Functional Package for Transport Layer Security (TLS)
Version: 2.0-draft 2022-08-24
National Information Assurance Partnership
Revision History
Version Date Comment
1.0 2018-12-17 First publication
1.1 2019-03-01 Clarifications regarding override for invalid certificates, renegotiation_info extension, DTLS versions, and named Diffie-Hellman groups in DTLS contexts
2.0 2022-08-24 Added audit events, added TLS 1.3 support, deprecated TLS 1.0 and 1.1, updated algorithms/ciphersuites in accordance with CNSA suite RFC and to consider PSK, restructured SFRs for clarity
Contents
1 Introduction
1.1 Overview
1.2 Terms
1.2.1 Common Criteria Terms
1.2.2 Technical Terms
1.3 Compliant Targets of Evaluation
2 Conformance Claims
3 Security Functional Requirements
3.1 Auditable Events for Mandatory SFRs
3.2 Cryptographic Support (FCS)
Appendix A - Optional Requirements
A.1 Strictly Optional Requirements
A.2 Objective Requirements
A.3 Implementation-based Requirements
Appendix B - Selection-based Requirements
B.1 Auditable Events for Selection-based Requirements
B.2 Cryptographic Support (FCS)
Appendix C - Acronyms
Appendix D - Bibliography
1 Introduction
1.1 Overview
Transport Layer Security (TLS) and the closely-related Datagram TLS (DTLS) are cryptographic protocols designed to provide communications security over IP networks. Several versions of the protocol are in widespread use in software that provides functionality such as web browsing, email, instant messaging, and voice-over-IP (VoIP). Major websites use TLS to protect communications to and from their servers. TLS is also used to protect communications between hosts and network infrastructure devices for administration. The underlying platform, such as an operating system, often provides the actual TLS implementation. The primary goal of the TLS protocol is to provide confidentiality and integrity of data transmitted between two communicating endpoints, as well as authentication of at least the server endpoint. TLS supports many different methods for exchanging keys, encrypting data, and authenticating message integrity. These methods are dynamically negotiated between the client and server when the TLS connection is established. As a result, evaluating the implementation of both endpoints is typically necessary to provide assurance for the operating environment. This "Functional Package for Transport Layer Security" (short name "TLS-PKG") defines functional requirements for the implementation of the TLS and DTLS protocols. The requirements are intended to improve the security of products by enabling their evaluation.
1.2 Terms
The following sections list Common Criteria and technology terms used in this document.
1.2.1 Common Criteria Terms
Assurance
Grounds for confidence that a TOE meets the SFRs [CC].
Base Protection Profile (Base-PP)
Protection Profile used as a basis to build a PP-Configuration.
Collaborative Protection Profile (cPP)
A Protection Profile developed by international technical communities and approved by multiple schemes.
Common Criteria (CC)
Common Criteria for Information Technology Security Evaluation (International Standard ISO/IEC 15408).
Common Criteria Testing Laboratory
Within the context of the Common Criteria Evaluation and Validation Scheme (CCEVS), an IT security evaluation facility accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) and approved by the NIAP Validation Body to conduct Common Criteria-based evaluations.
Common Evaluation Methodology (CEM)
Common Evaluation Methodology for Information Technology Security Evaluation.
Distributed TOE
A TOE composed of multiple components operating as a logical whole.
Extended Package (EP)
A deprecated document form for collecting SFRs that implement a particular protocol, technology, or functionality. See Functional Packages.
Functional Package (FP)
A document that collects SFRs for a particular protocol, technology, or functionality.
Operational Environment (OE)
Hardware and software that are outside the TOE boundary that support the TOE functionality and security policy.
Protection Profile (PP)
An implementation-independent set of security requirements for a category of products.
Protection Profile Configuration (PP-Configuration)
A comprehensive set of security requirements for a product type that consists of at least one Base-PP and at least one PP-Module.
Protection Profile Module (PP-Module)
An implementation-independent statement of security needs for a TOE type complementary to one or more Base-PPs.
Security Assurance Requirement (SAR)
A requirement to assure the security of the TOE.
Security Functional Requirement (SFR)
A requirement for security enforcement by the TOE.
Security Target (ST)
A set of implementation-dependent security requirements for a specific product.
Target of Evaluation (TOE)
The product under evaluation.
TOE Security Functionality (TSF)
The security functionality of the product under evaluation.
TOE Summary Specification (TSS)
A description of how a TOE satisfies the SFRs in an ST.
1.2.2 Technical Terms
Certificate Authority (CA)
Issuer of digital certificates.
Datagram Transport Layer Security (DTLS)
Cryptographic network protocol, based on TLS, which provides communications security for datagram protocols.
Transport Layer Security (TLS)
Cryptographic network protocol for providing communications security over a TCP/IP network.
1.3 Compliant Targets of Evaluation
The Target of Evaluation (TOE) in this Package is a product which acts as a (D)TLS client, a (D)TLS server, or both. This Package describes the security functionality of TLS and DTLS in terms of [CC]. The contents of this Package must be appropriately combined with a PP or PP-Module. When this Package is instantiated by a PP or PP-Module, the Package must include selection-based requirements in accordance with the selections or assignments indicated in the PP or PP-Module. These may be expanded by the ST author. The PP or PP-Module which instantiates this Package must typically include the following components in order to satisfy dependencies of this Package. It is the responsibility of the PP or PP-Module author who instantiates this Package to ensure that dependence on these components is satisfied:
Component Explanation
FCS_CKM.1 To support TLS ciphersuites that use RSA, DHE or ECDHE for key exchange, the PP or PP-Module must include FCS_CKM.1 and specify the corresponding key generation algorithm.
FCS_CKM.2 To support TLS ciphersuites that use RSA, DHE or ECDHE for key exchange, the PP or PP-Module must include FCS_CKM.2 and specify the corresponding algorithm.
FCS_COP.1 To support TLS ciphersuites that use AES for encryption and decryption, the PP or PP-Module must include FCS_COP.1 (iterating as needed) and specify AES with corresponding key sizes and modes. To support TLS ciphersuites that use SHA for hashing, the PP or PP-Module must include FCS_COP.1 (iterating as needed) and specify SHA with corresponding digest sizes.
FCS_RBG_EXT.1 To support random bit generation needed for the TLS handshake, the PP or PP-Module must include FCS_RBG_EXT.1.
FIA_X509_EXT.1 To support validation of certificates needed during TLS connection setup, the PP or PP-Module must include FIA_X509_EXT.1.
FIA_X509_EXT.2 To support the use of X509 certificates for authentication in TLS connection setup, the PP or PP-Module must include FIA_X509_EXT.2.
An ST must identify the applicable version of the PP or PP-Module and this Package in its conformance claims.
2 Conformance Claims
Conformance Statement
An ST must claim exact conformance to this PP-Package, as defined in the CC and CEM addenda for Exact Conformance, Selection-based SFRs, and Optional SFRs (dated May 2017).
CC Conformance Claims
This PP-Package is conformant to Parts 2 (extended) and 3 (conformant) of Common Criteria Version 3.1, Revision 5.
PP Claim
This PP-Package does not claim conformance to any Protection Profile.
Package Claim
This PP-Package does not claim conformance to any packages.
Conformance Statement
This Package serves to provide Protection Profiles with additional SFRs and associated Evaluation Activities specific to TLS clients and servers. This Package conforms to Common Criteria [CC] for Information Technology Security Evaluation, Version 3.1, Revision 5. It is CC Part 2 extended conformant. In accordance with CC Part 1, dependencies are not included when they are addressed by other SFRs. The evaluation activities provide adequate proof that any dependencies are also satisfied.
3 Security Functional Requirements
This chapter describes the security requirements which have to be fulfilled by the product under evaluation. Those requirements comprise functional components from Part 2 of [CC]. The following conventions are used for the completion of operations:
Refinement operation (denoted by bold text or strikethrough text): Is used to add details to a requirement (including replacing an assignment with a more restrictive selection) or to remove part of the requirement that is made irrelevant through the completion of another operation, and thus further restricts a requirement.
Selection (denoted by italicized text): Is used to select one or more options provided by the [CC] in stating a requirement.
Assignment operation (denoted by italicized text): Is used to assign a specific value to an unspecified parameter, such as the length of a password. Showing the value in square brackets indicates assignment.
Iteration operation: Is indicated by appending the SFR name with a slash and unique identifier suggesting the purpose of the operation, e.g. "/EXAMPLE1."
3.1 Auditable Events for Mandatory SFRs
The auditable events specified in this Functional Package are included in a Security Target if the incorporating PP or PP-Module supports audit event reporting through FAU_GEN.1 and all other criteria in the incorporating PP or PP-Module are met.
Table 1: Auditable Events for Mandatory Requirements
Requirement Auditable Events Additional Audit Record Contents
FCS_TLS_EXT.1 No events specified N/A
3.2 Cryptographic Support (FCS)
FCS_TLS_EXT.1 TLS Protocol
FCS_TLS_EXT.1.1 The TSF shall implement [selection: TLS as a client, TLS as a server, DTLS as a client, DTLS as a server].
Application Note: If TLS as a client is selected, then the ST must include the requirements from FCS_TLSC_EXT.1. If TLS as a server is selected, then the ST must include the requirements from FCS_TLSS_EXT.1.
If DTLS as a client is selected, then the ST must include the requirements from FCS_DTLSC_EXT.1. If DTLS as a server is selected, then the ST must include the requirements from FCS_DTLSS_EXT.1.
Evaluation Activities
FCS_TLS_EXT.1
TSS
The evaluator shall examine the TSS to verify that the TLS and DTLS claims are consistent with those selected in the SFR.
Guidance
The evaluator shall ensure that the selections indicated in the ST are consistent with selections in the dependent components.
Tests
There are no test activities for this SFR; the following information is provided as an overview of the expected functionality and test environment for all subsequent SFRs.
Figure 1: TLS Hello
The chart above provides an overview of the TLS hello messages, the content and protections, and the establishment of cryptographic keys in support of the protections.
Blue text indicates a message or content unique to TLS 1.2. Green text indicates uniqueness to TLS 1.3. Black text indicates features common to both TLS 1.2 and TLS 1.3. Bold text indicates mandatory features. Italics emphasizes optional features. A shaded text box indicates that the message is encrypted for TLS 1.2 (blue), TLS 1.3 (green) or both TLS 1.2 and TLS 1.3 (grey). An outlined text box indicates that the content in the message is signed, and/or provides authentication of the handshake to that point.
Test Environment: Tests for TLS 1.2 and TLS 1.3 include examination of the handshake messages and behavior of the TSF when presented with unexpected or invalid messages. For TLS 1.2 and below, previous versions of this Functional Package only required visibility of network traffic and the ability to modify a valid handshake message sent to the TSF.
Figure 2: Test environment for TLS 1.2 using network traffic visibility and control tools
TLS 1.3 introduces the encryption of handshake messages subsequent to the server hello exchange which prevents visibility and control using midpoint capabilities. To achieve equivalent validation of TLS 1.3 requires the ability to modify the traffic underlying the encryption applied after the server hello message. This can be achieved by introducing additional control of the messages sent, and visibility of messages received by the test TLS client, when validating TLS server functionality, or test server, when validating TLS client functionality.
Figure 3: Test environment for TLS 1.3 using custom endpoint capabilities for visibility and control
Typically, a compliant TLS 1.3 library modified to provide visibility and control of the handshake messages prior to encryption suffices for all tests. Such modification will require the test client and/or server to be validated. Since validations of products supporting only TLS 1.2 are still expected under this Package, the test environment for TLS 1.2-only validations may include network sniffers and man-in-the-middle products that do not require such modifications to a compliant TLS 1.2 library. For consistency, a compliant TLS client (or TLS server) together with the network sniffers and man-in-the-middle capabilities will also be referred to as a test TLS client (or test TLS server, respectively) in the following evaluation activities.
Figure 4: Combined test environment for TLS 1.2 and TLS 1.3 using both network tools and custom endpoint capabilities
Appendix A - Optional Requirements
As indicated in the introduction to this PP-Package, the baseline requirements (those that must be performed by the TOE) are contained in the body of this PP-Package. This appendix contains three other types of optional requirements that may be included in the ST, but are not required in order to conform to this PP-Package. However, applied modules, packages and/or use cases may refine specific requirements as mandatory.
The first type (A.1 Strictly Optional Requirements) are strictly optional requirements that are independent of the TOE implementing any function. If the TOE fulfills any of these requirements or supports a certain functionality, the vendor is encouraged to include the SFRs in the ST, but they are not required in order to conform to this PP-Package.
The second type (A.2 Objective Requirements) are objective requirements that describe security functionality not yet widely available in commercial technology. The requirements are not currently mandated in the body of this PP-Package, but will be included in the baseline requirements in future versions of this PP-Package. Adoption by vendors is encouraged and expected as soon as possible.
The third type (A.3 Implementation-based Requirements) are dependent on the TOE implementing a particular function. If the TOE fulfills any of these requirements, the vendor must either add the related SFR or disable the functionality for the evaluated configuration.
A.1 Strictly Optional Requirements
This PP-Package does not define any Strictly Optional requirements.
A.2 Objective Requirements
This PP-Package does not define any Objective requirements.
A.3 Implementation-based Requirements
This PP-Package does not define any Implementation-based requirements.
Appendix B - Selection-based Requirements
As indicated in the introduction to this PP-Package, the baseline requirements (those that must be performed by the TOE or its underlying platform) are contained in the body of this PP-Package. There are additional requirements based on selections in the body of the PP-Package: if certain selections are made, then additional requirements below must be included.
B.1 Auditable Events for Selection-based Requirements
The auditable events in the table below are included in a Security Target if both the associated requirement is included and the incorporating PP or PP-Module supports audit event reporting through FAU_GEN.1 and any other criteria in the incorporating PP or PP-Module are met.
Table 2: Auditable Events for Selection-based Requirements
Requirement Auditable Events Additional Audit Record Contents
FCS_DTLSC_EXT.1 [selection: Failure of the certificate validity check, None] Issuer Name and Subject Name of certificate.
FCS_DTLSC_EXT.2 No events specified N/A
FCS_DTLSS_EXT.1 [selection: Failure of the certificate validity check, None] Issuer Name and Subject Name of certificate.
FCS_DTLSS_EXT.2 No events specified N/A
FCS_TLSC_EXT.1 [selection: Failure to establish a TLS session, None] Reason for failure.
[selection: Failure to verify presented identifier, None] Presented identifier and reference identifier.
[selection: Establishment/termination of a TLS session, None] Non-TOE endpoint of connection.
FCS_TLSC_EXT.2 No events specified N/A
FCS_TLSC_EXT.3 No events specified N/A
FCS_TLSC_EXT.4 No events specified N/A
FCS_TLSC_EXT.5 No events specified N/A
FCS_TLSC_EXT.6 No events specified N/A
FCS_TLSS_EXT.1 [selection: Failure to establish a TLS session, None] Reason for failure.
FCS_TLSS_EXT.2 No events specified N/A
FCS_TLSS_EXT.3 No events specified N/A
FCS_TLSS_EXT.4 No events specified N/A
FCS_TLSS_EXT.5 No events specified N/A
FCS_TLSS_EXT.6 No events specified N/A
B.2 Cryptographic Support (FCS)
FCS_TLSC_EXT.1 TLS Client Protocol
The inclusion of this selection-based component depends upon selection in FCS_TLS_EXT.1.1.
FCS_TLSC_EXT.1.1 The TSF shall implement TLS 1.2 (RFC 5246) and [selection: TLS 1.3 (RFC 8446), no other TLS version] as a client that supports additional functionality for session renegotiation protection and [selection: mutual authentication, supplemental downgrade protection, session resumption, no optional functionality] and shall abort attempts by a server to negotiate all other TLS or SSL versions.
Application Note: Session renegotiation protection is required for both TLS 1.2 and TLS 1.3, and the ST must include the requirements from FCS_TLSC_EXT.4. Within FCS_TLSC_EXT.4, options for implementation of secure session renegotiation for TLS 1.2, or rejecting renegotiation requests, are claimed.
The ST author will claim TLS 1.3 functionality if supported, and optional functionality as appropriate for the claimed versions.
If "mutual authentication" is selected, then the ST must additionally include the requirements from FCS_TLSC_EXT.2. If the TOE implements mutual authentication, this selection must be made.
If "supplemental downgrade protection" is selected, then the ST must additionally include the requirements from FCS_TLSC_EXT.3. This is claimed if TLS 1.3 is supported, or if the product supports TLS 1.1 or below downgrade protection using the mechanism described in RFC 8446.
If "session resumption" is selected, then the ST must additionally include the requirements from FCS_TLSC_EXT.5.
FCS_TLSC_EXT.1.2 The TSF shall be able to support the following TLS 1.2 ciphersuites: [selection:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289, RFC 8422
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289, RFC 8422
TLS_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289
TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289
TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246
TLS_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246
PP-specific ciphersuites using pre-shared secrets including [selection:
TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 as defined in RFC 8442
TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 as defined in RFC 5487
TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 as defined in RFC 5487
TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 as defined in RFC 8442
TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 as defined in RFC 5487
TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 as defined in RFC 5487
]
] and the following TLS 1.3 ciphersuites: [selection:
TLS_AES_256_GCM_SHA384 as defined in RFC 8446
TLS_AES_128_GCM_SHA256 as defined in RFC 8446
[assignment: other TLS 1.3 ciphersuites]
], offering the supported ciphersuites in a client hello message in preference order: [assignment: list of supported ciphersuites].
Application Note: The ST author should select the ciphersuites that are supported, and must select at least one ciphersuite for each TLS version supported. The ciphersuites to be tested in the evaluated configuration are limited by this requirement. However, this requirement does not restrict the TOE's ability to propose additional non-deprecated ciphersuites beyond the ones listed in this requirement in its Client Hello message as indicated in the ST. That is, the TOE may propose any ciphersuite not excluded by this element, but the evaluation will only test ciphersuites from the above list. It is necessary to limit the ciphersuites that can be used in an evaluated configuration administratively on the server in the test environment.
TLS 1.3 ciphersuites are claimed if support for TLS 1.3 is claimed in FCS_TLSC_EXT.1.1. The assignment of preference order provides an ordered list of all supported ciphersuites with the most preferred ciphersuites listed first. Ciphersuites listed in [RFC 9151, "CNSA Suite TLS Profile"] are preferred over all other ciphersuites, GCM ciphersuites are preferred over CBC ciphersuites, ECDHE is preferred over RSA and DHE, and SHA256 or SHA384 over SHA1.
Ciphersuites for TLS 1.2 are of the form TLS_{key exchange algorithm}_WITH_{encryption algorithm}_{message digest algorithm}, and are listed in the TLS parameters section of the internet assignments at iana.org.
FCS_TLSC_EXT.1.3 The TSF shall not offer the following ciphersuites indicating the following:
the null encryption component
support for anonymous servers
use of deprecated or export-grade cryptography including DES, 3DES, RC2, RC4, or IDEA for encryption
use of MD
and shall abort sessions where a server attempts to negotiate ciphersuites not enumerated in the client hello message.
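As an added illustration of the preference-order rules in the application note and the exclusions in FCS_TLSC_EXT.1.3 (this is example code, not part of the Package and not an NIAP tool), the following Python checks an offered ciphersuite list the way an evaluator reads one from a client hello: it flags suites that must not be offered and reports adjacent pairs that violate the ordering rules. The suite-name parsing, rank encoding and the sample offer list are this example's own constructions.

```python
import re

# Ciphersuites singled out by RFC 9151 (CNSA Suite TLS Profile); the application
# note says these are preferred over all others.
CNSA_SUITES = {
    "TLS_AES_256_GCM_SHA384",                   # TLS 1.3
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",  # TLS 1.2
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

# Encryption-algorithm tokens that FCS_TLSC_EXT.1.3 forbids a client to offer.
DEPRECATED_ENC = {"NULL", "DES", "3DES", "RC2", "RC4", "IDEA"}

# TLS 1.2 names: TLS_{key exchange}_WITH_{encryption}_{digest}.
TLS12_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<enc>.+)_(?P<mac>SHA384|SHA256|SHA|MD5)$")
# TLS 1.3 names carry no key-exchange component: TLS_{AEAD}_{hash}.
TLS13_RE = re.compile(r"^TLS_(?P<enc>(?:AES|CHACHA20)[A-Z0-9_]*)_(?P<mac>SHA256|SHA384)$")


def split_suite(name):
    """Return (version, key_exchange, encryption, digest) for an IANA suite name;
    key_exchange is None for TLS 1.3 suites."""
    m = TLS12_RE.match(name)
    if m:
        return ("1.2", m["kx"], m["enc"], m["mac"])
    m = TLS13_RE.match(name)
    if m:
        return ("1.3", None, m["enc"], m["mac"])
    raise ValueError(f"unrecognised ciphersuite name: {name}")


def forbidden_reason(name):
    """FCS_TLSC_EXT.1.3: the reason a suite must not be offered, or None if allowed."""
    _, kx, enc, mac = split_suite(name)
    enc_tokens = set(enc.split("_"))
    if "NULL" in enc_tokens:
        return "null encryption"
    if kx is not None and "anon" in kx.lower():
        return "anonymous server authentication"
    if kx is not None and "EXPORT" in kx:
        return "export-grade cryptography"
    if enc_tokens & DEPRECATED_ENC:
        return "deprecated encryption algorithm"
    if mac == "MD5":
        return "MD5 digest"
    return None


def preference_rank(name):
    """Rank tuple encoding the application note's ordering: CNSA suites first, GCM
    before CBC, ECDHE before RSA/DHE, SHA-2 digests before SHA-1. Lower sorts first."""
    _, kx, enc, mac = split_suite(name)
    return (
        0 if name in CNSA_SUITES else 1,
        0 if "GCM" in enc else 1,
        0 if kx is None or kx.startswith("ECDHE") else 1,   # TLS 1.3 is always (EC)DHE
        0 if mac in ("SHA256", "SHA384") else 1,
    )


def check_offered_suites(offered):
    """Evaluate an offered list as it appears in a client hello.
    Returns (forbidden, misordered): forbidden is a list of (suite, reason) pairs;
    misordered is a list of adjacent (earlier, later) pairs where the later allowed
    suite outranks the earlier one."""
    forbidden = [(s, forbidden_reason(s)) for s in offered if forbidden_reason(s)]
    allowed = [s for s in offered if forbidden_reason(s) is None]
    misordered = [(a, b) for a, b in zip(allowed, allowed[1:])
                  if preference_rank(a) > preference_rank(b)]
    return forbidden, misordered


# Constructed sample offer list for this example (not taken from any real product).
SAMPLE_OFFER = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",   # GCM listed after CBC: misordered
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",     # 3DES: must not be offered
    "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",      # export grade, RC2, MD5: must not be offered
]

if __name__ == "__main__":
    forbidden, misordered = check_offered_suites(SAMPLE_OFFER)
    for suite, reason in forbidden:
        print(f"FORBIDDEN  {suite}: {reason}")
    for earlier, later in misordered:
        print(f"MISORDERED {later} should precede {earlier}")
```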
FCS_TLSC_EXT.1.4 The TSF shall be able to support the following TLS client hello message extensions:
signature_algorithms extension (RFC 8446) indicating support for [selection:
ecdsa_secp384r1_sha384 (RFC 8446)
rsa_pkcs1_sha384 (RFC 8446)
], and [selection:
rsa_pss_pss_sha384 (RFC 8603)
rsa_pss_rsae_sha384 (RFC 8603)
[assignment: other non-deprecated signature algorithms]
no other signature algorithms
]
extended_master_secret extension (RFC 7627) enforcing server support
the following other extensions: [selection:
signature_algorithms_cert extension (RFC 8446) indicating support for [selection:
ecdsa_secp384r1_sha384 (RFC 8446)
rsa_pkcs1_sha384 (RFC 8446)
], and [selection:
rsa_pss_pss_sha384 (RFC 8603)
rsa_pss_rsae_sha384 (RFC 8603)
rsa_pkcs1_sha256 (RFC 8446)
rsa_pss_rsae_sha256 (RFC 8446)
[assignment: other non-deprecated signature algorithms]
no other signature algorithms
]
supported_versions extension (RFC 8446) indicating support for TLS 1.3
supported_groups extension (RFC 7919, RFC 8446) indicating support for [selection:
secp256r1
secp384r1
secp521r1
ffdhe2048 (256)
ffdhe3072 (257)
ffdhe4096 (258)
ffdhe6144 (259)
ffdhe8192 (260)
]
key_share extension (RFC 8446)
post_handshake_auth (RFC 8446), pre_shared_key (RFC 8446), and psk_key_exchange_mode (RFC 8446) indicating DHE or ECDHE mode
no other extensions
] and shall not send the following extensions:
early_data
psk_key_exchange_mode indicating PSK only mode.
Application Note: If TLS 1.3 is claimed in FCS_TLSC_EXT.1.1, supported_versions, supported_groups, and key_share extensions are claimed in accordance with RFC 8446. If TLS 1.3 is not claimed, supported_versions and key_share extensions are not claimed. Other extensions may be supported; certain extensions may need to be claimed based on other SFR claims made.
If ECDHE ciphersuites are claimed in FCS_TLSC_EXT.1.2, the supported_groups extension is claimed here with appropriate secp groups claimed. If DHE ciphersuites are claimed in FCS_TLSC_EXT.1.2, it is preferred that the appropriate ffdhe groups be claimed here. In a subsequent version of this FP, support for ffdhe groups will be required whenever DHE ciphersuites are claimed.
When 'other non-deprecated signature algorithms' is claimed, the assignment will describe the standard signature and hash algorithms supported. MD5 and SHA-1 hashes are deprecated and are not included in the signature_algorithms or signature_algorithms_cert extensions.
FCS_TLSC_EXT.1.5 The TSF shall be able to [selection:
verify that a presented identifier of name type: [selection: DNS name type according to RFC 6125, URN name type according to RFC 6125, SRV name type according to RFC 6125, Common Name conversion to DNS name according to RFC 6125, Directory name type according to RFC 5280, IP address name type according to RFC 5280, rfc822Name type according to RFC 5280, [assignment: other name type]]
interface with a client application requesting the TLS channel to verify that a presented identifier
] matches a reference identifier of the requested TLS server and shall abort the session if no match is found.
Application Note: The rules for verification of identity are described in Section 6 of RFC 6125 and Section 7 of RFC 5280. The reference identifier is established by the user (e.g., entering a URL into a web browser or clicking a link), by configuration (e.g., configuring the name of a mail server or authentication server), or by an application (e.g., a parameter of an API) depending on the product service. The client establishes all acceptable reference identifiers and interfaces with the TLS implementation to provide acceptable reference identifiers, or to accept the presented identifiers as validated in the server's certificate. If the product performs matching of the reference identifiers to the identifiers provided in the server's certificate, the first option is claimed and all supported name types are claimed; if the product presents the certificate, or the presented identifiers from the certificate, to the application, the second option is claimed.
In most cases where TLS servers are represented by DNS-type names, the preferred method for verification is the Subject Alternative Name using DNS names, URI names, or Service Names. Verification using a conversion of the Common Name relative distinguished name from a DNS name type in the subject field is allowed for the purposes of backward compatibility.
Finally, the client should avoid constructing reference identifiers using wildcards. However, if the presented identifiers include wildcards, the client must follow the best practices regarding matching; these best practices are captured in the evaluation activity. Support for other name types is rare, but may be claimed for specific applications.
[JF] App note talks about wildcards best practices being captured in the evaluation activity but nothing in the activity actually covers this.
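An added example, not from the Package: a minimal reference-identifier matcher in Python following the RFC 6125 Section 6 rules the application note cites, with conservative wildcard handling (the wildcard must be the whole left-most label and matches exactly one label), exact IP-address comparison, and the Common Name fallback used only when the certificate carries no subjectAltName DNS-ID. The function names and the sample identifiers are this example's own assumptions.

```python
import ipaddress


def _parse_ip(text):
    """Return an ip_address object for an IP reference identifier or IP-ID, else None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def match_dns_id(presented, reference):
    """Compare a presented DNS-ID (from subjectAltName) with a reference identifier
    using the RFC 6125 section 6.4.3 rules and conservative wildcard handling:
    the wildcard must be the entire left-most label, must leave at least two further
    labels (so "*.com" never matches), and matches exactly one label, never a parent
    domain or a multi-label prefix."""
    p = presented.lower().rstrip(".")
    r = reference.lower().rstrip(".")
    if "*" in r:                       # a client must not construct wildcard reference identifiers
        return False
    if "*" not in p:
        return p == r
    p_labels, r_labels = p.split("."), r.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False                   # partial wildcards such as "w*.example.com" are rejected
    return len(p_labels) == len(r_labels) and p_labels[1:] == r_labels[1:]


def verify_server_identity(reference, san_dns_ids, san_ip_ids, common_name=None):
    """Decide whether a reference identifier matches the server certificate's
    presented identifiers. subjectAltName entries are authoritative; the Common Name
    is consulted only when the certificate carries no DNS-ID at all (the backward
    compatibility case). An IP reference identifier compares only against IP-IDs,
    exactly and without wildcards."""
    ref_ip = _parse_ip(reference)
    if ref_ip is not None:
        return any(_parse_ip(ip) == ref_ip for ip in san_ip_ids)
    if any(match_dns_id(p, reference) for p in san_dns_ids):
        return True
    if not san_dns_ids and common_name is not None:
        return match_dns_id(common_name, reference)
    return False


if __name__ == "__main__":
    # Constructed certificate identifiers for this example.
    san_dns = ["*.example.com", "example.com"]
    for ref in ["www.example.com", "a.b.example.com", "EXAMPLE.COM", "192.0.2.10"]:
        print(f"{ref:20} -> {verify_server_identity(ref, san_dns, ['192.0.2.10'])}")
```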
FCS_TLSC_EXT.1.6 The TSF shall not establish a trusted channel if the server certificate is invalid [selection: with no exceptions, except when override is authorized in the case where valid revocation information is not available].
Application Note: A certificate used in a manner that does not support revocation checking should not advertise revocation information locations.
Common methods to address this include revoking the issuing CA, resetting certificate pinning mechanisms, or removing entries from trust stores. Thus, a certificate that does not advertise revocation status information is considered to be not revoked and does not need to be processed via override mechanisms. Override mechanisms are for use with certificates with published revocation status information that is not accessible, whether temporarily or because the information cannot be accessed during the state of the TOE (e.g., for verifying signatures on boot code). The circumstances should be described by the ST author, who should indicate the override mechanism and conditions that apply to the override, including system state, user/admin actions, etc.
This SFR is claimed if "TLS as a client" is selected in FCS_TLS_EXT.1.1.
Evaluation Activities
FCS_TLSC_EXT.1
TSS
The evaluator shall check the description of the implementation of this protocol in the TSS to ensure the supported TLS versions, features, ciphersuites, and extensions are specified in accordance with RFC 5246 (TLS 1.2) and RFC 8446 (TLS 1.3 and updates to TLS 1.2) and as refined in FCS_TLSC_EXT.1 as appropriate. The evaluator shall verify that ciphersuites indicated in FCS_TLSC_EXT.1.2 are included in the description, and that none of the following ciphersuites are supported: ciphersuites indicating 'NULL,' 'RC2,' 'RC4,' 'DES,' 'IDEA,' or 'TDES' in the encryption algorithm component, indicating 'anon,' or indicating MD5 or SHA in the message digest algorithm component. The evaluator shall verify that the TLS implementation description includes the extensions as required in FCS_TLSC_EXT.1.4. The evaluator shall verify that the ST describes applications that use the TLS functions and how they establish reference identifiers. The evaluator shall verify that the ST includes a description of the name types parsed and matching methods supported for associating the server certificate to application defined reference identifiers.
Guidance
The evaluator shall check the operational guidance to ensure that it contains instructions on configuring the product so that TLS conforms to the description in the TSS and that it includes any instructions on configuring the version, ciphersuites, or optional extensions that are supported. The evaluator shall verify that all configurable features for matching identifiers in certificates presented in the TLS handshake to application specific reference identifiers are described.
Tests
The evaluator shall perform the following tests:
Test 1: (supported configurations) For each supported version, and for each supported ciphersuite associated with the version: The evaluator shall establish a TLS connection between the TOE and a test TLS server that is configured to negotiate the tested version and ciphersuite in accordance with the RFC for the version. The evaluator shall observe that the TSF presents a client hello with the highest version of TLS 1.2 or the legacy version (value '0303') and shall observe that the supported version extension is not included for TLS 1.2, and, if TLS 1.3 is supported, is present and contains the value '0304' for TLS 1.3. The evaluator shall observe that the client hello indicates the supported ciphersuites in the order indicated, and that it includes only the extensions supported, with appropriate values, for that version in accordance with the requirement. The evaluator shall observe that the TOE successfully completes the TLS handshake.
Note: TOEs supporting TLS 1.3, but allowing a server to negotiate TLS 1.2, should include all ciphersuites and all extensions as required for either version. If such a TOE is configurable to support only TLS 1.2, only TLS 1.3, or both TLS 1.2 and TLS 1.3, Test 1 should be performed in each configuration – with advertised ciphersuites appropriate for the configuration. The connection in Test 1 may be established as part of the establishment of a higher-level protocol, e.g., as part of an EAP session. It is sufficient to observe the successful negotiation of a ciphersuite to satisfy the intent of the test; it is not necessary to examine the characteristics of the encrypted traffic in an attempt to discern the ciphersuite being used (for example, that the cryptographic algorithm is 128-bit AES and not 256-bit AES).
Test 2: (obsolete versions) The evaluator shall perform the following tests:
Test 2.1: For each of SSL version 3, TLS version 1.0, and TLS version 1.1, the evaluator shall initiate a TLS connection from the TOE to a test TLS server that is configured to negotiate the obsolete version and observe that the TSF terminates the connection.
Note: It is preferred that the TSF sends a fatal error alert message (e.g., protocol version, insufficient security) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).
Test 2.2: The evaluator shall attempt to establish a connection with a test TLS server that is configured to send a server hello message indicating the selected version (referred to as the legacy version for TLS 1.3) with a value corresponding to an undefined TLS (legacy) version (e.g., '0304') and observe that the TSF terminates the connection.
Note: It is preferred that the TSF sends a fatal error alert message (e.g., protocol version) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). Test 2.2 is intended to test the TSF response to non-standard versions, including early proposals for ‘beta TLS 1.3’ versions. RFC 8446 requires the legacy version to have the value '0303' and specifies TLS 1.3 in the supported versions extension with the value '0304'. While not a preferred approach, if continued support for a beta TLS 1.3 version is desired and the TSF cannot be configured to reject such versions, another value (e.g., '0305') can be used in Test 2.2. Implementations of non-standard versions are not tested.
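To make the Test 1 observations concrete, here is an added Python example (not the Package's test tooling) that parses a ClientHello handshake message as a test TLS server sees it and checks what Test 1 asks the evaluator to observe: legacy version '0303', the supported_versions extension absent for a TLS 1.2-only client and carrying '0304' when TLS 1.3 is claimed, and the offered ciphersuites in the ST's preference order. The sample message is constructed inline; the builder and the check function are this example's own, while the code points come from the IANA TLS registries.

```python
import struct

# Extension type code points from the IANA TLS ExtensionType registry.
EXT_EXTENDED_MASTER_SECRET = 23
EXT_SUPPORTED_VERSIONS = 43

# Cipher suite code points from the IANA TLS Cipher Suites registry.
TLS_AES_256_GCM_SHA384 = 0x1302
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02C
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030


def parse_client_hello(handshake):
    """Parse a ClientHello handshake message (RFC 8446 section 4.1.2 layout, which
    is wire-compatible with RFC 5246). Returns the legacy version, the offered
    cipher suites in the order sent, and the extensions in the order sent."""
    if not handshake or handshake[0] != 1:          # HandshakeType client_hello(1)
        raise ValueError("not a ClientHello")
    length = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    pos = 0
    legacy_version = struct.unpack_from("!H", body, pos)[0]
    pos += 2 + 32                                   # skip Random
    pos += 1 + body[pos]                            # skip legacy_session_id
    cs_len = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    suites = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                            # skip legacy_compression_methods
    extensions = []
    if pos < len(body):                             # extensions block is optional in TLS 1.2
        ext_len = struct.unpack_from("!H", body, pos)[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            pos += 4
            extensions.append((etype, bytes(body[pos:pos + elen])))
            pos += elen
    return {"legacy_version": legacy_version, "cipher_suites": suites, "extensions": extensions}


def check_test1(parsed, expected_suites, tls13_claimed):
    """Apply the Test 1 observations to a parsed ClientHello. Returns a list of
    findings; an empty list means the client hello looks as the SFR requires."""
    findings = []
    if parsed["legacy_version"] != 0x0303:
        findings.append(f"legacy_version is {parsed['legacy_version']:#06x}, expected 0x0303")
    if parsed["cipher_suites"] != expected_suites:
        findings.append("cipher suites are not in the ST's preference order")
    sv = dict(parsed["extensions"]).get(EXT_SUPPORTED_VERSIONS)
    if tls13_claimed:
        # ClientHello supported_versions: one length byte, then 2-byte versions.
        offered = [] if sv is None else [struct.unpack_from("!H", sv, 1 + i)[0] for i in range(0, sv[0], 2)]
        if 0x0304 not in offered:
            findings.append("supported_versions absent or does not offer 0x0304")
    elif sv is not None:
        findings.append("supported_versions present on a TLS 1.2-only client")
    return findings


def build_client_hello(legacy_version, suites, extensions):
    """Assemble a ClientHello from its parts; used here only to construct sample input."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in extensions)
    body = (struct.pack("!H", legacy_version)
            + bytes(32)                                     # Random (zeros in the sample)
            + b"\x00"                                       # empty legacy_session_id
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00"                                   # compression_methods: null only
            + struct.pack("!H", len(ext_bytes)) + ext_bytes)
    return b"\x01" + len(body).to_bytes(3, "big") + body


# Constructed sample: a client claiming TLS 1.3 and TLS 1.2 with the CNSA suites first.
EXPECTED_ORDER = [TLS_AES_256_GCM_SHA384,
                  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
SAMPLE_CLIENT_HELLO = build_client_hello(0x0303, EXPECTED_ORDER, [
    (EXT_SUPPORTED_VERSIONS, b"\x04\x03\x04\x03\x03"),      # offers 0x0304 then 0x0303
    (EXT_EXTENDED_MASTER_SECRET, b""),
])

if __name__ == "__main__":
    parsed = parse_client_hello(SAMPLE_CLIENT_HELLO)
    print(parsed)
    print("TLS 1.3 claimed:", check_test1(parsed, EXPECTED_ORDER, True) or "pass")
    print("TLS 1.2 only:   ", check_test1(parsed, EXPECTED_ORDER, False) or "pass")
```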
Test3:(ciphersuites)TheevaluatorshallperformthefollowingtestsonhandlingunexpectedciphersuitesusingatestTLSserversendinghandshakemessagescompliantwiththenegotiatedversionexceptasindicatedinthetest:
Test3.1:(ciphersuitenotoffered)Foreachsupportedversion,theevaluatorshallattempttoestablishaconnectionwithatestTLSserverconfiguredtonegotiatethesupportedversionandaciphersuitenotincludedintheclienthelloandobservethattheTOErejectstheconnection.
Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake failure) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). This test is intended to test the TSF’s generic ability to recognize non-offered cipher suites. If the cipher suites in the client hello are configurable, the evaluator shall configure the TSF to offer a cipher suite outside those that are supported and use that cipher suite in the test. If the TSF cipher suite list is not configurable, it is acceptable to use a named cipher suite from the IANA TLS protocols associated with the tested version. Additional special cases of this test for special cipher suites are performed separately.

Test 3.2: (version confusion) For each supported version, the evaluator shall attempt to establish a connection with a test TLS server that is configured to negotiate the supported version and a cipher suite that is not associated with that version and observe that the TOE rejects the connection.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake failure) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). It is intended that Test 3.2 use TLS 1.3 cipher suites for a server negotiating TLS 1.2. If TLS 1.3 is supported, the test server negotiating TLS 1.3 should select a TLS 1.2 cipher suite supported by the TOE for TLS 1.2 and matching the client’s supported groups and signature algorithm indicated by extensions in the TLS 1.3 client hello. If the TOE is configurable to allow both TLS 1.2 and TLS 1.3 servers, the test server should use cipher suites offered by the TSF in its client hello message.

Test 3.3: (null cipher suite) For each supported version, the evaluator shall attempt to establish a connection with a test TLS server configured to negotiate the null cipher suite (TLS_NULL_WITH_NULL_NULL) and observe that the TOE rejects the connection.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake failure, insufficient security) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 3.4: (anon cipher suite) The evaluator shall attempt to establish a TLS 1.2 connection with a test TLS server configured to negotiate a cipher suite using the anonymous server authentication method and observe that the TOE rejects the connection.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake failure, insufficient security) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). See IANA TLS parameters for available cipher suites to be selected by the test TLS server. The test cipher suite should use supported cryptographic algorithms for as many of the other components as possible. For example, if the TSF only supports the cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, the test server could select TLS_DH_ANON_WITH_AES_256_GCM_SHA_384.

Test 3.5: (deprecated encryption algorithm) For each deprecated encryption algorithm (NULL, RC2, RC4, DES, IDEA, and TDES), the evaluator shall attempt to establish a TLS 1.2 connection with a test TLS server configured to negotiate a cipher suite using the deprecated encryption algorithm and observe that the TOE rejects the connection.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake failure, insufficient security) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). See IANA TLS parameters for available cipher suites to be tested. The test cipher suite should use supported cryptographic algorithms for as many of the other components as possible. For example, if the TSF only supports TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, the test server could select TLS_ECDHE_PSK_WITH_NULL_SHA_384, TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_DHE_DSS_WITH_DES_CBC_SHA, TLS_RSA_WITH_IDEA_CBC_SHA, and TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA.
Test 4: (extensions) For each supported version indicated in the following tests, the evaluator shall establish a connection from the TOE with a test server negotiating the tested version and providing server handshake messages as indicated when performing the following tests for validating proper extension handling:

Test 4.1: (signature_algorithms) [conditional] If the TSF supports certificate-based server authentication, the evaluator shall perform the following tests:

Test 4.1.1: For each supported version, the evaluator shall initiate a TLS session with a TLS test server and observe that the TSF’s client hello includes the signature_algorithms extension with values in conformance with the ST.

Test 4.1.2: (TLS 1.2 only) [conditional] If the TSF supports an ECDHE or DHE cipher suite, the evaluator shall ensure the test TLS server sends a compliant server hello message selecting TLS 1.2 and one of the supported ECDHE or DHE cipher suites, a compliant server certificate message, and a key exchange message signed using a signature algorithm and hash combination not included in the client’s hello message (e.g., RSA with SHA-1). The evaluator shall observe that the TSF terminates the handshake.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake failure, illegal parameter, decryption error) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 4.1.3: [conditional] If TLS 1.3 is supported, the evaluator shall configure the test TLS server to respond to the TOE with a compliant server hello message selecting TLS 1.3 and a server certificate message, but then also send a certificate verification message that uses a signature algorithm method not included in the signature_algorithms extension. The evaluator shall observe that the TSF terminates the TLS handshake.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake failure, illegal parameter, bad certificate, decryption error) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 4.1.4: [conditional] For all supported versions for which signature_algorithms_cert is not supported, the evaluator shall ensure the test TLS server sends a compliant server hello message for the tested version and a server certificate message containing a valid certificate that represents the test TLS server, but which is signed using a signature and hash combination not included in the TSF’s signature_algorithms extension (e.g., a certificate signed using RSA and SHA-1). The evaluator shall observe that the TSF terminates the TLS session.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., unsupported certificate, bad certificate, decryption error, handshake failure) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). Certificate-based server authentication is required unless the TSF only supports TLS with shared PSK. For TLS 1.2, this is the case if only TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 as defined in RFC 8442, TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 as defined in RFC 5487, TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 as defined in RFC 8442, or TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 as defined in RFC 5487, are supported. For TLS 1.3, this is the case if only PSK handshakes are supported.

Test 4.2: (signature_algorithms_cert) [conditional] If signature_algorithms_cert is supported, then for each version that uses the signature_algorithms_cert extension, the evaluator shall ensure that the test TLS server sends a compliant server hello message selecting the tested version and indicating certificate-based server authentication. The evaluator shall ensure that the test TLS server forwards a certificate message containing a valid certificate that represents the test TLS server, but which is signed by a valid Certification Authority using a signature and hash combination not included in the TSF’s signature_algorithms_cert extension (e.g., a certificate signed using RSA and SHA-1). The evaluator shall confirm the TSF terminates the session.

Note: Support for certificate-based authentication is assumed if the signature_algorithms_cert is supported. For TLS 1.2, a non-PSK cipher suite, or one of TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 or TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 as defined in RFC 5487, is used to indicate certificate-based server authentication. For TLS 1.3, the test server completes a full handshake, even if a PSK is offered, to indicate certificate-based server authentication. If the TSF only supports shared PSK authentication, Test 4.2 is not performed. For TLS 1.3, the server certificate message is encrypted. The evaluator will configure the test TLS server with the indicated certificate and ensure that the certificate is indeed sent by observing the buffer of messages to be encrypted, or by inspecting one or both sets of logs from the TSF and test TLS server. It is preferred that the TSF sends a fatal error alert message (e.g., unsupported certificate, bad certificate, decryption error, handshake failure) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 4.3: (extended_master_secret) (TLS 1.2 only) The evaluator shall initiate a TLS 1.2 session with a test TLS server configured to compute a master secret according to RFC 5246, section 8. The evaluator shall observe that the TSF’s client hello includes the extended master secret extension in accordance with RFC 7627, and ensure that the test TLS server does not include the extended master secret extension in its server hello. The evaluator shall observe that the TSF terminates the session.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake failure) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 4.4: (supported_groups) (TLS 1.2 only – for TLS 1.3, testing is combined with testing of the key share extension)

Test 4.4.1: For each supported group, the evaluator shall initiate a TLS session with a compliant test TLS 1.2 server supporting RFC 7919. The evaluator shall ensure that the test TLS server is configured to select TLS 1.2 and a cipher suite using the supported group. The evaluator shall observe that the TSF’s client hello lists the supported groups as indicated in the ST, and that the TSF successfully establishes the TLS session.

Test 4.4.2: [conditional on TLS 1.2 support for ECDHE cipher suites] The evaluator shall initiate a TLS session with a test TLS server that is configured to use an explicit version of a named EC group supported by the client. The evaluator shall ensure that the test TLS server key exchange message includes the explicit formulation of the group in its key exchange message as indicated in RFC 4492 section 5.4. The evaluator shall confirm that the TSF terminates the session.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., illegal parameter) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).
Test 5: (TLS 1.3 extensions) [conditional] If the TSF supports TLS 1.3, the evaluator shall perform the following tests. For each test, the evaluator shall observe that the TSF’s client hello includes the supported versions extension with the value '0304' indicating TLS 1.3:

Test 5.1: (supported versions) The evaluator shall initiate TLS 1.3 sessions in turn from the TOE to a test TLS server configured as indicated in the sub-tests below:

Test 5.1.1: The evaluator shall configure the test TLS server to include the supported versions extension in the server hello containing the value '0303'. The evaluator shall observe that the TSF terminates the TLS session.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., illegal parameter, handshake failure, protocol version) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 5.1.2: The evaluator shall configure the test TLS server to include the supported versions extension in the server hello containing the value '0304' and complete a compliant TLS 1.3 handshake. The evaluator shall observe that the TSF completes the TLS 1.3 handshake successfully.

Test 5.1.3: [conditional] If the TSF is configurable to support both TLS 1.2 and TLS 1.3, the evaluator shall follow operational guidance to configure this behavior. The evaluator shall ensure that the test TLS server sends a TLS 1.2 compliant server handshake and observe that the server random does not incidentally include any downgrade messaging. The evaluator shall observe that the TSF completes the TLS 1.2 handshake successfully.

Note: Enhanced downgrade protection defined in RFC 8446 is optional, and if supported, is tested separately. The evaluator may configure the test server’s random, or may repeat the test until the server’s random does not match a downgrade indicator.

Test 5.2: (supported groups, key shares) The evaluator shall initiate TLS 1.3 sessions in turn with a test TLS server configured as indicated in the following sub-tests:

Test 5.2.1: For each supported group, the evaluator shall configure the compliant test TLS 1.3 server to select a cipher suite using the group. The evaluator shall observe that the TSF sends an element of the group in its client hello key shares extension (after a hello retry message from the test server, if the key share for the group is not included in the initial client hello). The evaluator shall ensure the test TLS server sends an element of the group in its server hello and observe that the TSF completes the TLS handshake successfully.

Test 5.2.2: For each supported group, the evaluator shall modify the server hello sent by the test TLS server to include an invalid key share value claiming to be an element of the group indicated in the supported groups extension. The evaluator shall observe that the TSF terminates the TLS session.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., illegal parameter) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). For DHE cipher suites, a zero value, or a value greater than or equal to the modulus, is not a valid element. For ECDHE groups, an invalid point contains x and y coordinates of the correct size, but represents a point not on the curve. The evaluator can construct such an invalid point by modifying a byte in the y coordinate of a valid point and verifying that the coordinates do not satisfy the curve equation.
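The checks a conforming client performs on the server's key share, which is what Test 5.2.2 exercises, as an added example (not code from the TLS-PKG or any product under evaluation). The secp256r1 constants are the published FIPS 186-4 values; the FFDHE modulus is a constructed demonstration prime, not an RFC 7919 group.

```python
"""Key-share validation a TLS 1.3 client performs before deriving the
shared secret. Added illustration for Test 5.2.2; not part of the TLS-PKG
text. secp256r1 parameters are the FIPS 186-4 values; the FFDHE modulus
used in the demo is a constructed 127-bit prime, not an RFC 7919 group."""

# secp256r1 (NIST P-256): y^2 = x^3 + a*x + b (mod p), with a = p - 3
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
# A known-valid point (the generator) in key_share wire encoding.
P256_GENERATOR = b"\x04" + P256_GX.to_bytes(32, "big") + P256_GY.to_bytes(32, "big")

# Constructed demonstration modulus (2^127 - 1, a prime) for the DHE range check.
DEMO_FFDHE_P = (1 << 127) - 1


def p256_key_share_valid(key_exchange: bytes) -> bool:
    """RFC 8446 4.2.8.2 encoding: 0x04 || X || Y, 65 bytes. Reject a wrong
    length or form byte, coordinates outside [0, p), and any (x, y) that
    does not satisfy the curve equation (a point not on the curve)."""
    if len(key_exchange) != 65 or key_exchange[0] != 0x04:
        return False
    x = int.from_bytes(key_exchange[1:33], "big")
    y = int.from_bytes(key_exchange[33:65], "big")
    if x >= P256_P or y >= P256_P:
        return False
    lhs = (y * y) % P256_P
    rhs = (x * x * x + P256_A * x + P256_B) % P256_P
    return lhs == rhs


def ffdhe_key_share_valid(key_exchange: bytes, p: int) -> bool:
    """RFC 8446 4.2.8.1 / RFC 7919 5.1: Y is big-endian, padded to the
    modulus length, and must satisfy 1 < Y < p - 1. This rejects the zero
    value and values >= p named in the note above, and also 1 and p - 1,
    whose only possible shared secrets are trivial."""
    if len(key_exchange) != (p.bit_length() + 7) // 8:
        return False
    y = int.from_bytes(key_exchange, "big")
    return 1 < y < p - 1


def corrupt_y_coordinate(point: bytes) -> bytes:
    """The evaluator's construction from the note above: flip the low bit
    of the last byte of Y of a valid point. The result is re-checked with
    p256_key_share_valid, as the note directs, rather than assumed invalid."""
    buf = bytearray(point)
    buf[-1] ^= 0x01
    return bytes(buf)


def key_share_decision(group: str, key_exchange: bytes) -> str:
    """Outcome a conforming client reaches for the server's key_share:
    'continue', or the fatal alert it would send."""
    if group == "secp256r1":
        ok = p256_key_share_valid(key_exchange)
    elif group == "demo_ffdhe":  # hypothetical group name for the demo modulus
        ok = ffdhe_key_share_valid(key_exchange, DEMO_FFDHE_P)
    else:
        return "illegal_parameter (group not offered)"
    return "continue" if ok else "illegal_parameter"


if __name__ == "__main__":
    print("generator :", key_share_decision("secp256r1", P256_GENERATOR))
    print("corrupted :", key_share_decision("secp256r1", corrupt_y_coordinate(P256_GENERATOR)))
    print("dhe zero  :", key_share_decision("demo_ffdhe", bytes(16)))
    print("dhe == p  :", key_share_decision("demo_ffdhe", DEMO_FFDHE_P.to_bytes(16, "big")))
```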
Test 5.3: (PSK support) [conditional] If the TOE supports pre-shared keys, the evaluator shall follow the operational guidance to use pre-shared keys, shall establish a pre-shared key between the TSF and the test TLS server, and initiate TLS 1.3 sessions in turn between the TSF and the test TLS server configured as indicated in the following sub-tests:

Test 5.3.1: The evaluator shall configure the TSF to use the pre-shared key and ensure that the test TLS server functions as a compliant TLS 1.3 server. The evaluator shall observe that the TSF’s client hello includes the pre_shared_key extension with the valid PSK indicator shared with the test server. The evaluator shall also observe that the TSF’s client hello includes the psk_key_exchange_mode and the post_handshake_auth extensions and that the psk_key_exchange_mode indicates one or more of DHE or ECDHE modes but does not include the PSK-only mode. The evaluator shall observe that the TSF completes the TLS 1.3 handshake successfully in accordance with RFC 8446, to include the TSF sending appropriate key shares for one or more of the supported groups. Once the handshake is successful, the evaluator shall cause the test TLS server to send a certificate request and observe that the TSF provides a certificate message and certificate verify message.

Note: It may be necessary to complete a standard handshake and send a new-ticket message from the test TLS server to establish a pre-shared key, or it might be possible to configure the pre-shared key manually via out-of-band mechanisms. This can be performed in conjunction with other testing that is not tested as part of this SFR. It is not required at this time to support emerging standards on establishing PSK, but as such standards are finalized, this FP may be updated to require such support. TLS messages after the handshake are encrypted, so it may not be possible to observe the certificate and certificate verify messages sent by the TSF directly. The evaluator may need to configure the test TLS server to use an application that requires post-handshake client authentication and terminates the session or otherwise has an observable effect if the certificate is not provided.

Test 5.3.2: The evaluator shall attempt to configure the TSF to send early data. If there is no indication from the TSF that this is blocked, the evaluator shall repeat Test 5.3.1 with the TSF so configured and observe that the TSF does not send application data prior to receiving the server hello.

Note: Early data will be encrypted under the PSK and received by the test TLS server prior to it sending a server hello message.
Test 6: (corrupt finished message) For each supported version, the evaluator shall initiate a TLS session from the TOE to a test TLS server that sends a compliant set of server handshake messages, except for sending a modified finished message (modify a byte of the finished message that would have been sent by a compliant server). The evaluator shall observe that the TSF terminates the session and does not complete the handshake by observing that the TSF does not send application data provided to the TLS channel.

Test 7: (missing finished message) For each supported version, the evaluator shall initiate a session from the TOE to a test TLS server providing a compliant handshake, except for sending a random TLS message (the five byte header indicates a correct TLS message for the negotiated version, but not indicating a finished message) as the final message. The evaluator shall observe that the TSF terminates the session and does not send application data.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., decryption error) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). For TLS 1.2, the modified message is sent after the change_cipher_spec message. For TLS 1.3, the modified message is sent as the last message of the server’s second flight of messages.

Test 8: (unexpected/corrupt signatures within handshake) The evaluator shall perform the following tests, according to the versions supported.

Test 8.1: (TLS 1.2 only) [conditional] If the ST indicates support for ECDSA or DSA cipher suites, the evaluator shall initiate a TLS session with a compliant test TLS server and modify the signature in the server key exchange. The evaluator shall observe that the TSF terminates the session with a fatal alert message (e.g., decrypt error, handshake error).

Test 8.2: [conditional] If the ST indicates support for TLS 1.3, the evaluator shall initiate a TLS session between the TOE and a test TLS server that is configured to send a compliant server hello message, encrypted extension message, and certificate message, but will send a certificate verify message with an invalid signature (e.g., by modifying a byte from a valid signature). The evaluator shall confirm that the TSF terminates the session with a fatal error alert message (e.g., bad certificate, decrypt error, handshake error).

Test 8.3: (TLS 1.2 only) [conditional] If the ST indicates support for both RSA and ECDSA methods in the signature_algorithm (or, if supported, the signature_algorithms_cert) extension, and if the ST indicates one or more TLS 1.2 cipher suites indicating each of the RSA and ECDSA methods in its signature components, the evaluator shall choose two cipher suites: one indicating an RSA signature (cipher1) and one indicating an ECDSA signature (cipher2). The evaluator shall then establish two certificates that are trusted by the TOE: one representing the test TLS 1.2 server using an RSA signature (cert1) and one representing the test TLS 1.2 server using an ECDSA signature (cert2). The evaluator shall initiate a TLS session between the TOE and the test TLS 1.2 server that is configured to select cipher1 and to send cert2. The evaluator shall verify that the TSF terminates this TLS session. The evaluator shall then initiate a TLS session between the TOE and the test TLS 1.2 server that is configured to select cipher2 and to send cert1. The evaluator shall verify that the TSF also terminates this TLS session.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., bad certificate, decryption error, handshake failure) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).
Test 9: [conditional] If the TSF supports certificate-based server authentication, then for each supported version, the evaluator will initiate a TLS session from the TOE to the compliant test TLS server configured to negotiate the tested version, and to authenticate using a certificate trusted by the TSF as specified in the following:

Test 9.1: (certificate extended key usage purpose) The evaluator shall send a server certificate that contains the Server Authentication purpose in the extendedKeyUsage extension and verify that a connection is established. The evaluator shall repeat this test using a different certificate that is otherwise valid and trusted but lacks the Server Authentication purpose in the extendedKeyUsage extension and observe that the TSF terminates the session.

Note: This test may be performed as part of certificate validation testing (FIA_X509_EXT.1). It is preferred that the TSF sends a fatal error alert message (e.g., bad certificate, decryption error, handshake failure) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). Ideally, the two certificates should be similar in regard to structure, the types of identifiers used, and the chain of trust.

Test 9.2: (certificate identifiers) For each supported method of matching presented identifiers, and for each name type for which the TSF parses the presented identifiers from the server certificate for the method, the evaluator shall establish a valid certificate trusted by the TSF to represent the test server using only the tested name type. The evaluator shall perform the following sub-tests:

Test 9.2.1: The evaluator shall prepare the TSF as necessary to use the matching method and establish reference identifiers for the test server for the tested name type. The evaluator shall ensure the test TLS server sends a certificate with a matching name of the tested name type and observe that the TSF completes the connection.

Test 9.2.2: The evaluator shall prepare the TSF as necessary to use the matching method and establish reference identifiers that do not match the name representing the test server. The evaluator shall ensure the test TLS server sends a certificate with a name of the type tested, and observe that the TSF terminates the session.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., bad certificate, unknown certificate) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 9.3: (mixed identifiers) [conditional] If the TSF supports a name matching method where the TSF performs matching of both CN-encoded name types and SAN names of the same type, then for each such method, and for each such name type, the evaluator shall establish a valid certificate trusted by the TSF to represent the test server using one name for the CN-encoded name type and a different name for the SAN name type. The evaluator shall perform the following tests:

Test 9.3.1: The evaluator shall follow the operational guidance to configure the TSF to use the name matching method and establish reference identifiers matching only the SAN. The evaluator shall ensure that the test server sends the certificate with the matching SAN and non-matching CN-encoded name, and observe that the TSF completes the connection.

Note: Configuration of the TSF may depend on the application using TLS.

Test 9.3.2: The evaluator shall follow the operational guidance to configure the TSF to use the name matching method and establish reference identifiers matching only the CN-encoded name. The evaluator shall ensure that the test server sends the certificate with the matching SAN name and non-matching CN-encoded name, and observe that the TSF terminates the session. It is preferred that the TSF sends a fatal error alert message (e.g., bad certificate, unknown certificate) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 9.4: (empty certificate) The evaluator shall configure the test TLS server to supply an empty certificate message and verify that the TSF terminates the session.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., bad certificate, unknown certificate) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 9.5: (invalid certificate) [conditional] If validity exceptions are supported, then for each exception for certificate validity supported, the evaluator shall configure the TSF to allow the exception and ensure the test TLS server sends a certificate that is valid and trusted, except for the allowed exception. The evaluator shall observe that the TSF completes the session. Without modifying the TSF configuration, the evaluator shall initiate a new session with the test TLS server that includes an additional validation error, and observe that the TSF terminates the session.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., decode error, bad certificate) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). The intent of this test is to verify the scope of the exception processing. If verifying certificate status information is claimed as an exception, then this test will verify that a TLS session succeeds when all supported methods for obtaining certificate status information are blocked from the TSF, to include removing any status information that might be cached by the TSF. If the exception is limited to specific certificates (e.g., only leaf certificates are exempt, or only certain leaf certificates are exempt), the additional validation error could be unavailable revocation information for a non-exempt certificate (e.g., revocation status information from an intermediate CA is blocked for the issuing CA of an exempt leaf certificate, or revocation information from the issuing CA is blocked for a non-exempt leaf certificate). If the only option for the exception is for all revocation information for all certificates, another validation error from FIA_X509_EXT.1 (e.g., certificate expiration, extended key usage, etc.) may be used.
FCS_TLSC_EXT.2 TLS Client Support for Mutual Authentication

The inclusion of this selection-based component depends upon selection in FCS_TLSC_EXT.1.1.

FCS_TLSC_EXT.2.1 The TSF shall support mutual authentication using X.509v3 certificates during the handshake and [selection: in support of post-handshake authentication requests, at no other time], in accordance with [selection: RFC 5246, section 7.4.4, RFC 8446, section 4.3.2].

Application Note: Clients that support TLS 1.3 and post-handshake authentication claim ‘in support of post-handshake authentication requests’ in the first selection. The ‘at no other time’ selection is claimed for clients only supporting TLS 1.2 or for TLS 1.3 clients that do not support post-handshake authentication.

The certificate request sent by the server specifies the signature algorithms and certification authorities supported by the server. If the client does not possess a matching certificate, it sends an empty certificate message. The structure of the certificate request message is changed in TLS 1.3 to use the signature_algorithm, signature_algorithms_cert, and certificate_authorities extensions, and RFC 8446 allows for TLS 1.2 implementations to use the new message structure. The "RFC 8446, section 4.3.2" option is claimed in the second selection if TLS 1.3 is supported or if the RFC 8446 method is supported for TLS 1.2 servers. The "RFC 5246, section 7.4.4" option is claimed if the RFC 5246 method is supported for interoperability with TLS 1.2 servers that do not adopt the RFC 8446 method. When mutual authentication is supported, at least one of these methods must be claimed, per the selection.

This SFR is claimed if "mutual authentication" is selected in FCS_TLSC_EXT.1.1.
Evaluation Activities

FCS_TLSC_EXT.2

TSS
The evaluator shall ensure that the TSS description required per FIA_X509_EXT.2.1 includes the use of client-side certificates for TLS mutual authentication. The evaluator shall also ensure that the TSS describes any factors beyond configuration that are necessary in order for the client to engage in mutual authentication using X.509v3 certificates.

Guidance
The evaluator shall ensure that the operational guidance includes any instructions necessary to configure the TOE to perform mutual authentication. The evaluator also shall verify that the operational guidance required per FIA_X509_EXT.2.1 includes instructions for configuring the client-side certificates for TLS mutual authentication.

Tests
For each supported TLS version, the evaluator shall perform the following tests:

Test 10: The evaluator shall establish a TLS connection from the TSF to a test TLS server that negotiates the tested version and which is not configured for mutual authentication (i.e., does not send a Server’s Certificate Request (type 13) message). The evaluator observes negotiation of a TLS channel and confirms that the TOE did not send a Client’s Certificate message (type 11) during the handshake.

Test 11: The evaluator shall establish a connection to a test TLS server with a shared trusted root that is configured for mutual authentication (i.e., it sends a Server’s Certificate Request (type 13) message). The evaluator observes negotiation of a TLS channel and confirms that the TOE responds with a non-empty Client’s Certificate message (type 11) and Certificate Verify (type 15) message.

Test 12: [conditional] If the TSF supports post-handshake authentication, the evaluator shall establish a pre-shared key between the TSF and a test TLS 1.3 server. The evaluator shall initiate a TLS session using the pre-shared key and confirm the TSF and test TLS 1.3 server successfully complete the TLS handshake and both support post-handshake authentication. After the session is successfully established, the evaluator shall initiate a certificate request message from the test TLS 1.3 server. The evaluator shall observe that the TSF receives that authentication request and shall take necessary actions, in accordance with the operational guidance, to complete the authentication request. The evaluator shall confirm that the test TLS 1.3 server receives certificate and certificate verification messages from the TSF over the channel that authenticates the client.

Note: TLS 1.3 certificate requests from the test server and client certificate and certificate verify messages are encrypted. The evaluator confirms that the TSF sends the appropriate messages by examining the messages received at the test TLS 1.3 server and by inspecting any relevant server logs. The evaluator may also take advantage of the calling application to demonstrate that the TOE receives data configured at the test TLS server.
FCS_TLSC_EXT.3 TLS Client Downgrade Protection

The inclusion of this selection-based component depends upon selection in FCS_TLSC_EXT.1.1.

FCS_TLSC_EXT.3.1 The TSF shall not establish a TLS channel if the server hello message includes [selection: TLS 1.2 downgrade indicator, TLS 1.1 or below downgrade indicator] in the server random field.

Application Note: The ST author claims the “TLS 1.2 downgrade indicator” when FCS_TLSC_EXT.1 indicates support for both TLS 1.3 and supplemental downgrade protection. This option is not claimed if TLS 1.3 is not supported. The “TLS 1.1 or below downgrade indicator” option may be claimed regardless of support for TLS 1.3, but should only be claimed if the TSF is capable of detecting the indicator. As indicated in FCS_TLSC_EXT.1.1, this FP requires the client to terminate TLS 1.1 or below sessions. It is acceptable for the TSF to always terminate TLS 1.1 sessions based on the server hello negotiated version field and ignore any downgrade indicator. However, a product that is capable of detecting the TLS 1.1 or below downgrade indicator may take different actions depending on whether the TLS 1.1 or below downgrade indicator is set.

This SFR is claimed if "supplemental downgrade protection" is selected in FCS_TLSS_EXT.1.1.
Evaluation Activities

FCS_TLSC_EXT.3

TSS
The evaluator shall review the TSS and confirm that the description of the TLS client protocol includes the downgrade protection mechanism in accordance with RFC 8446 and identifies any configurable features of the TSF needed to meet the requirements. If the ST claims that the TLS 1.1 and below indicator is processed, the evaluator shall confirm that the TSS indicates which configurations allow processing of the downgrade indicator and the specific response of the TSF when it receives the downgrade indicator, as opposed to simply terminating the session for the unsupported version.

Guidance
The evaluator shall review the operational guidance and confirm that any instructions to configure the TSF to meet the requirements are included.

Tests
The evaluator shall perform the following tests to confirm the response to downgrade indicators from a test TLS 1.3 server:

Test 13: [conditional] If the TSF supports TLS 1.3, the evaluator shall initiate a TLS 1.3 session with a test TLS 1.3 server configured to send a compliant TLS 1.2 server hello (not including any TLS 1.3 extensions) but including the TLS 1.2 downgrade indicator ‘444F574E47524401’ in the last eight bytes of the server random field. The evaluator shall confirm that the TSF terminates the session.

Note: It is preferred that the TSF send a fatal error alert message (e.g., illegal parameter), but it is acceptable that the TSF terminate the session without sending an error alert.

Test 14: [conditional] If the TSF supports the TLS 1.1 or below downgrade indicator and if the ST indicates a configuration where the indicator is processed, the evaluator shall follow operational guidance instructions to configure the TSF so it parses a TLS 1.1 handshake to detect and process the TLS downgrade indicator. The evaluator shall initiate a TLS session between the TOE and a test TLS server that is configured to send a TLS 1.1 server hello message with the downgrade indicator ‘444F574E47524400’ in the last eight bytes of the server random field, but which is otherwise compliant with RFC 4346. The evaluator shall observe that the TSF terminates the session as described in the ST.

Note: It is preferred that the TSF send a fatal error alert message (illegal parameter or unsupported version), but it is acceptable that the TSF terminate the session without sending an error alert. Use of the TLS 1.1 and below indicator as a redundant mechanism where there is no configuration that actually processes the value does not require additional testing, since this would be addressed by Test 2.1 for FCS_TLSC_EXT.1.1. This test is only required if the TSF responds differently (e.g., a different error alert) when the downgrade indicator is present than when TLS 1.1 or below is negotiated and the downgrade indicator is not present.
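The server hello checks behind Tests 13 and 14 (and Tests 5.1.1 to 5.1.3 above), as an added example that is not code from the TLS-PKG or any evaluated product: the sentinel bytes are the ones quoted in the tests, and the server hello bodies are constructed samples built by the helper in the block.

```python
"""Server hello version and downgrade-indicator checks of a TLS 1.3-capable
client. Added illustration for Tests 5.1.x, 13 and 14; not part of the
TLS-PKG text. build_server_hello() constructs sample messages offline."""
import struct

TLS11, TLS12, TLS13 = 0x0302, 0x0303, 0x0304
EXT_SUPPORTED_VERSIONS = 43
# RFC 8446 4.1.3 sentinels; the same bytes Tests 13 and 14 place in the server random.
DOWNGRADE_TLS12 = bytes.fromhex("444F574E47524401")   # "DOWNGRD\x01"
DOWNGRADE_TLS11 = bytes.fromhex("444F574E47524400")   # "DOWNGRD\x00"


def build_server_hello(legacy_version, random32, cipher_suite, extensions):
    """Constructed ServerHello body (handshake header omitted): version,
    32-byte random, empty session id, suite, null compression, extensions."""
    assert len(random32) == 32
    body = struct.pack(">H", legacy_version) + random32 + b"\x00"
    body += struct.pack(">HB", cipher_suite, 0)
    if extensions:
        ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions.items())
        body += struct.pack(">H", len(ext)) + ext
    return body


def parse_server_hello(body):
    """Return (legacy_version, random, cipher_suite, {ext_type: data})."""
    legacy_version = struct.unpack(">H", body[:2])[0]
    random32 = body[2:34]
    off = 35 + body[34]                       # skip legacy_session_id
    cipher_suite = struct.unpack(">H", body[off:off + 2])[0]
    off += 3                                  # cipher suite + compression method
    extensions = {}
    if off < len(body):                       # extensions block is optional in TLS 1.2
        ext_len = struct.unpack(">H", body[off:off + 2])[0]
        off += 2
        end = off + ext_len
        if end != len(body):
            raise ValueError("decode_error: extensions length mismatch")
        while off < end:
            ext_type, length = struct.unpack(">HH", body[off:off + 4])
            off += 4
            if off + length > end or ext_type in extensions:
                raise ValueError("decode_error: bad or duplicate extension")
            extensions[ext_type] = body[off:off + length]
            off += length
    return legacy_version, random32, cipher_suite, extensions


def negotiated_version(legacy_version, extensions):
    """RFC 8446 4.2.1: with supported_versions present, the legacy field must
    be 0x0303 and the extension must carry exactly 0x0304 (Test 5.1.1 sends
    0x0303 there); without it, the legacy field is the negotiated version."""
    sv = extensions.get(EXT_SUPPORTED_VERSIONS)
    if sv is None:
        return legacy_version
    if legacy_version != TLS12 or len(sv) != 2:
        return None
    return TLS13 if struct.unpack(">H", sv)[0] == TLS13 else None


def check_server_hello(body, client_offered_tls13=True):
    """Return (accept, negotiated_version, reason) as a conforming client would."""
    legacy_version, random32, _suite, extensions = parse_server_hello(body)
    version = negotiated_version(legacy_version, extensions)
    if version is None:
        return False, None, "illegal_parameter: supported_versions must select 0x0304"
    sentinel = random32[-8:]
    # Checked before the plain version rule so Test 14 can be answered distinctly.
    if version <= TLS12 and client_offered_tls13 and sentinel in (DOWNGRADE_TLS12, DOWNGRADE_TLS11):
        return False, version, "illegal_parameter: downgrade indicator in server random"
    if version <= TLS11:
        return False, version, "protocol_version: TLS 1.1 and below are not accepted"
    return True, version, "ok"


if __name__ == "__main__":
    plain = bytes(range(32))                              # constructed random, no sentinel
    print(check_server_hello(build_server_hello(TLS12, bytes(range(24)) + DOWNGRADE_TLS12, 0xC02C, {})))
    print(check_server_hello(build_server_hello(TLS12, plain, 0x1301, {EXT_SUPPORTED_VERSIONS: b"\x03\x04"})))
```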
FCS_TLSC_EXT.4 TLS Client Support for Renegotiation

The inclusion of this selection-based component depends upon selection in FCS_TLS_EXT.1.1.

FCS_TLSC_EXT.4.1 The TSF shall support secure renegotiation through use of [selection: the “renegotiation_info” TLS extension, the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signaling cipher suite value] in accordance with RFC 5746, and shall terminate the session if an unexpected server hello is received and [selection: hello request message is received, in no other case].

Application Note: A client allowing TLS 1.2 connections may present either the "renegotiation_info" extension or the signaling cipher suite value TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the initial client hello message to indicate support for secure renegotiation. The ST author claims the methods supported. The TLS_EMPTY_RENEGOTIATION_INFO_SCSV is the preferred mechanism for TLS 1.2 protection against insecure renegotiation when the client does not renegotiate. The ST author will claim the ‘hello request message is received’ option in the second selection to indicate support for this mechanism.

RFC 5746 allows the client to accept connections with servers that do not support the extension; this FP refines RFC 5746 and requires the client to terminate sessions with such servers. Thus, unexpected server hello messages include an initial server hello negotiating TLS 1.2 that does not contain a renegotiation_info extension, an initial server hello negotiating TLS 1.2 that has a renegotiation_info that is non-empty, a subsequent server hello negotiating TLS 1.2 that does not contain a renegotiation_info extension, and a subsequent server hello negotiating TLS 1.2 that has a renegotiation_info extension with an incorrect renegotiated_connection value.

TLS 1.3 provides protection against insecure renegotiation by not allowing renegotiation. If TLS 1.3 is claimed in FCS_TLSC_EXT.1.1 and the client receives a server hello that attempts to negotiate TLS 1.3 and also contains a renegotiation_info extension, the client will terminate the connection.

This SFR is claimed if "TLS as a client" is selected in FCS_TLS_EXT.1.1.
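The server hello acceptance rule the two application notes above describe, written out as an added example (not code from the TLS-PKG or any evaluated product). It assumes the caller has already parsed the server hello extension list into a type-to-bytes mapping and, on a renegotiation, holds the verify_data values of the previous handshake.

```python
"""renegotiation_info handling for a TLS client as FCS_TLSC_EXT.4 refines
RFC 5746. Added illustration, not part of the TLS-PKG text. `extensions`
is assumed to be the parsed server hello extension list (type -> raw data)."""
import hmac

RENEGOTIATION_INFO = 0xFF01          # extension type from RFC 5746
TLS12, TLS13 = 0x0303, 0x0304


def encode_renegotiation_info(renegotiated_connection: bytes) -> bytes:
    """Extension payload as a server sends it: one length byte followed by
    renegotiated_connection (RFC 5746 3.2). Used here to build samples."""
    return bytes([len(renegotiated_connection)]) + renegotiated_connection


def check_renegotiation_info(version, extensions, initial,
                             client_verify_data=b"", server_verify_data=b""):
    """Return (accept, reason). `initial` is True for the first handshake on
    the connection; for a renegotiation the caller passes the verify_data
    values of the handshake being renegotiated."""
    data = extensions.get(RENEGOTIATION_INFO)
    if version == TLS13:
        # TLS 1.3 has no renegotiation; a server offering the extension is an error.
        if data is not None:
            return False, "illegal_parameter: renegotiation_info offered on TLS 1.3"
        return True, "ok"
    if data is None:
        # RFC 5746 lets a client continue with such a server; this FP requires termination.
        return False, "handshake_failure: server hello lacks renegotiation_info"
    if len(data) < 1 or len(data) != 1 + data[0]:
        return False, "decode_error: malformed renegotiation_info"
    renegotiated_connection = data[1:]
    # Initial hello: must be empty (Test 15.2.1 sends a non-zero length).
    # Renegotiation: must equal client_verify_data || server_verify_data (Test 15.2.3).
    expected = b"" if initial else client_verify_data + server_verify_data
    if not hmac.compare_digest(renegotiated_connection, expected):
        return False, "handshake_failure: renegotiated_connection mismatch"
    return True, "ok"


if __name__ == "__main__":
    cvd, svd = bytes(range(12)), bytes(range(12, 24))   # constructed verify_data values
    print(check_renegotiation_info(TLS12, {RENEGOTIATION_INFO: encode_renegotiation_info(b"")}, True))
    print(check_renegotiation_info(TLS12, {}, True))
    print(check_renegotiation_info(TLS12, {RENEGOTIATION_INFO: encode_renegotiation_info(cvd + svd)},
                                   False, cvd, svd))
```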
EvaluationActivities
FCS_TLSC_EXT.4TSSTheevaluatorshallexaminetheSTtoensurethatTLSrenegotiationprotectionsaredescribedinaccordancewiththerequirements.Theevaluatorshallensurethatanyconfigurablefeaturesoftherenegotiationprotectionsareidentified.
GuidanceTheevaluatorshallexaminetheoperationalguidancetoconfirmthatinstructionsforanyconfigurablefeaturesoftherenegotiationprotectionmechanismsareincluded.
TestsTheevaluatorshallperformthefollowingtestsasindicated.OneorbothofTests1or2isrequired,dependingonwhethertheTSFisconfigurabletorejectrenegotiationorsupportssecurerenegotiationmethodsdefinedforTLS1.2.IfTLS1.3issupported,Test2isrequired.
Test 15: [conditional] If the TSF supports a configuration to accept renegotiation requests for TLS 1.2, the evaluator shall follow any operational guidance to configure the TSF. The evaluator shall perform the following tests:

Test 15.1: The evaluator shall initiate a TLS connection with a test server configured to negotiate a compliant TLS 1.2 handshake. The evaluator shall inspect the messages received by the test TLS 1.2 server. The evaluator shall observe that either the "renegotiation_info" extension or the SCSV ciphersuite (TLS_EMPTY_RENEGOTIATION_INFO_SCSV) is included in the ClientHello message during the initial handshake.

Test 15.2: For each of the following sub-tests, the evaluator shall initiate a new TLS connection with a test TLS 1.2 server configured to send a renegotiation_info extension as specified, but otherwise complete a compliant TLS 1.2 session:

Test 15.2.1: The evaluator shall configure the test TLS 1.2 server to send, in the initial server hello, a renegotiation_info extension whose renegotiated_connection value has a non-zero length. The evaluator shall confirm that the TSF terminates the connection. Note: It is preferred that the TSF sends a fatal error alert message (e.g., illegal_parameter) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 15.2.2: The evaluator shall configure the test TLS 1.2 server to send a compliant renegotiation_info extension and observe that the TSF successfully completes the TLS 1.2 connection.

Test 15.2.3: The evaluator shall complete a successful TLS 1.2 handshake with the test TLS 1.2 server (as in Test 15.1), then have the test server send a hello request to initiate renegotiation and, in the renegotiation server hello, a "renegotiation_info" extension whose renegotiated_connection value has an unexpected "client_verify_data" or "server_verify_data" component (modify a byte of a compliant value). The evaluator shall verify that the TSF terminates the connection.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., illegal_parameter, handshake_failure) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 16: [conditional] If the TSF supports a configuration that prevents renegotiation, the evaluator shall perform the following tests:

Test 16.1: (TLS 1.2) [conditional] If the TSF supports a configuration to reject TLS 1.2 renegotiation, the evaluator shall follow the operational guidance as necessary to prevent renegotiation. The evaluator shall initiate a TLS session between the so-configured TSF and a test TLS 1.2 server that is configured to perform a compliant handshake, followed by a hello request. The evaluator shall confirm that the TSF completes the initial handshake successfully but terminates the TLS session after receiving the hello request. Note: It is preferred that the TSF sends a fatal error alert message (e.g., unexpected_message) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 16.2: [conditional] If the TSF supports TLS 1.3, the evaluator shall initiate a TLS session between the TSF and a test TLS 1.3 server that completes a compliant TLS 1.3 handshake, followed by a hello request message. The evaluator shall observe that the TSF completes the initial TLS 1.3 handshake successfully, but terminates the session on receiving the hello request message. It is preferred that the TSF sends a fatal error alert message (e.g., unexpected_message) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).
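The decision a client has to make on every server hello, written out as an added example (this is not code from the package or from any TOE). It takes the negotiated version and the already-parsed extension set of a server hello, applies RFC 5746 with this package's refinement, and returns "ok" or raises with the alert the client should send. The run_client_checks driver feeds it constructed inputs covering the unexpected server hello cases listed in the application note above; the verify_data values in it are made up.

```python
"""Client-side policy for renegotiation_info (RFC 5746) as refined by
FCS_TLSC_EXT.4. Added example; not code from the package or any TOE."""

RENEGOTIATION_INFO = 0xFF01        # extension type registered by RFC 5746
TLS12, TLS13 = 0x0303, 0x0304


class TLSAlert(Exception):
    """Carries the alert description a compliant client should send."""


def parse_renegotiation_info(body):
    """Decode the extension body: one length byte, then renegotiated_connection."""
    if not body or len(body) != 1 + body[0]:
        raise TLSAlert("decode_error")
    return body[1:]


def check_server_hello_renegotiation(version, extensions, initial,
                                     client_verify_data=b"", server_verify_data=b""):
    """Return "ok" if the server hello passes, otherwise raise TLSAlert.

    version            negotiated version (0x0303 = TLS 1.2, 0x0304 = TLS 1.3)
    extensions         {extension_type: extension_data} parsed from the server hello
    initial            True for the first handshake on this connection
    *_verify_data      Finished verify_data of the previous handshake; needed
                       only when initial is False (i.e. for a renegotiation)
    """
    body = extensions.get(RENEGOTIATION_INFO)
    if version == TLS13:
        # TLS 1.3 has no renegotiation; RFC 8446 section 4.2 makes an extension
        # that is not defined for this message an illegal_parameter.
        if body is not None:
            raise TLSAlert("illegal_parameter")
        return "ok"
    if version != TLS12:
        raise TLSAlert("protocol_version")       # TLS 1.0/1.1 are not permitted
    if body is None:
        # RFC 5746 section 4.1 lets a client continue here; this package does not.
        raise TLSAlert("handshake_failure")
    renegotiated_connection = parse_renegotiation_info(body)
    if initial:
        # RFC 5746 section 3.4: the initial server hello must carry an empty value.
        if renegotiated_connection != b"":
            raise TLSAlert("handshake_failure")
        return "ok"
    # RFC 5746 section 3.5: on renegotiation the value must equal
    # client_verify_data || server_verify_data from the previous handshake.
    if not client_verify_data or not server_verify_data:
        raise TLSAlert("internal_error")        # caller lost the previous state
    if renegotiated_connection != client_verify_data + server_verify_data:
        raise TLSAlert("handshake_failure")
    return "ok"


def run_client_checks():
    """Exercise the cases from the application note on constructed server hellos."""
    vd_c, vd_s = bytes(range(12)), bytes(range(12, 24))   # constructed verify_data
    good_renego = bytes([24]) + vd_c + vd_s
    bad_renego = bytes([24]) + vd_c + bytes(12)            # server_verify_data wrong
    cases = {
        "initial_missing":  (TLS12, {}, True),
        "initial_nonempty": (TLS12, {RENEGOTIATION_INFO: b"\x01\x00"}, True),
        "initial_ok":       (TLS12, {RENEGOTIATION_INFO: b"\x00"}, True),
        "renego_missing":   (TLS12, {}, False, vd_c, vd_s),
        "renego_bad_value": (TLS12, {RENEGOTIATION_INFO: bad_renego}, False, vd_c, vd_s),
        "renego_ok":        (TLS12, {RENEGOTIATION_INFO: good_renego}, False, vd_c, vd_s),
        "tls13_with_ext":   (TLS13, {RENEGOTIATION_INFO: b"\x00"}, True),
        "tls13_clean":      (TLS13, {}, True),
    }
    results = {}
    for name, args in cases.items():
        try:
            results[name] = check_server_hello_renegotiation(*args)
        except TLSAlert as alert:
            results[name] = "alert:" + str(alert)
    return results


if __name__ == "__main__":
    for name, outcome in run_client_checks().items():
        print(f"{name:18s} {outcome}")
```

The alert choices follow the RFCs rather than the "preferred" alerts named in the tests: RFC 5746 prescribes handshake_failure for every renegotiation_info mismatch, and RFC 8446 prescribes illegal_parameter for an extension that is not defined for the message it appears in. Either satisfies the tests, which accept any fatal alert or a silent close.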
FCS_TLSC_EXT.5 TLS Client Support for Session Resumption

The inclusion of this selection-based component depends upon selection in FCS_TLSC_EXT.1.1.

FCS_TLSC_EXT.5.1 The TSF shall support session resumption as a client via the use of [selection: session ID in accordance with RFC 5246, tickets in accordance with RFC 5077, PSK and tickets in accordance with RFC 8446].

Application Note: The ST author indicates which session resumption mechanisms are supported. One or both of the first two options, "session ID in accordance with RFC 5246" and "tickets in accordance with RFC 5077", are claimed for TLS 1.2 resumption. If resumption of TLS 1.3 sessions is supported, "PSK and tickets in accordance with RFC 8446" is selected, and the selection-based SFR FCS_TLSC_EXT.6 must also be claimed.

While it is possible to perform session resumption using PSK ciphersuites in TLS 1.2, this is uncommon. Validation of key exchange and session negotiation rules for PSK ciphersuites is independent of the source of the pre-shared key and is covered in FCS_TLSC_EXT.1.

This SFR is claimed if "session resumption" is selected in FCS_TLSC_EXT.1.1.
Evaluation Activities

FCS_TLSC_EXT.5

TSS: The evaluator shall examine the ST and confirm that the TLS client protocol description includes a description of the supported resumption mechanisms.

Guidance: The evaluator shall ensure the operational guidance describes instructions for any configurable features of the resumption mechanism.

Tests: The evaluator shall perform the following tests:

Test 17: For each supported TLS version and for each resumption mechanism supported for that version, the evaluator shall establish a new TLS session between the TSF and a compliant test TLS server that is configured to negotiate the indicated version and perform resumption using the indicated mechanism. The evaluator shall confirm that the TSF completes the initial TLS handshake and shall cause the TSF to close the session normally. The evaluator shall then cause the TSF to resume the session with the test TLS server using the indicated method and observe that the TSF successfully establishes the session.

Note: For each method, successful establishment refers to proper use of the mechanism, including compliant extensions and behavior, as indicated in the referenced RFC.

Test 18: (TLS 1.3 session ID echo) [conditional] If the TSF supports TLS 1.3, the evaluator shall initiate a new TLS 1.3 session with a test TLS server. The evaluator shall cause the test TLS server to send a TLS 1.3 server hello message (or a hello retry request if the TSF does not include the key_share extension) whose legacy_session_id_echo field contains a value different from the legacy_session_id the TSF sent in its client hello, and observe that the TSF terminates the session. Note: It is preferred that the TSF sends a fatal error alert message (e.g., illegal_parameter) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).
FCS_TLSC_EXT.6 TLS Client TLS 1.3 Resumption Refinements

The inclusion of this selection-based component depends upon selection in FCS_TLSC_EXT.5.1.

FCS_TLSC_EXT.6.1 The TSF shall send a psk_key_exchange_modes extension with the value psk_dhe_ke when TLS 1.3 session resumption is offered.

FCS_TLSC_EXT.6.2 The TSF shall not send early data in TLS 1.3 sessions.

Application Note: This SFR is claimed when session resumption is supported for TLS 1.3. RFC 8446 allows pre-shared keys to be used directly (psk_ke mode) and also allows early data to be protected using only the pre-shared key. This SFR refines the RFC to use a PSK only with a supplemental DHE or ECDHE key exchange, so that every session has forward secrecy, and to never send early data (which is protected by the PSK alone and is replayable).

This SFR is claimed if "PSK and tickets in accordance with RFC 8446" is selected in FCS_TLSC_EXT.5.1.

Evaluation Activities

FCS_TLSC_EXT.6

TSS: The evaluator shall examine the TSS to verify that the TLS client protocol description indicates that the PSK exchange requires DHE mode and prohibits sending early data. The evaluator shall examine the TSS to verify it lists all applications that can be secured by TLS 1.3 using pre-shared keys and describes how each TLS 1.3 client application ensures data for the application is not sent using early data.

Guidance: The evaluator shall examine the operational guidance to verify that instructions for any configurable features that are required to meet the requirement are included. The evaluator shall ensure the operational guidance includes any instructions required to configure applications so the TLS 1.3 client implementation does not send early data.

Tests: [conditional] For each application that is able to be secured via TLS 1.3 using PSK, the evaluator shall follow operational guidance to configure the application not to send early data. The evaluator shall cause the application to initiate a resumed TLS 1.3 session between the TSF and a compliant test TLS 1.3 server as in Test 17 of FCS_TLSC_EXT.5. The evaluator shall observe that the TSF's TLS 1.3 client hello includes the psk_key_exchange_modes extension with the value psk_dhe_ke and sends a key_share value for a supported group. The evaluator shall confirm that early data is not received by the test TLS server. Note: If no applications supported by the TOE provide data to TLS 1.3 that can be sent using PSK, this test is omitted.
FCS_TLSS_EXT.1 TLS Server Protocol

The inclusion of this selection-based component depends upon selection in FCS_TLS_EXT.1.1.

FCS_TLSS_EXT.1.1 The TSF shall implement TLS 1.2 (RFC 5246) and [selection: TLS 1.3 (RFC 8446), no other TLS version] as a server that supports additional functionality for [selection: session renegotiation protection, mutual authentication, supplemental downgrade protection, session resumption, no optional functionality] and shall reject connection attempts from clients supporting only TLS 1.1, TLS 1.0, or SSL versions.

Application Note: These requirements will be revisited as new TLS versions are standardized by the IETF.

If "mutual authentication" is selected, then the ST must additionally include the requirements from FCS_TLSS_EXT.2. If the TOE implements mutual authentication, this selection must be made.

If "session renegotiation protection" is selected, then the ST must additionally include the requirements from FCS_TLSS_EXT.4. If the TOE implements session renegotiation, or if TLS 1.3 is supported, this selection must be made.

If "supplemental downgrade protection" is selected, then the ST must additionally include the requirements from FCS_TLSS_EXT.3. If the TOE provides downgrade protection as indicated in RFC 8446, in particular if TLS 1.3 is supported, this selection must be made.

If "session resumption" is selected, then the ST must additionally include the requirements from FCS_TLSS_EXT.5.
FCS_TLSS_EXT.1.2 The TSF shall be able to support the following TLS 1.2 ciphersuites: [selection:
  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289, RFC 8422
  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289, RFC 8422
  TLS_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288
  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288
  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289
  TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246
  TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246
  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289
  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289
  TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246
  TLS_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246
  PP-specific ciphersuites using pre-shared secrets, including [selection:
    TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 as defined in RFC 8442
    TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 as defined in RFC 5487
    TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 as defined in RFC 5487
    TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 as defined in RFC 8442
    TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 as defined in RFC 5487
    TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 as defined in RFC 5487
  ]
] and the following TLS 1.3 ciphersuites: [selection:
  TLS_AES_256_GCM_SHA384 as defined in RFC 8446
  TLS_AES_128_GCM_SHA256 as defined in RFC 8446
  [assignment: other TLS 1.3 ciphersuites]
] using a preference order based on [selection: RFC 9151 priority, client hello ordering, [assignment: additional priority]].

Application Note: The ST author should select the ciphersuites that are supported and must select at least one ciphersuite for each TLS version supported. It is necessary to limit the ciphersuites that can be used in an evaluated configuration administratively on the server in the test environment. If administrative steps need to be taken so that the ciphersuites negotiated by the implementation are limited to those in this requirement, then the appropriate instructions need to be contained in the guidance.

The final selection indicates the TOE's preference for negotiating a ciphersuite. RFC 9151 indicates the required ciphersuites for National Security Systems, and "RFC 9151 priority" is claimed if those ciphersuites are selected whenever offered by the client. In general, it is preferred that GCM ciphersuites are selected over CBC ciphersuites, ECDHE is selected over RSA and DHE, and SHA-256 or SHA-384 is selected over SHA-1.

The "client hello ordering" option is claimed if client priority is considered; if both are claimed, the ST author should indicate which is primary and which is secondary, and whether the priority scheme is configurable. If other priority schemes or a tertiary priority are used, the ST author will claim the third option and describe the scheme in the ST.

Support for TLS_RSA_WITH_AES_128_CBC_SHA is not required despite being mandated by RFC 5246.
FCS_TLSS_EXT.1.3 The TSF shall not establish a connection with a client that does not indicate support for at least one of the supported ciphersuites.

FCS_TLSS_EXT.1.4 The TSF shall be able to process the following TLS client hello message extensions:
  signature_algorithms extension (RFC 8446) indicating support for [selection: ecdsa_secp384r1_sha384 (RFC 8446), rsa_pkcs1_sha384 (RFC 8446)], and [selection: rsa_pss_pss_sha384 (RFC 8603), rsa_pss_rsae_sha384 (RFC 8603), [assignment: other non-deprecated signature algorithms], no other signature algorithms]
  extended_master_secret extension (RFC 7627), enforcing client support
  the following other extensions: [selection:
    signature_algorithms_cert extension (RFC 8446) indicating support for [selection: ecdsa_secp384r1_sha384 (RFC 8446), rsa_pkcs1_sha384 (RFC 8446)], and [selection: rsa_pss_pss_sha384 (RFC 8603), rsa_pss_rsae_sha384 (RFC 8603), rsa_pkcs1_sha256 (RFC 8446), rsa_pss_rsae_sha256 (RFC 8446), [assignment: other non-deprecated signature algorithms], no other signature algorithms]
    supported_versions extension (RFC 8446) indicating support for TLS 1.3
    supported_groups extension (RFC 7919, RFC 8446) indicating support for [selection: secp256r1, secp384r1, secp521r1, ffdhe2048 (256), ffdhe3072 (257), ffdhe4096 (258), ffdhe6144 (259), ffdhe8192 (260)]
    key_share extension (RFC 8446)
    no other extensions
  ].

Application Note: If support for TLS 1.3 is claimed in FCS_TLSS_EXT.1.1, the selections for supported_versions, supported_groups, and key_share are claimed. Even if support for TLS 1.3 is not claimed, if ECDHE ciphersuites are claimed in FCS_TLSS_EXT.1.2, the entry for supported_groups is claimed. Support for additional extensions is acceptable. For signature_algorithms and signature_algorithms_cert (if supported), at least one of the signature schemes presented in the first sub-selection is claimed.
FCS_TLSS_EXT.1.5 The TSF shall perform key establishment for TLS using [selection:
  RSA with size [selection: 2048 bits, 3072 bits, 4096 bits] and no other sizes
  Diffie-Hellman parameters with size [selection: 2048 bits, 3072 bits, 4096 bits, 6144 bits, 8192 bits] and no other sizes
  Diffie-Hellman groups [selection: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192] and no other groups, consistent with the client's supported_groups extension and [selection: key_share, no other] extension
  ECDHE parameters using elliptic curves [selection: secp256r1, secp384r1, secp521r1] and no other curves, consistent with the client's supported_groups extension and [selection: key_share, no other] extension, and using uncompressed formatting for points
].

Application Note: TLS 1.2 and TLS 1.3 perform key exchange using different mechanisms. In TLS 1.2, the requirements apply to the key exchange messages received by the server and optionally (for DHE or ECDHE ciphersuites) sent by the server. In TLS 1.3, the requirements apply to the values of the key_share extension contained in the client and server hello messages. The options depend on the supported ciphersuites. For each session, the key exchange method is consistent with the selected ciphersuite (TLS 1.2), the supported_groups extension (TLS 1.3 and, conditionally, TLS 1.2), or the key_share extension (TLS 1.3).

If the ST lists an RSA key exchange ciphersuite in FCS_TLSS_EXT.1.2, the ST must include the RSA selection in the requirement.

If the ST lists a DHE ciphersuite in FCS_TLSS_EXT.1.2, the ST must include the Diffie-Hellman selection for parameters of a certain size, the Diffie-Hellman groups selection in support of TLS 1.2 exchanges, or both. The selection for "Diffie-Hellman parameters" refers to the method defined by RFC 5246, section 7.4.3, where the server provides Diffie-Hellman parameters to the client in the server key exchange message. The "Diffie-Hellman groups" selection indicates key exchange negotiation in accordance with RFC 7919 using the supported_groups extension. RFC 7919 identifies particular Diffie-Hellman groups, which are listed in the following selection. This option is the preferred mechanism for TLS 1.2, and must be claimed if finite-field Diffie-Hellman groups are supported for TLS 1.3 key exchange.

If the ST lists an ECDHE ciphersuite in FCS_TLSS_EXT.1.2, the ST must include the selection for ECDHE using elliptic curves in the requirement, consistent with the support indicated for the supported_groups extension in FCS_TLSS_EXT.1.4.

When TLS 1.3 is negotiated (if supported), the group selected (a supported DHE or ECDHE group) agrees with one of the client's supported groups and the supplied key_share element, and the product's key_share element is a member of the selected group. If the TLS 1.3 client does not initially provide a key_share element for a group supported by both the product and the client, the TOE is expected to send a hello retry request message indicating the selected group; the requirement for matching the group indicated in the client's hello message then applies to the client hello received in response to the hello retry request message.

This SFR is claimed if "TLS as a server" is selected in FCS_TLS_EXT.1.1.
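The selection rule the application note describes, as an added example that is not code from the package or from any TOE: given the server's groups in its own preference order and the groups the client offered and supplied key shares for, it returns the group to use and whether a hello retry request is needed first. Group code points are the IANA values; the server preference order used in the demo is a made-up configuration.

```python
"""Server-side group selection for the TLS 1.3 key_share / supported_groups
rule in the FCS_TLSS_EXT.1.5 application note. Added example; not the
package's or any TOE's code."""

SECP256R1, SECP384R1, SECP521R1 = 0x0017, 0x0018, 0x0019   # RFC 8446 NamedGroup
FFDHE2048, FFDHE3072 = 0x0100, 0x0101                     # RFC 7919 groups


class HandshakeFailure(Exception):
    """No group is supported by both sides: abort with handshake_failure."""


def select_group(server_groups, client_supported_groups, client_key_share_groups):
    """Return (group, send_hello_retry_request).

    server_groups            server's groups in its own preference order
    client_supported_groups  groups listed in the client's supported_groups
    client_key_share_groups  groups for which the client hello carried a key_share

    RFC 8446 section 4.2.8: a key_share for a group absent from supported_groups
    is an illegal_parameter.  Otherwise take the most preferred mutually
    supported group for which the client already sent a share; if it sent none,
    a HelloRetryRequest naming the most preferred mutual group is required.
    """
    for g in client_key_share_groups:
        if g not in client_supported_groups:
            raise ValueError("illegal_parameter: key_share group %#06x not offered" % g)
    mutual = [g for g in server_groups if g in client_supported_groups]
    if not mutual:
        raise HandshakeFailure("no mutually supported group")
    for g in mutual:
        if g in client_key_share_groups:
            return g, False          # share already present: no extra round trip
    return mutual[0], True           # HelloRetryRequest carries this group


def demo():
    """Constructed server preference order and three client hellos."""
    server = [SECP384R1, SECP256R1, FFDHE3072]
    return {
        "share_for_second_choice": select_group(server, [SECP256R1, SECP384R1], [SECP256R1]),
        "share_for_first_choice":  select_group(server, [SECP256R1, SECP384R1],
                                                [SECP384R1, SECP256R1]),
        "no_usable_share":         select_group(server, [SECP256R1, FFDHE3072], []),
    }


if __name__ == "__main__":
    for name, (group, hrr) in demo().items():
        print(f"{name:26s} group={group:#06x} hello_retry_request={hrr}")
```

The second condition in the application note (the server's own key_share must be an element of the selected group) is a property of the key generation, not of this selection step; it is what Test 19.3 checks by decrypting the encrypted_extensions message at the test client.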
Evaluation Activities

FCS_TLSS_EXT.1

TSS: The evaluator shall check the description of the implementation of this protocol in the TSS to ensure the supported TLS versions, features, ciphersuites, and extensions are specified in accordance with RFC 5246 (TLS 1.2) and RFC 8446 (TLS 1.3 and updates to TLS 1.2) as appropriate. The evaluator shall check the description to see if beta (draft) TLS 1.3 versions are supported. The evaluator shall verify that the ciphersuites indicated in FCS_TLSS_EXT.1.2 are included in the description, and that none of the following ciphersuites are supported: ciphersuites indicating 'NULL', 'RC2', 'RC4', 'DES', 'IDEA', or 'TDES' in the encryption algorithm component, indicating 'anon' in the key exchange component, or indicating MD5 or SHA (i.e., SHA-1) in the message digest algorithm component. The evaluator shall verify that the TLS implementation description includes the extensions as required in FCS_TLSS_EXT.1.4. The evaluator shall confirm that the TLS description includes the number and types of certificates that can be installed to represent the TOE.

Guidance: The evaluator shall check the operational guidance to ensure that it contains instructions on configuring the product so that the TSF conforms to the requirements. If the ST indicates that beta versions of TLS 1.3 are supported for backward compatibility, the evaluator shall ensure that the operational guidance provides instructions for disabling these versions. The evaluator shall review the operational guidance to ensure instructions on installing certificates representing the TOE are provided.

Tests: The evaluator shall perform the following tests:
Test 19: (supported TLS 1.2 configurations) The evaluator shall perform the following tests:

Test 19.1: For each supported TLS 1.2 ciphersuite, the evaluator shall send a compliant TLS 1.2 client hello with the highest version or legacy version of 1.2 (value '0303'), a single entry in the cipher_suites field consisting of the specific ciphersuite, and no supported_versions extension or key_share extension. The evaluator shall observe that the TSF's server hello indicates TLS 1.2 in the highest version or legacy version field, does not include a supported_versions or key_share extension, and indicates the specific ciphersuite in the cipher_suite field. If the ciphersuite requires certificate-based authentication, the evaluator shall observe that the TSF sends a valid certificate representing the TOE and successfully completes the TLS handshake.

Note: The ciphersuites TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 as defined in RFC 8442, TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 as defined in RFC 5487, TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 as defined in RFC 8442, and TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 as defined in RFC 5487, if supported, do not require certificate-based authentication of the server.

Test 19.2: (TLS 1.2 support for TLS 1.3 clients) [conditional] If the TSF is configurable to support only TLS 1.2 (or if TLS 1.3 is not supported), and if the TSF supports DHE or ECDHE ciphersuites, the evaluator shall follow any operational guidance instructions necessary to configure the TSF to only support TLS 1.2. For each supported TLS 1.2 ciphersuite with DHE or ECDHE indicated as the key exchange method, the evaluator shall send a client hello with the highest version or legacy version of 1.2 (value '0303'), a list of ciphersuites consisting of one or more TLS 1.3 ciphersuites followed by the specific TLS 1.2 ciphersuite and no other TLS 1.2 ciphersuites in the cipher_suites field, and including TLS 1.3 supported_groups and key_share extensions with consistent values. The evaluator shall observe that the TSF's server hello indicates TLS 1.2 in the highest version or legacy version field, does not include a supported_versions or key_share extension, and indicates the specific TLS 1.2 ciphersuite in the cipher_suite field. The evaluator shall observe that the TSF completes the TLS 1.2 handshake successfully.

Note: Supported ciphersuites using RSA key exchange should not be included in this test. The supported_groups extension sent by the test TLS client should be consistent with the TLS 1.2 ciphersuite (e.g., it should be an EC group if the ciphersuite is ECDHE).

Test 19.3: (TLS 1.3 support) [conditional] If the TSF supports TLS 1.3, then for each supported TLS 1.3 ciphersuite and key exchange group, the evaluator shall send a compliant TLS 1.3 client hello indicating a list of one or more TLS 1.2 ciphersuites followed by the specific TLS 1.3 ciphersuite and no other ciphersuites in the cipher_suites field, a supported_versions extension indicating TLS 1.3 (value '0304') only, a supported_groups extension indicating the selected group, and a key_share extension containing a value representing an element of the specific group. The evaluator shall observe that the TSF's server hello contains the supported_versions extension indicating TLS 1.3, the specific ciphersuite in the cipher_suite field, and a key_share extension containing an element of the specific supported group. The evaluator shall observe that the TSF completes the TLS 1.3 handshake successfully.

Note: The connections in Test 19 may be established as part of the establishment of a higher-level protocol, e.g., as part of an EAP session. It is sufficient to observe the successful negotiation of a ciphersuite to satisfy the intent of the test; it is not necessary to examine the characteristics of the encrypted traffic in an attempt to discern the ciphersuite being used (for example, that the cryptographic algorithm is 128-bit AES and not 256-bit AES). It is not necessary to pair every supported ciphersuite with every supported group. It is sufficient to use a set of ciphersuite and supported group pairs such that each ciphersuite and each supported group are included in this set. TLS 1.3 includes the supported_groups extension in the encrypted_extensions message. This message may be observed at the test client after it is decrypted to help verify that the key_share is actually a member of the supported group requested.

Test 20: (obsolete versions) The evaluator shall perform the following tests:

Test 20.1: For each of SSL version 2, SSL version 3, TLS version 1.0, and TLS version 1.1, the evaluator shall send a client hello to the TSF indicating the selected version as the highest version. The evaluator shall observe that the TSF terminates the connection. Note: It is preferred that the TSF sends a fatal error alert message (e.g., protocol_version, insufficient_security) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 20.2: The evaluator shall follow the operational guidance to configure the TSF to ensure any supported beta TLS 1.3 versions are disabled, as necessary. The evaluator shall send the TSF a client hello message whose highest version field (referred to as legacy_version in TLS 1.3) has the non-standard value '0304' and observe that the TSF responds with a server hello indicating the highest version it supports. Note: Test 20.2 is intended to test the TSF response to non-standard versions, including beta versions of TLS 1.3. If the TSF supports such beta versions, the evaluator shall follow the operational guidance instructions to disable them prior to conducting Test 20.2. Some TLS 1.3 implementations ignore the legacy version field and only check for the supported_versions extension to determine TLS 1.3 support by a client. It is preferred that the legacy version field still be set to a standard version ('0303') in the server hello, but it is acceptable that the presence of supported_versions indicating TLS 1.3 (value '0304') overrides the legacy_version indication to determine the highest supported version.
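The test client side of Tests 19 and 20 reduces to two mechanical pieces: emitting a client hello with exactly the version field, ciphersuite list and extensions the test calls for, and reading back the fields of the server hello that the observations name. The following is an added example of both (not code from the package or from any TOE). It implements only the handshake framing; key generation, certificates and record encryption are out of scope, so the key_share bytes passed in are opaque and the build_server_hello helper exists only to construct parser input for the offline checks.

```python
"""Builds the client hellos and inspects the server hellos used in Tests 19
and 20 of FCS_TLSS_EXT.1. Added example; not the package's or any TOE's code."""
import os
import struct

TLS12, TLS13 = 0x0303, 0x0304
EXT_SUPPORTED_GROUPS, EXT_SUPPORTED_VERSIONS, EXT_KEY_SHARE = 0x000A, 0x002B, 0x0033


def _vec(data, width):
    """Length-prefixed vector with a `width`-byte length field."""
    return len(data).to_bytes(width, "big") + data


def _ext(ext_type, body):
    return struct.pack(">HH", ext_type, len(body)) + body


def build_client_hello(legacy_version, cipher_suites, supported_versions=(),
                       supported_groups=(), key_shares=(), random_bytes=None):
    """Return a ClientHello handshake message inside a TLS record.

    key_shares is a sequence of (group, key_exchange) pairs; the key_exchange
    bytes are passed through unchanged (a real client derives them from a fresh
    ephemeral key).  SSL 2.0 hellos use a different record format and are not
    produced here."""
    body = struct.pack(">H", legacy_version)
    body += random_bytes if random_bytes is not None else os.urandom(32)
    body += _vec(b"", 1)                                   # empty legacy_session_id
    body += _vec(b"".join(struct.pack(">H", c) for c in cipher_suites), 2)
    body += _vec(b"\x00", 1)                               # null compression only
    exts = b""
    if supported_versions:
        exts += _ext(EXT_SUPPORTED_VERSIONS,
                     _vec(b"".join(struct.pack(">H", v) for v in supported_versions), 1))
    if supported_groups:
        exts += _ext(EXT_SUPPORTED_GROUPS,
                     _vec(b"".join(struct.pack(">H", g) for g in supported_groups), 2))
    if key_shares:
        entries = b"".join(struct.pack(">H", g) + _vec(ke, 2) for g, ke in key_shares)
        exts += _ext(EXT_KEY_SHARE, _vec(entries, 2))
    body += _vec(exts, 2)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record-layer version: 0x0301 for TLS 1.0 and later (RFC 8446 section 5.1),
    # the hello's own version for an SSL 3.0 hello.
    record_version = min(legacy_version, 0x0301)
    return b"\x16" + struct.pack(">H", record_version) + _vec(handshake, 2)


def build_server_hello(legacy_version, cipher_suite, extensions=(), session_id_echo=b""):
    """Encode a ServerHello record; used here only to construct parser input."""
    body = struct.pack(">H", legacy_version) + os.urandom(32)
    body += _vec(session_id_echo, 1) + struct.pack(">H", cipher_suite) + b"\x00"
    body += _vec(b"".join(_ext(t, d) for t, d in extensions), 2)
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack(">H", TLS12) + _vec(handshake, 2)


def parse_server_hello(record):
    """Extract the ServerHello fields the tests inspect; ValueError if malformed."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 38:
        raise ValueError("truncated ServerHello")
    legacy_version = struct.unpack(">H", body[0:2])[0]
    pos = 34                                               # skip version + random
    sid_len = body[pos]; pos += 1
    session_id_echo = body[pos:pos + sid_len]; pos += sid_len
    cipher_suite = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 3   # + compression
    extensions = {}
    if pos < len(body):
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2
        if end != len(body):
            raise ValueError("bad extensions length")
        while pos < end:
            ext_type, ext_len = struct.unpack(">HH", body[pos:pos + 4]); pos += 4
            if ext_type in extensions or pos + ext_len > end:
                raise ValueError("duplicate or truncated extension")
            extensions[ext_type] = body[pos:pos + ext_len]; pos += ext_len
    # RFC 8446 section 4.2.1: a TLS 1.3 server signals the version in
    # supported_versions and leaves legacy_version at 0x0303; a TLS 1.2
    # server hello carries no supported_versions, so legacy_version is final.
    sv = extensions.get(EXT_SUPPORTED_VERSIONS)
    negotiated = struct.unpack(">H", sv)[0] if sv is not None and len(sv) == 2 else legacy_version
    ks = extensions.get(EXT_KEY_SHARE)
    key_share_group = struct.unpack(">H", ks[:2])[0] if ks is not None and len(ks) >= 2 else None
    return {"legacy_version": legacy_version, "negotiated_version": negotiated,
            "cipher_suite": cipher_suite, "session_id_echo": session_id_echo,
            "extensions": extensions, "key_share_group": key_share_group}


def passes_test_19_1(parsed, expected_suite):
    """Test 19.1 observation: TLS 1.2 chosen, no 1.3-only extensions, suite echoed."""
    return (parsed["legacy_version"] == TLS12 and parsed["negotiated_version"] == TLS12
            and EXT_SUPPORTED_VERSIONS not in parsed["extensions"]
            and EXT_KEY_SHARE not in parsed["extensions"]
            and parsed["cipher_suite"] == expected_suite)


def passes_test_19_3(parsed, expected_suite, expected_group):
    """Test 19.3 observation: TLS 1.3 in supported_versions, suite and group echoed."""
    return (parsed["negotiated_version"] == TLS13 and parsed["legacy_version"] == TLS12
            and parsed["cipher_suite"] == expected_suite
            and parsed["key_share_group"] == expected_group)
```

For Test 20.1 the same builder is called with legacy_version 0x0300, 0x0301 or 0x0302 and no supported_versions extension; for Test 20.2 with legacy_version 0x0304. The parser's negotiated_version already encodes the note's rule that supported_versions in the server hello overrides legacy_version, so the evaluator's remaining job is to compare that value with the highest version the ST claims.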
Test 21: (ciphersuites) The evaluator shall perform the following tests on handling unexpected ciphersuites using a test TLS client sending handshake messages compliant with the negotiated version except as indicated in the test:

Test 21.1: (ciphersuite not supported) For each supported version, the evaluator shall follow the operational guidance, if available, to configure the TSF to disable a supported ciphersuite. The evaluator shall send a compliant client hello to the TSF indicating support for the specific version and a cipher_suites field containing only this single disabled ciphersuite. The evaluator shall observe that the TOE rejects the connection. Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake_failure) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). If the TSF's ciphersuites are not configurable, it is acceptable to use a named ciphersuite from the IANA TLS parameters registry that is associated with the tested version but not supported by the TSF. Additional special cases of this test for particular ciphersuites are performed separately.

Test 21.2: (version confusion) For each supported version, the evaluator shall send a client hello that is compliant for the specific version and includes a list of ciphersuites consisting of a single ciphersuite not associated with that version. The evaluator shall observe that the TOE rejects the connection.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake_failure) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). It is preferred that Test 21.2 use TLS 1.3 ciphersuites for a server negotiating TLS 1.2. If TLS 1.3 is supported, Test 21.2 also includes a server negotiating TLS 1.3 with a TLS 1.2 ciphersuite; in this case, the offered ciphersuite should be one the TOE supports when negotiating TLS 1.2. If the TOE is configurable to allow both TLS 1.2 and TLS 1.3 clients (or does so by default), this configuration is used for both the TLS 1.2 and TLS 1.3 iterations of this test; otherwise the TOE is configured to support the negotiated version in each iteration.

Test 21.3: (null ciphersuite) For each supported version, the evaluator shall send a client hello indicating support for the version and including a ciphersuite list consisting of only the null ciphersuite (TLS_NULL_WITH_NULL_NULL, with the value '0000') and observe that the TOE rejects the connection. Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake_failure, insufficient_security) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 21.4: (anon ciphersuite) The evaluator shall send the TSF a TLS 1.2 client hello that is compliant, except that the cipher_suites field includes a ciphersuite list consisting only of ciphersuites using the anonymous server authentication method, and observe that the TOE rejects the connection.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake_failure, insufficient_security) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). See the IANA TLS parameters registry for available ciphersuites to be included in the client hello. The test ciphersuite list should include ciphersuites using supported cryptographic algorithms in as many of the other components as possible. For example, if the TSF supports the ciphersuite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, the evaluator should include TLS_DH_anon_WITH_AES_256_GCM_SHA384.

Test 21.5: (deprecated encryption algorithm) The evaluator shall send the TSF a TLS 1.2 client hello that is compliant, except that the cipher_suites field is a list consisting only of ciphersuites indicating a deprecated encryption algorithm, including at least one each of NULL, RC2, RC4, DES, IDEA, and TDES. The evaluator shall observe that the TOE rejects the connection. Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake_failure, insufficient_security) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). See the IANA TLS parameters registry for available ciphersuites to be included. The test ciphersuites should use supported cryptographic algorithms for as many of the other components as possible. For example, if the TSF supports TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, the test could include TLS_ECDHE_PSK_WITH_NULL_SHA384, TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_DHE_DSS_WITH_DES_CBC_SHA, TLS_RSA_WITH_IDEA_CBC_SHA, and TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA.
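Two checks that can be run over a server's configured ciphersuite list before any of Tests 21.3 to 21.5 is attempted, as an added example (not code from the package or from any TOE): the excluded-component rule from the FCS_TLSS_EXT.1 TSS activity (NULL, RC2, RC4, DES, IDEA, TDES, anon, MD5, SHA-1), and the preference ordering from the FCS_TLSS_EXT.1.2 application note (GCM over CBC, ECDHE over DHE over RSA, SHA-256/384 over SHA-1). Both work purely from the IANA naming convention, so an ST author can run them over the claimed list as well. Note that the literal TSS rule excludes TLS_RSA_WITH_AES_128_CBC_SHA even though the selection in FCS_TLSS_EXT.1.2 still lists it; an ST claiming that suite has to reconcile the two.

```python
"""Ciphersuite exclusion and ordering checks derived from the FCS_TLSS_EXT.1
TSS activity and the FCS_TLSS_EXT.1.2 application note.  Added example; not
code from the package or any TOE."""

DISALLOWED_CIPHERS = {"NULL", "RC2", "RC4", "DES", "3DES", "IDEA"}
DISALLOWED_MACS = {"NULL", "MD5", "SHA"}      # a bare "SHA" token means SHA-1


def split_suite(name):
    """Split an IANA name into (key-exchange tokens, cipher tokens, MAC/PRF token).

    TLS 1.3 names (TLS_AES_128_GCM_SHA256) have no key-exchange part."""
    if not name.startswith("TLS_"):
        raise ValueError("not an IANA TLS ciphersuite name: " + name)
    rest = name[4:]
    kx, sep, tail = rest.partition("_WITH_")
    if not sep:
        kx, tail = "", rest
    parts = tail.split("_")
    return (kx.split("_") if kx else []), parts[:-1], parts[-1]


def disallowed_reasons(name):
    """Return the components that make `name` unacceptable under the TSS activity;
    an empty list means the suite is not excluded by that rule."""
    kx, cipher, mac = split_suite(name)
    reasons = []
    if "anon" in kx:
        reasons.append("anon key exchange")
    if "EXPORT" in kx:
        reasons.append("export-grade key exchange")
    for tok in cipher:
        if tok in DISALLOWED_CIPHERS:
            reasons.append("cipher " + ("TDES" if tok == "3DES" else tok))
    if mac in DISALLOWED_MACS:
        reasons.append("MAC " + mac)
    return reasons


def preference_key(name):
    """Sort key for the application note's ordering: GCM before CBC, ECDHE
    before DHE before RSA/static, SHA-256/384 before SHA-1.  Lower sorts first."""
    kx, cipher, mac = split_suite(name)
    mode = 0 if "GCM" in cipher else 1
    if "ECDHE" in kx or not kx:          # TLS 1.3 suites always use (EC)DHE
        exchange = 0
    elif "DHE" in kx:
        exchange = 1
    else:
        exchange = 2
    digest = 0 if mac in ("SHA256", "SHA384") else 1
    return (mode, exchange, digest, name)


def order_and_filter(names):
    """Drop excluded suites, then return the rest in preference order."""
    allowed = [n for n in names if not disallowed_reasons(n)]
    return sorted(allowed, key=preference_key)


if __name__ == "__main__":
    for suite in ["TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
                  "TLS_DH_anon_WITH_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"]:
        print(f"{suite:40s} {disallowed_reasons(suite) or 'allowed'}")
```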
Test 22: (extensions)

Test 22.1: (signature algorithms) [conditional] If the TSF supports certificate-based authentication, then for each supported signature algorithm indicated in the ST, the evaluator shall perform the following sub-tests with certificates that represent the TOE. For each sub-test, the evaluator shall establish a to-be-signed certificate representing the TOE using a public-private key pair suitable for the specific signature algorithm value, and request the certificate from a certification authority that uses the same signature algorithm, in accordance with FIA_X509_EXT.3. [Draft editor comment: the reference to FIA_X509_EXT.3 implies that any PP or module that uses this package must have the ability to generate its own CSRs (either as part of the TOE or its underlying platform); unsure if this is intended or if it will be permissible to load a cert issued by a CA.] If the TSF also supports the signature_algorithms_cert extension, then for each value of the signature_algorithms_cert extension, the evaluator shall repeat the sub-tests using a to-be-signed certificate with a key pair consistent with the signature algorithm, with a certificate obtained from a certification authority that signs certificates using the specific value of the signature_algorithms_cert extension.

Note: The TSF supports certificate-based server authentication if the TLS 1.2 supported ciphersuites include ciphersuites other than TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 as defined in RFC 8442, TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 as defined in RFC 5487, TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 as defined in RFC 8442, and TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 as defined in RFC 5487. If these are the only supported ciphersuites, this test is omitted. For TLS 1.3 certificate-based server authentication, the client hello should not include the pre_shared_key extension. The evaluator shall follow operational guidance instructions to provision the TSF with one or more of these certificates as indicated in the following sub-tests:

Test 22.1.1: (TLS 1.2) For each supported value of the signature_algorithms extension, the evaluator shall provision a certificate with a key pair compatible with the specific signature_algorithms value and send the TSF a TLS 1.2 client hello that indicates all supported ciphersuites and has a signature_algorithms extension consisting of a single value matching the specific signature algorithm. If the TSF supports the signature_algorithms_cert extension, the client hello also contains the value consistent with the provisioned certificate. The evaluator shall observe that the TSF negotiates TLS 1.2 with a TLS 1.2 ciphersuite that is compatible with the signature algorithm, and that it sends a certificate message containing the provisioned certificate with a key pair that is consistent with the specific signature_algorithms value (and signed using the signature_algorithms_cert extension value, if supported). Note: For TLS 1.2, the ciphersuite describes the signature algorithm as RSA or ECDSA and is compatible with the certificate used if the signature algorithm component of the ciphersuite is of the same type as the signature value of the signature_algorithms extension.

Test 22.1.2: [conditional] If the TSF supports TLS 1.3, then for each supported value of the signature_algorithms extension, the evaluator shall provision a certificate with a key pair that is compatible with the specific signature_algorithms value, and send a TLS 1.3 client hello that indicates a supported ciphersuite and has a signature_algorithms extension consisting of a single value matching the specific signature algorithm. If the TSF supports the signature_algorithms_cert extension, the client hello also contains a signature_algorithms_cert extension with a value consistent with the provisioned certificate. The evaluator shall observe that the TSF sends a certificate message containing the provisioned certificate consistent with the specific signature_algorithms value (and signed using the signature_algorithms_cert extension value) and a certificate verify message using the signature_algorithms extension value.

Note: For TLS 1.3, the certificate and certificate verify messages are encrypted. The evaluator confirms the values of these messages as received at the test TLS client, using logs, or using a test TLS client designed to expose the certificates after they are decrypted. It is not necessary to manually verify the signature used in the key exchange message (TLS 1.2) or certificate verify message (TLS 1.3).

Test 22.1.3: [conditional] If the ST indicates that the TSF supports provisioning of multiple certificates, the evaluator shall repeat Test 22.1.1 with both the provisioned certificate indicated for Test 22.1.1 (and Test 22.1.2 if TLS 1.3 is supported) and a certificate that does not match the signature_algorithms value. The evaluator shall observe that the certificate message (for TLS 1.2) does not include the certificate that does not match the signature_algorithms value (and signature_algorithms_cert value, if supported) in the client hello. [Draft editor comment (JF): Per SME, this test has issues with TLS 1.3 and will need updates.]

Test 22.1.4: (TLS 1.2) The evaluator shall provision a certificate as in Test 22.1.1 but shall send a client hello that only offers ciphersuites whose signature component does not match the value of the signature_algorithms extension. The evaluator shall observe that the TSF terminates the handshake.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake_failure, illegal_parameter) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).

Test 22.2: (extended master secret) The evaluator shall initiate a TLS 1.2 session with the TSF from a test TLS client whose client hello does not include the extended_master_secret extension and observe that the TSF terminates the session.

Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake_failure) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).
Test 23: (key exchange) The evaluator shall perform the following tests to confirm compliant key exchange:

Test 23.1: (TLS 1.2 RSA key exchange) [conditional] If any of the supported TLS 1.2 ciphersuites in the ST includes RSA for the key exchange method, the evaluator shall perform the following sub-tests:

Test 23.1.1: For each supported RSA key size, the evaluator shall provision the TSF with a valid certificate that has an RSA public key of that size. The evaluator shall initiate a valid TLS 1.2 handshake from a compliant test TLS 1.2 client and observe that the server certificate message matches the provisioned certificate.

Test 23.1.2: For each supported RSA key size, the evaluator shall send the TSF a compliant TLS 1.2 client hello, but in place of the client's key exchange message, the evaluator shall send the TSF a (non-compliant) ClientKeyExchange message that is properly formatted but uses an invalid EncryptedPreMasterSecret field (e.g., modify a byte of a properly computed value). The evaluator shall attempt to complete the handshake using compliant client change cipher spec and finished messages and verify that the TSF terminates the handshake in a manner that is indistinguishable from a finished message error and does not send application data. Note: The mitigations for the Bleichenbacher padding oracle attack described in RFC 5246 Section 7.4.7.1 and Appendix D.4 require the TSF to exhibit the same behavior for key exchange failures as it does for finished message failures: the server continues the handshake with a randomly generated premaster secret, so the failure surfaces only when the finished message does not verify. It is preferred that the TSF send a fatal decrypt_error alert at the end of the handshake both in this case and for a finished message error, but it is acceptable that the TSF terminate the session with another error alert, or without sending an error alert, in either case. If the failure error alert is not decrypt_error, the evaluator shall note that the TSF's response agrees with the response observed in the TLS 1.2 iteration of Test 23.2.
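The server-side behaviour that Test 23.1.2 is looking for, as an added example (not code from the package or from any TOE). It applies the RFC 5246 Section 7.4.7.1 rule to the result of the RSA decryption and then runs the tail of the handshake for three constructed cases: an honest client, a tampered EncryptedPreMasterSecret, and a tampered Finished. The RSA operation itself is modelled as a value that is either the 48-byte plaintext or None, and the key derivation is a stand-in HMAC construction rather than the TLS PRF, so the transcript and premaster values are made up; what the example shows is that both failures reach the same alert at the same point.

```python
"""RFC 5246 section 7.4.7.1 handling of EncryptedPreMasterSecret, driven through
a toy handshake tail so the two failure paths of Test 23.1.2 can be compared.
Added example; not code from the package or any TOE."""
import hashlib
import hmac
import os

CLIENT_VERSION = b"\x03\x03"          # ClientHello.client_version for TLS 1.2


def premaster_from_decrypt(decrypt_result, client_version=CLIENT_VERSION):
    """Apply RFC 5246 section 7.4.7.1: generate R first, then substitute
    client_version || R whenever the decrypted value is unusable, so the
    handshake proceeds and fails only at Finished."""
    fallback = client_version + os.urandom(46)   # generated before any check, always
    if decrypt_result is None or len(decrypt_result) != 48:
        return fallback                          # bad PKCS#1 padding or bad length
    if decrypt_result[:2] != client_version:
        return fallback                          # version rollback attempt
    return decrypt_result


def _derive(key, label, transcript):
    """Stand-in for the TLS 1.2 PRF; only needs to be deterministic here."""
    return hmac.new(key, label + transcript, hashlib.sha256).digest()


def server_handle_key_exchange_and_finished(decrypt_result, transcript, client_verify_data):
    """Server side of the handshake tail. Returns "ok" or the alert it would send.
    A bad EncryptedPreMasterSecret and a bad Finished both end here, as the same
    decrypt_error, after the same amount of work."""
    premaster = premaster_from_decrypt(decrypt_result)
    master = _derive(premaster, b"master secret", transcript)
    expected = _derive(master, b"client finished", transcript)[:12]
    if not hmac.compare_digest(expected, client_verify_data):
        return "decrypt_error"
    return "ok"


def client_finished(premaster, transcript):
    """What an honest client sends as verify_data for the given premaster."""
    master = _derive(premaster, b"master secret", transcript)
    return _derive(master, b"client finished", transcript)[:12]


def demo():
    """Three runs on constructed data: honest, tampered EPMS, tampered Finished."""
    transcript = b"constructed handshake transcript"
    premaster = CLIENT_VERSION + bytes(range(46))       # constructed, not random
    honest = client_finished(premaster, transcript)
    return {
        "honest": server_handle_key_exchange_and_finished(premaster, transcript, honest),
        # Attacker-modified EncryptedPreMasterSecret: RSA decryption fails or
        # yields garbage; modelled here as None.
        "bad_epms": server_handle_key_exchange_and_finished(None, transcript, honest),
        # Correct premaster but a Finished with one byte flipped.
        "bad_finished": server_handle_key_exchange_and_finished(
            premaster, transcript, bytes([honest[0] ^ 1]) + honest[1:]),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:13s} {outcome}")
```

Generating R before the decryption is attempted, as the RFC's step ordering requires, is what keeps the two paths close in timing as well as in message sequence; a server that only generated the random premaster on the failure path would still be distinguishable by a timing oracle even though its alerts match.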
Test 23.2: For each supported version, the evaluator shall initiate a compliant handshake up through the (implied for TLS 1.3) change cipher spec message. The evaluator shall then send a (non-compliant) client finished handshake message with an invalid 'verify data' value and verify that the server terminates the session and does not send any application data.
Note: TLS 1.2 handshakes include explicit change cipher spec messages, but TLS 1.3 omits the change cipher spec message. If TLS 1.3 is supported, the modified finished message is sent as the final message from the client after receiving the server's second flight of handshake messages {encrypted extensions, (new ticket), (certificate, certificate verify), (certificate request)}. It is preferred that the TSF send a fatal decryption failure error alert, but it is acceptable that the TSF terminate the session using another error alert or without sending an error alert. The finished message is encrypted. The invalid 'verify data' can be constructed by modifying a byte of a compliant finished message payload.
Test 23.3: (TLS 1.2 DHE or ECDHE key exchange) [conditional] If the ST indicates support for DHE or ECDHE cipher suites for TLS 1.2, then the evaluator shall perform the following sub-tests:
Test 23.3.1: [conditional] If the TSF supports DHE cipher suites and supports DHE parameters that are not specified in the supported groups extension, then for each supported DHE parameter set, the evaluator shall follow the operational guidance to configure the TSF to use the DHE parameters in its key exchange. The evaluator shall then initiate a TLS 1.2 handshake from a test client with a client hello indicating a single DHE cipher suite. The evaluator shall observe that the TSF key exchange message indicates the configured parameters and ensure that the client key exchange is a valid point for the parameter set. The evaluator shall confirm that the TSF successfully completes the session. The evaluator shall close the session and resend the client hello. After the TSF responds with a valid key exchange message, the evaluator shall send an empty client key exchange message and observe that the TSF terminates the session.
Note: It is preferred that the TSF sends a fatal error alert message (e.g., decryption failure, illegal parameter, handshake error) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).
Test 23.3.2: [conditional] If the TSF supports DHE cipher suites and supports DHE groups in the supported groups extension, then for each supported DHE group, the evaluator shall send the TSF a compliant TLS 1.2 client hello indicating a single cipher suite that is compatible with the group and indicating the group in the supported groups extension. The evaluator shall observe that the TSF negotiates TLS 1.2 using the indicated cipher suite and that the server key exchange message indicates the specific group. The evaluator shall send the TOE a client key exchange with a valid point in the group and observe that the TSF successfully completes the session. The evaluator shall close the session and resend the client hello. After the TSF responds with a valid key exchange message, the evaluator shall send the TSF a client key exchange with the public key value '0'. The evaluator shall observe that the TSF terminates the session. The evaluator shall send a new client hello including the same cipher suite but indicating a group not supported by the TSF in the supported groups extension. The evaluator shall observe that the TSF terminates the session.
Note: It is preferred that the TSF sends a fatal error alert message (e.g., decryption failure, illegal parameter, handshake error) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).
Test 23.3.3: [conditional] If the TSF supports ECDHE cipher suites (and therefore supports ECDHE groups in the supported groups extension), the evaluator shall send a client hello message indicating a single supported ECDHE cipher suite and including the supported ECDHE group in the supported groups extension. The evaluator shall observe that the TSF sends a key exchange message with a valid point of the specified group. The evaluator shall send the TSF a client key exchange message consisting of a valid element in the supported group and observe that the TSF successfully completes the session. The evaluator shall close the session and resend the client hello. After the TSF sends the valid key exchange message, the evaluator shall send a client key exchange message consisting of an invalid element of the supported group and observe that the TSF terminates the handshake. The evaluator shall send a third client hello to the TSF indicating the supported ECDHE cipher suite and including an ECDHE group that is not supported. The evaluator shall observe that the TSF terminates the session.
Note: It is preferred that the TSF sends a fatal error alert message (e.g., decryption failure, illegal parameter, handshake error, insufficient security) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). An invalid ECDSA point consists of properly formatted x and y components, but for which the equation of the curve is not satisfied. To obtain an invalid point, the evaluator can modify a byte of the y coordinate value of a valid point and confirm that the point is not on the curve. The IANA TLS parameters website lists registered ECDHE groups for use in selecting a non-supported group. If the TSF supports all registered ECDHE groups, it is acceptable to send the client hello without a supported groups extension. The TSF should reject such a client hello, but it is acceptable for the TSF to default to a supported group. In this case, the TSF passes the test.
Test 23.4: (TLS 1.3 key exchange) [conditional] If the TSF supports TLS 1.3, then for each supported group the evaluator shall perform the following sub-tests:
Test 23.4.1: The evaluator shall send the TSF a compliant TLS 1.3 client hello indicating a single key share value from the supported group and shall observe that the server hello includes valid elements of the supported group.
Test 23.4.2: The evaluator shall send the TSF a TLS 1.3 client hello indicating a supported groups value supported by the TSF but containing a key share extension indicating an element claiming to be in the supported group that does not represent a valid element of the group. The evaluator shall observe that the TSF terminates the session.
Note: It is preferred that the TSF sends a fatal error alert message (e.g., illegal parameter, handshake failure, decryption failure) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). For DHE groups, the invalid element may be of the wrong length; for ECDHE groups, the invalid element has coordinates (x and y) that do not satisfy the equation of the elliptic curve. To obtain an invalid ECDHE point, the evaluator can modify a byte of the y coordinate value of a valid point and confirm that the point is not on the curve.
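As an added illustration that is not part of the TLS-PKG, the on-curve validation a server applies to a client's ECDHE key exchange (Test 23.3.3) or TLS 1.3 key share (Test 23.4.2), together with the evaluator's construction of the invalid point by altering one byte of y; the curve constants are NIST P-256 and the function names are this example's own.

```python
# Added example (not from the TLS-PKG): the public-key validation a TLS server
# applies to a client's ECDHE key exchange (TLS 1.2) or key_share (TLS 1.3).
# Tests 23.3.3 and 23.4.2 send a point whose y coordinate has one altered byte;
# a server that skips this check would derive a shared secret from an off-curve
# point instead of terminating the handshake. Constants: NIST P-256.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def on_curve(x, y):
    """True iff 0 <= x, y < p and y^2 == x^3 + a*x + b (mod p)."""
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def encode_point(x, y):
    """Uncompressed encoding 0x04 || X || Y as carried in the key exchange message."""
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def decode_point(data):
    """Parse a 65-byte uncompressed P-256 point; raise ValueError if malformed."""
    if len(data) != 65 or data[0] != 0x04:
        raise ValueError("malformed uncompressed point")
    return int.from_bytes(data[1:33], "big"), int.from_bytes(data[33:], "big")


def validate_peer_point(data):
    """Server-side check: True to continue the handshake, False to terminate it.
    P-256 has cofactor 1, so an on-curve affine point is already in the prime-order
    subgroup; the point at infinity has no uncompressed encoding and fails the
    format check."""
    try:
        x, y = decode_point(data)
    except ValueError:
        return False
    return on_curve(x, y)


def corrupt_y(point):
    """Constructed test input per the test notes: alter one byte of the y coordinate."""
    buf = bytearray(point)
    buf[-1] ^= 0x01
    return bytes(buf)
```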
Test 23.5: For each supported version, the evaluator shall initiate a TLS handshake from a test TLS client with compliant handshake messages negotiating the version and supported parameters to include the change cipher spec message (implied for TLS 1.3), but which omits the finished message and instead sends an application message containing random data. The evaluator shall observe that the TSF terminates the connection.
Note: It is preferred that the TSF sends a fatal error alert message (e.g., decryption failure) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). Application data is indicated by the TLSCipherText ContentType field having value 23 (application data). The legacy record version '0303' and length fields should match a valid TLSCipherText message of the same size.
FCS_TLSS_EXT.2 TLS Server Support for Mutual Authentication
The inclusion of this selection-based component depends upon selection in FCS_TLSS_EXT.1.1.
FCS_TLSS_EXT.2.1 The TSF shall support authentication of TLS clients using X.509v3 certificates during the TLS handshake and [selection: during post-handshake requests, at no other time] using the certificate types indicated in the client's signature_algorithms and [selection: signature_algorithms_cert, no other] extension.
Application Note: TLS 1.3 supports authentication after completing the abbreviated handshake with pre-shared keys. A server may send a client a certificate request after the finished message whenever the client includes the post-handshake authentication extension. The ST author claims 'during post-handshake request' if this feature is supported. If TLS 1.3 is not supported, or if the TLS post-handshake request extension is not recognized in a TLS 1.3 handshake, the ST author selects 'at no other time'.
FCS_TLSS_EXT.2.2 The TSF shall support authentication of TLS clients using X.509v3 certificates in accordance with FIA_X509_EXT.1.
FCS_TLSS_EXT.2.3 The TSF shall be able to reject the establishment of a trusted channel if the requested client certificate is invalid and [selection:
- continue establishment of a server-only authenticated TLS channel in accordance with FCS_TLSS_EXT.1 in support of [selection: all applications, [assignment: list of calling applications that accept both authenticated and unauthenticated client sessions]] when an empty certificate message is provided by the client
- continue establishment of a mutually authenticated TLS channel when revocation status information for the [selection: client's leaf certificate, [assignment: specific intermediate leaf CA certificates], any non-trust store certificate in the certificate chain] is not available in support of [selection: all applications, [assignment: list of calling applications configurable to perform certificate status information bypass processing]] as [selection: configured by an administrator, confirmed by the application user, as a default for [assignment: subset of applications]]
- no other processing options for missing or invalid client certificates
].
Application Note: The ST author claims any certificate processing exceptions that are allowed for specific calling applications. The 'continue establishment of a server-only authenticated TLS channel ...' selection is claimed if the TLS product supports applications that can provide services to unauthenticated users if the user does not possess an appropriate certificate. Within this selection, the ST author indicates which applications are able to support both authenticated and unauthenticated users.
The ST author claims 'continue establishment of a mutually authenticated TLS channel ...' if there is an administrator configuration or user confirmation that revocation status information is not available for one or more of the certificates in the client's certificate chain. If claimed, the ST author will describe in the assignment for intermediate values which CA certificates are included in the exception (for example, "all intermediates but the issuing CA" or "specific end-entity certificates as configured"). Within this selection, the ST author specifies which applications are impacted and which authorized user is allowed to approve continuing with the session when revocation information is not available. If an administrator configures whether a user may accept a certificate without status information, both selections are claimed. The 'as a default' option should only be selected for applications that do not have access to revocation information. Methods for obtaining revocation information are included in FIA_X509_EXT.1.
FCS_TLSS_EXT.2.4 The TSF shall be able to [selection:
- not establish a TLS session if an entry of the Distinguished Name or a [selection: rfc822_name, dns_name, [assignment: supported name types]] in the Subject Alternate Name extension contained in the client certificate does not match one of the expected identifiers for the client in accordance with [selection: RFC 2822, RFC 6125, RFC 5280, [assignment: RFC for the supported name type]] matching rules
- pass the [selection: validated certificate, RFC 822 name normalized according to RFC 822, DNS name normalized according to RFC 6125, [assignment: list of RFC 5280 name types and normalization rules], [assignment: list of 'other' name types and standard normalization rules]] to [assignment: list of calling applications capable of making access decisions]
].
Application Note: Authorization for services provided by the applications that are protected by the TLS session is determined either by the application establishing a set of reference identifiers or by passing the received identifiers to the application. The ST author indicates the methods supported and, for each method supported, indicates all name types supported; at least one name type is required. In the assignment of the first option, the ST author indicates all name types and the corresponding method for matching in the sub-selections. In the second method option, the ST author indicates which name type normalizations the product supports. If the product passes the entire validated certificate to the application, no normalization of the names contained in the certificate is expected.
If name normalization is claimed, care should be taken regarding wildcards and IP addresses. IP addresses embedded in DNS host names and in Directory Name CN components have been observed to include non-standard wildcard designations including the '*' character. Any embedded IP addresses should use standard CIDR notation and should not include nonstandard encoding.
This SFR is claimed if "mutual authentication" is selected in FCS_TLSS_EXT.1.1.
Evaluation Activities
FCS_TLSS_EXT.2
TSS: The evaluator shall ensure that the TSS description required per FIA_X509_EXT.2.1 includes the use of client-side certificates for TLS mutual authentication, and that the description includes any certificate validation exception rules and the name types supported for matching to reference identifiers for all applications that use TLS. The evaluator shall examine the TSS to ensure that any CN-embedded name types that are used include a description of the encoding and matching rules.
Guidance: The evaluator shall verify that the operational guidance includes instructions for configuring trust stores for client-side certificates used in TLS mutual authentication. The evaluator shall ensure that the operational guidance includes instructions for configuring the server to require mutual authentication of clients using these certificates and for configuring any certificate validation exception rules. The evaluator shall ensure that the operational guidance includes instructions for configuring reference identifiers normalized or matched by the TSF and matching rules for the supported name types.
Tests: The evaluator shall use TLS as a function to verify that the validation rules in FIA_X509_EXT.1 are adhered to and shall perform the tests listed below. The evaluator shall apply the operational guidance to configure the server to require TLS mutual authentication of clients for these tests unless overridden by instructions in the test activity.
Note: TLS 1.3 is a fundamentally different protocol than TLS 1.2, so even though the certificate validation and name checking tests are identical for both versions, it is likely that early deployments of TLS 1.3 may use a different code-base that warrants independent testing. If TLS 1.3 is supported and the evaluator can verify that the TSF uses the same code-base for certificate validation and name checking for both TLS 1.3 and TLS 1.2, it is acceptable that testing be performed for only one version for these tests.
Test 24: For each supported version, the evaluator shall follow the operational guidance to configure the TOE to require valid client authentication with no exceptions and initiate a TLS session from a compliant TLS test client supporting that version. The evaluator shall ensure that the test client sends a certificate_list structure which has a length of zero. The evaluator shall verify the TSF terminates the session and no application data flows.
Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake failure, bad certificate, unknown certificate, unknown CA) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).
Test 25: [conditional] If the ST indicates that the TSF supports establishment of a TLS session for missing or invalid certificates, then for each supported version, and for each supported response option for a missing or invalid certificate indicated in FCS_TLSS_EXT.2.3, the evaluator shall configure the TSF according to the operational guidance to respond as indicated for the calling application. The evaluator shall send client handshake messages from a test TLS client as indicated for each sub-test. The evaluator shall perform the following sub-tests:
Test 25.1: [conditional] If the TSF supports non-authenticated session establishment when receiving an empty certificate message, the evaluator shall initiate a TLS handshake from a compliant test TLS client supporting the version and providing a certificate message containing a certificate_list structure of length zero. The evaluator shall confirm that the TSF notifies the calling application that the user is unauthenticated.
Note: Specific procedures for determining that the calling application is notified will vary based on the application. If an API to the calling application is not available, the evaluator may attempt to configure the calling application to provide a different response (e.g., require authentication for flagged data) for authenticated and non-authenticated users and make a request at the test client that results in a response indicating the application is treating the client as non-authenticated.
Test 25.2: [conditional] If the TSF supports exceptions for when revocation status information is unavailable, then the evaluator shall follow the operational guidance to attempt to establish a narrowly defined exception for which both exempt and non-exempt certificates can be established. The evaluator shall establish a primary certificate chain for the test client that only exhibits the allowed exception and one or more alternate certificate chains for the test client that do not pass the exception rule, as necessary to test the boundaries of the exception rules. The evaluator shall follow the operational guidance to remove any cached revocation status information for the test client's primary certificate chain. The evaluator shall initiate a valid TLS session from the test client that presents the primary certificate for the test client, provide any feedback requested by the TSF to confirm the exception, and observe that the TSF allows the certificate and completes the TLS handshake successfully. For each alternate certificate chain, the evaluator shall repeat the session initiation from the test client but present the alternate certificate chain and observe that the TSF terminates the session.
Note: It is preferred that the TSF sends a fatal error alert message (e.g., bad certificate, unknown certificate, access denied, handshake error) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). The alternate certificate chains are intended to test the boundaries of the exception rules. For example, if the exception rule indicates that only leaf certificates are exempt, the evaluator will include an alternate certificate chain for which a CA certificate's revocation information is advertised but is not available; if the exception can be configured for an explicit leaf certificate, or particular subjects, an alternate chain will be included that does not include an excepted certificate or subject. If the exception rules can be configured for all certificates having advertised revocation information, an alternate certificate chain can include an expired certificate; only one additional validity failure (e.g., expired certificate) is required in this case. More comprehensive validity failure handling is addressed by testing for FIA_X509_EXT.1.
Test 26: For each supported version, the evaluator shall configure the TSF to negotiate the version and require client authentication and perform the following steps:
For each supported name matching method indicated in the outer selection of FCS_TLSS_EXT.2.4, and for each name type supported by the matching method as indicated in the inner selections claimed in each outer selection, the evaluator shall establish a valid primary certificate chain with single names for a test client containing only the supported name types and a valid alternate certificate chain with single names indicating a different name of the same type. [conditional] If any of the supported name types include CN encoding of a name type also supported as a SAN entry, the evaluator shall establish additional certificate chains as follows:
[JF] This was updated based on SME feedback but unsure if further updates are needed.
The evaluator shall establish a primary certificate chain with multiple names, to include a leaf certificate with:
- a SAN entry that matches the name in the primary certificate chain with single names, of the same SAN name type; and
- a CN entry encoding the same SAN type which matches the name in the alternate certificate chain with single names of the CN encoding of the same SAN name type.
The evaluator shall establish an alternate certificate chain with multiple names, to include a leaf certificate with:
- a SAN entry that matches the name in the alternate certificate chain with single names, of the same SAN name type; and
- a CN entry encoding the same SAN type which matches the name in the primary certificate chain with single names, of the CN encoding of the same SAN name type.
In this case, the evaluator shall also obtain an alternate certificate chain with multiple names including a CN encoding of the name matching that in the corresponding primary certificate containing only the CN encoding and a SAN entry of the same type that matches the name in the alternate certificate chain having the same SAN type. [conditional] If any of the supported name types include CN encoding, the evaluator shall follow the operational guidance to configure the TSF, establishing trust in the root CA for all primary and alternate certificate chains. The evaluator shall configure the TSF and any relevant TOE applications that use TLS for client authentication as necessary to establish reference identifiers that match the names in the client's primary certificate chains with single names, but not matching any of the names in the alternate certificate chains with single names. For each primary certificate chain (with single or multiple names), the evaluator shall initiate a TLS session from the test TLS client that is configured to present the primary certificate chain in a certificate message and a valid certificate verify message in response to the server's certificate request message. The evaluator shall confirm that the TSF accepts the certificate and completes the authenticated TLS session successfully. For each alternate certificate chain (with single or multiple names), the evaluator shall initiate a TLS session from the test TLS client that is configured to present the alternate certificate chain in a certificate message and a valid certificate verify message in response to the server's certificate request message. The evaluator shall confirm that the TSF terminates the session.
Note: It is preferred that the TSF sends a fatal error alert message (e.g., access denied) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert). The intent of this test is to confirm that for each method that the TSF uses to match name types presented in validated certificates, it is able to recognize both matching and non-matching names. Names of special types implicitly encoded in the CN entry of the certificate subject name are especially prone to error since they may only be validated by the issuing CA as a directory name (RDN) type, especially if the issuing CA is unaware of the intended encoding as a different name type. It is a best practice that when the CN is interpreted as an embedded name type other than RDN, an explicitly encoded SAN entry should take precedence.
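An added example, not the package's own text, of the reference-identifier matching that FCS_TLSS_EXT.2.4 selects and Test 26 exercises: RFC 6125 dNSName comparison with wildcard restrictions, address comparison for iPAddress entries (no wildcards), and SAN precedence over a CN-embedded name; representing SAN entries as (type, value) pairs is this example's assumption.

```python
import ipaddress

# Added example (not the package's own code): reference-identifier matching of the
# kind FCS_TLSS_EXT.2.4 selects and Test 26 exercises. SAN entries are modelled as
# (type, value) pairs with type "dns" or "ip", an assumption of this example.


def dns_name_matches(reference, presented):
    """RFC 6125 section 6.4.3 style comparison of a reference DNS-ID with a
    presented dNSName: case-insensitive, wildcard accepted only as the entire
    left-most label of a name with at least three labels, never matching more
    than one label, and never matching an empty label."""
    ref = reference.rstrip(".").lower().split(".")
    pres = presented.rstrip(".").lower().split(".")
    if "" in ref or "" in pres or len(ref) != len(pres):
        return False
    if pres[0] == "*":
        return len(pres) >= 3 and ref[1:] == pres[1:]
    if "*" in presented:            # partial ("cl*") or non-leftmost wildcards
        return False
    return ref == pres


def _as_ip(value):
    try:
        return ipaddress.ip_address(value)
    except ValueError:              # also rejects "192.0.*.10" style wildcards
        return None


def client_identifier_matches(reference, san_entries, cn=None):
    """Match one expected client identifier against a validated certificate.
    An IP reference matches only an iPAddress SAN, compared as addresses, never
    as a wildcard string. A DNS reference is matched against dNSName SANs; the CN
    is consulted only when the certificate carries no dNSName at all, so an
    explicit SAN takes precedence over a CN-embedded name (the best practice
    stated in the note to Test 26)."""
    ref_ip = _as_ip(reference)
    if ref_ip is not None:
        return any(t == "ip" and _as_ip(v) == ref_ip for t, v in san_entries)
    dns_sans = [v for t, v in san_entries if t == "dns"]
    if dns_sans:
        return any(dns_name_matches(reference, v) for v in dns_sans)
    return cn is not None and dns_name_matches(reference, cn)
```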
FCS_TLSS_EXT.3 TLS Server Downgrade Protection
The inclusion of this selection-based component depends upon selection in FCS_TLSS_EXT.1.1.
FCS_TLSS_EXT.3.1 The TSF shall set the server hello extension to a random value concatenated with the TLS 1.2 downgrade indicator when negotiating TLS 1.2 as indicated in RFC 8446 section 4.1.3.
Application Note: This SFR is claimed if the TSF supports TLS 1.3. RFC 8446 requires both the TLS 1.2 downgrade indicator as well as an indicator for TLS 1.1 and below. This FP requires the server to reject attempts to establish TLS 1.1 and below, making this mechanism redundant. However, products may still implement both indicators to be compliant with the RFC.
This SFR is claimed if "supplemental downgrade protection" is selected in FCS_TLSS_EXT.1.1.
Evaluation Activities
FCS_TLSS_EXT.3
TSS: The evaluator shall examine the ST and confirm that the TLS description includes details on the session downgrade protections that are supported.
Guidance: The evaluator shall examine the operational guidance to confirm that instructions are included to configure the TSF to support only TLS 1.3 and to provide the associated downgrade indications.
Tests: The evaluator shall follow the operational guidance as necessary to configure the TSF to negotiate only TLS 1.3 and to provide the associated downgrade indications. The evaluator shall send a TLS client hello to the TOE that indicates support for only TLS 1.2. The evaluator shall observe that the TSF sends a server hello with the last eight bytes of the server random value equal to 444F574E47524401.
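An added example, not from the package, of the RFC 8446 section 4.1.3 mechanism this SFR and test refer to: how a TLS 1.3-capable server fills ServerHello.random when it negotiates TLS 1.2, and the client-side check that detects the sentinel; the rng parameter is an assumed hook for deterministic testing.

```python
import os

# Added example (not the package's own code) of RFC 8446 section 4.1.3 downgrade
# protection, which FCS_TLSS_EXT.3.1 refines: the sentinel values and where they go.
DOWNGRADE_TLS12 = bytes.fromhex("444F574E47524401")   # "DOWNGRD" || 0x01
DOWNGRADE_TLS11 = bytes.fromhex("444F574E47524400")   # "DOWNGRD" || 0x00

TLS12 = (3, 3)
TLS13 = (3, 4)


def server_random(negotiated, supports_tls13=True, rng=os.urandom):
    """Build ServerHello.random (32 bytes). A server that supports TLS 1.3 but
    negotiates TLS 1.2 overwrites the last 8 bytes with the TLS 1.2 sentinel; for
    TLS 1.1 and below the RFC prescribes the 0x00 sentinel (this package rejects
    those versions, so that branch is redundant, as the Application Note says).
    rng is an assumed hook so a test can inject deterministic bytes."""
    rnd = bytearray(rng(32))
    if supports_tls13:
        if negotiated == TLS12:
            rnd[24:] = DOWNGRADE_TLS12
        elif negotiated < TLS12:
            rnd[24:] = DOWNGRADE_TLS11
    return bytes(rnd)


def downgrade_detected(client_max_version, negotiated, server_rnd):
    """Client-side counterpart: a client that offered TLS 1.3 and is answered with
    TLS 1.2 or below must abort with illegal_parameter if it finds either sentinel."""
    if client_max_version < TLS13 or negotiated >= TLS13:
        return False
    return server_rnd[24:] in (DOWNGRADE_TLS12, DOWNGRADE_TLS11)
```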
FCS_TLSS_EXT.4 TLS Server Support for Renegotiation
The inclusion of this selection-based component depends upon selection in FCS_TLS_EXT.1.1.
FCS_TLSS_EXT.4.1 The TSF shall support secure renegotiation through the use of [selection: the "renegotiation_info" TLS extension, not allowing session renegotiation] in accordance with RFC 5746.
FCS_TLSS_EXT.4.2 The TSF shall, when negotiating a TLS 1.2 session, [selection: include the renegotiation_info extension in ServerHello messages when a client hello with the renegotiation_info extension is received and shall terminate a session if neither of the renegotiation_info or TLS_EMPTY_RENEGOTIATION_INFO_SCSV signaling cipher suites are indicated in the client hello, not allow renegotiation].
FCS_TLSS_EXT.4.3 The TSF shall terminate the session if an unexpected client hello is received during an active TLS session.
Application Note: RFC 5746 defines an extension to TLS 1.2 that binds renegotiation handshakes to the cryptography in the original handshake. As a refinement of the RFC, servers that support renegotiation and negotiate TLS 1.2 will terminate a session if neither of the methods described in RFC 5746 are offered by the client. RFC 5746 indicates that a server negotiating TLS 1.2 is required to terminate the session if the conditions for secure renegotiation are not met. Alternatively, a TLS server may negotiate TLS 1.2 without any RFC 5746 client renegotiation indicators if it always terminates an existing session when a new client hello is received, similar to the implementation of TLS 1.3.
TLS 1.3 does not allow renegotiation. Termination, as indicated in FCS_TLSS_EXT.4.3, covers TLS 1.3 sessions as well as TLS 1.2 sessions where the client hello received does not comply with RFC 5746, or when configured to reject renegotiation (if the product is configurable).
This SFR is claimed if "TLS as a server" is selected in FCS_TLS_EXT.1.1.
Evaluation Activities
FCS_TLSS_EXT.4
TSS: The evaluator shall examine the ST to confirm that the TLS description includes details on session renegotiation protection methods supported, to include when renegotiation is prohibited.
Guidance: The evaluator shall examine the operational guidance to confirm that any instructions that are needed to meet the requirements are included. If support for TLS 1.2 is configurable to use RFC 5746 methods or to deny renegotiation, the evaluator shall ensure that the operational guidance includes instructions for configuring the TSF in this manner.
Tests: The evaluator shall perform the following tests, as indicated for each version supported, using a test TLS client able to construct the indicated messages and expose messages received from the TSF:
Test 27: (RFC 5746 compliant TLS 1.2 initial handshake) [conditional] If the TSF supports renegotiation, the evaluator shall follow the operational guidance as necessary to configure the TSF to enforce RFC 5746 methods. The evaluator shall initiate a TLS 1.2 session from a test TLS client for each of the following sub-tests:
Test 27.1: The evaluator shall send an initial client hello without the renegotiation_info extension and without including the signaling cipher suite value, TLS_EMPTY_RENEGOTIATION_INFO_SCSV. The evaluator shall observe that the TSF terminates the session.
Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake failure) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).
Test 27.2: The evaluator shall send an initial client hello with the renegotiation_info extension indicating a renegotiated_connection length greater than zero. The evaluator shall observe that the TSF terminates the session.
Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake failure) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).
Test 28: (renegotiation attempt) For each of the following sub-tests, the evaluator shall establish a compliant TLS channel with an initial handshake that uses the indicated secure renegotiation method for the version indicated. Without closing the session, the evaluator shall send a second client hello within the channel specific to the version as indicated:
Test 28.1: [conditional] If the TSF allows renegotiation, the evaluator shall configure the TSF to support RFC 5746 methods, send an initial handshake with a valid renegotiation extension, send a new TLS 1.2 client hello on the TLS 1.2 channel containing the renegotiation_info extension indicating valid client_verify_data, and observe that the TSF successfully completes the handshake.
Test 28.2: [conditional] If the TSF allows renegotiation, the evaluator shall send an initial client hello containing a valid renegotiation extension, send a new TLS 1.2 client hello on the TLS 1.2 channel with the signaling cipher suite value, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, and observe that the TSF terminates the session.
Note: It is preferred that the TSF sends a fatal error alert message (e.g., handshake failure) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).
Test 28.3: [conditional] If the TSF allows renegotiation, for each TLS 1.2 renegotiation method claimed in accordance with RFC 5746, the evaluator shall send an initial client hello indicating the method, send a new TLS 1.2 client hello on the TLS 1.2 channel without a renegotiation_info extension, and observe that the TSF terminates the session.
Note: It is preferred that the TSF sends a fatal error alert message (e.g., unexpected message) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).
Test 28.4: [conditional] If the TSF allows renegotiation, for each TLS 1.2 renegotiation method claimed in accordance with RFC 5746, the evaluator shall send an initial client hello indicating the method, send a new TLS 1.2 client hello on the TLS 1.2 channel with a renegotiation_info extension indicating an invalid client_verify_data value (modify a byte of a valid value), and observe that the TSF terminates the session.
Note: It is preferred that the TSF sends a fatal error alert message (e.g., unexpected message) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).
Test 28.5: [conditional] If the TSF supports TLS 1.3, or if the TSF rejects renegotiation for TLS 1.2, then for each such version, the evaluator shall follow the operational guidance as necessary to configure the TSF to negotiate the version and reject renegotiation. The evaluator shall initiate a valid initial session for the specified version, send a valid client hello on the non-renegotiable TLS channel, and observe that the TSF terminates the session.
Note: It is preferred that the TSF sends a fatal error alert message (e.g., unexpected message) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).
FCS_TLSS_EXT.5 TLS Server Support for Session Resumption
The inclusion of this selection-based component depends upon selection in FCS_TLSS_EXT.1.1.
FCS_TLSS_EXT.5.1 The TSF shall support session resumption as a server via the use of [selection: session ID in accordance with RFC 5246, tickets in accordance with RFC 5077, PSK and tickets in accordance with RFC 8446].
Application Note: The ST author indicates which session resumption mechanisms are supported. One or both of the first two options, "session ID in accordance with RFC 5246" and "tickets in accordance with RFC 5077", are claimed for TLS 1.2 resumption. If resumption of TLS 1.3 sessions is supported, "PSK and tickets in accordance with RFC 8446" is selected, and the selection-based SFR FCS_TLSS_EXT.6 must also be claimed.
While it is possible to perform session resumption using PSK cipher suites in TLS 1.2, this is uncommon. Validation of key exchange and session negotiation rules for PSK cipher suites is independent of the source of the pre-shared key and is covered in FCS_TLSS_EXT.1.
This SFR is claimed if "session resumption" is selected in FCS_TLSS_EXT.1.1.
Evaluation Activities
FCS_TLSS_EXT.5
TSS: The evaluator shall examine the ST and confirm that the TLS server protocol description includes a description of the supported resumption mechanisms.
Guidance: The evaluator shall ensure the operational guidance describes instructions for any configurable features of the resumption mechanism.
Tests: The evaluator shall perform the following tests:
Test 29: For each supported version, and for each supported resumption method for that version, the evaluator shall establish a compliant initial TLS session with the TOE for the version using the specified method. The evaluator shall close the successful session and initiate resumption using the specified mechanism. The evaluator shall observe that the TSF successfully establishes the resumed session in accordance with the requirements.
Test 30: For each supported version and each supported resumption method for the version, the evaluator shall send a compliant client hello message supporting only the specific version and indicating support for the resumption method. The evaluator shall allow the TOE and test client to continue with the compliant handshake until resumption information is established but then cause a fatal error to terminate the session. The evaluator shall then send a new client hello in an attempt to resume the session with the resumption information provided and verify that the TSF does not resume the session, but instead either terminates the session or completes a full handshake, ignoring the resumption information.
Note: For TLS 1.2, resumption information should be established at the point the TSF sends a server hello, either acknowledging the session-based resumption or acknowledging support for ticket-based resumption and sending a new_ticket message. A TLS 1.2 session can then be terminated by sending a modified finished message. For TLS 1.3, the new_ticket message is sent after the finished message; once received by the client, the session can be terminated by modifying a byte of the encrypted application data.
FCS_TLSS_EXT.6 TLS Server TLS 1.3 Resumption Refinements
The inclusion of this selection-based component depends upon selection in FCS_TLSS_EXT.5.1.
FCS_TLSS_EXT.6.1 The TSF shall support TLS 1.3 resumption using PSK with psk_key_exchange_mode extension with the value psk_dhe.
FCS_TLSS_EXT.6.2 The TSF shall ignore early data received in TLS 1.3 sessions.
Application Note: This SFR is claimed when session resumption is supported for TLS 1.3. RFC 8446 allows pre-shared keys to be used directly and also allows early data to be protected using only the pre-shared key. This SFR refines the RFC to use PSK only with a supplemental DHE or ECDHE key exchange to ensure perfect forward secrecy for all sessions.
This SFR is claimed if "PSK and tickets in accordance with RFC 8446" is selected in FCS_TLSS_EXT.5.1.
Evaluation Activities
FCS_TLSS_EXT.6
TSS
The evaluator shall examine the ST to confirm that the TLS description includes details on session resumption for TLS 1.3, describes each application capable of using TLS 1.3 with PSK, and describes how the TSF and application respond to client attempts to use early data (including via logging or observable responses). The evaluator shall confirm that the TLS description shows that only the psk_dhe_ke psk_key_exchange_mode is supported and that early data is ignored.
Guidance
The evaluator shall examine the operational guidance to verify that instructions for any configurable features that are required to meet the requirement are included.
Tests
The evaluator shall follow the operational guidance to configure the TSF to negotiate TLS 1.3 and shall perform the following tests:
Test 31: The evaluator shall attempt a resumed session (as for FCS_TLSS_EXT.5 Test 1) but using psk_ke mode as the value for the psk_key_exchange_mode in the resumption client hello. The evaluator shall observe that the TSF refuses to resume the session, either by completing a full TLS 1.3 handshake or by terminating the session.
Note: It is preferred that the TSF sends a fatal error alert message (e.g., illegal parameter) in response to this, but it is acceptable that the TSF terminates the connection silently (i.e., without sending a fatal error alert).
Test 32: The evaluator shall initiate a resumed session (as for FCS_TLSS_EXT.5 Test 1) with a test TLS 1.3 client attempting to provide early data that provokes a known reaction at the TOE if received. The evaluator shall observe that the TSF does not react to the early data, indicating that the data was ignored.
Note: The specific early data used may depend on the applications calling the TLS session and should be selected to initiate an observable response in the TSF or calling application as described in the ST. For HTTPS, for example, the early data can be an HTTP POST that updates data at the TOE, which can then be observed via a user interface for the application if the data was posted, or via application logging indicating that the operation failed.
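The server-side decision that FCS_TLSS_EXT.6 and Tests 31 and 32 exercise can be written down as a small policy over the resumption ClientHello's extensions. The following is an added example, not code from the functional package or from any TLS implementation. It parses the extensions vector and the psk_key_exchange_modes body using the encodings and type numbers from RFC 8446 (psk_key_exchange_modes = 45 with modes psk_ke = 0 and psk_dhe_ke = 1, pre_shared_key = 41, early_data = 42); the ClientHello extension sets it runs on are constructed, with a dummy pre_shared_key body, and the choice to answer a psk_ke-only offer with an illegal_parameter alert follows the preference stated in the note to Test 31.

```python
"""Server policy for TLS 1.3 PSK resumption as refined by FCS_TLSS_EXT.6.

Added example; not part of the functional package. Extension type numbers and
encodings follow RFC 8446. The ClientHello extension bytes are constructed.
"""
import struct

PSK_KE, PSK_DHE_KE = 0, 1                 # PskKeyExchangeMode values (RFC 8446 4.2.9)
EXT_PRE_SHARED_KEY = 41
EXT_EARLY_DATA = 42
EXT_PSK_KEY_EXCHANGE_MODES = 45


def parse_extensions(blob: bytes) -> list:
    """Parse a ClientHello extensions vector: uint16 total length, then repeated
    (uint16 type, uint16 length, data). Order is kept because RFC 8446 requires
    pre_shared_key to be the last extension; duplicates are rejected."""
    if len(blob) < 2 or struct.unpack("!H", blob[:2])[0] != len(blob) - 2:
        raise ValueError("bad extensions length")
    out, pos = [], 2
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated extension header")
        etype, elen = struct.unpack("!HH", blob[pos:pos + 4])
        data = blob[pos + 4:pos + 4 + elen]
        if len(data) != elen:
            raise ValueError("truncated extension body")
        if any(t == etype for t, _ in out):
            raise ValueError("duplicate extension %d" % etype)
        out.append((etype, data))
        pos += 4 + elen
    return out


def parse_psk_key_exchange_modes(body: bytes) -> list:
    """Body is `PskKeyExchangeMode ke_modes<1..255>`: one length byte, then modes."""
    if len(body) < 2 or body[0] == 0 or len(body) != 1 + body[0]:
        raise ValueError("bad psk_key_exchange_modes body")
    return list(body[1:])


def resumption_decision(ext_blob: bytes) -> dict:
    """Decide how the server treats a ClientHello that may attempt resumption.

    FCS_TLSS_EXT.6.1: resume only when psk_dhe_ke is offered; a psk_ke-only
    offer is refused with a fatal illegal_parameter alert (Test 31).
    FCS_TLSS_EXT.6.2: early data is never accepted; an early_data offer is
    recorded as ignored (Test 32). The server achieves this by not echoing
    early_data in EncryptedExtensions, so 0-RTT records are skipped.
    """
    exts = parse_extensions(ext_blob)
    types = [t for t, _ in exts]
    result = {"action": "full_handshake", "alert": None, "early_data": "none"}
    if EXT_EARLY_DATA in types:
        result["early_data"] = "ignored"
    if EXT_PRE_SHARED_KEY not in types:
        return result                                   # no resumption attempted
    if types[-1] != EXT_PRE_SHARED_KEY:                 # must be the last extension
        return {**result, "action": "abort", "alert": "illegal_parameter"}
    if EXT_PSK_KEY_EXCHANGE_MODES not in types:         # RFC 8446 4.2.9 requires it
        return {**result, "action": "abort", "alert": "missing_extension"}
    modes = parse_psk_key_exchange_modes(dict(exts)[EXT_PSK_KEY_EXCHANGE_MODES])
    if PSK_DHE_KE in modes:
        return {**result, "action": "resume_psk_dhe_ke"}
    return {**result, "action": "abort", "alert": "illegal_parameter"}


def build_extensions(entries: list) -> bytes:
    """Constructed test helper: serialize (type, data) pairs as an extensions vector."""
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in entries)
    return struct.pack("!H", len(body)) + body


# Constructed ClientHello extension sets; the pre_shared_key body is a dummy.
PSK_STUB = b"\x00\x00"
COMPLIANT_RESUME = build_extensions([
    (EXT_PSK_KEY_EXCHANGE_MODES, bytes([1, PSK_DHE_KE])),
    (EXT_PRE_SHARED_KEY, PSK_STUB),
])
PSK_KE_ONLY = build_extensions([                        # the Test 31 client hello
    (EXT_PSK_KEY_EXCHANGE_MODES, bytes([1, PSK_KE])),
    (EXT_PRE_SHARED_KEY, PSK_STUB),
])
WITH_EARLY_DATA = build_extensions([                    # the Test 32 client hello
    (EXT_PSK_KEY_EXCHANGE_MODES, bytes([2, PSK_KE, PSK_DHE_KE])),
    (EXT_EARLY_DATA, b""),
    (EXT_PRE_SHARED_KEY, PSK_STUB),
])

if __name__ == "__main__":
    for name, blob in [("compliant", COMPLIANT_RESUME), ("psk_ke only", PSK_KE_ONLY),
                       ("early data offered", WITH_EARLY_DATA)]:
        print(name, resumption_decision(blob))
```

The evaluator's observable in Test 32 is the absence of any application-level effect; in this model that corresponds to the server choosing not to acknowledge early_data at all rather than decrypting and then dropping the 0-RTT payload.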
FCS_DTLSC_EXT.1 DTLS Client Protocol
The inclusion of this selection-based component depends upon selection in FCS_TLS_EXT.1.1.
FCS_DTLSC_EXT.1.1 The product shall implement DTLS 1.2 (RFC 6347) and [selection: DTLS 1.0 (RFC 4347), no earlier DTLS versions] as a client that supports the cipher suites [selection:
TLS_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246
TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246
TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246
TLS_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289
] and also supports functionality for [selection: mutual authentication, none
].
Application Note: If any ECDHE or DHE cipher suites are selected, then FCS_TLSC_EXT.5 is required.
If mutual authentication is selected, then the ST must additionally include the requirements from FCS_DTLSC_EXT.2. If the TOE implements mutual authentication, this selection must be made.
Differences between DTLS 1.2 and TLS 1.2 are outlined in RFC 6347; otherwise the protocols are the same. All application notes listed for FCS_TLSC_EXT.1.1 that are relevant to DTLS apply to this requirement.
FCS_DTLSC_EXT.1.2 The product shall verify that the presented identifier matches the reference identifier according to RFC 6125.
Application Note: The TLSC element has changed. Not sure if this note makes sense. All application notes listed for FCS_TLSC_EXT.1.5 that are relevant to DTLS apply to this requirement.
FCS_DTLSC_EXT.1.3 The product shall not establish a trusted channel if the server certificate is invalid [selection: with no exceptions, except when override is authorized].
Application Note: All application notes listed for FCS_TLSC_EXT.1.6 that are relevant to DTLS apply to this requirement.
FCS_DTLSC_EXT.1.4 The product shall [selection, choose one of: terminate the DTLS session, silently discard the record] if a message received contains an invalid MAC or if decryption fails in the case of GCM and other AEAD cipher suites.
Evaluation Activities
FCS_DTLSC_EXT.1
Tests
The evaluator shall perform the evaluation activities listed for FCS_TLSC_EXT.1.6.
FCS_DTLSC_EXT.1.1
Tests
The evaluator shall perform the evaluation activities listed for FCS_TLSC_EXT.1.1, but ensuring that DTLS (and not TLS) is used in each evaluation activity.
For tests which involve version numbers, note that in DTLS the on-the-wire representation is the 1's complement of the corresponding textual DTLS version numbers. This is described in Section 4.1 of RFC 6347 and RFC 4347. For example, DTLS 1.0 is represented by the bytes 0xfe 0xff, while the undefined DTLS 1.4 would be represented by the bytes 0xfe 0xfb.
FCS_DTLSC_EXT.1.2
Tests
The evaluator shall perform the evaluation activities listed for FCS_TLSC_EXT.1.5.
FCS_DTLSC_EXT.1.4
TSS
The evaluator shall verify that the TSS describes the actions that take place if a message received from the DTLS Server fails the MAC integrity check.
Tests
The evaluator shall establish a connection using a server. The evaluator will then modify at least one byte in a record message, and verify that the client discards the record or terminates the DTLS session.
FCS_DTLSC_EXT.2 DTLS Client Support for Mutual Authentication
The inclusion of this selection-based component depends upon selection in FCS_DTLSC_EXT.1.1.
FCS_DTLSC_EXT.2.1 The product shall support mutual authentication using X.509v3 certificates.
Application Note: All application notes listed for FCS_TLSC_EXT.2.1 that are relevant to DTLS apply to this requirement.
Evaluation Activities
FCS_DTLSC_EXT.2
Tests
The evaluator shall perform the evaluation activities listed for FCS_TLSC_EXT.2.1.
FCS_DTLSS_EXT.1 DTLS Server Protocol
The inclusion of this selection-based component depends upon selection in FCS_TLS_EXT.1.1.
FCS_DTLSS_EXT.1.1 The product shall implement DTLS 1.2 (RFC 6347) and [selection: DTLS 1.0 (RFC 4347), no earlier DTLS versions] as a server that supports the cipher suites [selection:
TLS_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246
TLS_RSA_WITH_AES_256_CBC_SHA as defined in RFC 5246
TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246
TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246
TLS_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5288
TLS_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5288
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289
] and no other cipher suites, and also supports functionality for [selection: mutual authentication, none
].
Application Note: If mutual authentication is selected, then the ST must additionally include the requirements from FCS_DTLSS_EXT.2. If the TOE implements mutual authentication, this selection must be made.
All application notes listed for FCS_TLSS_EXT.1.1 that are relevant to DTLS apply to this requirement.
FCS_DTLSS_EXT.1.2 The product shall deny connections from clients requesting [assignment: list of DTLS protocol versions].
Application Note: Any specific DTLS version not selected in FCS_DTLSS_EXT.1.1 should be assigned here. This version of the FP does not require the server to deny DTLS 1.0, and if the TOE supports DTLS 1.0 then "none" can be assigned. In a future version of this FP, DTLS 1.0 will be required to be denied.
FCS_DTLSS_EXT.1.3 The product shall not proceed with a connection handshake attempt if the DTLS Client fails validation.
Application Note: The process to validate the IP address of a DTLS client is specified in section 4.2.1 of RFC 6347 (DTLS 1.2) and RFC 4347 (DTLS 1.0). The server validates the DTLS client during Connection Establishment (Handshaking) and prior to sending a ServerHello message. After receiving a ClientHello, the DTLS Server sends a HelloVerifyRequest along with a cookie. The cookie is a signed message using a keyed hash function. The DTLS Client then sends another ClientHello with the cookie attached. If the DTLS server successfully verifies the signed cookie, the Client is not using a spoofed IP address.
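The cookie exchange described in the application note above, and the FCS_DTLSS_EXT.1.3 test later in this section (modify one byte of the cookie and confirm the server rejects the returned ClientHello), can be modelled with a stateless HMAC cookie. The following is an added example, not code from the functional package or from any DTLS stack. RFC 6347 section 4.2.1 gives the cookie as HMAC(Secret, Client-IP, Client-Parameters); the choice of HMAC-SHA256, the byte layout of the MAC input, and the client addresses and ClientHello parameters used in the demonstration are all constructed here.

```python
"""Stateless DTLS HelloVerifyRequest cookie after RFC 6347 section 4.2.1.

Added example; not part of the functional package. HMAC-SHA256 and the MAC
input layout are choices made for this demo; the RFC only requires a keyed
hash that the server alone can compute. Addresses and hello bytes are constructed.
"""
import hashlib
import hmac
import secrets


class CookieServer:
    """Holds only the cookie secret. No per-client state exists until a second
    ClientHello returns a valid cookie, so a flood from spoofed sources costs
    the server one HMAC per datagram and no memory."""

    def __init__(self, secret=None):
        self._secret = secret or secrets.token_bytes(32)

    def _mac(self, client_addr, client_params: bytes) -> bytes:
        # Bind the cookie to the apparent source address AND to the ClientHello
        # fields the client must repeat (version, random, session id, cipher
        # suites ...), so it is useless from another address or with another hello.
        host, port = client_addr
        msg = host.encode() + port.to_bytes(2, "big") + client_params
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def hello_verify_request(self, client_addr, client_params: bytes) -> bytes:
        """Cookie to carry in the HelloVerifyRequest: 32 bytes, inside the
        255-byte limit of DTLS 1.2 and the 32-byte limit of DTLS 1.0."""
        return self._mac(client_addr, client_params)

    def verify_client_hello(self, client_addr, client_params: bytes, cookie: bytes) -> bool:
        """True only if the returned cookie is the one computed for this source
        address and these hello parameters. compare_digest keeps the comparison
        constant-time, so the check does not leak how many bytes matched."""
        expected = self._mac(client_addr, client_params)
        return len(cookie) == len(expected) and hmac.compare_digest(cookie, expected)


def flip_byte(data: bytes, index: int) -> bytes:
    """The evaluator's modification step: invert one byte of a message."""
    out = bytearray(data)
    out[index] ^= 0xFF
    return bytes(out)


def demo() -> dict:
    """Run the exchange four ways and report which ClientHellos the server accepts."""
    server = CookieServer(secret=b"\x11" * 32)          # fixed secret for reproducibility
    # Constructed ClientHello parameters: version fe fd, 32-byte random, empty
    # session id, one cipher suite (c0 2b), null compression.
    params = b"\xfe\xfd" + b"\xaa" * 32 + b"\x00" + b"\x00\x02\xc0\x2b\x01\x00"
    honest = ("192.0.2.10", 40000)                       # constructed addresses
    other = ("192.0.2.99", 40000)
    cookie = server.hello_verify_request(honest, params)
    return {
        "valid_cookie": server.verify_client_hello(honest, params, cookie),
        "modified_cookie": server.verify_client_hello(honest, params, flip_byte(cookie, 5)),
        "cookie_from_other_address": server.verify_client_hello(other, params, cookie),
        "changed_hello_params": server.verify_client_hello(honest, params + b"\x00", cookie),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

A real server would also rotate the secret (and accept cookies under the previous secret for one rotation period) so that a captured cookie ages out; that is omitted here to keep the verification path visible.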
FCS_DTLSS_EXT.1.4 The product shall perform key establishment for DTLS using [selection:
RSA with size [selection: 2048 bits, 3072 bits, 4096 bits, no other sizes]
Diffie-Hellman parameters with size [selection: 2048 bits, 3072 bits, 4096 bits, 6144 bits, 8192 bits, no other size]
Diffie-Hellman groups [selection: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, no other groups]
ECDHE parameters using elliptic curves [selection: secp256r1, secp384r1, secp521r1] and no other curves
no other key establishment methods
].
Application Note: If the ST lists an RSA cipher suite in FCS_DTLSS_EXT.1.1, the ST must include the RSA selection in the requirement. If the ST lists a DHE cipher suite in FCS_DTLSS_EXT.1.1, the ST must include either the Diffie-Hellman selection for parameters of a certain size, or the selection for particular Diffie-Hellman groups. If the ST lists an ECDHE cipher suite in FCS_DTLSS_EXT.1.1, the ST must include the NIST curves selection in the requirement.
FCS_DTLSS_EXT.1.5 The product shall [selection, choose one of: terminate the DTLS session, silently discard the record] if a message received contains an invalid MAC or if decryption fails in the case of GCM and other AEAD cipher suites.
Evaluation Activities
FCS_DTLSS_EXT.1.1
Tests
The evaluator shall perform the evaluation activities listed for FCS_TLSS_EXT.1.1, but ensuring that DTLS (and not TLS) is used in each stage of the evaluation activities.
For tests which involve version numbers, note that in DTLS the on-the-wire representation is the 1's complement of the corresponding textual DTLS version numbers. This is described in Section 4.1 of RFC 6347 and RFC 4347. For example, DTLS 1.0 is represented by the bytes 0xfe 0xff, while the undefined DTLS 1.4 would be represented by the bytes 0xfe 0xfb.
FCS_DTLSS_EXT.1.2
The following evaluation activities shall be conducted unless "none" is assigned.
TSS
The evaluator shall verify that the TSS contains a description of the denial of old DTLS versions that is consistent with the selections in FCS_DTLSS_EXT.1.2.
Guidance
The evaluator shall verify that the operational guidance includes any configuration necessary to meet this requirement.
Tests
Test 33: The evaluator shall send a ClientHello requesting a connection with each version of DTLS specified in the selection and verify that the server denies the connection.
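The version-encoding note that accompanies both the client (FCS_DTLSC_EXT.1.1) and server (FCS_DTLSS_EXT.1.1) test activities, and Test 33's requirement to offer specific DTLS versions, are easy to get wrong because the version appears twice in a ClientHello datagram: once in the record header and once as client_version inside the handshake body. The following is an added example, not code from the functional package or from any DTLS implementation. It encodes and decodes versions by the 1's-complement rule from RFC 6347 section 4.1, parses the 13-byte DTLS record header and 12-byte handshake header to recover both versions, and applies a deny list such as the one assigned in FCS_DTLSS_EXT.1.2. The ClientHello it builds (fixed random, one cipher suite, no extensions) is constructed for the demonstration.

```python
"""DTLS version encoding and ClientHello version extraction (RFC 6347 section 4.1).

Added example; not part of the functional package. Header layouts follow
RFC 6347; the ClientHello bytes are constructed for the demonstration.
"""
import struct

RECORD_HDR = struct.Struct("!B2sH6sH")      # type, version, epoch, seq (48-bit), length
HANDSHAKE_HDR = struct.Struct("!B3sH3s3s")  # msg_type, length, message_seq, frag_offset, frag_length
CONTENT_HANDSHAKE = 22
HT_CLIENT_HELLO = 1
KNOWN = {(1, 0): "DTLS 1.0", (1, 2): "DTLS 1.2"}


def dtls_version_bytes(major: int, minor: int) -> bytes:
    """Textual DTLS major.minor -> wire bytes, each the 1's complement of the
    textual value: 1.0 -> fe ff, 1.2 -> fe fd, the undefined 1.4 -> fe fb."""
    if not (0 <= major <= 255 and 0 <= minor <= 255):
        raise ValueError("version component out of range")
    return bytes([255 - major, 255 - minor])


def dtls_version_from_bytes(wire: bytes) -> tuple:
    """Inverse of dtls_version_bytes (the complement is its own inverse)."""
    if len(wire) != 2:
        raise ValueError("version field must be two bytes")
    return (255 - wire[0], 255 - wire[1])


def version_label(version: tuple) -> str:
    return KNOWN.get(version, "undefined DTLS %d.%d" % version)


def parse_client_hello_versions(datagram: bytes) -> dict:
    """Return the record-layer version and the ClientHello client_version.
    Only an unfragmented first ClientHello is handled (fragment_offset 0)."""
    if len(datagram) < RECORD_HDR.size:
        raise ValueError("short record")
    ctype, ver, epoch, seq, length = RECORD_HDR.unpack_from(datagram, 0)
    body = datagram[RECORD_HDR.size:RECORD_HDR.size + length]
    if len(body) != length:
        raise ValueError("record length mismatch")
    if ctype != CONTENT_HANDSHAKE:
        raise ValueError("not a handshake record")
    if len(body) < HANDSHAKE_HDR.size:
        raise ValueError("short handshake header")
    msg_type, _mlen, _mseq, foff, flen = HANDSHAKE_HDR.unpack_from(body, 0)
    if msg_type != HT_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    frag = body[HANDSHAKE_HDR.size:]
    if int.from_bytes(foff, "big") != 0 or int.from_bytes(flen, "big") != len(frag):
        raise ValueError("fragmented or truncated ClientHello")
    if len(frag) < 2:
        raise ValueError("ClientHello missing client_version")
    return {
        "record_version": dtls_version_from_bytes(ver),
        "client_version": dtls_version_from_bytes(frag[:2]),
        "epoch": epoch,
        "sequence_number": int.from_bytes(seq, "big"),
    }


def server_denies(client_version: tuple, denied) -> bool:
    """FCS_DTLSS_EXT.1.2 decision: the assigned version list is matched against
    client_version, not the record-layer version, since a client may put an
    older version in the record header of its first flight for compatibility."""
    return tuple(client_version) in {tuple(v) for v in denied}


def build_client_hello_record(client_version, record_version=(1, 0), seq=0) -> bytes:
    """Constructed ClientHello (no extensions, empty cookie) wrapped in a DTLS record."""
    hello = (dtls_version_bytes(*client_version)
             + b"\x00" * 32                 # random (constructed)
             + b"\x00"                      # session_id length
             + b"\x00"                      # cookie length (first flight)
             + b"\x00\x02\xc0\x2b"          # one cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
             + b"\x01\x00")                 # compression_methods: null
    n = len(hello).to_bytes(3, "big")
    hs = HANDSHAKE_HDR.pack(HT_CLIENT_HELLO, n, 0, (0).to_bytes(3, "big"), n) + hello
    return RECORD_HDR.pack(CONTENT_HANDSHAKE, dtls_version_bytes(*record_version), 0,
                           seq.to_bytes(6, "big"), len(hs)) + hs


if __name__ == "__main__":
    for v in [(1, 0), (1, 2), (1, 4)]:
        print(version_label(v), dtls_version_bytes(*v).hex())
    info = parse_client_hello_versions(build_client_hello_record((1, 2)))
    print(info, "denied:", server_denies(info["client_version"], [(1, 0)]))
```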
FCS_DTLSS_EXT.1.3
TSS
The evaluator shall verify that the TSS describes how the DTLS Client IP address is validated prior to issuing a ServerHello message.
Tests
Modify at least one byte in the cookie from the Server's HelloVerifyRequest message, and verify that the Server rejects the Client's handshake message.
FCS_DTLSS_EXT.1.4
Tests
The evaluator shall perform the evaluation activities listed for FCS_TLSS_EXT.1.5.
FCS_DTLSS_EXT.1.5
TSS
The evaluator shall verify that the TSS describes the actions that take place if a message received from the DTLS client fails the MAC integrity check.
Tests
The evaluator shall establish a connection using a client. The evaluator will then modify at least one byte in a record message, and verify that the server discards the record or terminates the DTLS session.
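FCS_DTLSC_EXT.1.4 and FCS_DTLSS_EXT.1.5 each allow two responses to a record that fails its integrity check, and the tests above exercise them by modifying one byte of a record. The following is an added example, not code from the functional package or from any DTLS stack, that makes the two permitted behaviours concrete. Encryption is left out: HMAC-SHA256 over the DTLS MAC input (epoch, sequence number, type, version, length, fragment, per RFC 6347 section 4.1.2.1) stands in for the cipher suite's record protection, the 32-byte tag length and the session key are constructed, and "discard" versus "terminate" are names chosen here for the two selections.

```python
"""Receiver handling of records that fail integrity checking: the two
behaviours permitted by FCS_DTLSC_EXT.1.4 / FCS_DTLSS_EXT.1.5.

Added example; not part of the functional package. Encryption is omitted and
HMAC-SHA256 stands in for the record protection; key and records are constructed.
"""
import hashlib
import hmac
import struct

RECORD_HDR = struct.Struct("!B2sH6sH")   # type, version, epoch, seq (48-bit), length
TAG_LEN = 32                             # HMAC-SHA256 output, chosen for this demo
CT_APPLICATION_DATA = 23
DTLS12 = b"\xfe\xfd"


class IntegrityError(Exception):
    """The record's MAC did not verify (or the record is malformed)."""


def _mac_input(ctype, version, epoch, seq, fragment):
    # DTLS MAC input: epoch || sequence_number || type || version || length ||
    # fragment. Covering the header means a tampered epoch or sequence number
    # fails exactly like a tampered payload.
    return (struct.pack("!H", epoch) + seq.to_bytes(6, "big")
            + struct.pack("!B2sH", ctype, version, len(fragment)) + fragment)


def protect_record(key, epoch, seq, fragment, ctype=CT_APPLICATION_DATA, version=DTLS12):
    """Sender side: header, fragment, then the tag over header fields and fragment."""
    tag = hmac.new(key, _mac_input(ctype, version, epoch, seq, fragment), hashlib.sha256).digest()
    hdr = RECORD_HDR.pack(ctype, version, epoch, seq.to_bytes(6, "big"), len(fragment) + TAG_LEN)
    return hdr + fragment + tag


def open_record(key, record):
    """Receiver side: return (epoch, seq, fragment) or raise IntegrityError."""
    if len(record) < RECORD_HDR.size + TAG_LEN:
        raise IntegrityError("record too short")
    ctype, version, epoch, seq_b, length = RECORD_HDR.unpack_from(record, 0)
    body = record[RECORD_HDR.size:]
    if len(body) != length:
        raise IntegrityError("length mismatch")
    fragment, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    seq = int.from_bytes(seq_b, "big")
    expected = hmac.new(key, _mac_input(ctype, version, epoch, seq, fragment), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):       # constant-time comparison
        raise IntegrityError("bad_record_mac")
    return epoch, seq, fragment


def verifies(key, record) -> bool:
    try:
        open_record(key, record)
        return True
    except IntegrityError:
        return False


class Receiver:
    """policy "discard": drop the bad record and keep the session (the DTLS
    default, since UDP damage must not be fatal). policy "terminate": send a
    fatal bad_record_mac alert and stop, as a TLS-over-TCP endpoint would."""

    def __init__(self, key, policy):
        if policy not in ("discard", "terminate"):
            raise ValueError(policy)
        self.key, self.policy = key, policy

    def process(self, records) -> dict:
        state = {"delivered": [], "discarded": 0, "terminated": False, "alert": None}
        for rec in records:
            try:
                _, _, fragment = open_record(self.key, rec)
            except IntegrityError:
                if self.policy == "terminate":
                    state.update(terminated=True, alert="bad_record_mac")
                    break
                state["discarded"] += 1
                continue
            state["delivered"].append(fragment)
        return state


def flip_byte(data, index):
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)


def demo() -> dict:
    key = b"\x42" * 32                                   # constructed session MAC key
    records = [protect_record(key, 1, i, f"record-{i}".encode()) for i in range(3)]
    # The evaluator's step: modify one byte of the second record's payload.
    records[1] = flip_byte(records[1], RECORD_HDR.size)
    return {p: Receiver(key, p).process(records) for p in ("discard", "terminate")}


if __name__ == "__main__":
    for policy, outcome in demo().items():
        print(policy, outcome)
```

Either outcome satisfies the SFR; what the TSS must state, and what the test confirms, is which one the TOE actually implements.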
FCS_DTLSS_EXT.2 DTLS Server Support for Mutual Authentication
The inclusion of this selection-based component depends upon selection in FCS_DTLSS_EXT.1.1.
FCS_DTLSS_EXT.2.1 The product shall support mutual authentication of DTLS clients using X.509v3 certificates.
Application Note: All application notes listed for FCS_TLSS_EXT.2.1 that are relevant to DTLS apply to this requirement.
FCS_DTLSS_EXT.2.2 The product shall not establish a trusted channel if the client certificate is invalid.
Application Note: This used to point to FCS_TLSS_EXT.2.2, which doesn't exist.
FCS_DTLSS_EXT.2.3 The product shall not establish a trusted channel if the Distinguished Name (DN) or Subject Alternative Name (SAN) contained in a certificate does not match one of the expected identifiers for the client.
Application Note: This used to point to FCS_TLSS_EXT.2.3, but the wording changed.
Evaluation Activities
FCS_DTLSS_EXT.2.1
Tests
The evaluator shall perform the evaluation activities listed for FCS_TLSS_EXT.2.1.
FCS_DTLSS_EXT.2.2
Tests
This used to point to FCS_TLSS_EXT.2.2, which doesn't exist.
FCS_DTLSS_EXT.2.3
Tests
This used to point to FCS_TLSS_EXT.2.3, but the wording changed.
Appendix C - Acronyms
Acronym           Meaning
AES               Advanced Encryption Standard
Base-PP           Base Protection Profile
CA                Certificate Authority
CBC               Cipher Block Chaining
CC                Common Criteria
CEM               Common Evaluation Methodology
CN                Common Name
cPP               Collaborative Protection Profile
DHE               Diffie-Hellman Ephemeral
DN                Distinguished Name
DNS               Domain Name Server
DTLS              Datagram Transport Layer Security
EAP               Extensible Authentication Protocol
ECDHE             Elliptic Curve Diffie-Hellman Ephemeral
ECDSA             Elliptic Curve Digital Signature Algorithm
EP                Extended Package
FP                Functional Package
GCM               Galois/Counter Mode
HTTP              Hypertext Transfer Protocol
IETF              Internet Engineering Task Force
IP                Internet Protocol
NIST              National Institute of Standards and Technology
OE                Operational Environment
PP                Protection Profile
PP-Configuration  Protection Profile Configuration
PP-Module         Protection Profile Module
RFC               Request for Comment (IETF)
RSA               Rivest Shamir Adleman
SAN               Subject Alternative Name
SAR               Security Assurance Requirement
SCSV              Signaling Cipher Suite Value
SFR               Security Functional Requirement
SHA               Secure Hash Algorithm
ST                Security Target
TCP               Transmission Control Protocol
TLS               Transport Layer Security
TOE               Target of Evaluation
TSF               TOE Security Functionality
TSFI              TSF Interface
TSS               TOE Summary Specification
UDP               User Datagram Protocol
URI               Uniform Resource Identifier
URL               Uniform Resource Locator