TD0174: Optional Ciphersuites for TLS
Publication Date
2017.04.10
Protection Profiles
PP_APP_v1.2, PP_MD_v3.0, PP_NDCPP_APP_AUTHSVR_EP_V1.0
Other References
FCS_TLSC_EXT.1.1, FCS_EAP-TLS_EXT.1.1,
Issue Description
05/03/2017: Updating TD as it now also applies to the Authentication Server EP. The list of ciphersuites included in the TLS requirement in the SW App PP does not match the list in the MDFPP. This could result in conflict when “invoke platform-provided TLS 1.2” is selected. Resolution
The following replaces the Optional Ciphersuites in the FCS_TLSC_EXT.1.1 SFR in PP_MD_v3.0 and PP_APP_v1.2 and the FCS_EAP-TLS_EXT.1.1 SFR in PP_NDCPP_APP_AUTHSVR_EP_V1.0 • Optional Ciphersuites: [selection: ο TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246 ο TLS_RSA_WITH_AES_256_CBC_ SHA256 as defined in RFC 5246 ο TLS_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288 ο TLS_DHE_RSA_WITH_AES_128_CBC_ SHA256 as defined in RFC 5246 ο TLS_DHE_RSA_WITH_AES_256_CBC_ SHA256 as defined in RFC 5246 ο TLS_DHE_RSA_WITH_AES_256_GCM_ SHA384 as defined in RFC 5288 ο TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289 ο TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289 ο TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289 ο TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289 ο TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289 ο TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289 ο TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289 ο TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289
ο no other ciphersuite.] Justification
This change removes the inconsistency between the MDF and App Protection Profiles. |