NIAP: View Technical Decision Details
Archived TD0202: TLS_RSA_WITH_AES_128_CBC_SHA ciphersuite made a selection in FCS_TLSS_EXT.1

Publication Date
2017.05.03

Protection Profiles
PP_CA_v2.0

Other References
FCS_TLSS_EXT.1

Issue Description

FCS_TLSS_EXT.1 requires TLS_RSA_WITH_AES_128_CBC_SHA as a mandatory ciphersuite but allows the selection of an ECDSA ciphersuite, which cannot support the mandatory ciphersuite because there is no RSA server certificate. Additionally, the CSfC selections require AES-256 in either CBC or GCM mode, which would prevent the use of TLS_RSA_WITH_AES_128_CBC_SHA.

 

Resolution

FCS_TLSS_EXT.1.1 is modified as follows:

TLS_RSA_WITH_AES_128_CBC_SHA as defined in RFC 3268 is moved from mandatory to optional.

The following text is removed from the application note:

TLS_RSA_WITH_AES_128_CBC_SHA is required in order to ensure compliance with RFC 5246.

The following text is added to the application note:

It is recognized that RFC 5246 mandates the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA, but use of SHA-1 for digital signature generation is no longer recommended (see NIST SP 800-131A rev-1 and SP 800-78-4). Subsequent revisions of the PP will not include SHA-1.

 

 

FCS_TLSS_EXT.1.1 The TSF shall implement [selection: TLS 1.2 (RFC 5246), TLS 1.1 (RFC 4346), TLS 1.0 (RFC 2246)] supporting the following ciphersuites: [selection:

TLS_RSA_WITH_AES_128_CBC_SHA as defined in RFC 3268

TLS_RSA_WITH_AES_256_CBC_SHA as defined in RFC 3268

TLS_DHE_RSA_WITH_AES_128_CBC_SHA as defined in RFC 3268

TLS_DHE_RSA_WITH_AES_256_CBC_SHA as defined in RFC 3268

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA as defined in RFC 4492

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA as defined in RFC 4492

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA as defined in RFC 4492

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA as defined in RFC 4492

TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246

TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246

TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289]

and no other ciphersuites.

 

Application Note: The ciphersuites to be tested in the evaluated configuration are limited by this requirement. The ST author should select the ciphersuites that are supported. It is necessary to limit the ciphersuites that can be used in an evaluated configuration administratively on the server in the test environment. The Suite B algorithms listed above (RFC 6460) are the preferred algorithms for implementation.

These requirements will be revisited as new TLS versions are standardized by the IETF.

If any ciphersuites are selected using ECDHE, then FCS_TLSS_EXT.1.5 is required.

In a future version of this PP TLS 1.0 will be removed and TLS v1.2 will be required for all TOEs.

It is recognized that RFC 5246 mandates the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA, but use of SHA-1 for digital signature generation is no longer recommended (see NIST SP 800-131A rev-1 and SP 800-78-4). Subsequent revisions of the PP will not include SHA-1.

 

Justification

It is recognized that RFC 5246 mandates the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA. SHA-1 will be deprecated from most government run CAs by the end of the year, but issued certificates might be valid beyond that. Self-service requests based on those certificates will require a cipher suite using SHA-1 until they expire.
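
Added example (not part of the NIAP decision or the Protection Profile): a Python check that audits a server's enabled ciphersuites against the FCS_TLSS_EXT.1.1 selection list above, covering the conflicts this TD describes (no matching server certificate, the AES-256 constraint attributed to CSfC, SHA-1 suites, and the FCS_TLSS_EXT.1.5 dependency for ECDHE). The function name `audit`, the finding labels, the `cert_key_types` input and the sample configuration are assumptions made for illustration.

```python
# Added example, not NIAP text. Selection list copied from FCS_TLSS_EXT.1.1 above.
ALLOWED = frozenset("""
TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
""".split())


def audit(configured, cert_key_types, csfc=False):
    """Audit a server's enabled ciphersuites (IANA names) against the SFR.

    cert_key_types: key types of the installed server certificates,
    e.g. {"RSA"} or {"ECDSA"} (assumed input, supplied by the operator).
    csfc: apply the AES-256-only constraint the TD attributes to CSfC.
    """
    findings = []
    for suite in configured:
        if suite not in ALLOWED:
            # The SFR ends with "and no other ciphersuites".
            findings.append(("not-in-selection", suite))
            continue
        # Authentication algorithm is the last token before _WITH_.
        auth = suite[len("TLS_"):suite.index("_WITH_")].split("_")[-1]
        if auth not in cert_key_types:
            findings.append(("no-matching-certificate", suite))
        if csfc and "_AES_256_" not in suite:
            findings.append(("csfc-requires-aes-256", suite))
        if suite.endswith("_SHA"):
            # SHA-1 suites are to be dropped in later PP revisions.
            findings.append(("sha1-suite", suite))
    if any("_ECDHE_" in s for s in configured if s in ALLOWED):
        findings.append(("also-required", "FCS_TLSS_EXT.1.5"))
    return findings


# Constructed sample: an ECDSA-only server in a CSfC deployment.
SAMPLE = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
          "TLS_RSA_WITH_AES_128_CBC_SHA",
          "TLS_RSA_WITH_RC4_128_SHA"]

if __name__ == "__main__":
    for kind, item in audit(SAMPLE, {"ECDSA"}, csfc=True):
        print(f"{kind:24} {item}")
```

On the constructed sample, the formerly mandatory TLS_RSA_WITH_AES_128_CBC_SHA triggers three findings at once, which is the conflict that moving it to an optional selection resolves.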

 

 
 