TD0492: TLS-EAP Ciphers and TLS versions for WLAN Client
FCS_TLSC_EXT.1.1/WLAN should no longer mandate TLS v1.0 or the TLS_RSA_WITH_AES_128_CBC_SHA ciphersuite.
FCS_TLSC_EXT.1.6/WLAN limits a vendors ability to provide a superset of the ciphersuites in FCS_TLSC_EXT.1.1/WLAN. It should be acceptable for the client to propose additional ciphersuites and rely on the server to enforce specific ciphersuites from the list.
Test 5 bullet 4 test cannot be performed when a TOE supports only TLS RSA ciphersuites (e.g., TLS_RSA_WITH_AES_128_CBC_SHA).
FCS_TLSC_EXT.1.1/WLAN is replaced as follows:
FCS_TLSC_EXT.1.1/WLAN The TSF shall implement [selection: TLS 1.0 (RFC 2246), TLS 1.1 (RFC 4346), TLS 1.2 (RFC 5246)] in support of the EAP-TLS protocol as specified in RFC 5216 supporting the following ciphersuites: [selection:
TLS_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246,
TLS_RSA_WITH_AES_256_CBC_SHA as defined in RFC 5246,
TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246,
TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246,
TLS_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5288,
TLS_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5288,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289].
The application Note for FCS_TLSC_EXT.1/WLAN is replaced as follows:
Application Note: The ST author should select the cipher suites that are supported, and must select at least one cipher suite. The ciphersuites to be tested in the evaluated configuration are limited by this requirement; however, this requirement does not restrict the TOE's ability to propose (in its Client Hello) additional ciphersuites beyond the ones listed in this requirement. The TOE may propose any ciphersuite; however, the evaluation will only test the ciphersuites in the above list. It is necessary to limit the cipher suites that can be used in an evaluated configuration administratively on the server in the test environment. GCM cipher suites are preferred over CBC cipher suites, ECDHE preferred over RSA and DHE, and SHA256 or SHA384 over SHA.
TLS_RSA_WITH_AES_128_CBC_SHA is not required despite being mandated by RFC 5246.
TLS 1.2 is the preferred protocol. TLS 1.0 will be removed in the next version of the EP. These requirements will be also revisited as new TLS versions are standardized by the IETF.
If any of the ECDHE ciphersuites are selected by the ST author, it is necessary to include FCS_TLSC_EXT.2/WLAN in the TSF (see Appendix C).
While FCS_TLSC_EXT.1.4/WLAN requires that the TOE perform certain checks on the certificate presented by the authentication server, there are corresponding checks that the authentication server will have to perform on the certificate presented by the client; namely that the extendedKeyUsage field of the client certificate includes "Client Authentication" and that the digital signature bit (for the Diffie-Hellman ciphersuites) or the key encipherment bit (for RSA ciphersuites) be set. Certificates obtained for use by the TOE will have to conform to these requirements in order to be used in the enterprise.
FIA_X509_EXT.1 requirements defined in each of the possible base PPs define requirements that the underlying platform is expected to implement.
FCS_TLSC_EXT.1.6/WLAN is deleted.
Test 5 bullet 4 test is replaced as follows:
[conditional] If DHE or ECDHE cipher suites are supported, modify the signature block in the Server’s Key Exchange handshake message, and verify that the client does not complete the handshake and no application data flows. This test does not apply to cipher suites using RSA key exchange. If a TOE only supports RSA key exchange in conjunction with TLS, then this test shall be omitted.
See issue description.