Archived
TD0156: NIT Technical Decision for SSL/TLS Version Testing in the NDcPP v1.0 and FW cPP v1.0
Publication Date
2017.03.15
Protection Profiles
CPP_FW_V1.0, CPP_ND_V1.0, PP_SV_V1.1
Other References
ND SD V1.0, FCS_TLSS_EXT.1.2, FCS_TLSS_EXT.2.2
Issue Description
The Network Interpretations Team (NIT) has issued a technical decision regarding SSL/TLS version testing in NDcPP v1.0 and FW cPP v1.0.
Resolution
To align with NIT interpretation #201664, the following changes are made:
SSL 1.0 shall not be part of FCS_TLSS_EXT.1.2 and FCS_TLSS_EXT.2.2. FCS_TLSS_EXT.1.2 and FCS_TLSS_EXT.2.2 shall therefore be rewritten as follows:
"The TSF shall deny connections from clients requesting SSL 2.0, SSL 3.0, TLS 1.0, and [selection: TLS 1.1, TLS 1.2, none]."
The test activities for FCS_TLSS_EXT.1.2 and FCS_TLSS_EXT.2.2 in the ND SD shall be rewritten as follows:
"The evaluator shall send a Client Hello requesting a connection for all mandatory and selected protocol versions in the SFR (e.g. by enumeration of protocol versions in a test client) and verify that the server denies the connection for each attempt."
For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfi201664.pdf
UPDATE: SSL v1.0 is also removed from FCS_TLSS_EXT.1.2 in the Protection Profile for Server Virtualization V1.1.
Justification
See issue description.
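The rewritten test activity asks the evaluator to enumerate protocol versions in a test client and confirm that the TOE denies each one the SFR names. The script below is an added illustration of that activity, not NIAP's, the NIT's, or any TOE's code. It builds a minimal Client Hello for each version in its native wire format (SSL 2.0 uses its own record layout; SSL 3.0 and TLS share the SSL3/TLS record layer), recovers the requested version the way a server would, applies the SFR ("deny SSL 2.0, SSL 3.0, TLS 1.0, plus whatever the ST author selected") to decide what a conformant TSF must do, and classifies the TOE's reply. The host, port, the selection of TLS 1.1/TLS 1.2, the cipher suites offered, and the rule that a closed connection or an Alert counts as a denial are all assumptions made for the example.

```python
"""Enumerate SSL/TLS versions against a TLS server and check that each version
the SFR requires the TSF to deny is actually denied.

Constructed example for the ND SD test activity; not NIAP's or any TOE's code.
Host/port, the ST author's 'selected' versions, and the offered cipher suites
are placeholders chosen for illustration."""
import socket
import struct

# Wire encoding (major, minor) of each protocol version named in the SFR.
VERSIONS = {
    "SSL 2.0": (0, 2),
    "SSL 3.0": (3, 0),
    "TLS 1.0": (3, 1),
    "TLS 1.1": (3, 2),
    "TLS 1.2": (3, 3),
}
ALWAYS_DENIED = ("SSL 2.0", "SSL 3.0", "TLS 1.0")   # mandatory part of the SFR


def denied_versions(selected=()):
    """Versions the TSF must deny: the mandatory three plus the ST author's
    selection (any of TLS 1.1, TLS 1.2, or none)."""
    return ALWAYS_DENIED + tuple(v for v in selected if v not in ALWAYS_DENIED)


def build_client_hello(version_name):
    """Minimal Client Hello for one protocol version, in that version's own
    record format, as a test client would put it on the wire."""
    major, minor = VERSIONS[version_name]
    if version_name == "SSL 2.0":
        cipher_specs = bytes([0x01, 0x00, 0x80])        # SSL_CK_RC4_128_WITH_MD5
        challenge = bytes(16)                           # all-zero challenge (test only)
        body = struct.pack(">BBBHHH", 1, major, minor,  # CLIENT-HELLO, version,
                           len(cipher_specs), 0,        # cipher-spec len, session-id len,
                           len(challenge)) + cipher_specs + challenge   # challenge len
        return struct.pack(">H", 0x8000 | len(body)) + body   # 2-byte header, no padding
    suites = bytes.fromhex("002f000a")                  # RSA/AES128-SHA, RSA/3DES-SHA
    hello = (struct.pack(">BB", major, minor) + bytes(32)   # client_version, random
             + b"\x00"                                       # empty session_id
             + struct.pack(">H", len(suites)) + suites
             + b"\x01\x00")                                  # compression: null only
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello   # HandshakeType 1
    return struct.pack(">BBBH", 0x16, major, minor, len(handshake)) + handshake


def requested_version(data):
    """Recover the protocol version a Client Hello asks for (the server's view)."""
    if data[0] & 0x80 and data[2] == 1:                 # SSL 2.0 CLIENT-HELLO
        code = (data[3], data[4])
    elif data[0] == 0x16 and data[5] == 1:              # SSL3/TLS record + ClientHello
        code = (data[9], data[10])
    else:
        raise ValueError("not a Client Hello")
    for name, wire in VERSIONS.items():
        if wire == code:
            return name
    raise ValueError("unknown version %d.%d" % code)


def tsf_decision(data, selected=()):
    """What a conformant TSF must do with this Client Hello: 'deny' or 'accept'."""
    return "deny" if requested_version(data) in denied_versions(selected) else "accept"


def classify_response(reply):
    """Judge the TOE's reply to one probe.  Assumption: a closed connection, an
    Alert record, or anything that is not a Server Hello counts as a denial."""
    if not reply:
        return "denied"                                 # TCP close / no data
    if reply[0] == 0x15:
        return "denied"                                 # SSL3/TLS Alert record
    if reply[0] == 0x16 and len(reply) > 5 and reply[5] == 2:
        return "accepted"                               # ServerHello
    if reply[0] & 0x80 and len(reply) > 2 and reply[2] == 4:
        return "accepted"                               # SSL 2.0 SERVER-HELLO
    return "denied"


def probe(host, port, version_name, timeout=5.0):
    """Send one Client Hello to the TOE and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version_name))
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            reply = b""
    return classify_response(reply)


def enumerate_denied_versions(host, port, selected=()):
    """The ND SD test activity: one Client Hello per mandatory/selected version,
    each of which the TOE must deny.  Returns {version: passed}."""
    return {name: probe(host, port, name) == "denied"
            for name in denied_versions(selected)}


if __name__ == "__main__":
    # Placeholder TOE address and an assumed ST selection of TLS 1.1.
    for version, passed in enumerate_denied_versions("toe.example", 443, ("TLS 1.1",)).items():
        print("%-8s %s" % (version, "PASS (denied)" if passed else "FAIL (accepted)"))
```

Running the enumeration against a real TOE needs network access; the builders, the version parser and the SFR decision can be exercised offline, which is also how one checks that the test client itself encodes each version correctly before attributing a result to the TOE.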