Archived TD0156: NIT Technical Decision for SSL/TLS Version Testing in the NDcPP v1.0 and FW cPP v1.0
CPP_FW_V1.0, CPP_ND_V1.0, PP_SV_V1.1
ND SD V1.0, FCS_TLSS_EXT.1.2, FCS_TLSS_EXT.2.2
The Network Interpretations Team (NIT) has issued a technical decision regarding SSL/TLS version testing in NDcPP v1.0 and FW cPP v1.0.
To align with NIT interpretation #201664, the following changes are made:
SSL 1.0 shall not be part of FCS_TLSS_EXT.1.2 and FCS_TLSS_EXT.2.2. FCS_TLSS_EXT.1.2 and FCS_TLSS_EXT.2.2 shall therefore be rewritten as follows:
"The TSF shall deny connections from clients requesting SSL 2.0, SSL 3.0, TLS 1.0, and [selection: TLS 1.1, TLS 1.2, none]."
The Test activities for FCS_TLSS_EXT.1.2 and FCS_TLSS_EXT.2.2 in the ND SD shall be rewritten as follows:
"The evaluator shall send a Client Hello requesting a connection for all mandatory and selected protocol versions in the SFR (e.g. by enumeration of protocol versions in a test client) and verify that the server denies the connection for each attempt."
For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfi201664.pdf
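As an added example (not part of the TD, the ND SD or any NIAP tool), the following Python test client performs the enumeration the rewritten test activity describes: it builds a ClientHello for each protocol version the SFR requires the TOE to deny, sends it, and classifies the reply as denied (fatal alert or closed connection) or accepted (a ServerHello). Host, port, the fixed random/challenge values and the cipher suites are constructed assumptions; SSL 2.0 uses its own record format, so it gets a separate constructor.

```python
import socket, struct

TLS_VERSIONS = {"SSL 3.0": (3, 0), "TLS 1.0": (3, 1), "TLS 1.1": (3, 2), "TLS 1.2": (3, 3)}

def build_client_hello(major, minor, cipher_suites=(0x002F, 0x0035)):
    """Minimal TLS ClientHello; record and handshake version both carry the version under test."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (bytes([major, minor]) + b"\x00" * 32      # client_version + fixed (constructed) random
            + b"\x00"                                 # session_id length 0
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                            # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return bytes([0x16, major, minor]) + struct.pack("!H", len(handshake)) + handshake

def build_sslv2_client_hello():
    """SSL 2.0 CLIENT-HELLO: 2-byte header with high bit set, one cipher kind, 16-byte challenge."""
    cipher_specs = b"\x01\x00\x80"                    # SSL_CK_RC4_128_WITH_MD5
    challenge = b"\x00" * 16                          # constructed, fixed for reproducibility
    msg = (b"\x01\x00\x02" + struct.pack("!HHH", len(cipher_specs), 0, len(challenge))
           + cipher_specs + challenge)
    return struct.pack("!H", 0x8000 | len(msg)) + msg

def classify_response(data):
    """'denied' = fatal alert or no reply; 'accepted' = ServerHello, i.e. the version was agreed."""
    if not data:
        return "denied"                                          # closed without answering
    if data[0] == 0x15 and len(data) >= 7 and data[5] == 2:      # alert record, level fatal
        return "denied"
    if data[0] == 0x16 and len(data) >= 6 and data[5] == 0x02:   # handshake type 2 = ServerHello
        return "accepted"
    if data[0] & 0x80 and len(data) >= 3 and data[2] == 0x04:    # SSL 2.0 SERVER-HELLO
        return "accepted"
    return "unexpected"                                          # evaluator inspects by hand

def probe(host, port, hello, timeout=5.0):
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(hello)
        try:
            return classify_response(s.recv(4096))
        except (socket.timeout, ConnectionResetError):
            return "denied"

def enumerate_versions(host, port, must_deny=("SSL 2.0", "SSL 3.0", "TLS 1.0")):
    """Probe every version the SFR says the TSF must deny; True only if each attempt is denied."""
    hellos = {name: build_client_hello(*v) for name, v in TLS_VERSIONS.items()}
    hellos["SSL 2.0"] = build_sslv2_client_hello()
    results = {name: probe(host, port, hellos[name]) for name in must_deny}
    return results, all(r == "denied" for r in results.values())
```

Extend `must_deny` with "TLS 1.1" or "TLS 1.2" when the ST selects them, and record any "unexpected" result for manual review rather than treating it as a pass.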
UPDATE: SSL 1.0 is also removed from FCS_TLSS_EXT.1.2 in the Protection Profile for Server Virtualization V1.1.
See issue description.