NIAP: View Details
NIAP/CCEVS
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
TD0241:  Removal of Test 4.1 in FCS_TLSS_EXT.1.1
Publication Date
  09/29/2017
References
FCS_TLSS_EXT.1.1, PP_APP_v1.2
Issue Description

In the Application Software PP (PP_APP_v1.2), FCS_TLSS_EXT.1.1 Test 4.1 tests the client's behavior instead of the server's behavior.

Resolution

Test 4.1 for of FCS_TLSS_EXT.1.1 in the App SW PP (PP_APP_v1.2 ) is modified as follows:

 

Test 4: The evaluator shall perform the following modifications to the traffic:

 

o   Test 4.1: Change the TLS version selected by the server in the Server Hello to a non-supported TLS version (for example 1.3 represented by the two bytes 03 04) and verify that the client rejects the connection.

 

o   Test 4.2: Modify at least one byte in the client’s nonce in the Client Hello handshake message, and verify that the server rejects the client's Certificate Verify handshake message (if using mutual authentication) or that the server denies the client's Finished handshake message.

 

o   Test 4.3: Modify the signature block in the Client’s Key Exchange handshake message, and verify that the server rejects the client's Certificate Verify handshake message (if using mutual authentication) or that the server denies the client's Finished handshake message.

 

o   Test 4.4: Modify a byte in the Clint Finished handshake message, and verify that the server rejects the connection and does not send any application data.

 

o   Test 4.5: After generating a fatal alert by sending a Finished message from the client before the client send a ChangeCipherSpec message, send a Client Hello with the session identifier from the previous test, and verify that the server denies the connection.

 

o   Test 4.6: Send a garbled message from the client after the client has issued the ChangeCipherSpec message and verify that the Server denies the connection.

 

Justification

The Assurance Activity does not exercise the server functionality and does not apply to TLS server requirements.



 
Site Map              Contact Us              Home