This SFR is claimed if "DTLS as a client" is selected in FCS_TLS_EXT.1.1.

The ST author will claim DTLS 1.3 functionality if supported, and optional functionality as appropriate for the claimed versions.

Session renegotiation protection is required for both DTLS 1.2 and DTLS 1.3, and the ST must include the requirements from FCS_DTLSC_EXT.4. Within FCS_DTLSC_EXT.4, options for implementation of secure session renegotiation for DTLS 1.2 or rejecting renegotiation requests are claimed.

If "mutual authentication" is selected, then the ST must additionally include the requirements from FCS_DTLSC_EXT.2. If the TOE implements mutual authentication, this selection must be made.

If "supplemental downgrade protection" is selected, then the ST must additionally include the requirements from FCS_DTLSC_EXT.3. This is claimed if DTLS 1.3 is supported, or if the product supports TLS 1.1 or below downgrade protection using the mechanism described in RFC 8446. Note that TLS 1.1 or below downgrade protection in DTLS is used to notify a client that the server is capable of supporting DTLS 1.2 or DTLS 1.3, but that it received a client hello indicating maximum support for DTLS 1.0 (there is no DTLS version 1.1).

If "session resumption" is selected, then the ST must additionally include the requirements from FCS_DTLSC_EXT.5.

DTLS version numbers are denoted on the wire as the 1’s complement of the corresponding textual DTLS versions as described in RFC 6347, Section 4.1. DTLS version 1.2 is 0xfefd; DTLS version 1.3 is 0xfefc.

DTLS uses TLS ciphersuites. The ST author should select the ciphersuites that are supported, and must select at least one ciphersuite for each DTLS version supported – TLS 1.2 ciphersuites for DTLS 1.2 and TLS 1.3 ciphersuites for DTLS 1.3.

The application note for FCS_TLSC_EXT.1.2 applies to this requirement, with ‘FCS_TLSC_EXT.1.1’ replaced by ‘FCS_DTLSC_EXT.1.1.’

All supported responses are claimed; at least one option is claimed.

This SFR is claimed if "mutual authentication" is selected in FCS_DTLSC_EXT.1.1.

All application notes for FCS_TLSC_EXT.2.1 apply to this requirement, with references to TLS replaced by the equivalent reference to DTLS.

This SFR is claimed if "supplemental downgrade protection" is selected in FCS_DTLSC_EXT.1.1.

DTLS uses the TLS downgrade indicators. The application notes listed for FCS_TLSC_EXT.3 also apply to this requirement, with references to TLS replaced by the equivalent reference to DTLS.

This SFR is claimed if "DTLS as a client" is selected in FCS_TLS_EXT.1.1.

The application notes listed for FCS_TLSC_EXT.4 apply to this requirement, with references to TLS replaced by the equivalent reference to DTLS.

This SFR is claimed if "session resumption" is selected in FCS_DTLSC_EXT.1.1.

The ST author indicates which session resumption mechanisms are supported. One or both of the first two options, "session ID in accordance with RFC 5246" and "tickets in accordance with RFC 5077" are claimed for DTLS 1.2 resumption. If resumption of DTLS 1.3 sessions is supported, "PSK and tickets in accordance with RFC 8446" is selected, and the selection-based SFR FCS_DTLSC_EXT.6 must also be claimed.

While it is possible to perform session resumption using PSK ciphersuites in DTLS 1.2, this is uncommon. Validation of key exchange and session negotiation rules for PSK ciphersuites is independent of the source of the pre-shared key and is covered in FCS_DTLSC_EXT.1.

This SFR is claimed if "PSK and tickets in accordance with RFC 8446" is selected in FCS_DTLSC_EXT.5.1.

The application notes listed for FCS_TLSC_EXT.6 also apply to this requirement, with references to TLS replaced by the equivalent reference to DTLS.

This SFR is claimed if "DTLS as a server" is selected in FCS_TLS_EXT.1.1.

The ST author will claim DTLS 1.3 functionality if supported, and optional functionality as appropriate for the claimed versions.

Session renegotiation protection is required for both DTLS 1.2 and DTLS 1.3, and the ST must include the requirements from FCS_DTLSS_EXT.4. Within FCS_DTLSS_EXT.4, options for implementation of secure session renegotiation for DTLS 1.2, or rejecting renegotiation requests are claimed.

If "mutual authentication" is selected, then the ST must additionally include the requirements from FCS_DTLSS_EXT.2. If the TOE implements mutual authentication, this selection must be made.

If "supplemental downgrade protection" is selected, then the ST must additionally include the requirements from FCS_DTLSS_EXT.3. If the TOE provides downgrade protection as indicated in RFC 8446, in particular, if DTLS 1.3 is supported, this selection must be made.

If "session resumption" is selected, then the ST must additionally include the requirements from FCS_DTLSS_EXT.5.

DTLS version numbers are denoted on the wire as the 1’s complement of the corresponding textual DTLS versions as described in RFC 6347, Section 4.1. DTLS version 1.2 is 0xfefd; DTLS version 1.3 is 0xfefc.

This SFR is claimed if "mutual authentication" is selected in FCS_DTLSS_EXT.1.1.

All application notes for FCS_TLSS_EXT.2.1 apply to this requirement, with references to TLS replaced by the equivalent reference to DTLS.

This SFR is claimed if "supplemental downgrade protection" is selected in FCS_DTLSS_EXT.1.1.

The application notes listed for FCS_TLSS_EXT.3 also apply to this requirement, with references to TLS replaced by the equivalent reference to DTLS.

This SFR is claimed if "DTLS as a server" is selected in FCS_TLS_EXT.1.1.

The application notes listed for FCS_TLSS_EXT.4 apply to this requirement, with references to TLS replaced by the equivalent reference to DTLS.

This SFR is claimed if "session resumption" is selected in FCS_DTLSS_EXT.1.1.

The application notes listed for FCS_TLSS_EXT.5 apply to this requirement, with references to TLS replaced by the equivalent reference to DTLS.

If resumption of DTLS 1.3 sessions is supported, "PSK and tickets in accordance with RFC 8446" is selected, and the selection-based SFR FCS_DTLSS_EXT.6 must also be claimed.

This SFR is claimed if "PSK and tickets in accordance with RFC 8446" is selected in FCS_DTLSS_EXT.5.1.

The application notes listed for FCS_TLSS_EXT.6 also apply to this requirement, with references to TLS replaced by the equivalent reference to DTLS.

This SFR is claimed if "TLS as a client" is selected in FCS_TLS_EXT.1.1.

Session renegotiation protection is required for both TLS 1.2 and TLS 1.3, and the ST must include the requirements from FCS_TLSC_EXT.4. Within FCS_TLSC_EXT.4, options for implementation of secure session renegotiation for TLS 1.2, or rejecting renegotiation requests are claimed.

The ST author will claim TLS 1.3 functionality if supported, and optional functionality as appropriate for the claimed versions.

If "mutual authentication" is selected, then the ST must additionally include the requirements from FCS_TLSC_EXT.2. If the TOE implements mutual authentication, this selection must be made.

If "supplemental downgrade protection" is selected, then the ST must additionally include the requirements from FCS_TLSC_EXT.3. This is claimed if TLS 1.3 is supported, or if the product supports TLS 1.1 or below downgrade protection using the mechanism described in RFC 8446.

If "session resumption" is selected, then the ST must additionally include the requirements from FCS_TLSC_EXT.5.

The ST author should select the ciphersuites that are supported, and must select at least one ciphersuite for each TLS version supported. The ciphersuites to be tested in the evaluated configuration are limited by this requirement. However, this requirement does not restrict the TOE's ability to propose additional non-deprecated ciphersuites beyond the ones listed in this requirement in its client hello message as indicated in the ST. That is, the TOE may propose any ciphersuite not excluded by this element, but the evaluation will only test ciphersuites from the above list. It is necessary to limit the ciphersuites that can be used in an evaluated configuration administratively on the server in the test environment.

TLS 1.3 ciphersuites are claimed if support for TLS 1.3 is claimed in FCS_TLSC_EXT.1.1. The assignment of preference order provides an ordered list of all supported ciphersuites with the most preferred ciphersuites listed first. Ciphersuites listed in RFC 9151, “Commercial National Security Algorithm (CNSA) Suite Profile for TLS and DTLS 1.2 and 1.3” are preferred over all other ciphersuites, GCM ciphersuites are preferred over CBC ciphersuites, ECDHE preferred over RSA and DHE, and SHA-256 or SHA-384 over SHA-1.

If TLS 1.3 is claimed in FCS_TLSC_EXT.1.1, supported_versions, supported_groups, and key_share extensions are claimed in accordance with RFC 8446. If TLS 1.3 is not claimed, supported_versions and key_share extensions are not claimed. Other extensions may be supported; certain extensions may need to be claimed based on other SFR claims made.

If ECDHE ciphersuites are claimed in FCS_TLSC_EXT.1.2, the supported_groups extension is claimed here with appropriate secp groups claimed. If DHE ciphersuites are claimed in FCS_TLSC_EXT.1.2, it is preferred that the appropriate ffdhe groups be claimed here. In a subsequent version of this FP, support for ffdhe groups will be required whenever DHE ciphersuites are claimed.

When ‘other non-deprecated signature algorithms’ is claimed, the assignment will describe the standard signature and hash algorithms supported. MD5 and SHA-1 hashes are deprecated and are not included in the signature_algorithms or signature_algorithms_cert extensions.

The rules for verification identity are described in RFC 6125, Section 6 and RFC 5280, Section 7. The reference identifier is established by the user (e.g., entering a URL into a web browser or clicking a link), by configuration (e.g., configuring the name of a mail or authentication server), or by an application (e.g., a parameter of an API) depending on the product service. The client establishes all acceptable reference identifiers and interfaces with the TLS implementation to provide acceptable reference identifiers, or to accept the presented identifiers as validated in the server’s certificate. If the product performs matching of the reference identifiers to the identifiers provided in the server’s certificate, the first option is claimed and all supported name types are claimed; if the product presents the certificate, or the presented identifiers from the certificate to the application, the second option is claimed.

In most cases where TLS servers are represented by DNS-type names, the preferred method for verification is the Subject Alternative Name using DNS, URI, or Service Names. Verification using a conversion of the Common Name relative distinguished name from a DNS name type in the subject field is allowed for the purposes of backward compatibility.

The client should avoid constructing reference identifiers using wildcards. However, if the presented identifiers include wildcards, the client must follow the best practices regarding matching; these best practices are captured in the evaluation activity. If the TSF supports wildcards, and allows names with DNS portions containing internationalized names, the internationalized name does not match any wildcard, in accordance with RFC 6125, Section 7.2.

Support for other name types is rare, but may be claimed for specific applications. If specified, the assignment includes both the RFC describing normalization and matching rules, and any refinements necessary to resolve options available in the RFC.

A certificate used in a manner that does not support revocation checking should not advertise revocation information locations. Common methods to address this include revoking the issuing CA, resetting certificate pinning mechanisms, or removing entries from trust stores. Thus, a certificate that does not advertise revocation status information is considered to be not revoked and does not need to be processed via override mechanisms. Override mechanisms are for use with certificates with published revocation status information that is not accessible, whether temporarily or because the information cannot be accessed during the state of the TOE (e.g., for verifying signatures on boot code). The circumstances should be described by the ST author, who should indicate the override mechanism and conditions that apply to the override, including system state, user or admin actions, etc.

This SFR is claimed if "mutual authentication" is selected in FCS_TLSC_EXT.1.1.

Clients that support TLS 1.3 and post-handshake authentication claim ‘in support of post-handshake authentication requests’ in the first selection. The ‘at no other time’ selection is claimed for clients only supporting TLS 1.2 or for TLS 1.3 clients that do not support post-handshake authentication.

The certificate request sent by the server specifies the signature algorithms and certification authorities supported by the server. If the client does not possess a matching certificate, it sends an empty certificate message. The structure of the certificate request message is changed in TLS 1.3 to use the signature_algorithm, signature_algorithms_cert, and certificate_authorities extensions, and RFC 8446 allows for TLS 1.2 implementations to use the new message structure. The "RFC 8446, Section 4.3.2" option is claimed in the second selection if TLS 1.3 is supported or if the RFC 8446 method is supported for TLS 1.2 servers. The "RFC 5246, Section 7.4.4" option is claimed if the RFC 5246 method is supported for interoperability with TLS 1.2 servers that do not adopt the RFC 8446 method. When mutual authentication is supported, at least one of these methods must be claimed, per the selection.

This SFR is claimed if "supplemental downgrade protection" is selected in FCS_TLSC_EXT.1.1.

The ST author claims the “TLS 1.2 downgrade indicator” when FCS_TLSC_EXT.1 indicates support for both TLS 1.3 and supplemental downgrade protection. This option is not claimed if TLS 1.3 is not supported. The “TLS 1.1 or below downgrade indicator” option may be claimed regardless of support for TLS 1.3, but should only be claimed if the TSF is capable of detecting the indicator. As indicated in FCS_TLSC_EXT.1.1, this FP requires the client to terminate TLS 1.1 or below sessions. It is acceptable for the TSF to always terminate TLS 1.1 sessions based on the server hello negotiated version field and ignore any downgrade indicator. However, a product that is capable of detecting the TLS 1.1 or below downgrade indicator may take different actions depending on whether the TLS 1.1 or below downgrade indicator is set.

This SFR is claimed if "TLS as a client" is selected in FCS_TLS_EXT.1.1.

A client allowing TLS 1.2 connections may present either the "renegotiation_info" extension or the signaling ciphersuite value TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the initial client hello message to indicate support for secure renegotiation. The ST author claims the methods supported. The TLS_EMPTY_RENEGOTIATION_INFO_SCSV is the preferred mechanism for TLS 1.2 protection against insecure renegotiation when the client does not renegotiate. The ST author will claim the ‘hello request message is received’ option in the second selection to indicate support for this mechanism.

RFC 5746 allows the client to accept connections with servers that do not support the extension; this FP refines RFC 5746 and requires the client to terminate sessions with such servers. Thus, unexpected server hello messages include an initial server hello negotiating TLS 1.2 that does not contain a renegotiation_info extension, an initial server hello negotiating TLS 1.2 that has a renegotiation_info that is non-empty, a subsequent server hello negotiating TLS 1.2 that does not contain a renegotiation_info extension, and a subsequent server hello negotiating TLS 1.2 that has a renegotiation_info extension with an incorrect renegotiated_connection value.

TLS 1.3 provides protection against insecure renegotiation by not allowing renegotiation. If TLS 1.3 is claimed in FCS_TLSC_EXT.1.1, the client receives a server hello that attempts to negotiate TLS 1.3, and the server hello also contains a renegotiation_info extension; the client will terminate the connection.

This SFR is claimed if "session resumption" is selected in FCS_TLSC_EXT.1.1.

The ST author indicates which session resumption mechanisms are supported. One or both of the first two options, "session ID in accordance with RFC 5246" and "tickets in accordance with RFC 5077" are claimed for TLS 1.2 resumption. If resumption of TLS 1.3 sessions is supported, "PSK and tickets in accordance with RFC 8446" is selected, and the selection-based SFR FCS_TLSC_EXT.6 must also be claimed.

While it is possible to perform session resumption using PSK ciphersuites in TLS 1.2, this is uncommon. Validation of key exchange and session negotiation rules for PSK ciphersuites is independent of the source of the pre-shared key and is covered in FCS_TLSC_EXT.1.

This SFR is claimed if "PSK and tickets in accordance with RFC 8446" is selected in FCS_TLSC_EXT.5.1.

This SFR is claimed when session resumption is supported for TLS 1.3. RFC 8446 allows pre-shared keys to be used directly and also allows early data to be protected using only the pre-shared key. This SFR refines the RFC to use PSK only with a supplemental DHE or ECDHE key exchange to ensure perfect forward secrecy for all sessions.

This SFR is claimed if "TLS as a server" is selected in FCS_TLS_EXT.1.1.

These requirements will be revisited as new TLS versions are standardized by the IETF.

Session renegotiation protection is required for both TLS 1.2 and TLS 1.3, and the ST must include the requirements from FCS_TLSS_EXT.4. Within FCS_TLSS_EXT.4, options for implementation of secure session renegotiation for TLS 1.2 or rejecting renegotiation requests are claimed.

If "mutual authentication" is selected, then the ST must additionally include the requirements from FCS_TLSS_EXT.2. If the TOE implements mutual authentication, this selection must be made.

If "supplemental downgrade protection" is selected, then the ST must additionally include the requirements from FCS_TLSS_EXT.3. If the TOE provides downgrade protection as indicated in RFC 8446, in particular, if TLS 1.3 is supported, this selection must be made.

If "session resumption" is selected, then the ST must additionally include the requirements from FCS_TLSS_EXT.5.

The ST author should select the ciphersuites that are supported and must select at least one ciphersuite for each TLS version supported. It is necessary to limit the ciphersuites that can be used in an evaluated configuration administratively on the server in the test environment. If administrative steps need to be taken so that the ciphersuites negotiated by the implementation are limited to those in this requirement, then the appropriate instructions need to be contained in the guidance.

The final selection indicates the TOE’s preference for negotiating a ciphersuite. RFC 9151 indicates the required ciphersuites for NSS systems and ‘RFC 9151 priority’ is claimed if those ciphersuites are selected whenever offered by the client. In general, it is preferred that GCM ciphersuites are selected over CBC ciphersuites, ECDHE is selected over RSA and DHE, and SHA256 or SHA384 is selected over SHA1.

The ‘client hello ordering’ option is claimed if client priority is considered; if both are claimed, the ST author should indicate which is primary and which is secondary, and whether the priority scheme is configurable. If other priority schemes or if tertiary priority is used, the ST author will claim the third option and describe the scheme in the ST.

Support for TLS_RSA_WITH_AES_128_CBC_SHA is not required despite being mandated by RFC 5246.

TLS 1.2 and TLS 1.3 perform key exchange using different mechanisms. In TLS 1.2, the requirements apply to the key exchange messages received by the server and optionally (for DHE or ECDHE ciphersuites) sent by the server. In TLS 1.3, the requirements apply to the values of the key share extension contained in the client and server hello messages. The options depend on the supported ciphersuites. For each session, the key exchange method is consistent with the selected ciphersuite (TLS 1.2), the supported groups extension (TLS 1.3 and conditionally, TLS 1.2), or the key share extension (TLS 1.3).

If the ST lists an RSA ciphersuite in FCS_TLSS_EXT.1.2, the ST must include the RSA selection in the requirement.

If the ST lists a DHE ciphersuite in FCS_TLSS_EXT.1.2, the ST must include the Diffie-Hellman selection for parameters of a certain size, the Diffie-Hellman groups selection in support of TLS 1.2 exchanges, or both. The selection for "Diffie-Hellman parameters" refers to the method defined by RFC 5246, Section 7.4.3 where the server provides Diffie-Hellman parameters to the client. The “Diffie-Hellman groups” selection indicates key exchange negotiation in accordance with RFC 7919 using the supported groups extension. RFC 7919 identifies particular Diffie-Hellman groups, which are listed in the following selection. This option is the preferred mechanism for TLS 1.2, and must be claimed if TLS 1.3 DHE ciphersuites are supported.

If the ST lists an ECDHE ciphersuite in FCS_TLSS_EXT.1.2, the ST must include the selection for ECDHE using elliptic curves in the requirement, consistent with the support indicated for the supported groups extension in FCS_TLSS_EXT.1.4.

When TLS 1.3 is negotiated (if supported), the supported group negotiated (a supported DHE or ECDHE group) agrees with one of the client’s supported groups and the supplied key share element, and the product’s key share element is a member of the selected group. If the TLS 1.3 client does not initially provide a key share element for a group supported by both the product and the client, the TOE is expected to send a hello retry request message indicating the selected group; the requirement for matching the group indicated in the client’s hello message applies to the client’s hello message received in response to the hello retry request message.

This SFR is claimed if "mutual authentication" is selected in FCS_TLSS_EXT.1.1.

TLS 1.3 supports authentication after completing the abbreviated handshake with pre-shared keys. A server may send a client a certificate request after the finished message whenever the client includes the post-handshake authentication extension. The ST author claims ‘during post-handshake request’ if this feature is supported. If TLS 1.3 is not supported, or if the TLS post-handshake request extension is not recognized in a TLS 1.3 handshake, the ST author selects ‘at no other time’.

The ST author claims any certificate processing exceptions that are allowed for specific calling applications. The ‘continue establishment of a server-only authenticated TLS channel…’ selection is claimed if the TLS product supports applications that can provide services to unauthenticated users if the user does not possess an appropriate certificate. Within this selection, the ST author indicates which applications are able to support both authenticated and unauthenticated users.

The ST author claims ‘continue establishment of a mutually authenticated TLS channel…’ if there is an administrator configuration or user confirmation that revocation status information is not available for one or more of the certificates in the client’s certificate chain. If claimed, the ST author will describe in the assignment for intermediate values which CA certificates are included in the exception (for example, “all intermediates but the issuing CA” or “specific end-entity certificates as configured”). Within this selection, the ST author specifies which applications are impacted and which authorized user is allowed to approve continuing with the session when revocation information is not available. If an administrator configures whether a user may accept a certificate without status information, both selections are claimed. The ‘as a default’ should only be selected for applications that do not have access to revocation information. Methods for obtaining revocation information are included in FIA_X509_EXT.1.

Authorization for services provided by the applications that are protected by the TLS session is determined either by the application establishing a set of reference identifiers or by passing the received identifiers to the application. The ST author indicates the methods supported and, for each method supported, indicates all name types supported; at least one name type is required. In the assignment of the first option, the ST author indicates all name types and the corresponding method for matching in the sub-selections. In the second method option, the ST author indicates which name type normalizations the product supports. If the product passes the entire validated certificate to the application, no normalization of the names contained in the certificate is expected.

If name normalization is claimed, care should be taken regarding wildcards and IP addresses. IP addresses embedded in DNS host names and in Directory Name CN components have been observed to include non-standard wildcard designations including the ‘*’ character. Any embedded IP addresses should use standard CIDR notation and should not include nonstandard encoding.

This SFR is claimed if "supplemental downgrade protection" is selected in FCS_TLSS_EXT.1.1.

RFC 8446 requires both the TLS 1.2 downgrade indicator as well as an indicator for TLS 1.1 and below. This FP requires the server to reject attempts to establish TLS 1.1 and below, making this mechanism redundant. However, products may still implement both indicators to be compliant with the RFC.

This SFR is claimed if "TLS as a server" is selected in FCS_TLS_EXT.1.1.

RFC 5746 defines an extension to TLS 1.2 that binds renegotiation handshakes to the cryptography in the original handshake. As a refinement of the RFC, servers that support renegotiation and negotiating TLS 1.2 will terminate a session if neither of the methods described in RFC 5746 are offered by the client. RFC 5746 indicates that a server negotiating TLS 1.2 is required to terminate the session if the conditions for secure renegotiation are not met. Alternatively, a TLS server may negotiate TLS 1.2 without any RFC 5746 client renegotiation indicators if it always terminates an existing session when a new client hello is received, similar to the implementation of TLS 1.3.

TLS 1.3 does not allow renegotiation. Termination, as indicated in FCS_TLSS_EXT.4.3, covers TLS 1.3 sessions as well as TLS 1.2 sessions where the client hello received does not comply with RFC 5746, or when configured to reject renegotiation (if the product is configurable).

This SFR is claimed if "session resumption" is selected in FCS_TLSS_EXT.1.1.

The ST author indicates which session resumption mechanisms are supported. One or both of the first two options, "session ID in accordance with RFC 5246" and "tickets in accordance with RFC 5077" are claimed for TLS 1.2 resumption. If resumption of TLS 1.3 sessions is supported, "PSK and tickets in accordance with RFC 8446" is selected, and the selection-based SFR FCS_TLSS_EXT.6 must also be claimed.

While it is possible to perform session resumption using PSK ciphersuites in TLS 1.2, this is uncommon. Validation of key exchange and session negotiation rules for PSK ciphersuites is independent of the source of the pre-shared key and is covered in FCS_TLSS_EXT.1.

This SFR is claimed if "PSK and tickets in accordance with RFC 8446" is selected in FCS_TLSS_EXT.5.1.

RFC 8446 allows pre-shared keys to be used directly and also allows early data to be protected using only the pre-shared key. This SFR refines the RFC to use PSK only with a supplemental DHE or ECDHE key exchange to ensure perfect forward secrecy for all sessions.