NIAP: View Technical Decision Details
Archived TD0112:  NIT Technical Decision for TLS testing in the NDcPP v1.0 and FW cPP v1.0.

Publication Date
2016.10.06

Protection Profiles
CPP_FW_V1.0, CPP_ND_V1.0

Other References
CPP_ND_V1.0, CPP_FW_V1.0

Issue Description

The Network Interpretations Team (NIT) has issued a technical decision regarding TLS testing and when garbled messages should be sent in the NDcPP v1.0 and FW cPP v1.0.

Resolution

 

To align with NIT interpretation #21, NIAP supports the interpretation written below. For further information, please see the NIT interpretation at:

https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfI21.pdf

 

As part of completing negotiation of the TLS tunnel, a Finished message is sent (after ChangeCipherSpec) which contains a hash of the previous messages exchanged. The tunnel should be set up only if this hash is correctly verified. By sending a garbled message (before the Finished message is sent), it can be verified that the TLS implementation waits for the Finished message and verifies the hash before sending data. So, for the purpose of this test, the garbled message shall be sent before the Finished message is sent.
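The check this test exercises, as an added example that is not part of the NIAP or NIT text: it computes the TLS 1.2 Finished verify_data (RFC 5246, SHA-256 PRF) and shows a receiver refusing to send data when a garbled message arrives where Finished is expected. The `Receiver` class, the placeholder handshake messages and the master secret are constructed for illustration, and record-layer encryption is omitted.

```python
import hashlib
import hmac

def p_sha256(secret, seed, length):
    """P_hash from RFC 5246 section 5, instantiated with SHA-256."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def verify_data(master_secret, label, handshake_messages):
    """Finished payload: PRF(master_secret, label, Hash(handshake_messages))[:12]."""
    transcript_hash = hashlib.sha256(b"".join(handshake_messages)).digest()
    return p_sha256(master_secret, label + transcript_hash, 12)

class Receiver:
    """Hypothetical client that has just received the server's ChangeCipherSpec."""
    def __init__(self, master_secret, handshake_messages):
        self.ms, self.seen = master_secret, list(handshake_messages)
        self.state = "await_finished"

    def on_message(self, msg):
        if self.state != "await_finished":
            return self.state  # an aborted or established session does not re-run the check
        expected = verify_data(self.ms, b"server finished", self.seen)
        # Handshake header: type 20 (Finished), then a 3-byte length of 12.
        ok = (len(msg) == 16 and msg[:4] == b"\x14\x00\x00\x0c"
              and hmac.compare_digest(msg[4:], expected))
        self.state = "established" if ok else "aborted"
        return self.state

    def can_send_data(self):
        return self.state == "established"

# Constructed inputs: placeholder handshake messages and a 48-byte master secret.
MS = bytes(range(48))
TRANSCRIPT = [b"ClientHello", b"ServerHello", b"Certificate", b"ServerHelloDone",
              b"ClientKeyExchange", b"ClientFinished"]
GOOD = b"\x14\x00\x00\x0c" + verify_data(MS, b"server finished", TRANSCRIPT)

def run_case(msg, transcript=TRANSCRIPT):
    r = Receiver(MS, transcript)
    return r.on_message(msg), r.can_send_data()

if __name__ == "__main__":
    print("valid Finished:", run_case(GOOD))
    print("garbled message:", run_case(bytes(b ^ 0xFF for b in GOOD)))
    print("one bit flipped:", run_case(GOOD[:-1] + bytes([GOOD[-1] ^ 1])))
    print("transcript altered:", run_case(GOOD, [b"ClientHellX"] + TRANSCRIPT[1:]))
```

An evaluator observing the device under test looks for the same outcome as the `aborted` state here: the connection is denied and no application data follows the garbled message.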

 

Justification

See Issue Description
