presented identifier matches the reference identifier according to RFC 6125.

Application Note: The TLSC element has changed. Not sure if this note makes sense. All application notes listed for FCS_TLSC_EXT.1.5 that are relevant to DTLS apply to this requirement.

FCS_DTLSC_EXT.1.3 The product shall not establish a trusted channel if the server certificate is invalid [selection: with no exceptions, except when override is authorized].

Application Note: All application notes listed for FCS_TLSC_EXT.1.6 that are relevant to DTLS apply to this requirement.

FCS_DTLSC_EXT.1.4 The product shall [selection, choose one of: terminate the DTLS session, silently discard the record] if a message received contains an invalid MAC or if decryption fails in the case of GCM and other AEAD ciphersuites.

Evaluation Activities

FCS_DTLSC_EXT.1
Tests
The evaluator shall perform the evaluation activities listed for FCS_TLSC_EXT.1.6.

FCS_DTLSC_EXT.1.1
Tests
The evaluator shall perform the evaluation activities listed for FCS_TLSC_EXT.1.1, but ensuring that DTLS (and not TLS) is used in each evaluation activity.

For tests which involve version numbers, note that in DTLS the on-the-wire representation is the 1's complement of the corresponding textual DTLS version numbers. This is described in Section 4.1 of RFC 6347 and RFC 4347. For example, DTLS 1.0 is represented by the bytes 0xfe 0xff, while the undefined DTLS 1.4 would be represented by the bytes 0xfe 0xfb.

FCS_DTLSC_EXT.1.2
Tests
The evaluator shall perform the evaluation activities listed for FCS_TLSC_EXT.1.5.

FCS_DTLSC_EXT.1.4
TSS
The evaluator shall verify that the TSS describes the actions that take place if a message received from the DTLS Server fails the MAC integrity check.

Tests
The evaluator shall establish a connection using a server. The evaluator will then modify at least one byte in a record message, and verify that the client discards the record or terminates the DTLS session.

FCS_DTLSC_EXT.2 DTLS Client Support for Mutual Authentication

The inclusion of this selection-based component depends upon selection in FCS_DTLSC_EXT.1.1.

FCS_DTLSC_EXT.2.1 The product shall support mutual authentication using X.509v3 certificates.

Application Note: All application notes listed for FCS_TLSC_EXT.2.1 that are relevant to DTLS apply to this requirement.

Evaluation Activities

FCS_DTLSC_EXT.2
Tests
The evaluator shall perform the evaluation activities listed for FCS_TLSC_EXT.2.1.

FCS_DTLSS_EXT.1 DTLS Server Protocol

The inclusion of this selection-based component depends upon selection in FCS_TLS_EXT.1.1.

FCS_DTLSS_EXT.1.1 The product shall implement DTLS 1.2 (RFC 6347) and [selection: DTLS 1.0 (RFC 4347), no earlier DTLS versions] as a server that supports the ciphersuites [selection:

TLS_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246
TLS_RSA_WITH_AES_256_CBC_SHA as defined in RFC 5246
TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246
TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246
TLS_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5288
TLS_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5288
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289

] and no other ciphersuites, and also supports functionality for [selection: mutual authentication, none

].

Application Note: If mutual authentication is selected, then the ST must additionally include the requirements from FCS_DTLSS_EXT.2. If the TOE implements mutual authentication, this selection must be made.

All application notes listed for FCS_TLSS_EXT.1.1 that are relevant to DTLS apply to this requirement.

FCS_DTLSS_EXT.1.2 The product shall deny connections from clients requesting [assignment: list of DTLS protocol versions].

Application Note: Any specific DTLS version not selected in FCS_DTLSS_EXT.1.1 should be assigned here. This version of the FP does not require the server to deny DTLS 1.0, and if the TOE supports DTLS 1.0 then "none" can be assigned. In a future version of this FP, DTLS 1.0 will be required to be denied.

FCS_DTLSS_EXT.1.3 The product shall not proceed with a connection handshake attempt if the DTLS Client fails validation.

Application Note: The process to validate the IP address of a DTLS client is specified in section 4.2.1 of RFC 6347 (DTLS 1.2) and RFC 4347 (DTLS 1.0). The server validates the DTLS client during Connection Establishment (Handshaking) and prior to sending a ServerHello message. After receiving a ClientHello, the DTLS Server sends a HelloVerifyRequest along with a cookie. The cookie is a signed message using a keyed hash function. The DTLS Client then sends another ClientHello with the cookie attached. If the DTLS server successfully verifies the signed cookie, the Client is not using a spoofed IP address.
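The stateless cookie exchange described in this note, and the FCS_DTLSS_EXT.1.3 test of modifying a byte of the cookie, can be shown end to end. The following is an added example, not code from the package or any TOE: it follows the RFC 6347 suggestion of Cookie = HMAC(Secret, Client-IP, Client-Parameters), with HMAC-SHA256, a constructed server secret and a constructed ClientHello body as assumptions.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# RFC 6347, Section 4.2.1 suggests Cookie = HMAC(Secret, Client-IP, Client-Parameters): the
# server keeps only the secret, so it commits no per-client state before the client shows
# it can receive datagrams at the claimed source address.
COOKIE_MAX_LEN = 255  # cookie<0..2^8-1> in the DTLS 1.2 ClientHello and HelloVerifyRequest

def make_cookie(secret: bytes, client_addr: str, client_params: bytes) -> bytes:
    """Cookie the server places in HelloVerifyRequest for this source address and ClientHello."""
    mac = hmac.new(secret, digestmod=hashlib.sha256)
    mac.update(client_addr.encode())
    mac.update(client_params)  # client_version, random, session_id, cipher_suites, compression
    cookie = mac.digest()
    assert len(cookie) <= COOKIE_MAX_LEN
    return cookie

def verify_cookie(secret: bytes, client_addr: str, client_params: bytes, cookie: bytes) -> bool:
    """True only if the cookie was issued by this server for this address and these parameters."""
    if not cookie:
        return False
    expected = make_cookie(secret, client_addr, client_params)
    return hmac.compare_digest(expected, cookie)  # constant-time comparison

def handle_client_hello(secret: bytes, client_addr: str, client_params: bytes,
                        cookie: bytes = b"") -> Tuple[str, Optional[bytes]]:
    """One stateless server step (FCS_DTLSS_EXT.1.3): a ClientHello without a cookie gets a
    HelloVerifyRequest; one with a valid cookie proceeds to ServerHello; anything else is rejected."""
    if not cookie:
        return ("HelloVerifyRequest", make_cookie(secret, client_addr, client_params))
    if verify_cookie(secret, client_addr, client_params, cookie):
        return ("ServerHello", None)
    # A modified cookie (the FCS_DTLSS_EXT.1.3 test) or a cookie replayed from another
    # source address fails here; the server never sends ServerHello for it.
    return ("rejected", None)

# Constructed sample values (not from the page): a server secret and a DTLS 1.2 ClientHello body
# (client_version 0xfe 0xfd, zeroed random, empty session_id, one ciphersuite, null compression).
SAMPLE_SECRET = b"constructed-server-secret-rotate-periodically"
SAMPLE_PARAMS = b"\xfe\xfd" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
```

A production server rotates the secret and accepts the previous one for a short window so that in-flight handshakes are not rejected at rotation.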

FCS_DTLSS_EXT.1.4 The product shall perform key establishment for DTLS using [selection:

RSA with size [selection: 2048 bits, 3072 bits, 4096 bits, no other sizes]
Diffie-Hellman parameters with size [selection: 2048 bits, 3072 bits, 4096 bits, 6144 bits, 8192 bits, no other size]
Diffie-Hellman groups [selection: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, no other groups]
ECDHE parameters using elliptic curves [selection: secp256r1, secp384r1, secp521r1] and no other curves
no other key establishment methods

].

Application Note: If the ST lists an RSA ciphersuite in FCS_DTLSS_EXT.1.1, the ST must include the RSA selection in the requirement. If the ST lists a DHE ciphersuite in FCS_DTLSS_EXT.1.1, the ST must include either the Diffie-Hellman selection for parameters of a certain size, or for particular Diffie-Hellman groups. If the ST lists an ECDHE ciphersuite in FCS_DTLSS_EXT.1.1, the ST must include the NIST curves selection in the requirement.

FCS_DTLSS_EXT.1.5 The product shall [selection, choose one of: terminate the DTLS session, silently discard the record] if a message received contains an invalid MAC or if decryption fails in the case of GCM and other AEAD ciphersuites.

Evaluation Activities

FCS_DTLSS_EXT.1.1
Tests
The evaluator shall perform the evaluation activities listed for FCS_TLSS_EXT.1.1, but ensuring that DTLS (and not TLS) is used in each stage of the evaluation activities.

For tests which involve version numbers, note that in DTLS the on-the-wire representation is the 1's complement of the corresponding textual DTLS version numbers. This is described in Section 4.1 of RFC 6347 and RFC 4347. For example, DTLS 1.0 is represented by the bytes 0xfe 0xff, while the undefined DTLS 1.4 would be represented by the bytes 0xfe 0xfb.

FCS_DTLSS_EXT.1.2
The following evaluation activities shall be conducted unless "none" is assigned.

TSS
The evaluator shall verify that the TSS contains a description of the denial of old DTLS versions consistent relative to selections in FCS_DTLSS_EXT.1.2.

Guidance
The evaluator shall verify that the operational guidance includes any configuration necessary to meet this requirement.

Tests
Test 33: The evaluator shall send a ClientHello requesting a connection with each version of DTLS specified in the selection and verify that the server denies the connection.

FCS_DTLSS_EXT.1.3
TSS
The evaluator shall verify that the TSS describes how the DTLS Client IP address is validated prior to issuing a ServerHello message.

Tests
Modify at least one byte in the cookie from the Server's HelloVerifyRequest message, and verify that the Server rejects the Client's handshake message.

FCS_DTLSS_EXT.1.4
Tests
The evaluator shall perform the evaluation activities listed for FCS_TLSS_EXT.1.5.

FCS_DTLSS_EXT.1.5
TSS
The evaluator shall verify that the TSS describes the actions that take place if a message received from the DTLS client fails the MAC integrity check.

Tests
The evaluator shall establish a connection using a client. The evaluator will then modify at least one byte in a record message, and verify that the server discards the record or terminates the DTLS session.

FCS_DTLSS_EXT.2 DTLS Server Support for Mutual Authentication

The inclusion of this selection-based component depends upon selection in FCS_DTLSS_EXT.1.1.

FCS_DTLSS_EXT.2.1 The product shall support mutual authentication of DTLS clients using X.509v3 certificates.

Application Note: All application notes listed for FCS_TLSS_EXT.2.1 that are relevant to DTLS apply to this requirement.

FCS_DTLSS_EXT.2.2 The product shall not establish a trusted channel if the client certificate is invalid.

Application Note: This used to point to FCS_TLSS_EXT.2.2 which doesn't exist.

FCS_DTLSS_EXT.2.3 The product shall not establish a trusted channel if the Distinguished Name (DN) or Subject Alternative Name (SAN) contained in a certificate does not match one of the expected identifiers for the client.

Application Note: This used to point to FCS_TLSS_EXT.2.3, but wording changed.

Evaluation Activities

FCS_DTLSS_EXT.2.1
Tests
The evaluator shall perform the evaluation activities listed for FCS_TLSS_EXT.2.1.

FCS_DTLSS_EXT.2.2
Tests
This used to point to FCS_TLSS_EXT.2.2 which doesn't exist.

FCS_DTLSS_EXT.2.3
Tests
This used to point to FCS_TLSS_EXT.2.3, but wording changed.

Appendix C - Acronyms

Acronym           Meaning
AES               Advanced Encryption Standard
Base-PP           Base Protection Profile
CA                Certificate Authority
CBC               Cipher Block Chaining
CC                Common Criteria
CEM               Common Evaluation Methodology
CN                Common Name
cPP               Collaborative Protection Profile
DHE               Diffie-Hellman Ephemeral
DN                Distinguished Name
DNS               Domain Name Server
DTLS              Datagram Transport Layer Security
EAP               Extensible Authentication Protocol
ECDHE             Elliptic Curve Diffie-Hellman Ephemeral
ECDSA             Elliptic Curve Digital Signature Algorithm
EP                Extended Package
FP                Functional Package
GCM               Galois/Counter Mode
HTTP              Hypertext Transfer Protocol
IETF              Internet Engineering Task Force
IP                Internet Protocol
NIST              National Institute of Standards and Technology
OE                Operational Environment
PP                Protection Profile
PP-Configuration  Protection Profile Configuration
PP-Module         Protection Profile Module
RFC               Request for Comment (IETF)
RSA               Rivest Shamir Adelman
SAN               Subject Alternative Name
SAR               Security Assurance Requirement
SCSV              Signaling Cipher Suite Value
SFR               Security Functional Requirement
SHA               Secure Hash Algorithm
ST                Security Target
TCP               Transmission Control Protocol
TLS               Transport Layer Security
TOE               Target of Evaluation
TSF               TOE Security Functionality
TSFI              TSF Interface
TSS               TOE Summary Specification
UDP               User Datagram Protocol
URI               Uniform Resource Identifier
URL               Uniform Resource Locator

Appendix D - Bibliography

Identifier  Title
[CC]        Common Criteria for Information Technology Security Evaluation - Part 1: Introduction and General Model, CCMB-2017-04-001, Version 3.1 Revision 5, April 2017. Part 2: Security Functional Components, CCMB-2017-04-002, Version 3.1 Revision 5, April 2017. Part 3: Security Assurance Components, CCMB-2017-04-003, Version 3.1 Revision 5, April 2017.
