NIAP: View Technical Decision Details
NIAP/CCEVS
Archived TD0156:  NIT Technical Decision for SSL/TLS Version Testing in the NDcPP v1.0 and FW cPP v1.0

Publication Date
2017.03.15

Protection Profiles
CPP_FW_V1.0, CPP_ND_V1.0, PP_SV_V1.1

Other References
ND SD V1.0, FCS_TLSS_EXT.1.2, FCS_TLSS_EXT.2.2

Issue Description

The Network Interpretations Team (NIT) has issued a technical decision regarding SSL/TLS version testing in NDcPP v1.0 and FW cPP v1.0.

Resolution

To align with NIT interpretation # 201664, the following changes are made:

SSL 1.0 shall not be part of FCS_TLSS_EXT.1.2 and FCS_TLSS_EXT.2.2. FCS_TLSS_EXT.1.2 and FCS_TLSS_EXT.2.2 shall therefore be rewritten as follows:

"The TSF shall deny connections from clients requesting SSL 2.0, SSL 3.0, TLS 1.0, and [selection: TLS 1.1, TLS 1.2, none]."

The Test activities for FCS_TLSS_EXT.1.2 and FCS_TLSS_EXT.2.2 in the ND SD shall be rewritten as follows:

"The evaluator shall send a Client Hello requesting a connection for all mandatory and selected protocol versions in the SFR (e.g. by enumeration of protocol versions in a test client) and verify that the server denies the connection for each attempt."
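The enumeration described in the test activity, as an added example that is not part of the technical decision or of any NIAP tooling: a Python test client that builds one raw Client Hello per protocol version and classifies the server's first reply. The offered cipher suites, the function names, and the rule that only a Server Hello counts as "accepted" are assumptions of this example.

```python
import os
import socket
import struct

# Versions named in the rewritten SFR: three always denied, plus the selectable ones.
VERSIONS = {"SSL 2.0": (0, 2), "SSL 3.0": (3, 0), "TLS 1.0": (3, 1),
            "TLS 1.1": (3, 2), "TLS 1.2": (3, 3)}

def client_hello(name):
    """Build a raw Client Hello that requests exactly protocol version `name`."""
    ver = bytes(VERSIONS[name])
    if name == "SSL 2.0":
        # SSLv2 CLIENT-HELLO: type 1, version, spec/session-id/challenge lengths.
        specs = bytes.fromhex("0100800700c0")  # assumed: RC4_128_MD5, 3DES_MD5
        body = (b"\x01" + ver + struct.pack(">HHH", len(specs), 0, 16)
                + specs + os.urandom(16))
        return struct.pack(">H", 0x8000 | len(body)) + body
    suites = bytes.fromhex("002f0035000a")  # assumed: RSA AES-128/256-CBC-SHA, 3DES
    body = (ver + os.urandom(32) + b"\x00"             # version, random, no session id
            + struct.pack(">H", len(suites)) + suites  # cipher suites
            + b"\x01\x00")                             # null compression only
    hs = b"\x01" + struct.pack(">I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16" + ver + struct.pack(">H", len(hs)) + hs  # handshake record

def classify(reply):
    """Return 'denied' unless the first reply bytes are a Server Hello."""
    if len(reply) >= 6 and reply[0] == 0x16 and reply[5] == 0x02:
        return "accepted"   # SSLv3/TLS handshake record carrying ServerHello
    if len(reply) >= 3 and reply[0] & 0x80 and reply[2] == 0x04:
        return "accepted"   # SSLv2 SERVER-HELLO
    return "denied"         # alert record, SSLv2 ERROR, or closed connection

def probe(host, port, name, timeout=5.0):
    """Send one Client Hello to the server under evaluation and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(client_hello(name))
        try:
            return classify(s.recv(16))
        except ConnectionResetError:
            return "denied"  # server reset the connection instead of answering

def run(host, port, versions):
    """Map each protocol version in `versions` to 'denied' or 'accepted'."""
    return {name: probe(host, port, name) for name in versions}
```

A timeout or refused connection raises an exception instead of being counted as a denial, so an unreachable server cannot be mistaken for a passing result.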

For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfi201664.pdf

UPDATE: SSL v1.0 is also removed from FCS_TLSS_EXT.1.2 in the Protection Profile for Server Virtualization V1.1.

Justification

See issue description.

 
 