TD0474: Removal of Mandatory Cipher Suite in FCS_TLS_EXT.1
FCS_TLS_EXT.1 in HCD PP v1.0 currently mandates support for TLS_RSA_WITH_AES_128_CBC_SHA. This cipher suite is being deprecated and future PPs can be expected not to have cipher suites with SHA-1.
Additionally, Test 2a is only applicable to TLS_RSA_WITH... cipher suites and will not verify the behavior on the TOE for DHE and ECDHE cipher suites.
HCD PP v1.0 is modified as follows:
Changes to FCS_TLS_EXT.1
FCS_TLS_EXT.1.1 The TSF shall implement one or more of the following protocols [selection: TLS 1.0 (RFC 2246), TLS 1.1 (RFC 4346), TLS 1.2 (RFC 5246)] supporting the following cipher suites:
The ST author must make the appropriate selections and assignments to reflect the TLS implementation.
The ciphersuites to be tested in the evaluated configuration are limited by this requirement. The ST author should select the
The Suite B algorithms (RFC 5430) listed above are the preferred algorithms for implementation. The TLS requirement may be changed in the next version of the HCD PP to comply with CNSSP 15 and NIST SP 800-131A.
Changes to FCS_TLS_EXT.1 Test 2a
[Conditional: TOE is a server] Modify
See issue description.