Archived TD0004: FCS_TLS_EXT Man-in-the-Middle Tests
PP_ND_V1.1, FCS_TLS_EXT.1.1, NDPP Errata #2; PP_MD_V1.1, FCS_TLS_EXT.1, FCS_TLS_EXT.2
The man-in-the-middle testing in FCS_TLS_EXT requires tools that can sniff the TCP traffic and modify the packets on the fly. Currently, no tools have been identified that will allow these tests to be performed practically, reliably, and repeatedly.
Remove the FCS_TLS_EXT man-in-the-middle tests for the NDPP (FCS_TLS_EXT.1.1, Test 2) and the MDFPP (FCS_TLS_EXT.1, Test 5; FCS_TLS_EXT.2, Test 5).
New TLS requirements and assurance activities are being drafted to address 112-bit security strengths, and those changes would likely involve splitting client requirements from server requirements.
CCEVS expects to develop tests similar to these that address the required elements of the TLS RFCs and will consider providing tools or additional guidance to the labs regarding how these tests are performed as we draft them. Once incorporated in the PPs, the man-in-the-middle testing will be mandatory.