rfc9645.original | rfc9645.txt | |||
---|---|---|---|---|
NETCONF Working Group K. Watsen | Internet Engineering Task Force (IETF) K. Watsen | |||
Internet-Draft Watsen Networks | Request for Comments: 9645 Watsen Networks | |||
Intended status: Standards Track 16 March 2024 | Category: Standards Track October 2024 | |||
Expires: 17 September 2024 | ISSN: 2070-1721 | |||
YANG Groupings for TLS Clients and TLS Servers | YANG Groupings for TLS Clients and TLS Servers | |||
draft-ietf-netconf-tls-client-server-41 | ||||
Abstract | Abstract | |||
This document presents four YANG 1.1 modules. Three IETF modules, | This document presents four YANG 1.1 modules -- three IETF modules | |||
and one supporting IANA module. | and one supporting IANA module. | |||
The three IETF modules are: ietf-tls-common, ietf-tls-client, and | The three IETF modules are "ietf-tls-common", "ietf-tls-client", and | |||
ietf-tls-server. The "ietf-tls-client" and "ietf-tls-server" modules | "ietf-tls-server". The "ietf-tls-client" and "ietf-tls-server" | |||
are the primary productions of this work, supporting the | modules are the primary productions of this work, supporting the | |||
configuration and monitoring of TLS clients and servers. | configuration and monitoring of TLS clients and servers. | |||
The IANA module is: iana-tls-cipher-suite-algs. This module defines | The IANA module is "iana-tls-cipher-suite-algs". This module defines | |||
YANG enumerations providing support for an IANA-maintained algorithm | YANG enumerations that provide support for an IANA-maintained | |||
registry. | algorithm registry. | |||
Editorial Note (To be removed by RFC Editor) | ||||
This draft contains placeholder values that need to be replaced with | ||||
finalized values at the time of publication. This note summarizes | ||||
all of the substitutions that are needed. No other RFC Editor | ||||
instructions are specified elsewhere in this document. | ||||
Artwork in this document contains shorthand references to drafts in | ||||
progress. Please apply the following replacements: | ||||
* AAAA --> the assigned RFC value for draft-ietf-netconf-crypto- | ||||
types | ||||
* BBBB --> the assigned RFC value for draft-ietf-netconf-trust- | ||||
anchors | ||||
* CCCC --> the assigned RFC value for draft-ietf-netconf-keystore | ||||
* DDDD --> the assigned RFC value for draft-ietf-netconf-tcp-client- | ||||
server | ||||
* FFFF --> the assigned RFC value for this draft | ||||
Artwork in this document contains placeholder values for the date of | ||||
publication of this draft. Please apply the following replacement: | ||||
* 2024-03-16 --> the publication date of this draft | ||||
The "Relation to other RFCs" section Section 1.2 contains the text | ||||
"one or more YANG modules" and, later, "modules". This text is | ||||
sourced from a file in a context where it is unknown how many modules | ||||
a draft defines. The text is not wrong as is, but it may be improved | ||||
by stating more directly how many modules are defined. | ||||
The "Relation to other RFCs" section Section 1.2 contains a self- | ||||
reference to this draft, along with a corresponding reference in the | ||||
Appendix. Please replace the self-reference in this section with | ||||
"This RFC" (or similar) and remove the self-reference in the | ||||
"Normative/Informative References" section, whichever it is in. | ||||
Tree-diagrams in this draft may use the '\' line-folding mode defined | ||||
in RFC 8792. However, nicer-to-the-eye is when the '\\' line-folding | ||||
mode is used. The AD suggested suggested putting a request here for | ||||
the RFC Editor to help convert "ugly" '\' folded examples to use the | ||||
'\\' folding mode. "Help convert" may be interpreted as, identify | ||||
what looks ugly and ask the authors to make the adjustment. | ||||
The following Appendix sections are to be removed prior to | ||||
publication: | ||||
* Appendix A.1. Initial Module for the "TLS Cipher Suites" Registry | ||||
* Appendix B. Change Log | ||||
Status of This Memo | Status of This Memo | |||
This Internet-Draft is submitted in full conformance with the | This is an Internet Standards Track document. | |||
provisions of BCP 78 and BCP 79. | ||||
Internet-Drafts are working documents of the Internet Engineering | ||||
Task Force (IETF). Note that other groups may also distribute | ||||
working documents as Internet-Drafts. The list of current Internet- | ||||
Drafts is at https://datatracker.ietf.org/drafts/current/. | ||||
Internet-Drafts are draft documents valid for a maximum of six months | This document is a product of the Internet Engineering Task Force | |||
and may be updated, replaced, or obsoleted by other documents at any | (IETF). It represents the consensus of the IETF community. It has | |||
time. It is inappropriate to use Internet-Drafts as reference | received public review and has been approved for publication by the | |||
material or to cite them other than as "work in progress." | Internet Engineering Steering Group (IESG). Further information on | |||
Internet Standards is available in Section 2 of RFC 7841. | ||||
This Internet-Draft will expire on 17 September 2024. | Information about the current status of this document, any errata, | |||
and how to provide feedback on it may be obtained at | ||||
https://www.rfc-editor.org/info/rfc9645. | ||||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2024 IETF Trust and the persons identified as the | Copyright (c) 2024 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents | |||
license-info) in effect on the date of publication of this document. | (https://trustee.ietf.org/license-info) in effect on the date of | |||
Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents | |||
and restrictions with respect to this document. Code Components | carefully, as they describe your rights and restrictions with respect | |||
extracted from this document must include Revised BSD License text as | to this document. Code Components extracted from this document must | |||
described in Section 4.e of the Trust Legal Provisions and are | include Revised BSD License text as described in Section 4.e of the | |||
provided without warranty as described in the Revised BSD License. | Trust Legal Provisions and are provided without warranty as described | |||
in the Revised BSD License. | ||||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5 | 1. Introduction | |||
1.1. Regarding the IETF Modules . . . . . . . . . . . . . . . 5 | 1.1. Regarding the Three IETF Modules | |||
1.2. Relation to other RFCs . . . . . . . . . . . . . . . . . 6 | 1.2. Relation to Other RFCs | |||
1.3. Specification Language . . . . . . . . . . . . . . . . . 8 | 1.3. Specification Language | |||
1.4. Adherence to the NMDA . . . . . . . . . . . . . . . . . . 8 | 1.4. Adherence to the NMDA | |||
1.5. Conventions . . . . . . . . . . . . . . . . . . . . . . . 8 | 1.5. Conventions | |||
2. The "ietf-tls-common" Module . . . . . . . . . . . . . . . . 8 | 2. The "ietf-tls-common" Module | |||
2.1. Data Model Overview . . . . . . . . . . . . . . . . . . . 9 | 2.1. Data Model Overview | |||
2.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 12 | 2.2. Example Usage | |||
2.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 14 | 2.3. YANG Module | |||
3. The "ietf-tls-client" Module . . . . . . . . . . . . . . . . 21 | 3. The "ietf-tls-client" Module | |||
3.1. Data Model Overview . . . . . . . . . . . . . . . . . . . 21 | 3.1. Data Model Overview | |||
3.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 25 | 3.2. Example Usage | |||
3.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 28 | 3.3. YANG Module | |||
4. The "ietf-tls-server" Module . . . . . . . . . . . . . . . . 39 | 4. The "ietf-tls-server" Module | |||
4.1. Data Model Overview . . . . . . . . . . . . . . . . . . . 39 | 4.1. Data Model Overview | |||
4.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 43 | 4.2. Example Usage | |||
4.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 45 | 4.3. YANG Module | |||
5. Security Considerations . . . . . . . . . . . . . . . . . . . 57 | 5. Security Considerations | |||
5.1. Considerations for the "iana-tls-cipher-suite-algs" | 5.1. Considerations for the "iana-tls-cipher-suite-algs" YANG | |||
Module . . . . . . . . . . . . . . . . . . . . . . . . . 57 | Module | |||
5.2. Considerations for the "ietf-tls-common" YANG Module . . 57 | 5.2. Considerations for the "ietf-tls-common" YANG Module | |||
5.3. Considerations for the "ietf-tls-client" YANG Module . . 58 | 5.3. Considerations for the "ietf-tls-client" YANG Module | |||
5.4. Considerations for the "ietf-tls-server" YANG Module . . 59 | 5.4. Considerations for the "ietf-tls-server" YANG Module | |||
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 60 | 6. IANA Considerations | |||
6.1. The "IETF XML" Registry . . . . . . . . . . . . . . . . . 60 | 6.1. The IETF XML Registry | |||
6.2. The "YANG Module Names" Registry . . . . . . . . . . . . 60 | 6.2. The YANG Module Names Registry | |||
6.3. Considerations for the "iana-tls-cipher-suite-algs" | 6.3. Considerations for the "iana-tls-cipher-suite-algs" YANG | |||
Module . . . . . . . . . . . . . . . . . . . . . . . . . 61 | Module | |||
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 62 | 7. References | |||
7.1. Normative References . . . . . . . . . . . . . . . . . . 63 | 7.1. Normative References | |||
7.2. Informative References . . . . . . . . . . . . . . . . . 66 | 7.2. Informative References | |||
Appendix A. Script to Generate IANA-Maintained YANG Modules | ||||
Appendix A. Script to Generate IANA-Maintained YANG Modules . . 69 | Acknowledgements | |||
A.1. Initial Module for the "TLS Cipher Suites" Registry . . . 75 | Contributors | |||
Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 149 | Author's Address | |||
B.1. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 149 | ||||
B.2. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 149 | ||||
B.3. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 149 | ||||
B.4. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 149 | ||||
B.5. 04 to 05 . . . . . . . . . . . . . . . . . . . . . . . . 150 | ||||
B.6. 05 to 06 . . . . . . . . . . . . . . . . . . . . . . . . 150 | ||||
B.7. 06 to 07 . . . . . . . . . . . . . . . . . . . . . . . . 150 | ||||
B.8. 07 to 08 . . . . . . . . . . . . . . . . . . . . . . . . 150 | ||||
B.9. 08 to 09 . . . . . . . . . . . . . . . . . . . . . . . . 150 | ||||
B.10. 09 to 10 . . . . . . . . . . . . . . . . . . . . . . . . 151 | ||||
B.11. 10 to 11 . . . . . . . . . . . . . . . . . . . . . . . . 151 | ||||
B.12. 11 to 12 . . . . . . . . . . . . . . . . . . . . . . . . 151 | ||||
B.13. 12 to 13 . . . . . . . . . . . . . . . . . . . . . . . . 152 | ||||
B.14. 12 to 13 . . . . . . . . . . . . . . . . . . . . . . . . 152 | ||||
B.15. 13 to 14 . . . . . . . . . . . . . . . . . . . . . . . . 152 | ||||
B.16. 14 to 15 . . . . . . . . . . . . . . . . . . . . . . . . 152 | ||||
B.17. 15 to 16 . . . . . . . . . . . . . . . . . . . . . . . . 152 | ||||
B.18. 16 to 17 . . . . . . . . . . . . . . . . . . . . . . . . 152 | ||||
B.19. 17 to 18 . . . . . . . . . . . . . . . . . . . . . . . . 153 | ||||
B.20. 18 to 19 . . . . . . . . . . . . . . . . . . . . . . . . 153 | ||||
B.21. 19 to 20 . . . . . . . . . . . . . . . . . . . . . . . . 153 | ||||
B.22. 20 to 21 . . . . . . . . . . . . . . . . . . . . . . . . 154 | ||||
B.23. 21 to 22 . . . . . . . . . . . . . . . . . . . . . . . . 154 | ||||
B.24. 22 to 23 . . . . . . . . . . . . . . . . . . . . . . . . 154 | ||||
B.25. 23 to 24 . . . . . . . . . . . . . . . . . . . . . . . . 154 | ||||
B.26. 24 to 25 . . . . . . . . . . . . . . . . . . . . . . . . 155 | ||||
B.27. 25 to 26 . . . . . . . . . . . . . . . . . . . . . . . . 155 | ||||
B.28. 26 to 27 . . . . . . . . . . . . . . . . . . . . . . . . 155 | ||||
B.29. 27 to 28 . . . . . . . . . . . . . . . . . . . . . . . . 155 | ||||
B.30. 28 to 29 . . . . . . . . . . . . . . . . . . . . . . . . 156 | ||||
B.31. 29 to 30 . . . . . . . . . . . . . . . . . . . . . . . . 156 | ||||
B.32. 30 to 31 . . . . . . . . . . . . . . . . . . . . . . . . 156 | ||||
B.33. 31 to 32 . . . . . . . . . . . . . . . . . . . . . . . . 156 | ||||
B.34. 32 to 33 . . . . . . . . . . . . . . . . . . . . . . . . 156 | ||||
B.35. 33 to 34 . . . . . . . . . . . . . . . . . . . . . . . . 156 | ||||
B.36. 34 to 35 . . . . . . . . . . . . . . . . . . . . . . . . 157 | ||||
B.37. 35 to 36 . . . . . . . . . . . . . . . . . . . . . . . . 157 | ||||
B.38. 36 to 37 . . . . . . . . . . . . . . . . . . . . . . . . 157 | ||||
B.39. 37 to 39 . . . . . . . . . . . . . . . . . . . . . . . . 157 | ||||
B.40. 39 to 40 . . . . . . . . . . . . . . . . . . . . . . . . 158 | ||||
B.41. 40 to 41 . . . . . . . . . . . . . . . . . . . . . . . . 158 | ||||
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 158 | ||||
Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 158 | ||||
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 158 | ||||
1. Introduction | 1. Introduction | |||
This document presents four YANG 1.1 [RFC7950] modules. Three "IETF" | This document presents four YANG 1.1 [RFC7950] modules -- three IETF | |||
modules and one "IANA" module. | modules and one IANA module. | |||
The three IETF modules are ietf-tls-common (Section 2), ietf-tls- | The three IETF modules are "ietf-tls-common" (Section 2), "ietf-tls- | |||
client (Section 3), and ietf-tls-server (Section 4). The "ietf-tls- | client" (Section 3), and "ietf-tls-server" (Section 4). The "ietf- | |||
client" and "ietf-tls-server" modules are the primary productions of | tls-client" and "ietf-tls-server" modules are the primary productions | |||
this work, supporting the configuration and monitoring of TLS clients | of this work, supporting the configuration and monitoring of TLS | |||
and servers. | clients and servers. | |||
The groupings defined in this document are expected to be used in | The groupings defined in this document are expected to be used in | |||
conjunction with the groupings defined in an underlying transport- | conjunction with the groupings defined in an underlying transport- | |||
level module, such as the groupings defined in | level module, such as the groupings defined in [RFC9643]. The | |||
[I-D.ietf-netconf-tcp-client-server]. The transport-level data model | transport-level data model enables the configuration of transport- | |||
enables the configuration of transport-level values such as a remote | level values such as a remote address, a remote port, a local | |||
address, a remote port, a local address, and a local port. | address, and a local port. | |||
The IANA module is iana-tls-cipher-suite-algs (Appendix A.1). This | The IANA module is "iana-tls-cipher-suite-algs". This module defines | |||
module defines YANG enumerations providing support for an IANA- | YANG enumerations that provide support for an IANA-maintained | |||
maintained algorithm registry. | algorithm registry. | |||
This document assumes that the IANA module exists, and presents a | IANA used the script in Appendix A to generate the "iana-tls-cipher- | |||
script in Appendix A that IANA may use to generate the YANG module. | suite-algs" YANG module. This document does not publish the initial | |||
This document does not publish initial version of this module. IANA | version of the module; it is published and maintained by IANA. | |||
publishes this module. | ||||
1.1. Regarding the IETF Modules | 1.1. Regarding the Three IETF Modules | |||
The three IETF modules define features and groupings to model | The three IETF modules define features and groupings to model | |||
"generic" TLS clients and TLS servers, where "generic" should be | "generic" TLS clients and TLS servers, where "generic" should be | |||
interpreted as "least common denominator" rather than "complete." | interpreted as "least common denominator" rather than "complete." | |||
Basic TLS protocol support is afforded by these modules, leaving | Basic TLS protocol support is afforded by these modules, leaving | |||
configuration of advance features to augmentations made by consuming | configuration of advance features to augmentations made by consuming | |||
modules. | modules. | |||
It is intended that the YANG groupings will be used by applications | It is intended that the YANG groupings will be used by applications | |||
needing to configure TLS client and server protocol stacks. For | needing to configure TLS client and server protocol stacks. For | |||
instance, these groupings are used to help define the data model for | instance, these groupings are used to help define the data model for | |||
HTTPS [RFC2818] and NETCONF over TLS [RFC7589] based clients and | HTTPS [RFC9110] and clients and servers based on the Network | |||
servers in [I-D.ietf-netconf-http-client-server] and | Configuration Protocol (NETCONF) over TLS [RFC7589] in | |||
[I-D.ietf-netconf-netconf-client-server] respectively. | [HTTP-CLIENT-SERVER] and [NETCONF-CLIENT-SERVER], respectively. | |||
The ietf-tls-client and ietf-tls-server YANG modules each define one | The "ietf-tls-client" and "ietf-tls-server" YANG modules each define | |||
grouping, which is focused on just TLS-specific configuration, and | one grouping, which is focused on just TLS-specific configuration, | |||
specifically avoids any transport-level configuration, such as what | and specifically avoid any transport-level configuration, such as | |||
ports to listen-on or connect-to. This affords applications the | what ports to listen on or connect to. This affords applications the | |||
opportunity to define their own strategy for how the underlying TCP | opportunity to define their own strategy for how the underlying TCP | |||
connection is established. For instance, applications supporting | connection is established. For instance, applications supporting | |||
NETCONF Call Home [RFC8071] could use the "tls-server-grouping" | NETCONF Call Home [RFC8071] could use the "tls-server-grouping" | |||
grouping for the TLS parts it provides, while adding data nodes for | grouping for the TLS parts it provides, while adding data nodes for | |||
the TCP-level call-home configuration. | the TCP-level call-home configuration. | |||
Both TLS 1.2 and TLS 1.3 may be configured. TLS 1.2 [RFC5246] is | Both TLS 1.2 and TLS 1.3 may be configured. TLS 1.2 [RFC5246] is | |||
obsoleted by TLS 1.3 [RFC8446] but still in common use, and hence its | obsoleted by TLS 1.3 [RFC8446] but is still in common use, and hence | |||
"feature" statement is marked "status deprecated". | its "feature" statement is marked "status deprecated". | |||
1.2. Relation to other RFCs | 1.2. Relation to Other RFCs | |||
This document presents one or more YANG modules [RFC7950] that are | This document presents four YANG modules [RFC7950] that are part of a | |||
part of a collection of RFCs that work together to, ultimately, | collection of RFCs that work together to ultimately support the | |||
support the configuration of both the clients and servers of both the | configuration of both the clients and servers of the NETCONF | |||
NETCONF [RFC6241] and RESTCONF [RFC8040] protocols. | [RFC6241] and RESTCONF [RFC8040] protocols. | |||
The dependency relationship between the primary YANG groupings | The dependency relationship between the primary YANG groupings | |||
defined in the various RFCs is presented in the below diagram. In | defined in the various RFCs is presented in the diagram below. In | |||
some cases, a draft may define secondary groupings that introduce | some cases, a document may define secondary groupings that introduce | |||
dependencies not illustrated in the diagram. The labels in the | dependencies not illustrated in the diagram. The labels in the | |||
diagram are a shorthand name for the defining RFC. The citation | diagram are shorthand names for the defining RFCs. The citation | |||
reference for shorthand name is provided below the diagram. | references for the shorthand names are provided below the diagram. | |||
Please note that the arrows in the diagram point from referencer to | Please note that the arrows in the diagram point from referencer to | |||
referenced. For example, the "crypto-types" RFC does not have any | referenced. For example, the "crypto-types" RFC does not have any | |||
dependencies, whilst the "keystore" RFC depends on the "crypto-types" | dependencies, whilst the "keystore" RFC depends on the "crypto-types" | |||
RFC. | RFC. | |||
crypto-types | crypto-types | |||
^ ^ | ^ ^ | |||
/ \ | / \ | |||
/ \ | / \ | |||
skipping to change at page 7, line 28 ¶ | skipping to change at line 189 ¶ | |||
| | | | | ^ | | | | | | ^ | |||
| | | +-----+ +---------+ | | | | | +-----+ +---------+ | | |||
| | | | | | | | | | | | | | |||
| +-----------|--------|--------------+ | | | | +-----------|--------|--------------+ | | | |||
| | | | | | | | | | | | | | |||
+-----------+ | | | | | | +-----------+ | | | | | | |||
| | | | | | | | | | | | | | |||
| | | | | | | | | | | | | | |||
netconf-client-server restconf-client-server | netconf-client-server restconf-client-server | |||
+======================+===========================================+ | +========================+==========================+ | |||
|Label in Diagram | Originating RFC | | | Label in Diagram | Originating RFC | | |||
+======================+===========================================+ | +========================+==========================+ | |||
|crypto-types | [I-D.ietf-netconf-crypto-types] | | | crypto-types | [RFC9640] | | |||
+----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
|truststore | [I-D.ietf-netconf-trust-anchors] | | | truststore | [RFC9641] | | |||
+----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
|keystore | [I-D.ietf-netconf-keystore] | | | keystore | [RFC9642] | | |||
+----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
|tcp-client-server | [I-D.ietf-netconf-tcp-client-server] | | | tcp-client-server | [RFC9643] | | |||
+----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
|ssh-client-server | [I-D.ietf-netconf-ssh-client-server] | | | ssh-client-server | [RFC9644] | | |||
+----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
|tls-client-server | [I-D.ietf-netconf-tls-client-server] | | | tls-client-server | RFC 9645 | | |||
+----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
|http-client-server | [I-D.ietf-netconf-http-client-server] | | | http-client-server | [HTTP-CLIENT-SERVER] | | |||
+----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
|netconf-client-server | [I-D.ietf-netconf-netconf-client-server] | | | netconf-client-server | [NETCONF-CLIENT-SERVER] | | |||
+----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
|restconf-client-server| [I-D.ietf-netconf-restconf-client-server] | | | restconf-client-server | [RESTCONF-CLIENT-SERVER] | | |||
+----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
Table 1: Label in Diagram to RFC Mapping | Table 1: Labels in Diagram to RFC Mapping | |||
1.3. Specification Language | 1.3. Specification Language | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
"OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in | |||
14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
capitals, as shown here. | capitals, as shown here. | |||
1.4. Adherence to the NMDA | 1.4. Adherence to the NMDA | |||
This document is compliant with the Network Management Datastore | This document is compliant with the Network Management Datastore | |||
Architecture (NMDA) [RFC8342]. For instance, as described in | Architecture (NMDA) [RFC8342]. For instance, as described in | |||
[I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore], | [RFC9641] and [RFC9642], trust anchors and keys installed during | |||
trust anchors and keys installed during manufacturing are expected to | manufacturing are expected to appear in <operational> (Section 5.3 of | |||
appear in <operational> (Section 5.3 of [RFC8342]), and <system> | [RFC8342]) and <system> [SYSTEM-CONFIG] if implemented. | |||
[I-D.ietf-netmod-system-config], if implemented. | ||||
1.5. Conventions | 1.5. Conventions | |||
Various examples in this document use "BASE64VALUE=" as a placeholder | Various examples in this document use "BASE64VALUE=" as a placeholder | |||
value for binary data that has been base64 encoded (per Section 9.8 | value for binary data that has been base64 encoded (per Section 9.8 | |||
of [RFC7950]). This placeholder value is used because real base64 | of [RFC7950]). This placeholder value is used because real | |||
encoded structures are often many lines long and hence distracting to | base64-encoded structures are often many lines long and hence | |||
the example being presented. | distracting to the example being presented. | |||
Various examples in this document use the XML [W3C.REC-xml-20081126] | ||||
encoding. Other encodings, such as JSON [RFC8259], could | ||||
alternatively be used. | ||||
Various examples in this document contain long lines that may be | ||||
folded, as described in [RFC8792]. | ||||
2. The "ietf-tls-common" Module | 2. The "ietf-tls-common" Module | |||
The TLS common model presented in this section contains features and | The TLS common model presented in this section contains features and | |||
groupings common to both TLS clients and TLS servers. The "hello- | groupings common to both TLS clients and TLS servers. The "hello- | |||
params-grouping" grouping can be used to configure the list of TLS | params-grouping" grouping can be used to configure the list of TLS | |||
algorithms permitted by the TLS client or TLS server. The lists of | algorithms permitted by the TLS client or TLS server. The lists of | |||
algorithms are ordered such that, if multiple algorithms are | algorithms are ordered such that, if multiple algorithms are | |||
permitted by the client, the algorithm that appears first in its list | permitted by the client, the algorithm that appears first in its list | |||
that is also permitted by the server is used for the TLS transport | and that is also permitted by the server is used for the TLS | |||
layer connection. The ability to restrict the algorithms allowed is | transport layer connection. The ability to restrict the algorithms | |||
provided in this grouping for TLS clients and TLS servers that are | allowed is provided in this grouping for TLS clients and TLS servers | |||
capable of doing so and may serve to make TLS clients and TLS servers | that are capable of doing so and that may serve to make TLS clients | |||
compliant with local security policies. This model supports both TLS | and TLS servers compliant with local security policies. This model | |||
1.2 [RFC5246] and TLS 1.3 [RFC8446]. | supports both TLS 1.2 [RFC5246] and TLS 1.3 [RFC8446]. | |||
Thus, in order to support both TLS1.2 and TLS1.3, the cipher-suites | Thus, in order to support both TLS 1.2 and TLS 1.3, the cipher suites | |||
part of the "hello-params-grouping" grouping should include three | part of the "hello-params-grouping" grouping should include the | |||
parameters for configuring its permitted TLS algorithms, which are: | following three parameters for configuring its permitted TLS | |||
TLS Cipher Suites, TLS SignatureScheme, TLS Supported Groups. | algorithms: TLS Cipher Suites, TLS SignatureScheme, and TLS Supported | |||
Groups. | ||||
2.1. Data Model Overview | 2.1. Data Model Overview | |||
This section provides an overview of the "ietf-tls-common" module in | This section provides an overview of the "ietf-tls-common" module in | |||
terms of its features, identities, and groupings. | terms of its features, identities, and groupings. | |||
2.1.1. Features | 2.1.1. Features | |||
The following diagram lists all the "feature" statements defined in | The following diagram lists all the "feature" statements defined in | |||
the "ietf-tls-common" module: | the "ietf-tls-common" module: | |||
skipping to change at page 9, line 43 ¶ | skipping to change at line 303 ¶ | |||
+-- tls-version-base | +-- tls-version-base | |||
+-- tls12 | +-- tls12 | |||
+-- tls13 | +-- tls13 | |||
The diagram above uses syntax that is similar to but not defined in | The diagram above uses syntax that is similar to but not defined in | |||
[RFC8340]. | [RFC8340]. | |||
Comments: | Comments: | |||
* The diagram shows that there are two base identities. | * The diagram shows that there are two base identities. | |||
* One base identity is used to specific TLS versions, while the | * One base identity is used to specify TLS versions. This base | |||
other is used to specify cipher-suites. | identity is "abstract" in the object-oriented programming sense | |||
* These base identities are "abstract", in the object oriented | because it defines a "class" of things rather than a specific | |||
programming sense, in that they only define a "class" of things, | thing. | |||
* These base identities are "abstract" in the object-oriented | ||||
programming sense because they only define a "class" of things | ||||
rather than a specific thing. | rather than a specific thing. | |||
2.1.3. Groupings | 2.1.3. Groupings | |||
The "ietf-tls-common" module defines the following "grouping" | The "ietf-tls-common" module defines the following "grouping" | |||
statement: | statement: | |||
* hello-params-grouping | * hello-params-grouping | |||
This grouping is presented in the following subsection. | This grouping is presented in the following subsection. | |||
skipping to change at page 10, line 24 ¶ | skipping to change at line 335 ¶ | |||
grouping hello-params-grouping: | grouping hello-params-grouping: | |||
+-- tls-versions | +-- tls-versions | |||
| +-- min? identityref | | +-- min? identityref | |||
| +-- max? identityref | | +-- max? identityref | |||
+-- cipher-suites | +-- cipher-suites | |||
+-- cipher-suite* tlscsa:tls-cipher-suite-algorithm | +-- cipher-suite* tlscsa:tls-cipher-suite-algorithm | |||
Comments: | Comments: | |||
* This grouping is used by both the "tls-client-grouping" and the | * This grouping is used by both the "tls-client-grouping" and the | |||
"tls-server-grouping" groupings defined in Section 3.1.2.1 and | "tls-server-grouping" groupings defined in Sections 3.1.2.1 and | |||
Section 4.1.2.1, respectively. | 4.1.2.1, respectively. | |||
* This grouping enables client and server configurations to specify | * This grouping enables client and server configurations to specify | |||
the TLS versions and cipher suites that are to be used when | the TLS versions and cipher suites that are to be used when | |||
establishing TLS sessions. | establishing TLS sessions. | |||
* The "cipher-suites" list is "ordered-by user". | * The "cipher-suites" list is "ordered-by user". | |||
2.1.4. Protocol-accessible Nodes | 2.1.4. Protocol-Accessible Nodes | |||
The following tree diagram [RFC8340] lists all the protocol- | The following tree diagram [RFC8340] lists all the protocol- | |||
accessible nodes defined in the "ietf-tls-common" module, without | accessible nodes defined in the "ietf-tls-common" module, without | |||
expanding the "grouping" statements: | expanding the "grouping" statements: | |||
module: ietf-tls-common | module: ietf-tls-common | |||
+--ro supported-algorithms {algorithm-discovery}? | +--ro supported-algorithms {algorithm-discovery}? | |||
+--ro supported-algorithm* tlscsa:tls-cipher-suite-algorithm | +--ro supported-algorithm* tlscsa:tls-cipher-suite-algorithm | |||
rpcs: | rpcs: | |||
skipping to change at page 11, line 35 ¶ | skipping to change at line 380 ¶ | |||
+--ro output | +--ro output | |||
+--ro (key-or-hidden)? | +--ro (key-or-hidden)? | |||
+--:(key) | +--:(key) | |||
| +---u ct:asymmetric-key-pair-grouping | | +---u ct:asymmetric-key-pair-grouping | |||
+--:(hidden) | +--:(hidden) | |||
+--ro location? | +--ro location? | |||
instance-identifier | instance-identifier | |||
Comments: | Comments: | |||
* Protocol-accessible nodes are those nodes that are accessible when | * Protocol-accessible nodes are nodes that are accessible when the | |||
the module is "implemented", as described in Section 5.6.5 of | module is "implemented", as described in Section 5.6.5 of | |||
[RFC7950]. | [RFC7950]. | |||
* The protocol-accessible nodes for the "ietf-tls-common" module are | * The protocol-accessible nodes for the "ietf-tls-common" module are | |||
limited to the "supported-algorithms" container, which is | limited to the "supported-algorithms" container, which is | |||
constrained by the "algorithm-discovery" feature, and the RPC | constrained by the "algorithm-discovery" feature, and the | |||
"generate-asymmetric-key-pair", which is constrained by the | "generate-asymmetric-key-pair" RPC, which is constrained by the | |||
"asymmetric-key-pair-generation" feature. | "asymmetric-key-pair-generation" feature. | |||
* The "encrypted-by-grouping" grouping is discussed in | * The "encrypted-by-grouping" grouping is discussed in | |||
Section 2.1.3.1 of [I-D.ietf-netconf-keystore]. | Section 2.1.3.1 of [RFC9642]. | |||
* The "asymmetric-key-pair-grouping" grouping is discussed in | * The "asymmetric-key-pair-grouping" grouping is discussed in | |||
Section 2.1.4.6 of [I-D.ietf-netconf-crypto-types]. | Section 2.1.4.6 of [RFC9640]. | |||
2.2. Example Usage | 2.2. Example Usage | |||
The following example illustrates the "hello-params-grouping' | The following example illustrates the "hello-params-grouping" | |||
grouping when populated with some data. | grouping when populated with some data. | |||
<!-- The outermost element below doesn't exist in the data model. --> | <!-- The outermost element below doesn't exist in the data model. --> | |||
<!-- It simulates if the "grouping" were a "container" instead. --> | <!-- It simulates if the "grouping" were a "container" instead. --> | |||
<hello-params | <hello-params | |||
xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-common" | xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-common" | |||
xmlns:tlscmn="urn:ietf:params:xml:ns:yang:ietf-tls-common"> | xmlns:tlscmn="urn:ietf:params:xml:ns:yang:ietf-tls-common"> | |||
<tls-versions> | <tls-versions> | |||
<min>tlscmn:tls12</min> | <min>tlscmn:tls12</min> | |||
skipping to change at page 14, line 40 ¶ | skipping to change at line 493 ¶ | |||
n:public-key-format> | n:public-key-format> | |||
<tlscmn:public-key>BASE64VALUE=</tlscmn:public-key> | <tlscmn:public-key>BASE64VALUE=</tlscmn:public-key> | |||
<tlscmn:private-key-format>ct:ec-private-key-format</tlscmn:privat\ | <tlscmn:private-key-format>ct:ec-private-key-format</tlscmn:privat\ | |||
e-key-format> | e-key-format> | |||
<tlscmn:cleartext-private-key>BASE64VALUE=</tlscmn:cleartext-priva\ | <tlscmn:cleartext-private-key>BASE64VALUE=</tlscmn:cleartext-priva\ | |||
te-key> | te-key> | |||
</rpc-reply> | </rpc-reply> | |||
2.3. YANG Module | 2.3. YANG Module | |||
This YANG module has a normative references to [RFC5288], [RFC5289], | This YANG module has normative references to [RFC5288], [RFC5289], | |||
[RFC8422], and FIPS PUB 180-4. | [RFC8422], [RFC9640], [RFC9642], [FIPS180-4], and [FIPS186-5]. | |||
This YANG module has a informative references to [RFC5246], and | This YANG module has informative references to [RFC5246] and | |||
[RFC8446]. | [RFC8446]. | |||
<CODE BEGINS> file "ietf-tls-common@2024-03-16.yang" | <CODE BEGINS> file "ietf-tls-common@2024-03-16.yang" | |||
module ietf-tls-common { | module ietf-tls-common { | |||
yang-version 1.1; | yang-version 1.1; | |||
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-common"; | namespace "urn:ietf:params:xml:ns:yang:ietf-tls-common"; | |||
prefix tlscmn; | prefix tlscmn; | |||
import iana-tls-cipher-suite-algs { | import iana-tls-cipher-suite-algs { | |||
prefix tlscsa; | prefix tlscsa; | |||
reference | reference | |||
"RFC FFFF: YANG Groupings for TLS Clients and SSH Servers"; | "RFC 9645: YANG Groupings for TLS Clients and TLS Servers"; | |||
} | } | |||
import ietf-crypto-types { | import ietf-crypto-types { | |||
prefix ct; | prefix ct; | |||
reference | reference | |||
"RFC AAAA: YANG Data Types and Groupings for Cryptography"; | "RFC 9640: YANG Data Types and Groupings for Cryptography"; | |||
} | } | |||
import ietf-keystore { | import ietf-keystore { | |||
prefix ks; | prefix ks; | |||
reference | reference | |||
"RFC CCCC: A YANG Data Model for a Keystore"; | "RFC 9642: A YANG Data Model for a Keystore"; | |||
} | } | |||
organization | organization | |||
"IETF NETCONF (Network Configuration) Working Group"; | "IETF NETCONF (Network Configuration) Working Group"; | |||
contact | contact | |||
"WG List: NETCONF WG list <mailto:netconf@ietf.org> | "WG List: NETCONF WG list <mailto:netconf@ietf.org> | |||
WG Web: https://datatracker.ietf.org/wg/netconf | WG Web: https://datatracker.ietf.org/wg/netconf | |||
Author: Kent Watsen <mailto:kent+ietf@watsen.net> | Author: Kent Watsen <mailto:kent+ietf@watsen.net> | |||
Author: Jeff Hartley <mailto:intensifysecurity@gmail.com> | Author: Jeff Hartley <mailto:intensifysecurity@gmail.com> | |||
Author: Gary Wu <mailto:garywu@cisco.com>"; | Author: Gary Wu <mailto:garywu@cisco.com>"; | |||
description | description | |||
"This module defines a common features and groupings for | "This module defines common features and groupings for | |||
Transport Layer Security (TLS). | Transport Layer Security (TLS). | |||
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | ||||
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | ||||
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document | ||||
are to be interpreted as described in BCP 14 (RFC 2119) | ||||
(RFC 8174) when, and only when, they appear in all | ||||
capitals, as shown here. | ||||
Copyright (c) 2024 IETF Trust and the persons identified | Copyright (c) 2024 IETF Trust and the persons identified | |||
as authors of the code. All rights reserved. | as authors of the code. All rights reserved. | |||
Redistribution and use in source and binary forms, with | Redistribution and use in source and binary forms, with | |||
or without modification, is permitted pursuant to, and | or without modification, is permitted pursuant to, and | |||
subject to the license terms contained in, the Revised | subject to the license terms contained in, the Revised | |||
BSD License set forth in Section 4.c of the IETF Trust's | BSD License set forth in Section 4.c of the IETF Trust's | |||
Legal Provisions Relating to IETF Documents | Legal Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info). | (https://trustee.ietf.org/license-info). | |||
This version of this YANG module is part of RFC FFFF | This version of this YANG module is part of RFC 9645 | |||
(https://www.rfc-editor.org/info/rfcFFFF); see the RFC | (https://www.rfc-editor.org/info/rfc9645); see the RFC | |||
itself for full legal notices. | itself for full legal notices."; | |||
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | ||||
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | ||||
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document | ||||
are to be interpreted as described in BCP 14 (RFC 2119) | ||||
(RFC 8174) when, and only when, they appear in all | ||||
capitals, as shown here."; | ||||
revision 2024-03-16 { | revision 2024-03-16 { | |||
description | description | |||
"Initial version"; | "Initial version."; | |||
reference | reference | |||
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; | "RFC 9645: YANG Groupings for TLS Clients and TLS Servers"; | |||
} | } | |||
// Features | // Features | |||
feature tls12 { | feature tls12 { | |||
description | description | |||
"TLS Protocol Version 1.2 is supported. TLS 1.2 is obsolete | "TLS Protocol Version 1.2 is supported. TLS 1.2 is obsolete, | |||
and thus it is NOT RECOMMENDED to enable this feature."; | and thus it is NOT RECOMMENDED to enable this feature."; | |||
reference | reference | |||
"RFC 5246: The Transport Layer Security (TLS) Protocol | "RFC 5246: The Transport Layer Security (TLS) Protocol | |||
Version 1.2"; | Version 1.2"; | |||
} | } | |||
feature tls13 { | feature tls13 { | |||
description | description | |||
"TLS Protocol Version 1.3 is supported."; | "TLS Protocol Version 1.3 is supported."; | |||
reference | reference | |||
skipping to change at page 17, line 42 ¶ | skipping to change at line 634 ¶ | |||
"RFC 8446: The Transport Layer Security (TLS) | "RFC 8446: The Transport Layer Security (TLS) | |||
Protocol Version 1.3"; | Protocol Version 1.3"; | |||
} | } | |||
// Typedefs | // Typedefs | |||
typedef epsk-supported-hash { | typedef epsk-supported-hash { | |||
type enumeration { | type enumeration { | |||
enum sha-256 { | enum sha-256 { | |||
description | description | |||
"The SHA-256 Hash."; | "The SHA-256 hash."; | |||
} | } | |||
enum sha-384 { | enum sha-384 { | |||
description | description | |||
"The SHA-384 Hash."; | "The SHA-384 hash."; | |||
} | } | |||
} | } | |||
description | description | |||
"As per Section 4.2.11 of RFC 8446, the hash algorithm | "As per Section 4.2.11 of RFC 8446, the hash algorithm | |||
supported by an instance of an External Pre-Shared | supported by an instance of an External Pre-Shared | |||
Key (EPSK)."; | Key (EPSK)."; | |||
reference | reference | |||
"RFC 8446: The Transport Layer Security (TLS) | "RFC 8446: The Transport Layer Security (TLS) | |||
Protocol Version 1.3"; | Protocol Version 1.3"; | |||
} | } | |||
skipping to change at page 19, line 5 ¶ | skipping to change at line 692 ¶ | |||
container cipher-suites { | container cipher-suites { | |||
description | description | |||
"Parameters regarding cipher suites."; | "Parameters regarding cipher suites."; | |||
leaf-list cipher-suite { | leaf-list cipher-suite { | |||
type tlscsa:tls-cipher-suite-algorithm; | type tlscsa:tls-cipher-suite-algorithm; | |||
ordered-by user; | ordered-by user; | |||
description | description | |||
"Acceptable cipher suites in order of descending | "Acceptable cipher suites in order of descending | |||
preference. The configured host key algorithms should | preference. The configured host key algorithms should | |||
be compatible with the algorithm used by the configured | be compatible with the algorithm used by the configured | |||
private key. Please see Section 5 of RFC FFFF for | private key. Please see Section 5 of RFC 9645 for | |||
valid combinations. | valid combinations. | |||
If this leaf-list is not configured (has zero elements) | If this leaf-list is not configured (has zero elements), | |||
the acceptable cipher suites are implementation- | the acceptable cipher suites are implementation- | |||
defined."; | defined."; | |||
reference | reference | |||
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; | "RFC 9645: YANG Groupings for TLS Clients and TLS Servers"; | |||
} | } | |||
} | } | |||
} // hello-params-grouping | } // hello-params-grouping | |||
// Protocol-accessible Nodes | // Protocol-accessible Nodes | |||
container supported-algorithms { | container supported-algorithms { | |||
if-feature "algorithm-discovery"; | if-feature "algorithm-discovery"; | |||
config false; | config false; | |||
description | description | |||
skipping to change at page 19, line 35 ¶ | skipping to change at line 722 ¶ | |||
leaf-list supported-algorithm { | leaf-list supported-algorithm { | |||
type tlscsa:tls-cipher-suite-algorithm; | type tlscsa:tls-cipher-suite-algorithm; | |||
description | description | |||
"A cipher suite algorithm supported by the server."; | "A cipher suite algorithm supported by the server."; | |||
} | } | |||
} | } | |||
rpc generate-asymmetric-key-pair { | rpc generate-asymmetric-key-pair { | |||
if-feature "asymmetric-key-pair-generation"; | if-feature "asymmetric-key-pair-generation"; | |||
description | description | |||
"Requests the device to generate an asymmetric-key-pair | "Requests the device to generate an 'asymmetric-key-pair' | |||
key using the specified key algorithm."; | key using the specified key algorithm."; | |||
input { | input { | |||
leaf algorithm { | leaf algorithm { | |||
type tlscsa:tls-cipher-suite-algorithm; | type tlscsa:tls-cipher-suite-algorithm; | |||
mandatory true; | mandatory true; | |||
description | description | |||
"The cipher suite algorithm that the generated key is | "The cipher suite algorithm that the generated key | |||
to work with. Implementations derive the public key | works with. Implementations derive the public key | |||
algorithm from the cipher suite algorithm. Example: | algorithm from the cipher suite algorithm. For | |||
cipher suite 'tls-rsa-with-aes-256-cbc-sha256' maps | example, cipher suite | |||
to the RSA public key."; | 'tls-rsa-with-aes-256-cbc-sha256' maps to the RSA | |||
public key."; | ||||
} | } | |||
leaf num-bits { | leaf num-bits { | |||
type uint16; | type uint16; | |||
description | description | |||
"Specifies the number of bits in the key to create. | "Specifies the number of bits to create in the key. | |||
For RSA keys, the minimum size is 1024 bits and | For RSA keys, the minimum size is 1024 bits, and | |||
the default is 3072 bits. Generally, 3072 bits is | the default is 3072 bits. Generally, 3072 bits is | |||
considered sufficient. DSA keys must be exactly 1024 | considered sufficient. DSA keys must be exactly | |||
bits as specified by FIPS 186-2. For elliptical | 1024 bits as specified by FIPS 186-2. For | |||
keys, the 'num-bits' value determines the key length | elliptical keys, the 'num-bits' value determines | |||
of the curve (e.g., 256, 384 or 521), where valid | the key length of the curve (e.g., 256, 384, or 521), | |||
values supported by the server are conveyed via an | where valid values supported by the server are | |||
unspecified mechanism. For some public algorithms, | conveyed via an unspecified mechanism. For some | |||
the keys have a fixed length and thus the 'num-bits' | public algorithms, the keys have a fixed length, and | |||
value is not specified."; | thus the 'num-bits' value is not specified."; | |||
} | } | |||
container private-key-encoding { | container private-key-encoding { | |||
description | description | |||
"Indicates how the private key is to be encoded."; | "Indicates how the private key is to be encoded."; | |||
choice private-key-encoding { | choice private-key-encoding { | |||
mandatory true; | mandatory true; | |||
description | description | |||
"A choice amongst optional private key handling."; | "A choice amongst optional private key handling."; | |||
case cleartext { | case cleartext { | |||
if-feature "ct:cleartext-private-keys"; | if-feature "ct:cleartext-private-keys"; | |||
skipping to change at page 20, line 36 ¶ | skipping to change at line 771 ¶ | |||
type empty; | type empty; | |||
description | description | |||
"Indicates that the private key is to be returned | "Indicates that the private key is to be returned | |||
as a cleartext value."; | as a cleartext value."; | |||
} | } | |||
} | } | |||
case encrypted { | case encrypted { | |||
if-feature "ct:encrypted-private-keys"; | if-feature "ct:encrypted-private-keys"; | |||
container encrypted { | container encrypted { | |||
description | description | |||
"Indicates that the key is to be encrypted using | "Indicates that the key is to be encrypted using | |||
the specified symmetric or asymmetric key."; | the specified symmetric or asymmetric key."; | |||
uses ks:encrypted-by-grouping; | uses ks:encrypted-by-grouping; | |||
} | } | |||
} | } | |||
case hidden { | case hidden { | |||
if-feature "ct:hidden-private-keys"; | if-feature "ct:hidden-private-keys"; | |||
leaf hidden { | leaf hidden { | |||
type empty; | type empty; | |||
description | description | |||
"Indicates that the private key is to be hidden. | "Indicates that the private key is to be hidden. | |||
Unlike the 'cleartext' and 'encrypt' options, the | Unlike the 'cleartext' and 'encrypt' options, the | |||
key returned is a placeholder for an internally | key returned is a placeholder for an internally | |||
stored key. See the 'Support for Built-in Keys' | stored key. See Section 3 of RFC 9642 ('Support | |||
section in RFC CCCC for information about hidden | for Built-In Keys') for information about hidden | |||
keys."; | keys."; | |||
} | } | |||
} | } | |||
} | } | |||
} | } | |||
} | } | |||
output { | output { | |||
choice key-or-hidden { | choice key-or-hidden { | |||
case key { | case key { | |||
uses ct:asymmetric-key-pair-grouping; | uses ct:asymmetric-key-pair-grouping; | |||
skipping to change at page 21, line 31 ¶ | skipping to change at line 814 ¶ | |||
} | } | |||
description | description | |||
"The output can be either a key (for cleartext and | "The output can be either a key (for cleartext and | |||
encrypted keys) or the location to where the key | encrypted keys) or the location to where the key | |||
was created (for hidden keys)."; | was created (for hidden keys)."; | |||
} | } | |||
} | } | |||
} // end generate-asymmetric-key-pair | } // end generate-asymmetric-key-pair | |||
} | } | |||
<CODE ENDS> | <CODE ENDS> | |||
3. The "ietf-tls-client" Module | 3. The "ietf-tls-client" Module | |||
This section defines a YANG 1.1 [RFC7950] module called "ietf-tls- | This section defines a YANG 1.1 [RFC7950] module called "ietf-tls- | |||
client". A high-level overview of the module is provided in | client". A high-level overview of the module is provided in | |||
Section 3.1. Examples illustrating the module's use are provided in | Section 3.1. Examples illustrating the module's use are provided in | |||
Examples (Section 3.2). The YANG module itself is defined in | Section 3.2 ("Example Usage"). The YANG module itself is defined in | |||
Section 3.3. | Section 3.3. | |||
3.1. Data Model Overview | 3.1. Data Model Overview | |||
This section provides an overview of the "ietf-tls-client" module in | This section provides an overview of the "ietf-tls-client" module in | |||
terms of its features and groupings. | terms of its features and groupings. | |||
3.1.1. Features | 3.1.1. Features | |||
The following diagram lists all the "feature" statements defined in | The following diagram lists all the "feature" statements defined in | |||
skipping to change at page 24, line 19 ¶ | skipping to change at line 925 ¶ | |||
* The "server-authentication" node configures trust anchors for | * The "server-authentication" node configures trust anchors for | |||
authenticating the TLS server, with each option enabled by a | authenticating the TLS server, with each option enabled by a | |||
"feature" statement. | "feature" statement. | |||
* The "hello-params" node, which must be enabled by a feature, | * The "hello-params" node, which must be enabled by a feature, | |||
configures parameters for the TLS sessions established by this | configures parameters for the TLS sessions established by this | |||
configuration. | configuration. | |||
* The "keepalives" node, which must be enabled by a feature, | * The "keepalives" node, which must be enabled by a feature, | |||
configures a "presence" container for testing the aliveness of the | configures a "presence" container to test the aliveness of the TLS | |||
TLS server. The aliveness-test occurs at the TLS protocol layer. | server. The aliveness-test occurs at the TLS protocol layer. | |||
* For the referenced grouping statement(s): | * For the referenced grouping statement(s): | |||
- The "inline-or-keystore-end-entity-cert-with-key-grouping" | - The "inline-or-keystore-end-entity-cert-with-key-grouping" | |||
grouping is discussed in Section 2.1.3.6 of | grouping is discussed in Section 2.1.3.6 of [RFC9642]. | |||
[I-D.ietf-netconf-keystore]. | ||||
- The "inline-or-keystore-asymmetric-key-grouping" grouping is | - The "inline-or-keystore-asymmetric-key-grouping" grouping is | |||
discussed in Section 2.1.3.4 of [I-D.ietf-netconf-keystore]. | discussed in Section 2.1.3.4 of [RFC9642]. | |||
- The "inline-or-keystore-symmetric-key-grouping" grouping is | - The "inline-or-keystore-symmetric-key-grouping" grouping is | |||
discussed in Section 2.1.3.3 of [I-D.ietf-netconf-keystore]. | discussed in Section 2.1.3.3 of [RFC9642]. | |||
- The "inline-or-truststore-certs-grouping" grouping is discussed | - The "inline-or-truststore-certs-grouping" grouping is discussed | |||
in Section 2.1.3.3 of [I-D.ietf-netconf-trust-anchors]. | in Section 2.1.3.3 of [RFC9641]. | |||
- The "inline-or-truststore-public-keys-grouping" grouping is | - The "inline-or-truststore-public-keys-grouping" grouping is | |||
discussed in Section 2.1.3.4 of | discussed in Section 2.1.3.4 of [RFC9641]. | |||
[I-D.ietf-netconf-trust-anchors]. | ||||
- The "hello-params-grouping" grouping is discussed in | - The "hello-params-grouping" grouping is discussed in | |||
Section 2.1.3.1 in this document. | Section 2.1.3.1 in this document. | |||
3.1.3. Protocol-accessible Nodes | 3.1.3. Protocol-Accessible Nodes | |||
The "ietf-tls-client" module defines only "grouping" statements that | The "ietf-tls-client" module defines only "grouping" statements that | |||
are used by other modules to instantiate protocol-accessible nodes. | are used by other modules to instantiate protocol-accessible nodes. | |||
Thus this module, when implemented, does not itself define any | Thus, this module does not itself define any protocol-accessible | |||
protocol-accessible nodes. | nodes when implemented. | |||
3.2. Example Usage | 3.2. Example Usage | |||
This section presents two examples showing the "tls-client-grouping" | This section presents two examples showing the "tls-client-grouping" | |||
grouping populated with some data. These examples are effectively | grouping populated with some data. These examples are effectively | |||
the same except the first configures the client identity using a | the same except the first configures the client identity using a | |||
local key while the second uses a key configured in a keystore. Both | local key while the second uses a key configured in a keystore. Both | |||
examples are consistent with the examples presented in Section 2.2.1 | examples are consistent with the examples presented in Section 2.2.1 | |||
of [I-D.ietf-netconf-trust-anchors] and Section 2.2.1 of | of [RFC9641] and Section 2.2.1 of [RFC9642]. | |||
[I-D.ietf-netconf-keystore]. | ||||
The following configuration example uses inline-definitions for the | The following configuration example uses inline-definitions for the | |||
client identity and server authentication: | client identity and server authentication: | |||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<!-- The outermost element below doesn't exist in the data model. --> | <!-- The outermost element below doesn't exist in the data model. --> | |||
<!-- It simulates if the "grouping" were a "container" instead. --> | <!-- It simulates if the "grouping" were a "container" instead. --> | |||
<tls-client | <tls-client | |||
xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-client" | xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-client" | |||
xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | |||
<!-- how this client will authenticate itself to the server --> | <!-- how this client will authenticate itself to the server --> | |||
<client-identity> | <client-identity> | |||
<certificate> | <certificate> | |||
<inline-definition> | <inline-definition> | |||
<private-key-format>ct:rsa-private-key-format</priva\ | <private-key-format>ct:rsa-private-key-format</priva\ | |||
te-key-format> | te-key-format> | |||
<cleartext-private-key>BASE64VALUE=</cleartext-priva\ | <cleartext-private-key>BASE64VALUE=</cleartext-priva\ | |||
te-key> | te-key> | |||
<cert-data>BASE64VALUE=</cert-data> | <cert-data>BASE64VALUE=</cert-data> | |||
</inline-definition> | </inline-definition> | |||
</certificate> | </certificate> | |||
skipping to change at page 26, line 49 ¶ | skipping to change at line 1041 ¶ | |||
<test-peer-aliveness> | <test-peer-aliveness> | |||
<max-wait>30</max-wait> | <max-wait>30</max-wait> | |||
<max-attempts>3</max-attempts> | <max-attempts>3</max-attempts> | |||
</test-peer-aliveness> | </test-peer-aliveness> | |||
</keepalives> | </keepalives> | |||
</tls-client> | </tls-client> | |||
The following configuration example uses central-keystore-references | The following configuration example uses central-keystore-references | |||
for the client identity and central-truststore-references for server | for the client identity and central-truststore-references for server | |||
authentication: from the keystore: | authentication from the keystore: | |||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<!-- The outermost element below doesn't exist in the data model. --> | <!-- The outermost element below doesn't exist in the data model. --> | |||
<!-- It simulates if the "grouping" were a "container" instead. --> | <!-- It simulates if the "grouping" were a "container" instead. --> | |||
<tls-client xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-client"> | <tls-client xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-client"> | |||
<!-- how this client will authenticate itself to the server --> | <!-- how this client will authenticate itself to the server --> | |||
<client-identity> | <client-identity> | |||
skipping to change at page 28, line 7 ¶ | skipping to change at line 1089 ¶ | |||
<test-peer-aliveness> | <test-peer-aliveness> | |||
<max-wait>30</max-wait> | <max-wait>30</max-wait> | |||
<max-attempts>3</max-attempts> | <max-attempts>3</max-attempts> | |||
</test-peer-aliveness> | </test-peer-aliveness> | |||
</keepalives> | </keepalives> | |||
</tls-client> | </tls-client> | |||
3.3. YANG Module | 3.3. YANG Module | |||
This YANG module has normative references to | This YANG module has normative references to [RFC4279], [RFC5280], | |||
[I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore], and | [RFC6520], [RFC7250], [RFC9640], [RFC9641], and [RFC9642] and | |||
Informative references to [RFC5246], [RFC8446], [RFC9258] and | informative references to [RFC5056], [RFC5246], [RFC8446], [RFC9258], | |||
[RFC9257]. | and [RFC9257]. | |||
<CODE BEGINS> file "ietf-tls-client@2024-03-16.yang" | <CODE BEGINS> file "ietf-tls-client@2024-03-16.yang" | |||
module ietf-tls-client { | module ietf-tls-client { | |||
yang-version 1.1; | yang-version 1.1; | |||
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-client"; | namespace "urn:ietf:params:xml:ns:yang:ietf-tls-client"; | |||
prefix tlsc; | prefix tlsc; | |||
import ietf-netconf-acm { | import ietf-netconf-acm { | |||
prefix nacm; | prefix nacm; | |||
reference | reference | |||
"RFC 8341: Network Configuration Access Control Model"; | "RFC 8341: Network Configuration Access Control Model"; | |||
} | } | |||
skipping to change at page 28, line 24 ¶ | skipping to change at line 1105 ¶ | |||
module ietf-tls-client { | module ietf-tls-client { | |||
yang-version 1.1; | yang-version 1.1; | |||
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-client"; | namespace "urn:ietf:params:xml:ns:yang:ietf-tls-client"; | |||
prefix tlsc; | prefix tlsc; | |||
import ietf-netconf-acm { | import ietf-netconf-acm { | |||
prefix nacm; | prefix nacm; | |||
reference | reference | |||
"RFC 8341: Network Configuration Access Control Model"; | "RFC 8341: Network Configuration Access Control Model"; | |||
} | } | |||
import ietf-crypto-types { | import ietf-crypto-types { | |||
prefix ct; | prefix ct; | |||
reference | reference | |||
"RFC AAAA: YANG Data Types and Groupings for Cryptography"; | "RFC 9640: YANG Data Types and Groupings for Cryptography"; | |||
} | } | |||
import ietf-truststore { | import ietf-truststore { | |||
prefix ts; | prefix ts; | |||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
} | } | |||
import ietf-keystore { | import ietf-keystore { | |||
prefix ks; | prefix ks; | |||
reference | reference | |||
"RFC CCCC: A YANG Data Model for a Keystore"; | "RFC 9642: A YANG Data Model for a Keystore"; | |||
} | } | |||
import ietf-tls-common { | import ietf-tls-common { | |||
prefix tlscmn; | prefix tlscmn; | |||
reference | reference | |||
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; | "RFC 9645: YANG Groupings for TLS Clients and TLS Servers"; | |||
} | } | |||
organization | organization | |||
"IETF NETCONF (Network Configuration) Working Group"; | "IETF NETCONF (Network Configuration) Working Group"; | |||
contact | contact | |||
"WG List: NETCONF WG list <mailto:netconf@ietf.org> | "WG List: NETCONF WG list <mailto:netconf@ietf.org> | |||
WG Web: https://datatracker.ietf.org/wg/netconf | WG Web: https://datatracker.ietf.org/wg/netconf | |||
Author: Kent Watsen <mailto:kent+ietf@watsen.net> | Author: Kent Watsen <mailto:kent+ietf@watsen.net> | |||
Author: Jeff Hartley <mailto:intensifysecurity@gmail.com>"; | Author: Jeff Hartley <mailto:intensifysecurity@gmail.com>"; | |||
description | description | |||
"This module defines reusable groupings for TLS clients that | "This module defines reusable groupings for TLS clients that | |||
can be used as a basis for specific TLS client instances. | can be used as a basis for specific TLS client instances. | |||
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | ||||
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | ||||
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document | ||||
are to be interpreted as described in BCP 14 (RFC 2119) | ||||
(RFC 8174) when, and only when, they appear in all | ||||
capitals, as shown here. | ||||
Copyright (c) 2024 IETF Trust and the persons identified | Copyright (c) 2024 IETF Trust and the persons identified | |||
as authors of the code. All rights reserved. | as authors of the code. All rights reserved. | |||
Redistribution and use in source and binary forms, with | Redistribution and use in source and binary forms, with | |||
or without modification, is permitted pursuant to, and | or without modification, is permitted pursuant to, and | |||
subject to the license terms contained in, the Revised | subject to the license terms contained in, the Revised | |||
BSD License set forth in Section 4.c of the IETF Trust's | BSD License set forth in Section 4.c of the IETF Trust's | |||
Legal Provisions Relating to IETF Documents | Legal Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info). | (https://trustee.ietf.org/license-info). | |||
This version of this YANG module is part of RFC FFFF | This version of this YANG module is part of RFC 9645 | |||
(https://www.rfc-editor.org/info/rfcFFFF); see the RFC | (https://www.rfc-editor.org/info/rfc9645); see the RFC | |||
itself for full legal notices. | itself for full legal notices."; | |||
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | ||||
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | ||||
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document | ||||
are to be interpreted as described in BCP 14 (RFC 2119) | ||||
(RFC 8174) when, and only when, they appear in all | ||||
capitals, as shown here."; | ||||
revision 2024-03-16 { | revision 2024-03-16 { | |||
description | description | |||
"Initial version"; | "Initial version"; | |||
reference | reference | |||
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; | "RFC 9645: YANG Groupings for TLS Clients and TLS Servers"; | |||
} | } | |||
// Features | // Features | |||
feature tls-client-keepalives { | feature tls-client-keepalives { | |||
description | description | |||
"Per socket TLS keepalive parameters are configurable for | "Per-socket TLS keepalive parameters are configurable for | |||
TLS clients on the server implementing this feature."; | TLS clients on the server implementing this feature."; | |||
} | } | |||
feature client-ident-x509-cert { | feature client-ident-x509-cert { | |||
description | description | |||
"Indicates that the client supports identifying itself | "Indicates that the client supports identifying itself | |||
using X.509 certificates."; | using X.509 certificates."; | |||
reference | reference | |||
"RFC 5280: | "RFC 5280: | |||
Internet X.509 Public Key Infrastructure Certificate | Internet X.509 Public Key Infrastructure Certificate | |||
skipping to change at page 30, line 25 ¶ | skipping to change at line 1197 ¶ | |||
reference | reference | |||
"RFC 7250: | "RFC 7250: | |||
Using Raw Public Keys in Transport Layer Security (TLS) | Using Raw Public Keys in Transport Layer Security (TLS) | |||
and Datagram Transport Layer Security (DTLS)"; | and Datagram Transport Layer Security (DTLS)"; | |||
} | } | |||
feature client-ident-tls12-psk { | feature client-ident-tls12-psk { | |||
if-feature "tlscmn:tls12"; | if-feature "tlscmn:tls12"; | |||
description | description | |||
"Indicates that the client supports identifying itself | "Indicates that the client supports identifying itself | |||
using TLS-1.2 PSKs (pre-shared or pairwise-symmetric keys)."; | using TLS 1.2 PSKs (pre-shared or pairwise symmetric keys)."; | |||
reference | reference | |||
"RFC 4279: | "RFC 4279: | |||
Pre-Shared Key Ciphersuites for Transport Layer Security | Pre-Shared Key Ciphersuites for Transport Layer Security | |||
(TLS)"; | (TLS)"; | |||
} | } | |||
feature client-ident-tls13-epsk { | feature client-ident-tls13-epsk { | |||
if-feature "tlscmn:tls13"; | if-feature "tlscmn:tls13"; | |||
description | description | |||
"Indicates that the client supports identifying itself | "Indicates that the client supports identifying itself | |||
using TLS-1.3 External PSKs (pre-shared keys)."; | using TLS 1.3 External PSKs (pre-shared keys)."; | |||
reference | reference | |||
"RFC 8446: | "RFC 8446: | |||
The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||
} | } | |||
feature server-auth-x509-cert { | feature server-auth-x509-cert { | |||
description | description | |||
"Indicates that the client supports authenticating servers | "Indicates that the client supports authenticating servers | |||
using X.509 certificates."; | using X.509 certificates."; | |||
reference | reference | |||
skipping to change at page 31, line 4 ¶ | skipping to change at line 1223 ¶ | |||
feature server-auth-x509-cert { | feature server-auth-x509-cert { | |||
description | description | |||
"Indicates that the client supports authenticating servers | "Indicates that the client supports authenticating servers | |||
using X.509 certificates."; | using X.509 certificates."; | |||
reference | reference | |||
"RFC 5280: | "RFC 5280: | |||
Internet X.509 Public Key Infrastructure Certificate | Internet X.509 Public Key Infrastructure Certificate | |||
and Certificate Revocation List (CRL) Profile"; | and Certificate Revocation List (CRL) Profile"; | |||
} | } | |||
feature server-auth-raw-public-key { | feature server-auth-raw-public-key { | |||
description | description | |||
"Indicates that the client supports authenticating servers | "Indicates that the client supports authenticating servers | |||
using raw public keys."; | using raw public keys."; | |||
reference | reference | |||
"RFC 7250: | "RFC 7250: | |||
Using Raw Public Keys in Transport Layer Security (TLS) | Using Raw Public Keys in Transport Layer Security (TLS) | |||
and Datagram Transport Layer Security (DTLS)"; | and Datagram Transport Layer Security (DTLS)"; | |||
} | } | |||
feature server-auth-tls12-psk { | feature server-auth-tls12-psk { | |||
description | description | |||
"Indicates that the client supports authenticating servers | "Indicates that the client supports authenticating servers | |||
using PSKs (pre-shared or pairwise-symmetric keys)."; | using PSKs (pre-shared or pairwise symmetric keys)."; | |||
reference | reference | |||
"RFC 4279: | "RFC 4279: | |||
Pre-Shared Key Ciphersuites for Transport Layer Security | Pre-Shared Key Ciphersuites for Transport Layer Security | |||
(TLS)"; | (TLS)"; | |||
} | } | |||
feature server-auth-tls13-epsk { | feature server-auth-tls13-epsk { | |||
description | description | |||
"Indicates that the client supports authenticating servers | "Indicates that the client supports authenticating servers | |||
using TLS-1.3 External PSKs (pre-shared keys)."; | using TLS 1.3 External PSKs (pre-shared keys)."; | |||
reference | reference | |||
"RFC 8446: | "RFC 8446: | |||
The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||
} | } | |||
// Groupings | // Groupings | |||
grouping tls-client-grouping { | grouping tls-client-grouping { | |||
description | description | |||
"A reusable grouping for configuring a TLS client without | "A reusable grouping for configuring a TLS client without | |||
skipping to change at page 31, line 49 ¶ | skipping to change at line 1269 ¶ | |||
established. | established. | |||
Note that this grouping uses fairly typical descendant | Note that this grouping uses fairly typical descendant | |||
node names such that a stack of 'uses' statements will | node names such that a stack of 'uses' statements will | |||
have name conflicts. It is intended that the consuming | have name conflicts. It is intended that the consuming | |||
data model will resolve the issue (e.g., by wrapping | data model will resolve the issue (e.g., by wrapping | |||
the 'uses' statement in a container called | the 'uses' statement in a container called | |||
'tls-client-parameters'). This model purposely does | 'tls-client-parameters'). This model purposely does | |||
not do this itself so as to provide maximum flexibility | not do this itself so as to provide maximum flexibility | |||
to consuming models."; | to consuming models."; | |||
container client-identity { | container client-identity { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
presence | presence "Indicates that a TLS-level client identity has been | |||
"Indicates that a TLS-level client identity has been | configured. This statement is present so the | |||
configured. This statement is present so the mandatory | mandatory descendant nodes do not imply that this | |||
descendant do not imply that this node must be configured."; | node must be configured."; | |||
description | description | |||
"Identity credentials the TLS client MAY present when | "Identity credentials the TLS client MAY present when | |||
establishing a connection to a TLS server. If not | establishing a connection to a TLS server. If not | |||
configured, then client authentication is presumed to | configured, then client authentication is presumed to | |||
occur in a protocol layer above TLS. When configured, | occur in a protocol layer above TLS. When configured, | |||
and requested by the TLS server when establishing a | and requested by the TLS server when establishing a | |||
TLS session, these credentials are passed in the | TLS session, these credentials are passed in the | |||
Certificate message defined in Section 7.4.2 of | Certificate message defined in Section 7.4.2 of | |||
RFC 5246 and Section 4.4.2 in RFC 8446."; | RFC 5246 and Section 4.4.2 of RFC 8446."; | |||
reference | reference | |||
"RFC 5246: The Transport Layer Security (TLS) | "RFC 5246: The Transport Layer Security (TLS) | |||
Protocol Version 1.2 | Protocol Version 1.2 | |||
RFC 8446: The Transport Layer Security (TLS) | RFC 8446: The Transport Layer Security (TLS) | |||
Protocol Version 1.3 | Protocol Version 1.3 | |||
RFC CCCC: A YANG Data Model for a Keystore"; | RFC 9642: A YANG Data Model for a Keystore"; | |||
choice auth-type { | choice auth-type { | |||
mandatory true; | mandatory true; | |||
description | description | |||
"A choice amongst authentication types, of which one must | "A choice amongst authentication types, of which one must | |||
be enabled (via its associated 'feature') and selected."; | be enabled (via its associated 'feature') and selected."; | |||
case certificate { | case certificate { | |||
if-feature "client-ident-x509-cert"; | if-feature "client-ident-x509-cert"; | |||
container certificate { | container certificate { | |||
description | description | |||
"Specifies the client identity using a certificate."; | "Specifies the client identity using a certificate."; | |||
uses | uses "ks:inline-or-keystore-end-entity-cert-with-key-" | |||
"ks:inline-or-keystore-end-entity-cert-with-key-" | + "grouping" { | |||
+ "grouping" { | ||||
refine "inline-or-keystore/inline/inline-definition" { | refine "inline-or-keystore/inline/inline-definition" { | |||
must 'not(public-key-format) or derived-from-or-self' | must 'not(public-key-format) or derived-from-or-self' | |||
+ '(public-key-format, "ct:subject-public-key-' | + '(public-key-format, "ct:subject-public-key-' | |||
+ 'info-format")'; | + 'info-format")'; | |||
} | } | |||
refine "inline-or-keystore/central-keystore/" | refine "inline-or-keystore/central-keystore/" | |||
+ "central-keystore-reference/asymmetric-key" { | + "central-keystore-reference/asymmetric-key" { | |||
must 'not(deref(.)/../ks:public-key-format) or ' | must 'not(deref(.)/../ks:public-key-format) or ' | |||
+ 'derived-from-or-self(deref(.)/../ks:public-' | + 'derived-from-or-self(deref(.)/../ks:public-' | |||
+ 'key-format, "ct:subject-public-key-info-' | + 'key-format, "ct:subject-public-key-info-' | |||
skipping to change at page 33, line 30 ¶ | skipping to change at line 1344 ¶ | |||
+ 'format")'; | + 'format")'; | |||
} | } | |||
} | } | |||
} | } | |||
} | } | |||
case tls12-psk { | case tls12-psk { | |||
if-feature "client-ident-tls12-psk"; | if-feature "client-ident-tls12-psk"; | |||
container tls12-psk { | container tls12-psk { | |||
description | description | |||
"Specifies the client identity using a PSK (pre-shared | "Specifies the client identity using a PSK (pre-shared | |||
or pairwise-symmetric key)."; | or pairwise symmetric key)."; | |||
uses ks:inline-or-keystore-symmetric-key-grouping; | uses ks:inline-or-keystore-symmetric-key-grouping; | |||
leaf id { | leaf id { | |||
type string; | type string; | |||
description | description | |||
"The key 'psk_identity' value used in the TLS | "The key 'psk_identity' value used in the TLS | |||
'ClientKeyExchange' message."; | 'ClientKeyExchange' message."; | |||
reference | reference | |||
"RFC 4279: Pre-Shared Key Ciphersuites for | "RFC 4279: Pre-Shared Key Ciphersuites for | |||
Transport Layer Security (TLS)"; | Transport Layer Security (TLS)"; | |||
} | } | |||
} | } | |||
} | } | |||
case tls13-epsk { | case tls13-epsk { | |||
if-feature "client-ident-tls13-epsk"; | if-feature "client-ident-tls13-epsk"; | |||
container tls13-epsk { | container tls13-epsk { | |||
description | description | |||
"An External Pre-Shared Key (EPSK) is established | "An External Pre-Shared Key (EPSK) is established | |||
or provisioned out-of-band, i.e., not from a TLS | or provisioned out of band, i.e., not from a TLS | |||
connection. An EPSK is a tuple of (Base Key, | connection. An EPSK is a tuple of (Base Key, | |||
External Identity, Hash). External PSKs MUST NOT | External Identity, Hash). EPSKs MUST NOT be | |||
be imported for (D)TLS 1.2 or prior versions. When | imported for (D)TLS 1.2 or prior versions. When | |||
PSKs are provisioned out of band, the PSK identity | PSKs are provisioned out of band, the PSK identity | |||
and the KDF hash algorithm to be used with the PSK | and the Key Derivation Function (KDF) hash algorithm | |||
MUST also be provisioned. | to be used with the PSK MUST also be provisioned. | |||
The structure of this container is designed to | The structure of this container is designed to satisfy | |||
satisfy the requirements of RFC 8446 Section | the requirements in Section 4.2.11 of RFC 8446, the | |||
4.2.11, the recommendations from Section 6 in | recommendations from Section 6 of RFC 9257, and the | |||
RFC 9257, and the EPSK input fields detailed in | EPSK input fields detailed in Section 5.1 of RFC 9258. | |||
Section 5.1 in RFC 9258. The base-key is based | The base-key is based upon | |||
upon ks:inline-or-keystore-symmetric-key-grouping | 'ks:inline-or-keystore-symmetric-key-grouping' in | |||
in order to provide users with flexible and | order to provide users with flexible and secure | |||
secure storage options."; | storage options."; | |||
reference | reference | |||
"RFC 8446: The Transport Layer Security (TLS) | "RFC 8446: The Transport Layer Security (TLS) | |||
Protocol Version 1.3 | Protocol Version 1.3 | |||
RFC 9257: Guidance for External Pre-Shared Key | RFC 9257: Guidance for External Pre-Shared Key | |||
(PSK) Usage in TLS | (PSK) Usage in TLS | |||
RFC 9258: Importing External Pre-Shared Keys | RFC 9258: Importing External Pre-Shared Keys | |||
(PSKs) for TLS 1.3"; | (PSKs) for TLS 1.3"; | |||
uses ks:inline-or-keystore-symmetric-key-grouping; | uses ks:inline-or-keystore-symmetric-key-grouping; | |||
leaf external-identity { | leaf external-identity { | |||
type string; | type string; | |||
mandatory true; | mandatory true; | |||
description | description | |||
"As per Section 4.2.11 of RFC 8446, and Section 4.1 | "As per Section 4.2.11 of RFC 8446 and Section 4.1 | |||
of RFC 9257, a sequence of bytes used to identify | of RFC 9257, a sequence of bytes used to identify | |||
an EPSK. A label for a pre-shared key established | an EPSK. A label for a pre-shared key established | |||
externally."; | externally."; | |||
reference | reference | |||
"RFC 8446: The Transport Layer Security (TLS) | "RFC 8446: The Transport Layer Security (TLS) | |||
Protocol Version 1.3 | Protocol Version 1.3 | |||
RFC 9257: Guidance for External Pre-Shared Key | RFC 9257: Guidance for External Pre-Shared Key | |||
(PSK) Usage in TLS"; | (PSK) Usage in TLS"; | |||
} | } | |||
leaf hash { | leaf hash { | |||
type tlscmn:epsk-supported-hash; | type tlscmn:epsk-supported-hash; | |||
default sha-256; | default "sha-256"; | |||
description | description | |||
"As per Section 4.2.11 of RFC 8446, for externally | "As per Section 4.2.11 of RFC 8446, for EPSKs, | |||
established PSKs, the Hash algorithm MUST be set | the hash algorithm MUST be set when the PSK is | |||
when the PSK is established or default to SHA-256 | established; otherwise, default to SHA-256 if | |||
if no such algorithm is defined. The server MUST | no such algorithm is defined. The server MUST | |||
ensure that it selects a compatible PSK (if any) | ensure that it selects a compatible PSK (if any) | |||
and cipher suite. Each PSK MUST only be used with | and cipher suite. Each PSK MUST only be used | |||
a single hash function."; | with a single hash function."; | |||
reference | reference | |||
"RFC 8446: The Transport Layer Security (TLS) | "RFC 8446: The Transport Layer Security (TLS) | |||
Protocol Version 1.3"; | Protocol Version 1.3"; | |||
} | } | |||
leaf context { | leaf context { | |||
type string; | type string; | |||
description | description | |||
"Per Section 5.1 of RFC 9258, context MUST include | "As per Section 5.1 of RFC 9258, context MUST | |||
the context used to determine the EPSK, if | include the context used to determine the EPSK, | |||
any exists. For example, context may include | if any exists. For example, context may include | |||
information about peer roles or identities | information about peer roles or identities | |||
to mitigate Selfie-style reflection attacks. | to mitigate Selfie-style reflection attacks. | |||
Since the EPSK is a key derived from an external | Since the EPSK is a key derived from an external | |||
protocol or sequence of protocols, context MUST | protocol or a sequence of protocols, context MUST | |||
include a channel binding for the deriving | include a channel binding for the deriving | |||
protocols [RFC5056]. The details of this | protocols (see RFC 5056). The details of this | |||
binding are protocol specfic and out of scope | binding are protocol specific and out of scope | |||
for this document."; | for this document."; | |||
reference | reference | |||
"RFC 9258: Importing External Pre-Shared Keys | "RFC 9258: Importing External Pre-Shared Keys | |||
(PSKs) for TLS 1.3"; | (PSKs) for TLS 1.3"; | |||
} | } | |||
leaf target-protocol { | leaf target-protocol { | |||
type uint16; | type uint16; | |||
description | description | |||
"As per Section 3 of RFC 9258, the protocol | "As per Section 3 of RFC 9258, the protocol | |||
for which a PSK is imported for use."; | for which a PSK is imported for use."; | |||
reference | reference | |||
"RFC 9258: Importing External Pre-Shared Keys | "RFC 9258: Importing External Pre-Shared Keys | |||
(PSKs) for TLS 1.3"; | (PSKs) for TLS 1.3"; | |||
} | } | |||
leaf target-kdf { | leaf target-kdf { | |||
type uint16; | type uint16; | |||
description | description | |||
"As per Section 3 of RFC 9258, the KDF for | "As per Section 3 of RFC 9258, the Key Derivation | |||
which a PSK is imported for use."; | Function (KDF) for which a PSK is imported for | |||
use."; | ||||
reference | reference | |||
"RFC 9258: Importing External Pre-Shared Keys | "RFC 9258: Importing External Pre-Shared Keys | |||
(PSKs) for TLS 1.3"; | (PSKs) for TLS 1.3"; | |||
} | } | |||
} | } | |||
} | } | |||
} | } | |||
} // container client-identity | } // container client-identity | |||
container server-authentication { | container server-authentication { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
must 'ca-certs or ee-certs or raw-public-keys or tls12-psks | must "ca-certs or ee-certs or raw-public-keys or tls12-psks | |||
or tls13-epsks'; | or tls13-epsks"; | |||
description | description | |||
"Specifies how the TLS client can authenticate TLS servers. | "Specifies how the TLS client can authenticate TLS servers. | |||
Any combination of credentials is additive and unordered. | Any combination of credentials is additive and unordered. | |||
Note that no configuration is required for PSK (pre-shared | Note that no configuration is required for authentication | |||
or pairwise-symmetric key) based authentication as the key | based on PSK (pre-shared or pairwise symmetric key) as | |||
is necessarily the same as configured in the '../client- | the key is necessarily the same as configured in the | |||
identity' node."; | '../client-identity' node."; | |||
container ca-certs { | container ca-certs { | |||
if-feature "server-auth-x509-cert"; | if-feature "server-auth-x509-cert"; | |||
presence | presence "Indicates that Certification Authority (CA) | |||
"Indicates that CA certificates have been configured. | certificates have been configured. This | |||
This statement is present so the mandatory descendant | statement is present so the mandatory | |||
nodes do not imply that this node must be configured."; | descendant nodes do not imply that this | |||
node must be configured."; | ||||
description | description | |||
"A set of certificate authority (CA) certificates used by | "A set of CA certificates used by the TLS client to | |||
the TLS client to authenticate TLS server certificates. | authenticate TLS server certificates. A server | |||
A server certificate is authenticated if it has a valid | certificate is authenticated if it has a valid chain of | |||
chain of trust to a configured CA certificate."; | trust to a configured CA certificate."; | |||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
uses ts:inline-or-truststore-certs-grouping; | uses ts:inline-or-truststore-certs-grouping; | |||
} | } | |||
container ee-certs { | container ee-certs { | |||
if-feature "server-auth-x509-cert"; | if-feature "server-auth-x509-cert"; | |||
presence | presence "Indicates that End-Entity (EE) certificates have | |||
"Indicates that EE certificates have been configured. | been configured. This statement is present so | |||
This statement is present so the mandatory descendant | the mandatory descendant nodes do not imply | |||
nodes do not imply that this node must be configured."; | that this node must be configured."; | |||
description | description | |||
"A set of server certificates (i.e., end entity | "A set of server certificates (i.e., EE certificates) used | |||
certificates) used by the TLS client to authenticate | by the TLS client to authenticate certificates presented | |||
certificates presented by TLS servers. A server | by TLS servers. A server certificate is authenticated if | |||
certificate is authenticated if it is an exact | it is an exact match to a configured server certificate."; | |||
match to a configured server certificate."; | ||||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
uses ts:inline-or-truststore-certs-grouping; | uses ts:inline-or-truststore-certs-grouping; | |||
} | } | |||
container raw-public-keys { | container raw-public-keys { | |||
if-feature "server-auth-raw-public-key"; | if-feature "server-auth-raw-public-key"; | |||
presence | presence "Indicates that raw public keys have been | |||
"Indicates that raw public keys have been configured. | configured. This statement is present so | |||
This statement is present so the mandatory descendant | the mandatory descendant nodes do not imply | |||
nodes do not imply that this node must be configured."; | that this node must be configured."; | |||
description | description | |||
"A set of raw public keys used by the TLS client to | "A set of raw public keys used by the TLS client to | |||
authenticate raw public keys presented by the TLS | authenticate raw public keys presented by the TLS | |||
server. A raw public key is authenticated if it | server. A raw public key is authenticated if it | |||
is an exact match to a configured raw public key."; | is an exact match to a configured raw public key."; | |||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
uses ts:inline-or-truststore-public-keys-grouping { | uses ts:inline-or-truststore-public-keys-grouping { | |||
refine "inline-or-truststore/inline/inline-definition/" | refine "inline-or-truststore/inline/inline-definition/" | |||
+ "public-key" { | + "public-key" { | |||
must 'derived-from-or-self(public-key-format,' | must 'derived-from-or-self(public-key-format,' | |||
+ ' "ct:subject-public-key-info-format")'; | + ' "ct:subject-public-key-info-format")'; | |||
} | } | |||
refine "inline-or-truststore/central-truststore/" | refine "inline-or-truststore/central-truststore/" | |||
+ "central-truststore-reference" { | + "central-truststore-reference" { | |||
must 'not(deref(.)/../ts:public-key/ts:public-key-' | must 'not(deref(.)/../ts:public-key/ts:public-key-' | |||
+ 'format[not(derived-from-or-self(., "ct:subject-' | + 'format[not(derived-from-or-self(., "ct:subject-' | |||
+ 'public-key-info-format"))])'; | + 'public-key-info-format"))])'; | |||
} | } | |||
} | } | |||
} | } | |||
leaf tls12-psks { | leaf tls12-psks { | |||
if-feature "server-auth-tls12-psk"; | if-feature "server-auth-tls12-psk"; | |||
type empty; | type empty; | |||
description | description | |||
"Indicates that the TLS client can authenticate TLS servers | "Indicates that the TLS client can authenticate TLS servers | |||
using configured PSKs (pre-shared or pairwise-symmetric | using configured PSKs (pre-shared or pairwise symmetric | |||
keys). | keys). | |||
No configuration is required since the PSK value is the | No configuration is required since the PSK value is the | |||
same as PSK value configured in the 'client-identity' | same as the PSK value configured in the 'client-identity' | |||
node."; | node."; | |||
} | } | |||
leaf tls13-epsks { | leaf tls13-epsks { | |||
if-feature "server-auth-tls13-epsk"; | if-feature "server-auth-tls13-epsk"; | |||
type empty; | type empty; | |||
description | description | |||
"Indicates that the TLS client can authenticate TLS servers | "Indicates that the TLS client can authenticate TLS servers | |||
using configured external PSKs (pre-shared keys). | using configured External PSKs (pre-shared keys). | |||
No configuration is required since the PSK value is the | No configuration is required since the PSK value is the | |||
same as PSK value configured in the 'client-identity' | same as the PSK value configured in the 'client-identity' | |||
node."; | node."; | |||
} | } | |||
} // container server-authentication | } // container server-authentication | |||
container hello-params { | container hello-params { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
if-feature "tlscmn:hello-params"; | if-feature "tlscmn:hello-params"; | |||
uses tlscmn:hello-params-grouping; | uses tlscmn:hello-params-grouping; | |||
description | description | |||
"Configurable parameters for the TLS hello message."; | "Configurable parameters for the TLS hello message."; | |||
} // container hello-params | } // container hello-params | |||
container keepalives { | container keepalives { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
if-feature "tls-client-keepalives"; | if-feature "tls-client-keepalives"; | |||
description | description | |||
"Configures the keepalive policy for the TLS client."; | "Configures the keepalive policy for the TLS client."; | |||
leaf peer-allowed-to-send { | leaf peer-allowed-to-send { | |||
type empty; | type empty; | |||
description | description | |||
"Indicates that the remote TLS server is allowed to send | "Indicates that the remote TLS server is allowed to send | |||
HeartbeatRequest messages, as defined by RFC 6520 | HeartbeatRequest messages, as defined by RFC 6520, | |||
to this TLS client."; | to this TLS client."; | |||
reference | reference | |||
"RFC 6520: Transport Layer Security (TLS) and Datagram | "RFC 6520: Transport Layer Security (TLS) and Datagram | |||
Transport Layer Security (DTLS) Heartbeat Extension"; | Transport Layer Security (DTLS) Heartbeat Extension"; | |||
} | } | |||
container test-peer-aliveness { | container test-peer-aliveness { | |||
presence | presence "Indicates that the TLS client proactively tests the | |||
"Indicates that the TLS client proactively tests the | aliveness of the remote TLS server."; | |||
aliveness of the remote TLS server."; | ||||
description | description | |||
"Configures the keep-alive policy to proactively test | "Configures the keepalive policy to proactively test | |||
the aliveness of the TLS server. An unresponsive | the aliveness of the TLS server. An unresponsive | |||
TLS server is dropped after approximately max-wait | TLS server is dropped after approximately max-wait | |||
* max-attempts seconds. The TLS client MUST send | * max-attempts seconds. The TLS client MUST send | |||
HeartbeatRequest messages, as defined by RFC 6520."; | HeartbeatRequest messages, as defined in RFC 6520."; | |||
reference | reference | |||
"RFC 6520: Transport Layer Security (TLS) and Datagram | "RFC 6520: Transport Layer Security (TLS) and Datagram | |||
Transport Layer Security (DTLS) Heartbeat Extension"; | Transport Layer Security (DTLS) Heartbeat Extension"; | |||
leaf max-wait { | leaf max-wait { | |||
type uint16 { | type uint16 { | |||
range "1..max"; | range "1..max"; | |||
} | } | |||
units "seconds"; | units "seconds"; | |||
default "30"; | default "30"; | |||
description | description | |||
"Sets the amount of time in seconds after which if | "Sets the amount of time in seconds, after which a | |||
no data has been received from the TLS server, a | ||||
TLS-level message will be sent to test the | TLS-level message will be sent to test the | |||
aliveness of the TLS server."; | aliveness of the TLS server if no data has been | |||
received from the TLS server."; | ||||
} | } | |||
leaf max-attempts { | leaf max-attempts { | |||
type uint8; | type uint8; | |||
default "3"; | default "3"; | |||
description | description | |||
"Sets the maximum number of sequential keep-alive | "Sets the maximum number of sequential keepalive | |||
messages that can fail to obtain a response from | messages that can fail to obtain a response from | |||
the TLS server before assuming the TLS server is | the TLS server before assuming the TLS server is | |||
no longer alive."; | no longer alive."; | |||
} | } | |||
} | } | |||
} | } | |||
} // grouping tls-client-grouping | } // grouping tls-client-grouping | |||
} | } | |||
<CODE ENDS> | <CODE ENDS> | |||
4. The "ietf-tls-server" Module | 4. The "ietf-tls-server" Module | |||
This section defines a YANG 1.1 module called "ietf-tls-server". A | This section defines a YANG 1.1 module called "ietf-tls-server". A | |||
high-level overview of the module is provided in Section 4.1. | high-level overview of the module is provided in Section 4.1. | |||
Examples illustrating the module's use are provided in Examples | Examples illustrating the module's use are provided in Section 4.2 | |||
(Section 4.2). The YANG module itself is defined in Section 4.3. | ("Example Usage"). The YANG module itself is defined in Section 4.3. | |||
4.1. Data Model Overview | 4.1. Data Model Overview | |||
This section provides an overview of the "ietf-tls-server" module in | This section provides an overview of the "ietf-tls-server" module in | |||
terms of its features and groupings. | terms of its features and groupings. | |||
4.1.1. Features | 4.1.1. Features | |||
The following diagram lists all the "feature" statements defined in | The following diagram lists all the "feature" statements defined in | |||
the "ietf-tls-server" module: | the "ietf-tls-server" module: | |||
skipping to change at page 42, line 19 ¶ | skipping to change at line 1721 ¶ | |||
(as client authentication MAY occur at a higher protocol layer), | (as client authentication MAY occur at a higher protocol layer), | |||
configures trust anchors for authenticating the TLS client, with | configures trust anchors for authenticating the TLS client, with | |||
each option enabled by a "feature" statement. | each option enabled by a "feature" statement. | |||
* The "hello-params" node, which must be enabled by a feature, | * The "hello-params" node, which must be enabled by a feature, | |||
configures parameters for the TLS sessions established by this | configures parameters for the TLS sessions established by this | |||
configuration. | configuration. | |||
* The "keepalives" node, which must be enabled by a feature, | * The "keepalives" node, which must be enabled by a feature, | |||
configures a flag enabling the TLS client to test the aliveness of | configures a flag enabling the TLS client to test the aliveness of | |||
the TLS server, as well as a "presence" container for testing the | the TLS server as well as a "presence" container to test the | |||
aliveness of the TLS client. The aliveness-tests occurs at the | aliveness of the TLS client. The aliveness-tests occur at the TLS | |||
TLS protocol layer. | protocol layer. | |||
* For the referenced grouping statement(s): | * For the referenced grouping statement(s): | |||
- The "inline-or-keystore-end-entity-cert-with-key-grouping" | - The "inline-or-keystore-end-entity-cert-with-key-grouping" | |||
grouping is discussed in Section 2.1.3.6 of | grouping is discussed in Section 2.1.3.6 of [RFC9642]. | |||
[I-D.ietf-netconf-keystore]. | ||||
- The "inline-or-keystore-asymmetric-key-grouping" grouping is | - The "inline-or-keystore-asymmetric-key-grouping" grouping is | |||
discussed in Section 2.1.3.4 of [I-D.ietf-netconf-keystore]. | discussed in Section 2.1.3.4 of [RFC9642]. | |||
- The "inline-or-keystore-symmetric-key-grouping" grouping is | - The "inline-or-keystore-symmetric-key-grouping" grouping is | |||
discussed in Section 2.1.3.3 of [I-D.ietf-netconf-keystore]. | discussed in Section 2.1.3.3 of [RFC9642]. | |||
- The "inline-or-truststore-public-keys-grouping" grouping is | - The "inline-or-truststore-public-keys-grouping" grouping is | |||
discussed in Section 2.1.3.4 of | discussed in Section 2.1.3.4 of [RFC9641]. | |||
[I-D.ietf-netconf-trust-anchors]. | ||||
- The "inline-or-truststore-certs-grouping" grouping is discussed | - The "inline-or-truststore-certs-grouping" grouping is discussed | |||
in Section 2.1.3.3 of [I-D.ietf-netconf-trust-anchors]. | in Section 2.1.3.3 of [RFC9641]. | |||
- The "hello-params-grouping" grouping is discussed in | - The "hello-params-grouping" grouping is discussed in | |||
Section 2.1.3.1 in this document. | Section 2.1.3.1 in this document. | |||
4.1.3. Protocol-accessible Nodes | 4.1.3. Protocol-Accessible Nodes | |||
The "ietf-tls-server" module defines only "grouping" statements that | The "ietf-tls-server" module defines only "grouping" statements that | |||
are used by other modules to instantiate protocol-accessible nodes. | are used by other modules to instantiate protocol-accessible nodes. | |||
Thus this module, when implemented, does not itself define any | Thus, this module does not itself define any protocol-accessible | |||
protocol-accessible nodes. | nodes when implemented. | |||
4.2. Example Usage | 4.2. Example Usage | |||
This section presents two examples showing the "tls-server-grouping" | This section presents two examples showing the "tls-server-grouping" | |||
grouping populated with some data. These examples are effectively | grouping populated with some data. These examples are effectively | |||
the same except the first configures the server identity using a | the same except the first configures the server identity using a | |||
local key while the second uses a key configured in a keystore. Both | local key while the second uses a key configured in a keystore. Both | |||
examples are consistent with the examples presented in Section 2.2.1 | examples are consistent with the examples presented in Section 2.2.1 | |||
of [I-D.ietf-netconf-trust-anchors] and Section 2.2.1 of | of [RFC9641] and Section 2.2.1 of [RFC9642]. | |||
[I-D.ietf-netconf-keystore]. | ||||
The following configuration example uses inline-definitions for the | The following configuration example uses inline-definitions for the | |||
server identity and client authentication: | server identity and client authentication: | |||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<!-- The outermost element below doesn't exist in the data model. --> | <!-- The outermost element below doesn't exist in the data model. --> | |||
<!-- It simulates if the "grouping" were a "container" instead. --> | <!-- It simulates if the "grouping" were a "container" instead. --> | |||
<tls-server | <tls-server | |||
skipping to change at page 44, line 46 ¶ | skipping to change at line 1835 ¶ | |||
</client-authentication> | </client-authentication> | |||
<keepalives> | <keepalives> | |||
<peer-allowed-to-send/> | <peer-allowed-to-send/> | |||
</keepalives> | </keepalives> | |||
</tls-server> | </tls-server> | |||
The following configuration example uses central-keystore-references | The following configuration example uses central-keystore-references | |||
for the server identity and central-truststore-references for client | for the server identity and central-truststore-references for client | |||
authentication: from the keystore: | authentication from the keystore: | |||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<!-- The outermost element below doesn't exist in the data model. --> | <!-- The outermost element below doesn't exist in the data model. --> | |||
<!-- It simulates if the "grouping" were a "container" instead. --> | <!-- It simulates if the "grouping" were a "container" instead. --> | |||
<tls-server xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-server"> | <tls-server xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-server"> | |||
<!-- how this server will authenticate itself to the client --> | <!-- how this server will authenticate itself to the client --> | |||
<server-identity> | <server-identity> | |||
skipping to change at page 45, line 48 ¶ | skipping to change at line 1880 ¶ | |||
</client-authentication> | </client-authentication> | |||
<keepalives> | <keepalives> | |||
<peer-allowed-to-send/> | <peer-allowed-to-send/> | |||
</keepalives> | </keepalives> | |||
</tls-server> | </tls-server> | |||
4.3. YANG Module | 4.3. YANG Module | |||
This YANG module has normative references to | This YANG module has normative references to [RFC4279], [RFC5280], | |||
[I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore], and | [RFC6520], [RFC7250], [RFC9640], [RFC9641], and [RFC9642] and | |||
Informative references to [RFC5246], [RFC8446], [RFC9258] and | informative references to [RFC5056], [RFC5246], [RFC8446], [RFC9258], | |||
[RFC9257]. | and [RFC9257]. | |||
<CODE BEGINS> file "ietf-tls-server@2024-03-16.yang" | <CODE BEGINS> file "ietf-tls-server@2024-03-16.yang" | |||
module ietf-tls-server { | module ietf-tls-server { | |||
yang-version 1.1; | yang-version 1.1; | |||
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server"; | namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server"; | |||
prefix tlss; | prefix tlss; | |||
import ietf-netconf-acm { | import ietf-netconf-acm { | |||
prefix nacm; | prefix nacm; | |||
reference | reference | |||
"RFC 8341: Network Configuration Access Control Model"; | "RFC 8341: Network Configuration Access Control Model"; | |||
} | } | |||
skipping to change at page 46, line 17 ¶ | skipping to change at line 1896 ¶ | |||
module ietf-tls-server { | module ietf-tls-server { | |||
yang-version 1.1; | yang-version 1.1; | |||
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server"; | namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server"; | |||
prefix tlss; | prefix tlss; | |||
import ietf-netconf-acm { | import ietf-netconf-acm { | |||
prefix nacm; | prefix nacm; | |||
reference | reference | |||
"RFC 8341: Network Configuration Access Control Model"; | "RFC 8341: Network Configuration Access Control Model"; | |||
} | } | |||
import ietf-crypto-types { | import ietf-crypto-types { | |||
prefix ct; | prefix ct; | |||
reference | reference | |||
"RFC AAAA: YANG Data Types and Groupings for Cryptography"; | "RFC 9640: YANG Data Types and Groupings for Cryptography"; | |||
} | } | |||
import ietf-truststore { | import ietf-truststore { | |||
prefix ts; | prefix ts; | |||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
} | } | |||
import ietf-keystore { | import ietf-keystore { | |||
prefix ks; | prefix ks; | |||
reference | reference | |||
"RFC CCCC: A YANG Data Model for a Keystore"; | "RFC 9642: A YANG Data Model for a Keystore"; | |||
} | } | |||
import ietf-tls-common { | import ietf-tls-common { | |||
prefix tlscmn; | prefix tlscmn; | |||
reference | reference | |||
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; | "RFC 9645: YANG Groupings for TLS Clients and TLS Servers"; | |||
} | } | |||
organization | organization | |||
"IETF NETCONF (Network Configuration) Working Group"; | "IETF NETCONF (Network Configuration) Working Group"; | |||
contact | contact | |||
"WG List: NETCONF WG list <mailto:netconf@ietf.org> | "WG List: NETCONF WG list <mailto:netconf@ietf.org> | |||
WG Web: https://datatracker.ietf.org/wg/netconf | WG Web: https://datatracker.ietf.org/wg/netconf | |||
Author: Kent Watsen <mailto:kent+ietf@watsen.net> | Author: Kent Watsen <mailto:kent+ietf@watsen.net> | |||
Author: Jeff Hartley <mailto:intensifysecurity@gmail.com>"; | Author: Jeff Hartley <mailto:intensifysecurity@gmail.com>"; | |||
description | description | |||
"This module defines reusable groupings for TLS servers that | "This module defines reusable groupings for TLS servers that | |||
can be used as a basis for specific TLS server instances. | can be used as a basis for specific TLS server instances. | |||
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | ||||
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | ||||
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document | ||||
are to be interpreted as described in BCP 14 (RFC 2119) | ||||
(RFC 8174) when, and only when, they appear in all | ||||
capitals, as shown here. | ||||
Copyright (c) 2024 IETF Trust and the persons identified | Copyright (c) 2024 IETF Trust and the persons identified | |||
as authors of the code. All rights reserved. | as authors of the code. All rights reserved. | |||
Redistribution and use in source and binary forms, with | Redistribution and use in source and binary forms, with | |||
or without modification, is permitted pursuant to, and | or without modification, is permitted pursuant to, and | |||
subject to the license terms contained in, the Revised | subject to the license terms contained in, the Revised | |||
BSD License set forth in Section 4.c of the IETF Trust's | BSD License set forth in Section 4.c of the IETF Trust's | |||
Legal Provisions Relating to IETF Documents | Legal Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info). | (https://trustee.ietf.org/license-info). | |||
This version of this YANG module is part of RFC FFFF | This version of this YANG module is part of RFC 9645 | |||
(https://www.rfc-editor.org/info/rfcFFFF); see the RFC | (https://www.rfc-editor.org/info/rfc9645); see the RFC | |||
itself for full legal notices. | itself for full legal notices."; | |||
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | ||||
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | ||||
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document | ||||
are to be interpreted as described in BCP 14 (RFC 2119) | ||||
(RFC 8174) when, and only when, they appear in all | ||||
capitals, as shown here."; | ||||
revision 2024-03-16 { | revision 2024-03-16 { | |||
description | description | |||
"Initial version"; | "Initial version."; | |||
reference | reference | |||
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; | "RFC 9645: YANG Groupings for TLS Clients and TLS Servers"; | |||
} | } | |||
// Features | // Features | |||
feature tls-server-keepalives { | feature tls-server-keepalives { | |||
description | description | |||
"Per socket TLS keepalive parameters are configurable for | "Per-socket TLS keepalive parameters are configurable for | |||
TLS servers on the server implementing this feature."; | TLS servers on the server implementing this feature."; | |||
} | } | |||
feature server-ident-x509-cert { | feature server-ident-x509-cert { | |||
description | description | |||
"Indicates that the server supports identifying itself | "Indicates that the server supports identifying itself | |||
using X.509 certificates."; | using X.509 certificates."; | |||
reference | reference | |||
"RFC 5280: | "RFC 5280: | |||
Internet X.509 Public Key Infrastructure Certificate | Internet X.509 Public Key Infrastructure Certificate | |||
skipping to change at page 48, line 4 ¶ | skipping to change at line 1973 ¶ | |||
feature server-ident-x509-cert { | feature server-ident-x509-cert { | |||
description | description | |||
"Indicates that the server supports identifying itself | "Indicates that the server supports identifying itself | |||
using X.509 certificates."; | using X.509 certificates."; | |||
reference | reference | |||
"RFC 5280: | "RFC 5280: | |||
Internet X.509 Public Key Infrastructure Certificate | Internet X.509 Public Key Infrastructure Certificate | |||
and Certificate Revocation List (CRL) Profile"; | and Certificate Revocation List (CRL) Profile"; | |||
} | } | |||
feature server-ident-raw-public-key { | feature server-ident-raw-public-key { | |||
description | description | |||
"Indicates that the server supports identifying itself | "Indicates that the server supports identifying itself | |||
using raw public keys."; | using raw public keys."; | |||
reference | reference | |||
"RFC 7250: | "RFC 7250: | |||
Using Raw Public Keys in Transport Layer Security (TLS) | Using Raw Public Keys in Transport Layer Security (TLS) | |||
and Datagram Transport Layer Security (DTLS)"; | and Datagram Transport Layer Security (DTLS)"; | |||
} | } | |||
feature server-ident-tls12-psk { | feature server-ident-tls12-psk { | |||
if-feature "tlscmn:tls12"; | if-feature "tlscmn:tls12"; | |||
description | description | |||
"Indicates that the server supports identifying itself | "Indicates that the server supports identifying itself | |||
using TLS-1.2 PSKs (pre-shared or pairwise-symmetric keys)."; | using TLS 1.2 PSKs (pre-shared or pairwise symmetric keys)."; | |||
reference | reference | |||
"RFC 4279: | "RFC 4279: | |||
Pre-Shared Key Ciphersuites for Transport Layer Security | Pre-Shared Key Ciphersuites for Transport Layer Security | |||
(TLS)"; | (TLS)"; | |||
} | } | |||
feature server-ident-tls13-epsk { | feature server-ident-tls13-epsk { | |||
if-feature "tlscmn:tls13"; | if-feature "tlscmn:tls13"; | |||
description | description | |||
"Indicates that the server supports identifying itself | "Indicates that the server supports identifying itself | |||
using TLS-1.3 External PSKs (pre-shared keys)."; | using TLS 1.3 External PSKs (pre-shared keys)."; | |||
reference | reference | |||
"RFC 8446: | "RFC 8446: | |||
The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||
} | } | |||
feature client-auth-supported { | feature client-auth-supported { | |||
description | description | |||
"Indicates that the configuration for how to authenticate | "Indicates that the configuration for how to authenticate | |||
clients can be configured herein. TLS-level client | clients can be configured herein. TLS-level client | |||
authentication may not be needed when client authentication | authentication may not be needed when client authentication | |||
skipping to change at page 49, line 4 ¶ | skipping to change at line 2022 ¶ | |||
feature client-auth-x509-cert { | feature client-auth-x509-cert { | |||
description | description | |||
"Indicates that the server supports authenticating clients | "Indicates that the server supports authenticating clients | |||
using X.509 certificates."; | using X.509 certificates."; | |||
reference | reference | |||
"RFC 5280: | "RFC 5280: | |||
Internet X.509 Public Key Infrastructure Certificate | Internet X.509 Public Key Infrastructure Certificate | |||
and Certificate Revocation List (CRL) Profile"; | and Certificate Revocation List (CRL) Profile"; | |||
} | } | |||
feature client-auth-raw-public-key { | feature client-auth-raw-public-key { | |||
description | description | |||
"Indicates that the server supports authenticating clients | "Indicates that the server supports authenticating clients | |||
using raw public keys."; | using raw public keys."; | |||
reference | reference | |||
"RFC 7250: | "RFC 7250: | |||
Using Raw Public Keys in Transport Layer Security (TLS) | Using Raw Public Keys in Transport Layer Security (TLS) | |||
and Datagram Transport Layer Security (DTLS)"; | and Datagram Transport Layer Security (DTLS)"; | |||
} | } | |||
feature client-auth-tls12-psk { | feature client-auth-tls12-psk { | |||
description | description | |||
"Indicates that the server supports authenticating clients | "Indicates that the server supports authenticating clients | |||
using PSKs (pre-shared or pairwise-symmetric keys)."; | using PSKs (pre-shared or pairwise symmetric keys)."; | |||
reference | reference | |||
"RFC 4279: | "RFC 4279: | |||
Pre-Shared Key Ciphersuites for Transport Layer Security | Pre-Shared Key Ciphersuites for Transport Layer Security | |||
(TLS)"; | (TLS)"; | |||
} | } | |||
feature client-auth-tls13-epsk { | feature client-auth-tls13-epsk { | |||
description | description | |||
"Indicates that the server supports authenticating clients | "Indicates that the server supports authenticating clients | |||
using TLS-1.3 External PSKs (pre-shared keys)."; | using TLS 1.3 External PSKs (pre-shared keys)."; | |||
reference | reference | |||
"RFC 8446: | "RFC 8446: | |||
The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||
} | } | |||
// Groupings | // Groupings | |||
grouping tls-server-grouping { | grouping tls-server-grouping { | |||
description | description | |||
"A reusable grouping for configuring a TLS server without | "A reusable grouping for configuring a TLS server without | |||
skipping to change at page 49, line 49 ¶ | skipping to change at line 2068 ¶ | |||
established. | established. | |||
Note that this grouping uses fairly typical descendant | Note that this grouping uses fairly typical descendant | |||
node names such that a stack of 'uses' statements will | node names such that a stack of 'uses' statements will | |||
have name conflicts. It is intended that the consuming | have name conflicts. It is intended that the consuming | |||
data model will resolve the issue (e.g., by wrapping | data model will resolve the issue (e.g., by wrapping | |||
the 'uses' statement in a container called | the 'uses' statement in a container called | |||
'tls-server-parameters'). This model purposely does | 'tls-server-parameters'). This model purposely does | |||
not do this itself so as to provide maximum flexibility | not do this itself so as to provide maximum flexibility | |||
to consuming models."; | to consuming models."; | |||
container server-identity { | container server-identity { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
description | description | |||
"A locally-defined or referenced end-entity certificate, | "A locally defined or referenced End-Entity (EE) certificate, | |||
including any configured intermediate certificates, the | including any configured intermediate certificates, that | |||
TLS server will present when establishing a TLS connection | the TLS server will present when establishing a TLS | |||
in its Certificate message, as defined in Section 7.4.2 | connection in its Certificate message, as defined in | |||
in RFC 5246 and Section 4.4.2 in RFC 8446."; | Section 7.4.2 of RFC 5246 and Section 4.4.2 of RFC 8446."; | |||
reference | reference | |||
"RFC 5246: The Transport Layer Security (TLS) Protocol | "RFC 5246: The Transport Layer Security (TLS) Protocol | |||
Version 1.2 | Version 1.2 | |||
RFC 8446: The Transport Layer Security (TLS) Protocol | RFC 8446: The Transport Layer Security (TLS) Protocol | |||
Version 1.3 | Version 1.3 | |||
RFC CCCC: A YANG Data Model for a Keystore"; | RFC 9642: A YANG Data Model for a Keystore"; | |||
choice auth-type { | choice auth-type { | |||
mandatory true; | mandatory true; | |||
description | description | |||
"A choice amongst authentication types, of which one must | "A choice amongst authentication types, of which one must | |||
be enabled (via its associated 'feature') and selected."; | be enabled (via its associated 'feature') and selected."; | |||
case certificate { | case certificate { | |||
if-feature "server-ident-x509-cert"; | if-feature "server-ident-x509-cert"; | |||
container certificate { | container certificate { | |||
description | description | |||
"Specifies the server identity using a certificate."; | "Specifies the server identity using a certificate."; | |||
uses | uses "ks:inline-or-keystore-end-entity-cert-with-key-" | |||
"ks:inline-or-keystore-end-entity-cert-with-key-" | + "grouping" { | |||
+ "grouping" { | ||||
refine "inline-or-keystore/inline/inline-definition" { | refine "inline-or-keystore/inline/inline-definition" { | |||
must 'not(public-key-format) or derived-from-or-self' | must 'not(public-key-format) or derived-from-or-self' | |||
+ '(public-key-format,' + ' "ct:subject-public-' | + '(public-key-format,' | |||
+ ' "ct:subject-public-' | ||||
+ 'key-info-format")'; | + 'key-info-format")'; | |||
} | } | |||
refine "inline-or-keystore/central-keystore/" | refine "inline-or-keystore/central-keystore/" | |||
+ "central-keystore-reference/asymmetric-key" { | + "central-keystore-reference/asymmetric-key" { | |||
must 'not(deref(.)/../ks:public-key-format) or ' | must 'not(deref(.)/../ks:public-key-format) or ' | |||
+ 'derived-from-or-self(deref(.)/../ks:public-key' | + 'derived-from-or-self(deref(.)/../ks:public-key' | |||
+ '-format, "ct:subject-public-key-info-format")'; | + '-format, "ct:subject-public-key-info-format")'; | |||
} | } | |||
} | } | |||
} | } | |||
} | } | |||
case raw-private-key { | case raw-private-key { | |||
if-feature "server-ident-raw-public-key"; | if-feature "server-ident-raw-public-key"; | |||
container raw-private-key { | container raw-private-key { | |||
description | description | |||
"Specifies the server identity using a raw | "Specifies the server identity using a raw | |||
private key."; | private key."; | |||
uses ks:inline-or-keystore-asymmetric-key-grouping { | uses ks:inline-or-keystore-asymmetric-key-grouping { | |||
refine "inline-or-keystore/inline/inline-definition" { | refine "inline-or-keystore/inline/inline-definition" { | |||
must 'not(public-key-format) or derived-from-or-self' | must 'not(public-key-format) or derived-from-or-self' | |||
+ '(public-key-format,' + ' "ct:subject-public-' | + '(public-key-format,' | |||
+ ' "ct:subject-public-' | ||||
+ 'key-info-format")'; | + 'key-info-format")'; | |||
} | } | |||
refine "inline-or-keystore/central-keystore/" | refine "inline-or-keystore/central-keystore/" | |||
+ "central-keystore-reference" { | + "central-keystore-reference" { | |||
must 'not(deref(.)/../ks:public-key-format) or ' | must 'not(deref(.)/../ks:public-key-format) or ' | |||
+ 'derived-from-or-self(deref(.)/../ks:public-key' | + 'derived-from-or-self(deref(.)/../ks:public-key' | |||
+ '-format, "ct:subject-public-key-info-format")'; | + '-format, "ct:subject-public-key-info-format")'; | |||
} | } | |||
} | } | |||
} | } | |||
} | } | |||
case tls12-psk { | case tls12-psk { | |||
if-feature "server-ident-tls12-psk"; | if-feature "server-ident-tls12-psk"; | |||
container tls12-psk { | container tls12-psk { | |||
description | description | |||
"Specifies the server identity using a PSK (pre-shared | "Specifies the server identity using a PSK (pre-shared | |||
or pairwise-symmetric key)."; | or pairwise symmetric key)."; | |||
uses ks:inline-or-keystore-symmetric-key-grouping; | uses ks:inline-or-keystore-symmetric-key-grouping; | |||
leaf id-hint { | leaf id-hint { | |||
type string; | type string; | |||
description | description | |||
"The key 'psk_identity_hint' value used in the TLS | "The key 'psk_identity_hint' value used in the TLS | |||
'ServerKeyExchange' message."; | 'ServerKeyExchange' message."; | |||
reference | reference | |||
"RFC 4279: Pre-Shared Key Ciphersuites for | "RFC 4279: Pre-Shared Key Ciphersuites for | |||
Transport Layer Security (TLS)"; | Transport Layer Security (TLS)"; | |||
} | } | |||
} | } | |||
} | } | |||
case tls13-epsk { | case tls13-epsk { | |||
if-feature "server-ident-tls13-epsk"; | if-feature "server-ident-tls13-epsk"; | |||
container tls13-epsk { | container tls13-epsk { | |||
description | description | |||
"An External Pre-Shared Key (EPSK) is established | "An External Pre-Shared Key (EPSK) is established | |||
or provisioned out-of-band, i.e., not from a TLS | or provisioned out of band, i.e., not from a TLS | |||
connection. An EPSK is a tuple of (Base Key, | connection. An EPSK is a tuple of (Base Key, | |||
External Identity, Hash). External PSKs MUST | External Identity, Hash). EPSKs MUST NOT be | |||
NOT be imported for (D)TLS 1.2 or prior versions. | imported for (D)TLS 1.2 or prior versions. | |||
When PSKs are provisioned out of band, the PSK | When PSKs are provisioned out of band, the PSK | |||
identity and the KDF hash algorithm to be used | identity and the KDF hash algorithm to be used | |||
with the PSK MUST also be provisioned. | with the PSK MUST also be provisioned. | |||
The structure of this container is designed to | The structure of this container is designed to | |||
satisfy the requirements of RFC 8446 Section | satisfy the requirements in Section 4.2.11 of | |||
4.2.11, the recommendations from Section 6 in | RFC 8446, the recommendations from Section 6 of | |||
RFC 9257, and the EPSK input fields detailed in | RFC 9257, and the EPSK input fields detailed in | |||
Section 5.1 in RFC 9258. The base-key is based | Section 5.1 of RFC 9258. The base-key is based | |||
upon ks:inline-or-keystore-symmetric-key-grouping | upon 'ks:inline-or-keystore-symmetric-key-grouping' | |||
in order to provide users with flexible and | in order to provide users with flexible and | |||
secure storage options."; | secure storage options."; | |||
reference | reference | |||
"RFC 8446: The Transport Layer Security (TLS) | "RFC 8446: The Transport Layer Security (TLS) | |||
Protocol Version 1.3 | Protocol Version 1.3 | |||
RFC 9257: Guidance for External Pre-Shared Key | RFC 9257: Guidance for External Pre-Shared Key | |||
(PSK) Usage in TLS | (PSK) Usage in TLS | |||
RFC 9258: Importing External Pre-Shared Keys | RFC 9258: Importing External Pre-Shared Keys | |||
(PSKs) for TLS 1.3"; | (PSKs) for TLS 1.3"; | |||
uses ks:inline-or-keystore-symmetric-key-grouping; | uses ks:inline-or-keystore-symmetric-key-grouping; | |||
leaf external-identity { | leaf external-identity { | |||
type string; | type string; | |||
mandatory true; | mandatory true; | |||
description | description | |||
"As per Section 4.2.11 of RFC 8446, and Section 4.1 | "As per Section 4.2.11 of RFC 8446 and Section 4.1 | |||
of RFC 9257, a sequence of bytes used to identify | of RFC 9257, a sequence of bytes used to identify | |||
an EPSK. A label for a pre-shared key established | an EPSK. A label for a pre-shared key established | |||
externally."; | externally."; | |||
reference | reference | |||
"RFC 8446: The Transport Layer Security (TLS) | "RFC 8446: The Transport Layer Security (TLS) | |||
Protocol Version 1.3 | Protocol Version 1.3 | |||
RFC 9257: Guidance for External Pre-Shared Key | RFC 9257: Guidance for External Pre-Shared Key | |||
(PSK) Usage in TLS"; | (PSK) Usage in TLS"; | |||
} | } | |||
leaf hash { | leaf hash { | |||
type tlscmn:epsk-supported-hash; | type tlscmn:epsk-supported-hash; | |||
default sha-256; | default "sha-256"; | |||
description | description | |||
"As per Section 4.2.11 of RFC 8446, for externally | "As per Section 4.2.11 of RFC 8446, for EPSKs, | |||
established PSKs, the Hash algorithm MUST be set | the hash algorithm MUST be set when the PSK is | |||
when the PSK is established or default to SHA-256 | established; otherwise, default to SHA-256 if | |||
if no such algorithm is defined. The server MUST | no such algorithm is defined. The server MUST | |||
ensure that it selects a compatible PSK (if any) | ensure that it selects a compatible PSK (if any) | |||
and cipher suite. Each PSK MUST only be used | and cipher suite. Each PSK MUST only be used | |||
with a single hash function."; | with a single hash function."; | |||
reference | reference | |||
"RFC 8446: The Transport Layer Security (TLS) | "RFC 8446: The Transport Layer Security (TLS) | |||
Protocol Version 1.3"; | Protocol Version 1.3"; | |||
} | } | |||
leaf context { | leaf context { | |||
type string; | type string; | |||
description | description | |||
"Per Section 5.1 of RFC 9258, context MUST include | "As per Section 5.1 of RFC 9258, context MUST | |||
the context used to determine the EPSK, if | include the context used to determine the EPSK, | |||
any exists. For example, context may include | if any exists. For example, context may include | |||
information about peer roles or identities | information about peer roles or identities | |||
to mitigate Selfie-style reflection attacks. | to mitigate Selfie-style reflection attacks. | |||
Since the EPSK is a key derived from an external | Since the EPSK is a key derived from an external | |||
protocol or sequence of protocols, context MUST | protocol or sequence of protocols, context MUST | |||
include a channel binding for the deriving | include a channel binding for the deriving | |||
protocols [RFC5056]. The details of this | protocols (see RFC 5056). The details of this | |||
binding are protocol specfic and out of scope | binding are protocol specific and out of scope | |||
for this document."; | for this document."; | |||
reference | reference | |||
"RFC 9258: Importing External Pre-Shared Keys | "RFC 9258: Importing External Pre-Shared Keys | |||
(PSKs) for TLS 1.3"; | (PSKs) for TLS 1.3"; | |||
} | } | |||
leaf target-protocol { | leaf target-protocol { | |||
type uint16; | type uint16; | |||
description | description | |||
"As per Section 3.1 of RFC 9258, the protocol | "As per Section 3.1 of RFC 9258, the protocol | |||
for which a PSK is imported for use."; | for which a PSK is imported for use."; | |||
skipping to change at page 53, line 37 ¶ | skipping to change at line 2247 ¶ | |||
"As per Section 3 of RFC 9258, the KDF for | "As per Section 3 of RFC 9258, the KDF for | |||
which a PSK is imported for use."; | which a PSK is imported for use."; | |||
reference | reference | |||
"RFC 9258: Importing External Pre-Shared Keys | "RFC 9258: Importing External Pre-Shared Keys | |||
(PSKs) for TLS 1.3"; | (PSKs) for TLS 1.3"; | |||
} | } | |||
} | } | |||
} | } | |||
} | } | |||
} // container server-identity | } // container server-identity | |||
container client-authentication { | container client-authentication { | |||
if-feature "client-auth-supported"; | if-feature "client-auth-supported"; | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
must 'ca-certs or ee-certs or raw-public-keys or tls12-psks | must "ca-certs or ee-certs or raw-public-keys or tls12-psks | |||
or tls13-epsks'; | or tls13-epsks"; | |||
presence | presence "Indicates that client authentication is supported | |||
"Indicates that client authentication is supported (i.e., | (i.e., that the server will request clients send | |||
that the server will request clients send certificates). | certificates). If not configured, the TLS server | |||
If not configured, the TLS server SHOULD NOT request the | SHOULD NOT request that TLS clients provide | |||
TLS clients provide authentication credentials."; | authentication credentials."; | |||
description | description | |||
"Specifies how the TLS server can authenticate TLS clients. | "Specifies how the TLS server can authenticate TLS clients. | |||
Any combination of credentials is additive and unordered. | Any combination of credentials is additive and unordered. | |||
Note that no configuration is required for PSK (pre-shared | Note that no configuration is required for authentication | |||
or pairwise-symmetric key) based authentication as the key | based on PSK (pre-shared or pairwise symmetric key) as the | |||
is necessarily the same as configured in the '../server- | the key is necessarily the same as configured in the | |||
identity' node."; | '../server-identity' node."; | |||
container ca-certs { | container ca-certs { | |||
if-feature "client-auth-x509-cert"; | if-feature "client-auth-x509-cert"; | |||
presence | presence "Indicates that Certification Authority (CA) | |||
"Indicates that CA certificates have been configured. | certificates have been configured. This | |||
This statement is present so the mandatory descendant | statement is present so the mandatory | |||
nodes do not imply that this node must be configured."; | descendant nodes do not imply that this node | |||
must be configured."; | ||||
description | description | |||
"A set of certificate authority (CA) certificates used by | "A set of CA certificates used by the TLS server to | |||
the TLS server to authenticate TLS client certificates. | authenticate TLS client certificates. A client | |||
A client certificate is authenticated if it has a valid | certificate is authenticated if it has a valid chain | |||
chain of trust to a configured CA certificate."; | of trust to a configured CA certificate."; | |||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
uses ts:inline-or-truststore-certs-grouping; | uses ts:inline-or-truststore-certs-grouping; | |||
} | } | |||
container ee-certs { | container ee-certs { | |||
if-feature "client-auth-x509-cert"; | if-feature "client-auth-x509-cert"; | |||
presence | presence "Indicates that EE certificates have been | |||
"Indicates that EE certificates have been configured. | configured. This statement is present so the | |||
This statement is present so the mandatory descendant | mandatory descendant nodes do not imply that | |||
nodes do not imply that this node must be configured."; | this node must be configured."; | |||
description | description | |||
"A set of client certificates (i.e., end entity | "A set of client certificates (i.e., EE certificates) | |||
certificates) used by the TLS server to authenticate | used by the TLS server to authenticate | |||
certificates presented by TLS clients. A client | certificates presented by TLS clients. A client | |||
certificate is authenticated if it is an exact | certificate is authenticated if it is an exact | |||
match to a configured client certificate."; | match to a configured client certificate."; | |||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
uses ts:inline-or-truststore-certs-grouping; | uses ts:inline-or-truststore-certs-grouping; | |||
} | } | |||
container raw-public-keys { | container raw-public-keys { | |||
if-feature "client-auth-raw-public-key"; | if-feature "client-auth-raw-public-key"; | |||
presence | presence "Indicates that raw public keys have been | |||
"Indicates that raw public keys have been configured. | configured. This statement is present so | |||
This statement is present so the mandatory descendant | the mandatory descendant nodes do not imply | |||
nodes do not imply that this node must be configured."; | that this node must be configured."; | |||
description | description | |||
"A set of raw public keys used by the TLS server to | "A set of raw public keys used by the TLS server to | |||
authenticate raw public keys presented by the TLS | authenticate raw public keys presented by the TLS | |||
client. A raw public key is authenticated if it | client. A raw public key is authenticated if it | |||
is an exact match to a configured raw public key."; | is an exact match to a configured raw public key."; | |||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
uses ts:inline-or-truststore-public-keys-grouping { | uses ts:inline-or-truststore-public-keys-grouping { | |||
refine "inline-or-truststore/inline/inline-definition/" | refine "inline-or-truststore/inline/inline-definition/" | |||
+ "public-key" { | + "public-key" { | |||
must 'derived-from-or-self(public-key-format,' | must 'derived-from-or-self(public-key-format,' | |||
+ ' "ct:subject-public-key-info-format")'; | + ' "ct:subject-public-key-info-format")'; | |||
} | } | |||
refine "inline-or-truststore/central-truststore/" | refine "inline-or-truststore/central-truststore/" | |||
+ "central-truststore-reference" { | + "central-truststore-reference" { | |||
must 'not(deref(.)/../ts:public-key/ts:public-key-' | must 'not(deref(.)/../ts:public-key/ts:public-key-' | |||
+ 'format[not(derived-from-or-self(., "ct:subject-' | + 'format[not(derived-from-or-self(., "ct:subject-' | |||
+ 'public-key-info-format"))])'; | + 'public-key-info-format"))])'; | |||
} | } | |||
} | } | |||
} | } | |||
leaf tls12-psks { | leaf tls12-psks { | |||
if-feature "client-auth-tls12-psk"; | if-feature "client-auth-tls12-psk"; | |||
type empty; | type empty; | |||
description | description | |||
"Indicates that the TLS server can authenticate TLS clients | "Indicates that the TLS server can authenticate TLS clients | |||
using configured PSKs (pre-shared or pairwise-symmetric | using configured PSKs (pre-shared or pairwise symmetric | |||
keys). | keys). | |||
No configuration is required since the PSK value is the | No configuration is required since the PSK value is the | |||
same as PSK value configured in the 'server-identity' | same as PSK value configured in the 'server-identity' | |||
node."; | node."; | |||
} | } | |||
leaf tls13-epsks { | leaf tls13-epsks { | |||
if-feature "client-auth-tls13-epsk"; | if-feature "client-auth-tls13-epsk"; | |||
type empty; | type empty; | |||
description | description | |||
"Indicates that the TLS 1.3 server can authenticate TLS | "Indicates that the TLS 1.3 server can authenticate TLS | |||
clients using configured external PSKs (pre-shared keys). | clients using configured External PSKs (pre-shared keys). | |||
No configuration is required since the PSK value is the | No configuration is required since the PSK value is the | |||
same as PSK value configured in the 'server-identity' | same as PSK value configured in the 'server-identity' | |||
node."; | node."; | |||
} | } | |||
} // container client-authentication | } // container client-authentication | |||
container hello-params { | container hello-params { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
if-feature "tlscmn:hello-params"; | if-feature "tlscmn:hello-params"; | |||
uses tlscmn:hello-params-grouping; | uses tlscmn:hello-params-grouping; | |||
description | description | |||
"Configurable parameters for the TLS hello message."; | "Configurable parameters for the TLS hello message."; | |||
} // container hello-params | } // container hello-params | |||
container keepalives { | container keepalives { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
if-feature "tls-server-keepalives"; | if-feature "tls-server-keepalives"; | |||
description | description | |||
"Configures the keepalive policy for the TLS server."; | "Configures the keepalive policy for the TLS server."; | |||
leaf peer-allowed-to-send { | leaf peer-allowed-to-send { | |||
type empty; | type empty; | |||
description | description | |||
"Indicates that the remote TLS client is allowed to send | "Indicates that the remote TLS client is allowed to send | |||
HeartbeatRequest messages, as defined by RFC 6520 | HeartbeatRequest messages, as defined by RFC 6520, | |||
to this TLS server."; | to this TLS server."; | |||
reference | reference | |||
"RFC 6520: Transport Layer Security (TLS) and Datagram | "RFC 6520: Transport Layer Security (TLS) and Datagram | |||
Transport Layer Security (DTLS) Heartbeat Extension"; | Transport Layer Security (DTLS) Heartbeat Extension"; | |||
} | } | |||
container test-peer-aliveness { | container test-peer-aliveness { | |||
presence | presence "Indicates that the TLS server proactively tests the | |||
"Indicates that the TLS server proactively tests the | aliveness of the remote TLS client."; | |||
aliveness of the remote TLS client."; | ||||
description | description | |||
"Configures the keep-alive policy to proactively test | "Configures the keepalive policy to proactively test | |||
the aliveness of the TLS client. An unresponsive | the aliveness of the TLS client. An unresponsive | |||
TLS client is dropped after approximately max-wait | TLS client is dropped after approximately max-wait | |||
* max-attempts seconds."; | * max-attempts seconds."; | |||
leaf max-wait { | leaf max-wait { | |||
type uint16 { | type uint16 { | |||
range "1..max"; | range "1..max"; | |||
} | } | |||
units "seconds"; | units "seconds"; | |||
default "30"; | default "30"; | |||
description | description | |||
"Sets the amount of time in seconds after which if | "Sets the amount of time in seconds, after which a | |||
no data has been received from the TLS client, a | ||||
TLS-level message will be sent to test the | TLS-level message will be sent to test the | |||
aliveness of the TLS client."; | aliveness of the TLS client if no data has been | |||
received from the TLS client."; | ||||
} | } | |||
leaf max-attempts { | leaf max-attempts { | |||
type uint8; | type uint8; | |||
default "3"; | default "3"; | |||
description | description | |||
"Sets the maximum number of sequential keep-alive | "Sets the maximum number of sequential keepalive | |||
messages that can fail to obtain a response from | messages that can fail to obtain a response from | |||
the TLS client before assuming the TLS client is | the TLS client before assuming the TLS client is | |||
no longer alive."; | no longer alive."; | |||
} | } | |||
} | } | |||
} // container keepalives | } // container keepalives | |||
} // grouping tls-server-grouping | } // grouping tls-server-grouping | |||
} | } | |||
<CODE ENDS> | <CODE ENDS> | |||
5. Security Considerations | 5. Security Considerations | |||
The three IETF YANG modules in this document define groupings and | The three IETF YANG modules in this document define groupings and | |||
will not be deployed as standalone modules. Their security | will not be deployed as standalone modules. Their security | |||
implications may be context dependent based on their use in other | implications may be context dependent based on their use in other | |||
modules. The designers of modules which import these grouping must | modules. The designers of modules that import these grouping must | |||
conduct their own analysis of the security considerations. | conduct their own analysis of the security considerations. | |||
5.1. Considerations for the "iana-tls-cipher-suite-algs" Module | 5.1. Considerations for the "iana-tls-cipher-suite-algs" YANG Module | |||
This section follows the template defined in Section 3.7.1 of | This section is modeled after the template defined in Section 3.7.1 | |||
[RFC8407]. | of [RFC8407]. | |||
The "iana-tls-cipher-suite-algs" YANG module defines a data model | The "iana-tls-cipher-suite-algs" YANG module defines a data model | |||
that is designed to be accessed via YANG based management protocols, | that is designed to be accessed via YANG-based management protocols, | |||
such as NETCONF [RFC6241] and RESTCONF [RFC8040]. Both of these | such as NETCONF [RFC6241] and RESTCONF [RFC8040]. These protocols | |||
protocols have mandatory-to-implement secure transport layers (e.g., | have mandatory-to-implement secure transport layers (e.g., Secure | |||
SSH, TLS) with mutual authentication. | Shell (SSH) [RFC4252], TLS [RFC8446], and QUIC [RFC9000]) and | |||
mandatory-to-implement mutual authentication. | ||||
The Network Access Control Model (NACM) [RFC8341] provides the means | The Network Configuration Access Control Model (NACM) [RFC8341] | |||
to restrict access for particular users to a pre-configured subset of | provides the means to restrict access for particular users to a | |||
all available protocol operations and content. | preconfigured subset of all available protocol operations and | |||
content. | ||||
This YANG module defines YANG enumerations, for a public IANA- | This YANG module defines YANG enumerations, for a public IANA- | |||
maintained registry. | maintained registry. | |||
YANG enumerations are not security-sensitive, as they are statically | YANG enumerations are not security-sensitive, as they are statically | |||
defined in the publicly-accessible YANG module. IANA MAY deprecate | defined in the publicly accessible YANG module. IANA MAY deprecate | |||
and/or obsolete enumerations over time as needed to address security | and/or obsolete enumerations over time as needed to address security | |||
issues found in the algorithms. | issues found in the algorithms. | |||
This module does not define any writable-nodes, RPCs, actions, or | This module does not define any writable nodes, RPCs, actions, or | |||
notifications, and thus the security consideration for such is not | notifications, and thus the security considerations for such are not | |||
provided here. | provided here. | |||
5.2. Considerations for the "ietf-tls-common" YANG Module | 5.2. Considerations for the "ietf-tls-common" YANG Module | |||
This section follows the template defined in Section 3.7.1 of | This section is modeled after the template defined in Section 3.7.1 | |||
[RFC8407]. | of [RFC8407]. | |||
The "ietf-tls-common" YANG module defines "grouping" statements that | The "ietf-tls-common" YANG module defines a data model that is | |||
are designed to be accessed via YANG based management protocols, such | designed to be accessed via YANG-based management protocols, such as | |||
as NETCONF [RFC6241] and RESTCONF [RFC8040]. Both of these protocols | NETCONF [RFC6241] and RESTCONF [RFC8040]. These protocols have | |||
have mandatory-to-implement secure transport layers (e.g., SSH, TLS) | mandatory-to-implement secure transport layers (e.g., Secure Shell | |||
with mutual authentication. | (SSH) [RFC4252], TLS [RFC8446], and QUIC [RFC9000]) and mandatory-to- | |||
implement mutual authentication. | ||||
The Network Access Control Model (NACM) [RFC8341] provides the means | The Network Configuration Access Control Model (NACM) [RFC8341] | |||
to restrict access for particular users to a pre-configured subset of | provides the means to restrict access for particular users to a | |||
all available protocol operations and content. | preconfigured subset of all available protocol operations and | |||
content. | ||||
Please be aware that this YANG module uses groupings from other YANG | Please be aware that this YANG module uses groupings from other YANG | |||
modules that define nodes that may be considered sensitive or | modules that define nodes that may be considered sensitive or | |||
vulnerable in network environments. Please review the Security | vulnerable in network environments. Please review the Security | |||
Considerations for dependent YANG modules for information as to which | Considerations for dependent YANG modules for information as to which | |||
nodes may be considered sensitive or vulnerable in network | nodes may be considered sensitive or vulnerable in network | |||
environments. | environments. | |||
None of the readable data nodes defined in this YANG module are | None of the readable data nodes defined in this YANG module are | |||
considered sensitive or vulnerable in network environments. The NACM | considered sensitive or vulnerable in network environments. The NACM | |||
"default-deny-all" extension has not been set for any data nodes | "default-deny-all" extension has not been set for any data nodes | |||
defined in this module. | defined in this module. | |||
None of the writable data nodes defined in this YANG module are | None of the writable data nodes defined in this YANG module are | |||
considered sensitive or vulnerable in network environments. The NACM | considered sensitive or vulnerable in network environments. The NACM | |||
"default-deny-write" extension has not been set for any data nodes | "default-deny-write" extension has not been set for any data nodes | |||
defined in this module. | defined in this module. | |||
This module defines the RPC "generate-asymmetric-key-pair" that may, | This module defines the "generate-asymmetric-key-pair" RPC that may, | |||
if the "ct:cleartext-private-keys" feature is enabled, and the client | if the "ct:cleartext-private-keys" feature is enabled and the client | |||
requests it, return the private clear in cleartext form. It is NOT | requests it, return the private clear in cleartext form. It is NOT | |||
RECOMMENDED for private keys to pass the server's security perimeter. | RECOMMENDED for private keys to pass the server's security perimeter. | |||
This module does not define any actions or notifications, and thus | This module does not define any actions or notifications, and thus | |||
the security consideration for such is not provided here. | the security considerations for such are not provided here. | |||
5.3. Considerations for the "ietf-tls-client" YANG Module | 5.3. Considerations for the "ietf-tls-client" YANG Module | |||
This section follows the template defined in Section 3.7.1 of | This section is modeled after the template defined in Section 3.7.1 | |||
[RFC8407]. | of [RFC8407]. | |||
The "ietf-tls-client" YANG module defines "grouping" statements that | The "ietf-tls-client" YANG module defines a data model that is | |||
are designed to be accessed via YANG based management protocols, such | designed to be accessed via YANG-based management protocols, such as | |||
as NETCONF [RFC6241] and RESTCONF [RFC8040]. Both of these protocols | NETCONF [RFC6241] and RESTCONF [RFC8040]. These protocols have | |||
have mandatory-to-implement secure transport layers (e.g., SSH, TLS) | mandatory-to-implement secure transport layers (e.g., Secure Shell | |||
with mutual authentication. | (SSH) [RFC4252], TLS [RFC8446], and QUIC [RFC9000]) and mandatory-to- | |||
implement mutual authentication. | ||||
The Network Access Control Model (NACM) [RFC8341] provides the means | The Network Configuration Access Control Model (NACM) [RFC8341] | |||
to restrict access for particular users to a pre-configured subset of | provides the means to restrict access for particular users to a | |||
all available protocol operations and content. | preconfigured subset of all available protocol operations and | |||
content. | ||||
Please be aware that this YANG module uses groupings from other YANG | Please be aware that this YANG module uses groupings from other YANG | |||
modules that define nodes that may be considered sensitive or | modules that define nodes that may be considered sensitive or | |||
vulnerable in network environments. Please review the Security | vulnerable in network environments. Please review the Security | |||
Considerations for dependent YANG modules for information as to which | Considerations for dependent YANG modules for information as to which | |||
nodes may be considered sensitive or vulnerable in network | nodes may be considered sensitive or vulnerable in network | |||
environments. | environments. | |||
None of the readable data nodes defined in this YANG module are | None of the readable data nodes defined in this YANG module are | |||
considered sensitive or vulnerable in network environments. The NACM | considered sensitive or vulnerable in network environments. The NACM | |||
skipping to change at page 59, line 25 ¶ | skipping to change at line 2522 ¶ | |||
defined in this module. | defined in this module. | |||
All the writable data nodes defined by this module may be considered | All the writable data nodes defined by this module may be considered | |||
sensitive or vulnerable in some network environments. For instance, | sensitive or vulnerable in some network environments. For instance, | |||
any modification to a key or reference to a key may dramatically | any modification to a key or reference to a key may dramatically | |||
alter the implemented security policy. For this reason, the NACM | alter the implemented security policy. For this reason, the NACM | |||
extension "default-deny-write" has been set for all data nodes | extension "default-deny-write" has been set for all data nodes | |||
defined in this module. | defined in this module. | |||
This module does not define any RPCs, actions, or notifications, and | This module does not define any RPCs, actions, or notifications, and | |||
thus the security consideration for such is not provided here. | thus the security considerations for such are not provided here. | |||
5.4. Considerations for the "ietf-tls-server" YANG Module | 5.4. Considerations for the "ietf-tls-server" YANG Module | |||
This section follows the template defined in Section 3.7.1 of | This section is modeled after the template defined in Section 3.7.1 | |||
[RFC8407]. | of [RFC8407]. | |||
The "ietf-tls-server" YANG module defines "grouping" statements that | The "ietf-tls-server" YANG module defines a data model that is | |||
are designed to be accessed via YANG based management protocols, such | designed to be accessed via YANG-based management protocols, such as | |||
as NETCONF [RFC6241] and RESTCONF [RFC8040]. Both of these protocols | NETCONF [RFC6241] and RESTCONF [RFC8040]. These protocols have | |||
have mandatory-to-implement secure transport layers (e.g., SSH, TLS) | mandatory-to-implement secure transport layers (e.g., Secure Shell | |||
with mutual authentication. | (SSH) [RFC4252], TLS [RFC8446], and QUIC [RFC9000]) and mandatory-to- | |||
implement mutual authentication. | ||||
The Network Access Control Model (NACM) [RFC8341] provides the means | The Network Configuration Access Control Model (NACM) [RFC8341] | |||
to restrict access for particular users to a pre-configured subset of | provides the means to restrict access for particular users to a | |||
all available protocol operations and content. | preconfigured subset of all available protocol operations and | |||
content. | ||||
Please be aware that this YANG module uses groupings from other YANG | Please be aware that this YANG module uses groupings from other YANG | |||
modules that define nodes that may be considered sensitive or | modules that define nodes that may be considered sensitive or | |||
vulnerable in network environments. Please review the Security | vulnerable in network environments. Please review the Security | |||
Considerations for dependent YANG modules for information as to which | Considerations for dependent YANG modules for information as to which | |||
nodes may be considered sensitive or vulnerable in network | nodes may be considered sensitive or vulnerable in network | |||
environments. | environments. | |||
None of the readable data nodes defined in this YANG module are | None of the readable data nodes defined in this YANG module are | |||
considered sensitive or vulnerable in network environments. The NACM | considered sensitive or vulnerable in network environments. The NACM | |||
"default-deny-all" extension has not been set for any data nodes | "default-deny-all" extension has not been set for any data nodes | |||
defined in this module. | defined in this module. | |||
Please be aware that this module uses the "key" and "private-key" | Please be aware that this module uses the "key" and "private-key" | |||
nodes from the "ietf-crypto-types" module | nodes from the "ietf-crypto-types" module [RFC9640], where said nodes | |||
[I-D.ietf-netconf-crypto-types], where said nodes have the NACM | have the NACM extension "default-deny-all" set, thus preventing | |||
extension "default-deny-all" set, thus preventing unrestricted read- | unrestricted read access to the cleartext key values. | |||
access to the cleartext key values. | ||||
All the writable data nodes defined by this module may be considered | All the writable data nodes defined by this module may be considered | |||
sensitive or vulnerable in some network environments. For instance, | sensitive or vulnerable in some network environments. For instance, | |||
any modification to a key or reference to a key may dramatically | any modification to a key or reference to a key may dramatically | |||
alter the implemented security policy. For this reason, the NACM | alter the implemented security policy. For this reason, the NACM | |||
extension "default-deny-write" has been set for all data nodes | extension "default-deny-write" has been set for all data nodes | |||
defined in this module. | defined in this module. | |||
This module does not define any RPCs, actions, or notifications, and | This module does not define any RPCs, actions, or notifications, and | |||
thus the security consideration for such is not provided here. | thus the security considerations for such are not provided here. | |||
6. IANA Considerations | 6. IANA Considerations | |||
6.1. The "IETF XML" Registry | 6.1. The IETF XML Registry | |||
This document registers four URIs in the "ns" subregistry of the IETF | IANA has registered the following four URIs in the "ns" registry of | |||
XML Registry [RFC3688]. Following the format in [RFC3688], the | the "IETF XML Registry" [RFC3688]. | |||
following registrations are requested: | ||||
URI: urn:ietf:params:xml:ns:yang:iana-tls-cipher-suite-algs | URI: urn:ietf:params:xml:ns:yang:iana-tls-cipher-suite-algs | |||
Registrant Contact: The IESG | Registrant Contact: The IESG | |||
XML: N/A, the requested URI is an XML namespace. | XML: N/A; the requested URI is an XML namespace. | |||
URI: urn:ietf:params:xml:ns:yang:ietf-tls-common | URI: urn:ietf:params:xml:ns:yang:ietf-tls-common | |||
Registrant Contact: The IESG | Registrant Contact: The IESG | |||
XML: N/A, the requested URI is an XML namespace. | XML: N/A; the requested URI is an XML namespace. | |||
URI: urn:ietf:params:xml:ns:yang:ietf-tls-client | URI: urn:ietf:params:xml:ns:yang:ietf-tls-client | |||
Registrant Contact: The IESG | Registrant Contact: The IESG | |||
XML: N/A, the requested URI is an XML namespace. | XML: N/A; the requested URI is an XML namespace. | |||
URI: urn:ietf:params:xml:ns:yang:ietf-tls-server | URI: urn:ietf:params:xml:ns:yang:ietf-tls-server | |||
Registrant Contact: The IESG | Registrant Contact: The IESG | |||
XML: N/A, the requested URI is an XML namespace. | XML: N/A; the requested URI is an XML namespace. | |||
6.2. The "YANG Module Names" Registry | 6.2. The YANG Module Names Registry | |||
This document registers four YANG modules in the YANG Module Names | IANA has registered the following four YANG modules in the "YANG | |||
registry [RFC6020]. Following the format in [RFC6020], the following | Module Names" registry [RFC6020]. | |||
registrations are requested: | ||||
name: iana-tls-cipher-suite-algs | name: iana-tls-cipher-suite-algs | |||
namespace: urn:ietf:params:xml:ns:yang:iana-tls-cipher-suite-algs | Maintained by IANA: Y | |||
prefix: tlscsa | namespace: urn:ietf:params:xml:ns:yang:iana-tls-cipher-suite-algs | |||
reference: RFC FFFF | prefix: tlscsa | |||
reference: RFC 9645 | ||||
name: ietf-tls-common | name: ietf-tls-common | |||
namespace: urn:ietf:params:xml:ns:yang:ietf-tls-common | Maintained by IANA: N | |||
prefix: tlscmn | namespace: urn:ietf:params:xml:ns:yang:ietf-tls-common | |||
reference: RFC FFFF | prefix: tlscmn | |||
reference: RFC 9645 | ||||
name: ietf-tls-client | name: ietf-tls-client | |||
namespace: urn:ietf:params:xml:ns:yang:ietf-tls-client | Maintained by IANA: N | |||
prefix: tlsc | namespace: urn:ietf:params:xml:ns:yang:ietf-tls-client | |||
reference: RFC FFFF | prefix: tlsc | |||
reference: RFC 9645 | ||||
name: ietf-tls-server | name: ietf-tls-server | |||
namespace: urn:ietf:params:xml:ns:yang:ietf-tls-server | Maintained by IANA: N | |||
prefix: tlss | namespace: urn:ietf:params:xml:ns:yang:ietf-tls-server | |||
reference: RFC FFFF | prefix: tlss | |||
reference: RFC 9645 | ||||
6.3. Considerations for the "iana-tls-cipher-suite-algs" Module | 6.3. Considerations for the "iana-tls-cipher-suite-algs" YANG Module | |||
This section follows the template defined in Section 4.30.3.1 of | This section follows the template defined in Section 4.30.3.1 of | |||
[I-D.ietf-netmod-rfc8407bis]. | [RFC8407BIS]. | |||
This document presents a script (see Appendix A) for IANA to use to | IANA used the script in Appendix A to generate the IANA-maintained | |||
generate the IANA-maintained "iana-tls-cipher-suite-algs" YANG | "iana-tls-cipher-suite-algs" YANG module. The YANG module is | |||
module. The most recent version of the YANG module is available from | available from the "YANG Parameters" registry [IANA-YANG-PARAMETERS]. | |||
the "YANG Parameters" registry [IANA-YANG-PARAMETERS]. | ||||
IANA is requested to add the following note to the registry: | IANA has added the following note to the registry: | |||
| New values must not be directly added to the "iana-tls-cipher- | | New values must not be directly added to the "iana-tls-cipher- | |||
| suite-algs" YANG module. They must instead be added to the "TLS | | suite-algs" YANG module. They must instead be added to the "TLS | |||
| Cipher Suites" sub-registry of the "Transport Layer Security (TLS) | | Cipher Suites" registry in the "Transport Layer Security (TLS) | |||
| Parameters" registry [IANA-CIPHER-ALGS]. | | Parameters" registry group [IANA-CIPHER-ALGS]. | |||
When a value is added to the "TLS Cipher Suites" sub-registry, a new | When a value is added to the "TLS Cipher Suites" registry, a new | |||
"enum" statement must be added to the "iana-tls-cipher-suite-algs" | "enum" statement must be added to the "iana-tls-cipher-suite-algs" | |||
YANG module. The "enum" statement, and sub-statements thereof, | YANG module. The "enum" statement, and substatements thereof, should | |||
should be defined as follows: | be defined as follows: | |||
enum | enum | |||
Replicates a name from the registry. | Replicates a name from the registry. | |||
value | value | |||
Contains the decimal value of the IANA-assigned value. | Contains the decimal value of the IANA-assigned value. | |||
status | status | |||
Include only if a registration has been deprecated or obsoleted. | Include only if a registration has been deprecated or obsoleted. | |||
An IANA "Recommended" maps to YANG status "deprecated". Since the | An IANA "Recommended" value "N" maps to YANG status "deprecated". | |||
registry is unable to express a logical "MUST NOT" recommendation, | Since the registry is unable to express a logical "MUST NOT" | |||
there is no mapping to YANG status "obsolete", which is | recommendation, there is no mapping to YANG status "obsolete", | |||
unfortunate given Moving single-DES and IDEA TLS ciphersuites to | which is unfortunate given the moving of single-DES and | |||
Historic (https://datatracker.ietf.org/doc/status-change-tls-des- | International Data Encryption Algorithm (IDEA) TLS cipher suites | |||
idea-ciphers-to-historic) . | to Historic [RFC8996]. | |||
description | description | |||
Contains "Enumeration for the 'TLS_FOO' algorithm.", where | Contains "Enumeration for the 'TLS_FOO' algorithm", where | |||
"TLS_FOO" is a placeholder for the algorithm's name (e.g., | "TLS_FOO" is a placeholder for the algorithm's name (e.g., | |||
"TLS_PSK_WITH_AES_256_CBC_SHA"). | "TLS_PSK_WITH_AES_256_CBC_SHA"). | |||
reference | reference | |||
Replicates the reference(s) from the registry with the title of | Replicates the reference(s) from the registry with the title of | |||
the document(s) added. | the document(s) added. | |||
Unassigned or reserved values are not present in the module. | Unassigned or reserved values are not present in the module. | |||
When the "iana-tls-cipher-suite-algs" YANG module is updated, a new | When the "iana-tls-cipher-suite-algs" YANG module is updated, a new | |||
"revision" statement with a unique revision date must be added in | "revision" statement with a unique revision date must be added in | |||
front of the existing revision statements. The "revision" must have | front of the existing revision statements. The "revision" must have | |||
a "description" statement explaining why the the update occurred, and | a "description" statement explaining why the the update occurred and | |||
must have a "reference" substatement that points to the document | must have a "reference" substatement that points to the document | |||
defining the registry update that resulted in this change. For | defining the registry update that resulted in this change. For | |||
instance: | instance: | |||
revision 2024-02-02 { | revision 2024-02-02 { | |||
description | description | |||
"This update reflect the update made to the underlying | "This update reflects the update made to the underlying | |||
Foo Bar registry per RFC XXXX."; | 'Foo Bar' registry per RFC XXXX."; | |||
reference | reference | |||
"RFC XXXX: Extend the Foo Bars Registry | "RFC XXXX: Extend the Foo Bar Registry | |||
to Support Something Important"; | to Support Something Important"; | |||
} | } | |||
IANA is requested to add the following note to the "TLS Cipher | IANA has added the following note to the "TLS Cipher Suites" registry | |||
Suites" sub-registry of the "Transport Layer Security (TLS) | under the "Transport Layer Security (TLS) Parameters" registry group | |||
Parameters" registry [IANA-CIPHER-ALGS]. | [IANA-CIPHER-ALGS]. | |||
| When this registry is modified, the YANG module "iana-tls-cipher- | | When this registry is modified, the YANG module "iana-tls-cipher- | |||
| suite-algs" [IANA-YANG-PARAMETERS] must be updated as defined in | | suite-algs" [IANA-YANG-PARAMETERS] must be updated as defined in | |||
| RFC FFFF. | | RFC 9645. | |||
An initial version of this module can be found in Appendix A.1. | ||||
7. References | 7. References | |||
7.1. Normative References | ||||
[I-D.ietf-netconf-crypto-types] | 7.1. Normative References | |||
Watsen, K., "YANG Data Types and Groupings for | ||||
Cryptography", Work in Progress, Internet-Draft, draft- | ||||
ietf-netconf-crypto-types-33, 1 March 2024, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | ||||
crypto-types-33>. | ||||
[I-D.ietf-netconf-keystore] | [FIPS180-4] | |||
Watsen, K., "A YANG Data Model for a Keystore and Keystore | National Institute of Standards and Technology (NIST), | |||
Operations", Work in Progress, Internet-Draft, draft-ietf- | "Secure Hash Standard (SHS)", FIPS PUB 180-4, | |||
netconf-keystore-34, 1 March 2024, | DOI 10.6028/NIST.FIPS.180-4, August 2015, | |||
<https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | <https://nvlpubs.nist.gov/nistpubs/FIPS/ | |||
keystore-34>. | NIST.FIPS.180-4.pdf>. | |||
[I-D.ietf-netconf-trust-anchors] | [FIPS186-5] | |||
Watsen, K., "A YANG Data Model for a Truststore", Work in | National Institute of Standards and Technology (NIST), | |||
Progress, Internet-Draft, draft-ietf-netconf-trust- | "Digital Signature Standard (DSS)", FIPS 186-5, | |||
anchors-27, 1 March 2024, | DOI 10.6028/NIST.FIPS.186-5, February 2023, | |||
<https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | <https://nvlpubs.nist.gov/nistpubs/FIPS/ | |||
trust-anchors-27>. | NIST.FIPS.186-5.pdf>. | |||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
<https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
[RFC2712] Medvinsky, A. and M. Hur, "Addition of Kerberos Cipher | [RFC4252] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) | |||
Suites to Transport Layer Security (TLS)", RFC 2712, | Authentication Protocol", RFC 4252, DOI 10.17487/RFC4252, | |||
DOI 10.17487/RFC2712, October 1999, | January 2006, <https://www.rfc-editor.org/info/rfc4252>. | |||
<https://www.rfc-editor.org/info/rfc2712>. | ||||
[RFC4162] Lee, H.J., Yoon, J.H., and J.I. Lee, "Addition of SEED | ||||
Cipher Suites to Transport Layer Security (TLS)", | ||||
RFC 4162, DOI 10.17487/RFC4162, August 2005, | ||||
<https://www.rfc-editor.org/info/rfc4162>. | ||||
[RFC4279] Eronen, P., Ed. and H. Tschofenig, Ed., "Pre-Shared Key | [RFC4279] Eronen, P., Ed. and H. Tschofenig, Ed., "Pre-Shared Key | |||
Ciphersuites for Transport Layer Security (TLS)", | Ciphersuites for Transport Layer Security (TLS)", | |||
RFC 4279, DOI 10.17487/RFC4279, December 2005, | RFC 4279, DOI 10.17487/RFC4279, December 2005, | |||
<https://www.rfc-editor.org/info/rfc4279>. | <https://www.rfc-editor.org/info/rfc4279>. | |||
[RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security | [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | |||
(TLS) Protocol Version 1.1", RFC 4346, | Housley, R., and W. Polk, "Internet X.509 Public Key | |||
DOI 10.17487/RFC4346, April 2006, | Infrastructure Certificate and Certificate Revocation List | |||
<https://www.rfc-editor.org/info/rfc4346>. | (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | |||
<https://www.rfc-editor.org/info/rfc5280>. | ||||
[RFC4785] Blumenthal, U. and P. Goel, "Pre-Shared Key (PSK) | ||||
Ciphersuites with NULL Encryption for Transport Layer | ||||
Security (TLS)", RFC 4785, DOI 10.17487/RFC4785, January | ||||
2007, <https://www.rfc-editor.org/info/rfc4785>. | ||||
[RFC5054] Taylor, D., Wu, T., Mavrogiannopoulos, N., and T. Perrin, | ||||
"Using the Secure Remote Password (SRP) Protocol for TLS | ||||
Authentication", RFC 5054, DOI 10.17487/RFC5054, November | ||||
2007, <https://www.rfc-editor.org/info/rfc5054>. | ||||
[RFC5288] Salowey, J., Choudhury, A., and D. McGrew, "AES Galois | [RFC5288] Salowey, J., Choudhury, A., and D. McGrew, "AES Galois | |||
Counter Mode (GCM) Cipher Suites for TLS", RFC 5288, | Counter Mode (GCM) Cipher Suites for TLS", RFC 5288, | |||
DOI 10.17487/RFC5288, August 2008, | DOI 10.17487/RFC5288, August 2008, | |||
<https://www.rfc-editor.org/info/rfc5288>. | <https://www.rfc-editor.org/info/rfc5288>. | |||
[RFC5289] Rescorla, E., "TLS Elliptic Curve Cipher Suites with SHA- | [RFC5289] Rescorla, E., "TLS Elliptic Curve Cipher Suites with SHA- | |||
256/384 and AES Galois Counter Mode (GCM)", RFC 5289, | 256/384 and AES Galois Counter Mode (GCM)", RFC 5289, | |||
DOI 10.17487/RFC5289, August 2008, | DOI 10.17487/RFC5289, August 2008, | |||
<https://www.rfc-editor.org/info/rfc5289>. | <https://www.rfc-editor.org/info/rfc5289>. | |||
[RFC5469] Eronen, P., Ed., "DES and IDEA Cipher Suites for Transport | ||||
Layer Security (TLS)", RFC 5469, DOI 10.17487/RFC5469, | ||||
February 2009, <https://www.rfc-editor.org/info/rfc5469>. | ||||
[RFC5487] Badra, M., "Pre-Shared Key Cipher Suites for TLS with SHA- | ||||
256/384 and AES Galois Counter Mode", RFC 5487, | ||||
DOI 10.17487/RFC5487, March 2009, | ||||
<https://www.rfc-editor.org/info/rfc5487>. | ||||
[RFC5489] Badra, M. and I. Hajjeh, "ECDHE_PSK Cipher Suites for | ||||
Transport Layer Security (TLS)", RFC 5489, | ||||
DOI 10.17487/RFC5489, March 2009, | ||||
<https://www.rfc-editor.org/info/rfc5489>. | ||||
[RFC5746] Rescorla, E., Ray, M., Dispensa, S., and N. Oskov, | ||||
"Transport Layer Security (TLS) Renegotiation Indication | ||||
Extension", RFC 5746, DOI 10.17487/RFC5746, February 2010, | ||||
<https://www.rfc-editor.org/info/rfc5746>. | ||||
[RFC5932] Kato, A., Kanda, M., and S. Kanno, "Camellia Cipher Suites | ||||
for TLS", RFC 5932, DOI 10.17487/RFC5932, June 2010, | ||||
<https://www.rfc-editor.org/info/rfc5932>. | ||||
[RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for | [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for | |||
the Network Configuration Protocol (NETCONF)", RFC 6020, | the Network Configuration Protocol (NETCONF)", RFC 6020, | |||
DOI 10.17487/RFC6020, October 2010, | DOI 10.17487/RFC6020, October 2010, | |||
<https://www.rfc-editor.org/info/rfc6020>. | <https://www.rfc-editor.org/info/rfc6020>. | |||
[RFC6209] Kim, W., Lee, J., Park, J., and D. Kwon, "Addition of the | [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., | |||
ARIA Cipher Suites to Transport Layer Security (TLS)", | and A. Bierman, Ed., "Network Configuration Protocol | |||
RFC 6209, DOI 10.17487/RFC6209, April 2011, | (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, | |||
<https://www.rfc-editor.org/info/rfc6209>. | <https://www.rfc-editor.org/info/rfc6241>. | |||
[RFC6367] Kanno, S. and M. Kanda, "Addition of the Camellia Cipher | ||||
Suites to Transport Layer Security (TLS)", RFC 6367, | ||||
DOI 10.17487/RFC6367, September 2011, | ||||
<https://www.rfc-editor.org/info/rfc6367>. | ||||
[RFC6655] McGrew, D. and D. Bailey, "AES-CCM Cipher Suites for | ||||
Transport Layer Security (TLS)", RFC 6655, | ||||
DOI 10.17487/RFC6655, July 2012, | ||||
<https://www.rfc-editor.org/info/rfc6655>. | ||||
[RFC7251] McGrew, D., Bailey, D., Campagna, M., and R. Dugal, "AES- | [RFC6520] Seggelmann, R., Tuexen, M., and M. Williams, "Transport | |||
CCM Elliptic Curve Cryptography (ECC) Cipher Suites for | Layer Security (TLS) and Datagram Transport Layer Security | |||
TLS", RFC 7251, DOI 10.17487/RFC7251, June 2014, | (DTLS) Heartbeat Extension", RFC 6520, | |||
<https://www.rfc-editor.org/info/rfc7251>. | DOI 10.17487/RFC6520, February 2012, | |||
<https://www.rfc-editor.org/info/rfc6520>. | ||||
[RFC7507] Moeller, B. and A. Langley, "TLS Fallback Signaling Cipher | [RFC7250] Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J., | |||
Suite Value (SCSV) for Preventing Protocol Downgrade | Weiler, S., and T. Kivinen, "Using Raw Public Keys in | |||
Attacks", RFC 7507, DOI 10.17487/RFC7507, April 2015, | Transport Layer Security (TLS) and Datagram Transport | |||
<https://www.rfc-editor.org/info/rfc7507>. | Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250, | |||
June 2014, <https://www.rfc-editor.org/info/rfc7250>. | ||||
[RFC7589] Badra, M., Luchuk, A., and J. Schoenwaelder, "Using the | [RFC7589] Badra, M., Luchuk, A., and J. Schoenwaelder, "Using the | |||
NETCONF Protocol over Transport Layer Security (TLS) with | NETCONF Protocol over Transport Layer Security (TLS) with | |||
Mutual X.509 Authentication", RFC 7589, | Mutual X.509 Authentication", RFC 7589, | |||
DOI 10.17487/RFC7589, June 2015, | DOI 10.17487/RFC7589, June 2015, | |||
<https://www.rfc-editor.org/info/rfc7589>. | <https://www.rfc-editor.org/info/rfc7589>. | |||
[RFC7905] Langley, A., Chang, W., Mavrogiannopoulos, N., | ||||
Strombergson, J., and S. Josefsson, "ChaCha20-Poly1305 | ||||
Cipher Suites for Transport Layer Security (TLS)", | ||||
RFC 7905, DOI 10.17487/RFC7905, June 2016, | ||||
<https://www.rfc-editor.org/info/rfc7905>. | ||||
[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", | [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", | |||
RFC 7950, DOI 10.17487/RFC7950, August 2016, | RFC 7950, DOI 10.17487/RFC7950, August 2016, | |||
<https://www.rfc-editor.org/info/rfc7950>. | <https://www.rfc-editor.org/info/rfc7950>. | |||
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF | ||||
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, | ||||
<https://www.rfc-editor.org/info/rfc8040>. | ||||
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
[RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration | [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration | |||
Access Control Model", STD 91, RFC 8341, | Access Control Model", STD 91, RFC 8341, | |||
DOI 10.17487/RFC8341, March 2018, | DOI 10.17487/RFC8341, March 2018, | |||
<https://www.rfc-editor.org/info/rfc8341>. | <https://www.rfc-editor.org/info/rfc8341>. | |||
[RFC8422] Nir, Y., Josefsson, S., and M. Pegourie-Gonnard, "Elliptic | [RFC8422] Nir, Y., Josefsson, S., and M. Pegourie-Gonnard, "Elliptic | |||
Curve Cryptography (ECC) Cipher Suites for Transport Layer | Curve Cryptography (ECC) Cipher Suites for Transport Layer | |||
Security (TLS) Versions 1.2 and Earlier", RFC 8422, | Security (TLS) Versions 1.2 and Earlier", RFC 8422, | |||
DOI 10.17487/RFC8422, August 2018, | DOI 10.17487/RFC8422, August 2018, | |||
<https://www.rfc-editor.org/info/rfc8422>. | <https://www.rfc-editor.org/info/rfc8422>. | |||
[RFC8442] Mattsson, J. and D. Migault, "ECDHE_PSK with AES-GCM and | ||||
AES-CCM Cipher Suites for TLS 1.2 and DTLS 1.2", RFC 8442, | ||||
DOI 10.17487/RFC8442, September 2018, | ||||
<https://www.rfc-editor.org/info/rfc8442>. | ||||
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | |||
<https://www.rfc-editor.org/info/rfc8446>. | <https://www.rfc-editor.org/info/rfc8446>. | |||
[RFC8492] Harkins, D., Ed., "Secure Password Ciphersuites for | [RFC9000] Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based | |||
Transport Layer Security (TLS)", RFC 8492, | Multiplexed and Secure Transport", RFC 9000, | |||
DOI 10.17487/RFC8492, February 2019, | DOI 10.17487/RFC9000, May 2021, | |||
<https://www.rfc-editor.org/info/rfc8492>. | <https://www.rfc-editor.org/info/rfc9000>. | |||
[RFC8998] Yang, P., "ShangMi (SM) Cipher Suites for TLS 1.3", | [RFC9640] Watsen, K., "YANG Data Types and Groupings for | |||
RFC 8998, DOI 10.17487/RFC8998, March 2021, | Cryptography", RFC 9640, DOI 10.17487/RFC9640, October | |||
<https://www.rfc-editor.org/info/rfc8998>. | 2024, <https://www.rfc-editor.org/info/rfc9640>. | |||
[RFC9150] Cam-Winget, N. and J. Visoky, "TLS 1.3 Authentication and | [RFC9641] Watsen, K., "A YANG Data Model for a Truststore", | |||
Integrity-Only Cipher Suites", RFC 9150, | RFC 9641, DOI 10.17487/RFC9641, October 2024, | |||
DOI 10.17487/RFC9150, April 2022, | <https://www.rfc-editor.org/info/rfc9641>. | |||
<https://www.rfc-editor.org/info/rfc9150>. | ||||
[RFC9189] Smyshlyaev, S., Ed., Belyavsky, D., and E. Alekseev, "GOST | [RFC9642] Watsen, K., "A YANG Data Model for a Keystore", RFC 9642, | |||
Cipher Suites for Transport Layer Security (TLS) Protocol | DOI 10.17487/RFC9642, October 2024, | |||
Version 1.2", RFC 9189, DOI 10.17487/RFC9189, March 2022, | <https://www.rfc-editor.org/info/rfc9642>. | |||
<https://www.rfc-editor.org/info/rfc9189>. | ||||
7.2. Informative References | 7.2. Informative References | |||
[I-D.ietf-netconf-http-client-server] | [HTTP-CLIENT-SERVER] | |||
Watsen, K., "YANG Groupings for HTTP Clients and HTTP | Watsen, K., "YANG Groupings for HTTP Clients and HTTP | |||
Servers", Work in Progress, Internet-Draft, draft-ietf- | Servers", Work in Progress, Internet-Draft, draft-ietf- | |||
netconf-http-client-server-19, 1 March 2024, | netconf-http-client-server-23, 15 August 2024, | |||
<https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | <https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | |||
http-client-server-19>. | http-client-server-23>. | |||
[I-D.ietf-netconf-netconf-client-server] | [IANA-CIPHER-ALGS] | |||
IANA, "TLS Cipher Suites", | ||||
<https://www.iana.org/assignments/tls-parameters/>. | ||||
[IANA-YANG-PARAMETERS] | ||||
IANA, "YANG Parameters", | ||||
<https://www.iana.org/assignments/yang-parameters>. | ||||
[NETCONF-CLIENT-SERVER] | ||||
Watsen, K., "NETCONF Client and Server Models", Work in | Watsen, K., "NETCONF Client and Server Models", Work in | |||
Progress, Internet-Draft, draft-ietf-netconf-netconf- | Progress, Internet-Draft, draft-ietf-netconf-netconf- | |||
client-server-35, 1 March 2024, | client-server-37, 14 August 2024, | |||
<https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | <https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | |||
netconf-client-server-35>. | netconf-client-server-37>. | |||
[I-D.ietf-netconf-restconf-client-server] | [RESTCONF-CLIENT-SERVER] | |||
Watsen, K., "RESTCONF Client and Server Models", Work in | Watsen, K., "RESTCONF Client and Server Models", Work in | |||
Progress, Internet-Draft, draft-ietf-netconf-restconf- | Progress, Internet-Draft, draft-ietf-netconf-restconf- | |||
client-server-35, 1 March 2024, | client-server-38, 14 August 2024, | |||
<https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | ||||
restconf-client-server-35>. | ||||
[I-D.ietf-netconf-ssh-client-server] | ||||
Watsen, K., "YANG Groupings for SSH Clients and SSH | ||||
Servers", Work in Progress, Internet-Draft, draft-ietf- | ||||
netconf-ssh-client-server-39, 1 March 2024, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | ||||
ssh-client-server-39>. | ||||
[I-D.ietf-netconf-tcp-client-server] | ||||
Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients | ||||
and TCP Servers", Work in Progress, Internet-Draft, draft- | ||||
ietf-netconf-tcp-client-server-23, 1 March 2024, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | ||||
tcp-client-server-23>. | ||||
[I-D.ietf-netconf-tls-client-server] | ||||
Watsen, K., "YANG Groupings for TLS Clients and TLS | ||||
Servers", Work in Progress, Internet-Draft, draft-ietf- | ||||
netconf-tls-client-server-40, 1 March 2024, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | <https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | |||
tls-client-server-40>. | restconf-client-server-38>. | |||
[I-D.ietf-netmod-rfc8407bis] | ||||
Bierman, A., Boucadair, M., and Q. Wu, "Guidelines for | ||||
Authors and Reviewers of Documents Containing YANG Data | ||||
Models", Work in Progress, Internet-Draft, draft-ietf- | ||||
netmod-rfc8407bis-09, 28 February 2024, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-netmod- | ||||
rfc8407bis-09>. | ||||
[I-D.ietf-netmod-system-config] | ||||
Ma, Q., Wu, Q., and C. Feng, "System-defined | ||||
Configuration", Work in Progress, Internet-Draft, draft- | ||||
ietf-netmod-system-config-05, 21 February 2024, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-netmod- | ||||
system-config-05>. | ||||
[IANA-CIPHER-ALGS] | ||||
(IANA), I. A. N. A., "IANA "TLS Cipher Suites" Sub- | ||||
registry of the "Transport Layer Security (TLS) | ||||
Parameters" Registry", <https://www.iana.org/assignments/ | ||||
tls-parameters/tls-parameters.xhtml#tls-parameters-4>. | ||||
[IANA-YANG-PARAMETERS] | ||||
"YANG Parameters", n.d., | ||||
<https://www.iana.org/assignments/yang-parameters>. | ||||
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, | ||||
DOI 10.17487/RFC2818, May 2000, | ||||
<https://www.rfc-editor.org/info/rfc2818>. | ||||
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | |||
DOI 10.17487/RFC3688, January 2004, | DOI 10.17487/RFC3688, January 2004, | |||
<https://www.rfc-editor.org/info/rfc3688>. | <https://www.rfc-editor.org/info/rfc3688>. | |||
[RFC5056] Williams, N., "On the Use of Channel Bindings to Secure | ||||
Channels", RFC 5056, DOI 10.17487/RFC5056, November 2007, | ||||
<https://www.rfc-editor.org/info/rfc5056>. | ||||
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | |||
(TLS) Protocol Version 1.2", RFC 5246, | (TLS) Protocol Version 1.2", RFC 5246, | |||
DOI 10.17487/RFC5246, August 2008, | DOI 10.17487/RFC5246, August 2008, | |||
<https://www.rfc-editor.org/info/rfc5246>. | <https://www.rfc-editor.org/info/rfc5246>. | |||
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., | ||||
and A. Bierman, Ed., "Network Configuration Protocol | ||||
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, | ||||
<https://www.rfc-editor.org/info/rfc6241>. | ||||
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF | ||||
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, | ||||
<https://www.rfc-editor.org/info/rfc8040>. | ||||
[RFC8071] Watsen, K., "NETCONF Call Home and RESTCONF Call Home", | [RFC8071] Watsen, K., "NETCONF Call Home and RESTCONF Call Home", | |||
RFC 8071, DOI 10.17487/RFC8071, February 2017, | RFC 8071, DOI 10.17487/RFC8071, February 2017, | |||
<https://www.rfc-editor.org/info/rfc8071>. | <https://www.rfc-editor.org/info/rfc8071>. | |||
[RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data | ||||
Interchange Format", STD 90, RFC 8259, | ||||
DOI 10.17487/RFC8259, December 2017, | ||||
<https://www.rfc-editor.org/info/rfc8259>. | ||||
[RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", | [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", | |||
BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, | BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, | |||
<https://www.rfc-editor.org/info/rfc8340>. | <https://www.rfc-editor.org/info/rfc8340>. | |||
[RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., | [RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., | |||
and R. Wilton, "Network Management Datastore Architecture | and R. Wilton, "Network Management Datastore Architecture | |||
(NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, | (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, | |||
<https://www.rfc-editor.org/info/rfc8342>. | <https://www.rfc-editor.org/info/rfc8342>. | |||
[RFC8407] Bierman, A., "Guidelines for Authors and Reviewers of | [RFC8407] Bierman, A., "Guidelines for Authors and Reviewers of | |||
Documents Containing YANG Data Models", BCP 216, RFC 8407, | Documents Containing YANG Data Models", BCP 216, RFC 8407, | |||
DOI 10.17487/RFC8407, October 2018, | DOI 10.17487/RFC8407, October 2018, | |||
<https://www.rfc-editor.org/info/rfc8407>. | <https://www.rfc-editor.org/info/rfc8407>. | |||
[RFC8407BIS] | ||||
Bierman, A., Boucadair, M., and Q. Wu, "Guidelines for | ||||
Authors and Reviewers of Documents Containing YANG Data | ||||
Models", Work in Progress, Internet-Draft, draft-ietf- | ||||
netmod-rfc8407bis-17, 27 September 2024, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-netmod- | ||||
rfc8407bis-17>. | ||||
[RFC8996] Moriarty, K. and S. Farrell, "Deprecating TLS 1.0 and TLS | ||||
1.1", BCP 195, RFC 8996, DOI 10.17487/RFC8996, March 2021, | ||||
<https://www.rfc-editor.org/info/rfc8996>. | ||||
[RFC9110] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, | ||||
Ed., "HTTP Semantics", STD 97, RFC 9110, | ||||
DOI 10.17487/RFC9110, June 2022, | ||||
<https://www.rfc-editor.org/info/rfc9110>. | ||||
[RFC9257] Housley, R., Hoyland, J., Sethi, M., and C. A. Wood, | [RFC9257] Housley, R., Hoyland, J., Sethi, M., and C. A. Wood, | |||
"Guidance for External Pre-Shared Key (PSK) Usage in TLS", | "Guidance for External Pre-Shared Key (PSK) Usage in TLS", | |||
RFC 9257, DOI 10.17487/RFC9257, July 2022, | RFC 9257, DOI 10.17487/RFC9257, July 2022, | |||
<https://www.rfc-editor.org/info/rfc9257>. | <https://www.rfc-editor.org/info/rfc9257>. | |||
[RFC9258] Benjamin, D. and C. A. Wood, "Importing External Pre- | [RFC9258] Benjamin, D. and C. A. Wood, "Importing External Pre- | |||
Shared Keys (PSKs) for TLS 1.3", RFC 9258, | Shared Keys (PSKs) for TLS 1.3", RFC 9258, | |||
DOI 10.17487/RFC9258, July 2022, | DOI 10.17487/RFC9258, July 2022, | |||
<https://www.rfc-editor.org/info/rfc9258>. | <https://www.rfc-editor.org/info/rfc9258>. | |||
[RFC9643] Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients | ||||
and TCP Servers", RFC 9643, DOI 10.17487/RFC9643, October | ||||
2024, <https://www.rfc-editor.org/info/rfc9643>. | ||||
[RFC9644] Watsen, K., "YANG Groupings for SSH Clients and SSH | ||||
Servers", RFC 9644, DOI 10.17487/RFC9644, October 2024, | ||||
<https://www.rfc-editor.org/info/rfc9644>. | ||||
[SYSTEM-CONFIG] | ||||
Ma, Q., Wu, Q., and C. Feng, "System-defined | ||||
Configuration", Work in Progress, Internet-Draft, draft- | ||||
ietf-netmod-system-config-09, 29 September 2024, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-netmod- | ||||
system-config-09>. | ||||
[W3C.REC-xml-20081126] | ||||
Bray, T., Paoli, J., Sperberg-McQueen, C. M., Maler, E., | ||||
and F. Yergeau, "Extensible Markup Language (XML) 1.0 | ||||
(Fifth Edition)", W3C Recommendation REC-xml-20081126, | ||||
November 2008, <https://www.w3.org/TR/xml/>. | ||||
Appendix A. Script to Generate IANA-Maintained YANG Modules | Appendix A. Script to Generate IANA-Maintained YANG Modules | |||
This section is not Normative. | This section is not normative. | |||
The Python https://www.python.org script contained in this section | The Python <https://www.python.org> script contained in this section | |||
will create the IANA-maintained module described in this document. | was used to create the initial IANA-maintained "iana-tls-cipher- | |||
suite-algs" YANG module maintained at [IANA-YANG-PARAMETERS]. | ||||
Run the script using the command `python gen-yang-modules.py`, to | Run the script using the command 'python gen-yang-modules.py' to | |||
produce the YANG module file in the current directory. | produce the YANG module file in the current directory. | |||
Be aware that the script does not attempt to copy the "revision" | Be aware that the script does not attempt to copy the "revision" | |||
statements from the previous/current YANG module. Copying the | statements from the previous/current YANG module. Copying the | |||
revision statements must be done manually. | revision statements must be done manually. | |||
<CODE BEGINS> | <CODE BEGINS> | |||
=============== NOTE: '\\' line wrapping per RFC 8792 =============== | =============== NOTE: '\\' line wrapping per RFC 8792 =============== | |||
import re | import re | |||
skipping to change at page 70, line 30 ¶ | skipping to change at line 2982 ¶ | |||
organization | organization | |||
"Internet Assigned Numbers Authority (IANA)"; | "Internet Assigned Numbers Authority (IANA)"; | |||
contact | contact | |||
"Postal: ICANN | "Postal: ICANN | |||
12025 Waterfront Drive, Suite 300 | 12025 Waterfront Drive, Suite 300 | |||
Los Angeles, CA 90094-2536 | Los Angeles, CA 90094-2536 | |||
United States of America | United States of America | |||
Tel: +1 310 301 5800 | Tel: +1 310 301 5800 | |||
Email: iana@iana.org"; | Email: <iana@iana.org>"; | |||
description | description | |||
"This module defines enumerations for the Cipher Suite | "This module defines enumerations for the cipher suite | |||
algorithms defined in the 'TLS Cipher Suites' sub-registry | algorithms defined in the 'TLS Cipher Suites' registry | |||
of the 'Transport Layer Security (TLS) Parameters' registry | under the 'Transport Layer Security (TLS) Parameters' | |||
maintained by IANA. | registry group maintained by IANA. | |||
Copyright (c) YEAR IETF Trust and the persons identified as | Copyright (c) 2024 IETF Trust and the persons identified as | |||
authors of the code. All rights reserved. | authors of the code. All rights reserved. | |||
Redistribution and use in source and binary forms, with | Redistribution and use in source and binary forms, with | |||
or without modification, is permitted pursuant to, and | or without modification, is permitted pursuant to, and | |||
subject to the license terms contained in, the Revised | subject to the license terms contained in, the Revised | |||
BSD License set forth in Section 4.c of the IETF Trust's | BSD License set forth in Section 4.c of the IETF Trust's | |||
Legal Provisions Relating to IETF Documents | Legal Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info). | (https://trustee.ietf.org/license-info). | |||
The initial version of this YANG module is part of RFC FFFF | The initial version of this YANG module is part of RFC 9645 | |||
(https://www.rfc-editor.org/info/rfcFFFF); see the RFC | (https://www.rfc-editor.org/info/rfc9645); see the RFC | |||
itself for full legal notices. | itself for full legal notices. | |||
All versions of this module are published by IANA at | All versions of this module are published by IANA | |||
https://www.iana.org/assignments/yang-parameters."; | (https://www.iana.org/assignments/yang-parameters)."; | |||
revision DATE { | revision DATE { | |||
description | description | |||
"This initial version of the module was created using | "This initial version of the module was created using | |||
the script defined in RFC FFFF to reflect the contents | the script defined in RFC 9645 to reflect the contents | |||
of the SNAME algorithms registry maintained by IANA."; | of the SNAME algorithms registry maintained by IANA."; | |||
reference | reference | |||
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; | "RFC 9645: YANG Groupings for TLS Clients and TLS Servers"; | |||
} | } | |||
typedef tls-HNAME-algorithm { | typedef tls-HNAME-algorithm { | |||
type enumeration { | type enumeration { | |||
""" | """ | |||
# Replacements | # Replacements | |||
rep = { | rep = { | |||
"DATE": datetime.today().strftime('%Y-%m-%d'), | "DATE": datetime.today().strftime('%Y-%m-%d'), | |||
"YEAR": datetime.today().strftime('%Y'), | "YEAR": datetime.today().strftime('%Y'), | |||
"SNAME": module["spaced_name"], | "SNAME": module["spaced_name"], | |||
skipping to change at page 72, line 51 ¶ | skipping to change at line 3098 ¶ | |||
\1>', item) | \1>', item) | |||
if title.startswith("ECDHE\_PSK"): | if title.startswith("ECDHE\_PSK"): | |||
title = re.sub("ECDHE\\\\_PSK", \ | title = re.sub("ECDHE\\\\_PSK", \ | |||
\"ECDHE_PSK", title) | \"ECDHE_PSK", title) | |||
titles.append(re.sub('.*{{(.*)}}.*',\ | titles.append(re.sub('.*{{(.*)}}.*',\ | |||
\ r'\g<1>', title)) | \ r'\g<1>', title)) | |||
break | break | |||
else: | else: | |||
raise Exception("RFC title not found") | raise Exception("RFC title not found") | |||
# Insert a space: "RFCXXXX" --> "RFC XXXX" | # Insert a space: "RFC9645" --> "RFC 9645" | |||
index = refs.index(ref) | index = refs.index(ref) | |||
refs[index] = "RFC " + ref[3:] | refs[index] = "RFC " + ref[3:] | |||
elif ref == "IESG Action 2018-08-16": | elif ref == "IESG Action 2018-08-16": | |||
# Rewrite the ref value | # Rewrite the ref value | |||
index = refs.index(ref) | index = refs.index(ref) | |||
refs[index] = "IESG Action" | refs[index] = "IESG Action" | |||
# Let title be something descriptive | # Let title be something descriptive | |||
titles.append("IESG Action 2018-08-16") | titles.append("IESG Action 2018-08-16") | |||
elif ref == "draft-irtf-cfrg-aegis-aead-08": | elif ref == "draft-irtf-cfrg-aegis-aead-08": | |||
# Manually set the draft's title | # Manually set the document's title | |||
titles.append("The AEGIS Family of Authentic\ | titles.append("The AEGIS Family of Authentic\ | |||
\ated Encryption Algorithms") | \ated Encryption Algorithms") | |||
elif ref: | elif ref: | |||
raise Exception(f'ref "{ref}" not found') | raise Exception(f'ref "{ref}" not found') | |||
else: | else: | |||
raise Exception(f'ref missing: {row}') | raise Exception(f'ref missing: {row}') | |||
# Write out the enum | # Write out the enum | |||
skipping to change at page 74, line 26 ¶ | skipping to change at line 3169 ¶ | |||
\algorithms.";\n') | \algorithms.";\n') | |||
f.write(" }\n") | f.write(" }\n") | |||
f.write('\n') | f.write('\n') | |||
f.write('}\n') | f.write('}\n') | |||
def create_module(module): | def create_module(module): | |||
# Install cache for 8x speedup | # Install cache for 8x speedup | |||
requests_cache.install_cache() | requests_cache.install_cache() | |||
# Ascertain yang module's name | # Ascertain the yang module's name | |||
yang_module_name = "iana-tls-" + module["hypenated_name"] + "-al\ | yang_module_name = "iana-tls-" + module["hypenated_name"] + "-al\ | |||
\gs.yang" | \gs.yang" | |||
# Create yang module file | # Create yang module file | |||
with open(yang_module_name, "w") as f: | with open(yang_module_name, "w") as f: | |||
create_module_begin(module, f) | create_module_begin(module, f) | |||
create_module_body(module, f) | create_module_body(module, f) | |||
create_module_end(module, f) | create_module_end(module, f) | |||
def main(): | def main(): | |||
for module in MODULES: | for module in MODULES: | |||
create_module(module) | create_module(module) | |||
if __name__ == "__main__": | if __name__ == "__main__": | |||
main() | main() | |||
<CODE ENDS> | <CODE ENDS> | |||
A.1. Initial Module for the "TLS Cipher Suites" Registry | ||||
Following are the complete contents to the initial IANA-maintained | ||||
YANG module. Please note that the date "2024-03-16" reflects the day | ||||
on which the extraction occurred. Applications SHOULD use the IANA- | ||||
maintained module, not the module defined in this draft. | ||||
This YANG module has normative references to [RFC2712], [RFC4162], | ||||
[RFC4279], [RFC4346], [RFC4785], [RFC5054], [RFC5246], [RFC5288], | ||||
[RFC5289], [RFC5469], [RFC5487], [RFC5489], [RFC5746], [RFC5932], | ||||
[RFC6209], [RFC6367], [RFC6655], [RFC7251], [RFC7507], [RFC7905], | ||||
[RFC8422], [RFC8442], [RFC8446], [RFC8492], [RFC8998], [RFC9150], | ||||
[RFC9189], and [RFC8340]. | ||||
<CODE BEGINS> file "iana-tls-cipher-suite-algs@2024-03-16.yang" | ||||
module iana-tls-cipher-suite-algs { | ||||
yang-version 1.1; | ||||
namespace "urn:ietf:params:xml:ns:yang:iana-tls-cipher-suite-algs"; | ||||
prefix tlscsa; | ||||
organization | ||||
"Internet Assigned Numbers Authority (IANA)"; | ||||
contact | ||||
"Postal: ICANN | ||||
12025 Waterfront Drive, Suite 300 | ||||
Los Angeles, CA 90094-2536 | ||||
United States of America | ||||
Tel: +1 310 301 5800 | ||||
Email: iana@iana.org"; | ||||
description | ||||
"This module defines enumerations for the Cipher Suite | ||||
algorithms defined in the 'TLS Cipher Suites' sub-registry | ||||
of the 'Transport Layer Security (TLS) Parameters' registry | ||||
maintained by IANA. | ||||
Copyright (c) 2024 IETF Trust and the persons identified as | ||||
authors of the code. All rights reserved. | ||||
Redistribution and use in source and binary forms, with | ||||
or without modification, is permitted pursuant to, and | ||||
subject to the license terms contained in, the Revised | ||||
BSD License set forth in Section 4.c of the IETF Trust's | ||||
Legal Provisions Relating to IETF Documents | ||||
(https://trustee.ietf.org/license-info). | ||||
The initial version of this YANG module is part of RFC FFFF | ||||
(https://www.rfc-editor.org/info/rfcFFFF); see the RFC | ||||
itself for full legal notices. | ||||
All versions of this module are published by IANA at | ||||
https://www.iana.org/assignments/yang-parameters."; | ||||
revision 2024-03-16 { | ||||
description | ||||
"This initial version of the module was created using | ||||
the script defined in RFC FFFF to reflect the contents | ||||
of the cipher-suite algorithms registry maintained by IANA."; | ||||
reference | ||||
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; | ||||
} | ||||
typedef tls-cipher-suite-algorithm { | ||||
type enumeration { | ||||
enum TLS_NULL_WITH_NULL_NULL { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_NULL_WITH_NULL_NULL' algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_RSA_WITH_NULL_MD5 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_NULL_MD5' algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_RSA_WITH_NULL_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_NULL_SHA' algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_RSA_EXPORT_WITH_RC4_40_MD5 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_EXPORT_WITH_RC4_40_MD5' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4346: | ||||
The Transport Layer Security (TLS) Protocol Version 1.1 | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_RSA_WITH_RC4_128_MD5 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_RC4_128_MD5' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version 1.2 | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_RSA_WITH_RC4_128_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_RC4_128_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version 1.2 | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4346: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.1"; | ||||
} | ||||
enum TLS_RSA_WITH_IDEA_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_IDEA_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8996: | ||||
Deprecating TLS 1.0 and TLS 1.1"; | ||||
} | ||||
enum TLS_RSA_EXPORT_WITH_DES40_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_EXPORT_WITH_DES40_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4346: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.1"; | ||||
} | ||||
enum TLS_RSA_WITH_DES_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_DES_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8996: | ||||
Deprecating TLS 1.0 and TLS 1.1"; | ||||
} | ||||
enum TLS_RSA_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_3DES_EDE_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4346: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.1"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_DES_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_DSS_WITH_DES_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8996: | ||||
Deprecating TLS 1.0 and TLS 1.1"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4346: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.1"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_DES_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_RSA_WITH_DES_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8996: | ||||
Deprecating TLS 1.0 and TLS 1.1"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA' algorithm."; | ||||
reference | ||||
"RFC 4346: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.1"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_DES_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_DSS_WITH_DES_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8996: | ||||
Deprecating TLS 1.0 and TLS 1.1"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA' algorithm."; | ||||
reference | ||||
"RFC 4346: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.1"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_DES_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_RSA_WITH_DES_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8996: | ||||
Deprecating TLS 1.0 and TLS 1.1"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_anon_EXPORT_WITH_RC4_40_MD5' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4346: | ||||
The Transport Layer Security (TLS) Protocol Version 1.1 | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_DH_anon_WITH_RC4_128_MD5 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_anon_WITH_RC4_128_MD5' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version 1.2 | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA' algorithm."; | ||||
reference | ||||
"RFC 4346: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.1"; | ||||
} | ||||
enum TLS_DH_anon_WITH_DES_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_anon_WITH_DES_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8996: | ||||
Deprecating TLS 1.0 and TLS 1.1"; | ||||
} | ||||
enum TLS_DH_anon_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_anon_WITH_3DES_EDE_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_KRB5_WITH_DES_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_KRB5_WITH_DES_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 2712: | ||||
Addition of Kerberos Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_KRB5_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_KRB5_WITH_3DES_EDE_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 2712: | ||||
Addition of Kerberos Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_KRB5_WITH_RC4_128_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_KRB5_WITH_RC4_128_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 2712: | ||||
Addition of Kerberos Cipher Suites to Transport Layer | ||||
Security (TLS) | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_KRB5_WITH_IDEA_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_KRB5_WITH_IDEA_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 2712: | ||||
Addition of Kerberos Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_KRB5_WITH_DES_CBC_MD5 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_KRB5_WITH_DES_CBC_MD5' | ||||
algorithm."; | ||||
reference | ||||
"RFC 2712: | ||||
Addition of Kerberos Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_KRB5_WITH_3DES_EDE_CBC_MD5 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_KRB5_WITH_3DES_EDE_CBC_MD5' | ||||
algorithm."; | ||||
reference | ||||
"RFC 2712: | ||||
Addition of Kerberos Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_KRB5_WITH_RC4_128_MD5 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_KRB5_WITH_RC4_128_MD5' | ||||
algorithm."; | ||||
reference | ||||
"RFC 2712: | ||||
Addition of Kerberos Cipher Suites to Transport Layer | ||||
Security (TLS) | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_KRB5_WITH_IDEA_CBC_MD5 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_KRB5_WITH_IDEA_CBC_MD5' | ||||
algorithm."; | ||||
reference | ||||
"RFC 2712: | ||||
Addition of Kerberos Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 2712: | ||||
Addition of Kerberos Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 2712: | ||||
Addition of Kerberos Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_KRB5_EXPORT_WITH_RC4_40_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_KRB5_EXPORT_WITH_RC4_40_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 2712: | ||||
Addition of Kerberos Cipher Suites to Transport Layer | ||||
Security (TLS) | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5' | ||||
algorithm."; | ||||
reference | ||||
"RFC 2712: | ||||
Addition of Kerberos Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5' | ||||
algorithm."; | ||||
reference | ||||
"RFC 2712: | ||||
Addition of Kerberos Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_KRB5_EXPORT_WITH_RC4_40_MD5 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_KRB5_EXPORT_WITH_RC4_40_MD5' | ||||
algorithm."; | ||||
reference | ||||
"RFC 2712: | ||||
Addition of Kerberos Cipher Suites to Transport Layer | ||||
Security (TLS) | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_PSK_WITH_NULL_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_NULL_SHA' algorithm."; | ||||
reference | ||||
"RFC 4785: | ||||
Pre-Shared Key (PSK) Ciphersuites with NULL Encryption | ||||
for Transport Layer Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_NULL_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_PSK_WITH_NULL_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4785: | ||||
Pre-Shared Key (PSK) Ciphersuites with NULL Encryption | ||||
for Transport Layer Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_NULL_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_PSK_WITH_NULL_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4785: | ||||
Pre-Shared Key (PSK) Ciphersuites with NULL Encryption | ||||
for Transport Layer Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_DSS_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_RSA_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_DSS_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DH_anon_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_anon_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_RSA_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_DSS_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_RSA_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_DSS_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DH_anon_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_anon_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_RSA_WITH_NULL_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_NULL_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_RSA_WITH_AES_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_AES_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_RSA_WITH_AES_256_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_AES_256_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_AES_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_DSS_WITH_AES_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_AES_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_RSA_WITH_AES_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_RSA_WITH_CAMELLIA_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA' algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA' algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA' algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_AES_256_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_DSS_WITH_AES_256_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_AES_256_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_RSA_WITH_AES_256_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DH_anon_WITH_AES_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_anon_WITH_AES_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DH_anon_WITH_AES_256_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_anon_WITH_AES_256_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_RSA_WITH_CAMELLIA_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA' algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA' algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA' algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_PSK_WITH_RC4_128_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_RC4_128_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4279: | ||||
Pre-Shared Key Ciphersuites for Transport Layer Security | ||||
(TLS) | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_PSK_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_3DES_EDE_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4279: | ||||
Pre-Shared Key Ciphersuites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_PSK_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4279: | ||||
Pre-Shared Key Ciphersuites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_PSK_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4279: | ||||
Pre-Shared Key Ciphersuites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_RC4_128_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_PSK_WITH_RC4_128_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4279: | ||||
Pre-Shared Key Ciphersuites for Transport Layer Security | ||||
(TLS) | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4279: | ||||
Pre-Shared Key Ciphersuites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_PSK_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4279: | ||||
Pre-Shared Key Ciphersuites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_PSK_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4279: | ||||
Pre-Shared Key Ciphersuites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_RC4_128_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_PSK_WITH_RC4_128_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4279: | ||||
Pre-Shared Key Ciphersuites for Transport Layer Security | ||||
(TLS) | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4279: | ||||
Pre-Shared Key Ciphersuites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_PSK_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4279: | ||||
Pre-Shared Key Ciphersuites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_PSK_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4279: | ||||
Pre-Shared Key Ciphersuites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_RSA_WITH_SEED_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_SEED_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4162: | ||||
Addition of SEED Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_SEED_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_DSS_WITH_SEED_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4162: | ||||
Addition of SEED Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_SEED_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_RSA_WITH_SEED_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4162: | ||||
Addition of SEED Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_SEED_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_DSS_WITH_SEED_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4162: | ||||
Addition of SEED Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_SEED_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_RSA_WITH_SEED_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4162: | ||||
Addition of SEED Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DH_anon_WITH_SEED_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_anon_WITH_SEED_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4162: | ||||
Addition of SEED Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_WITH_AES_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_AES_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5288: | ||||
AES Galois Counter Mode (GCM) Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_RSA_WITH_AES_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_AES_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5288: | ||||
AES Galois Counter Mode (GCM) Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 { | ||||
description | ||||
"Enumeration for the 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5288: | ||||
AES Galois Counter Mode (GCM) Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 { | ||||
description | ||||
"Enumeration for the 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5288: | ||||
AES Galois Counter Mode (GCM) Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_AES_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_RSA_WITH_AES_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5288: | ||||
AES Galois Counter Mode (GCM) Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_AES_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_RSA_WITH_AES_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5288: | ||||
AES Galois Counter Mode (GCM) Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_DSS_WITH_AES_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5288: | ||||
AES Galois Counter Mode (GCM) Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_DSS_WITH_AES_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5288: | ||||
AES Galois Counter Mode (GCM) Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_AES_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_DSS_WITH_AES_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5288: | ||||
AES Galois Counter Mode (GCM) Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_AES_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_DSS_WITH_AES_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5288: | ||||
AES Galois Counter Mode (GCM) Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_anon_WITH_AES_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_anon_WITH_AES_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5288: | ||||
AES Galois Counter Mode (GCM) Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_anon_WITH_AES_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_anon_WITH_AES_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5288: | ||||
AES Galois Counter Mode (GCM) Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_PSK_WITH_AES_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_AES_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_PSK_WITH_AES_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_AES_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 { | ||||
description | ||||
"Enumeration for the 'TLS_DHE_PSK_WITH_AES_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 { | ||||
description | ||||
"Enumeration for the 'TLS_DHE_PSK_WITH_AES_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_PSK_WITH_AES_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_PSK_WITH_AES_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_PSK_WITH_AES_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_AES_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_PSK_WITH_AES_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_AES_256_CBC_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_PSK_WITH_NULL_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_NULL_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_PSK_WITH_NULL_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_NULL_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_PSK_WITH_AES_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_PSK_WITH_AES_256_CBC_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_NULL_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_PSK_WITH_NULL_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_NULL_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_PSK_WITH_NULL_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_PSK_WITH_AES_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_PSK_WITH_AES_256_CBC_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_NULL_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_PSK_WITH_NULL_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_NULL_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_PSK_WITH_NULL_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_SM4_GCM_SM3 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_SM4_GCM_SM3' algorithm."; | ||||
reference | ||||
"RFC 8998: | ||||
ShangMi (SM) Cipher Suites for TLS 1.3"; | ||||
} | ||||
enum TLS_SM4_CCM_SM3 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_SM4_CCM_SM3' algorithm."; | ||||
reference | ||||
"RFC 8998: | ||||
ShangMi (SM) Cipher Suites for TLS 1.3"; | ||||
} | ||||
enum TLS_EMPTY_RENEGOTIATION_INFO_SCSV { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_EMPTY_RENEGOTIATION_INFO_SCSV' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5746: | ||||
Transport Layer Security (TLS) Renegotiation Indication | ||||
Extension"; | ||||
} | ||||
enum TLS_AES_128_GCM_SHA256 { | ||||
description | ||||
"Enumeration for the 'TLS_AES_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 8446: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.3"; | ||||
} | ||||
enum TLS_AES_256_GCM_SHA384 { | ||||
description | ||||
"Enumeration for the 'TLS_AES_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 8446: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.3"; | ||||
} | ||||
enum TLS_CHACHA20_POLY1305_SHA256 { | ||||
description | ||||
"Enumeration for the 'TLS_CHACHA20_POLY1305_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8446: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.3"; | ||||
} | ||||
enum TLS_AES_128_CCM_SHA256 { | ||||
description | ||||
"Enumeration for the 'TLS_AES_128_CCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 8446: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.3"; | ||||
} | ||||
enum TLS_AES_128_CCM_8_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_AES_128_CCM_8_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8446: | ||||
The Transport Layer Security (TLS) Protocol Version 1.3 | ||||
IESG Action: | ||||
IESG Action 2018-08-16"; | ||||
} | ||||
enum TLS_AEGIS_256_SHA512 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_AEGIS_256_SHA512' algorithm."; | ||||
reference | ||||
"draft-irtf-cfrg-aegis-aead-08: | ||||
The AEGIS Family of Authenticated Encryption | ||||
Algorithms"; | ||||
} | ||||
enum TLS_AEGIS_128L_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_AEGIS_128L_SHA256' algorithm."; | ||||
reference | ||||
"draft-irtf-cfrg-aegis-aead-08: | ||||
The AEGIS Family of Authenticated Encryption | ||||
Algorithms"; | ||||
} | ||||
enum TLS_FALLBACK_SCSV { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_FALLBACK_SCSV' algorithm."; | ||||
reference | ||||
"RFC 7507: | ||||
TLS Fallback Signaling Cipher Suite Value (SCSV) for | ||||
Preventing Protocol Downgrade Attacks"; | ||||
} | ||||
enum TLS_ECDH_ECDSA_WITH_NULL_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_ECDSA_WITH_NULL_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDH_ECDSA_WITH_RC4_128_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_ECDSA_WITH_RC4_128_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and Earlier | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_NULL_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_ECDSA_WITH_NULL_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_RC4_128_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and Earlier | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA' algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDH_RSA_WITH_NULL_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_RSA_WITH_NULL_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDH_RSA_WITH_RC4_128_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_RSA_WITH_RC4_128_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and Earlier | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDH_RSA_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_RSA_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDH_RSA_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_RSA_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_NULL_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_RSA_WITH_NULL_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_RC4_128_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_RSA_WITH_RC4_128_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and Earlier | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDH_anon_WITH_NULL_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_anon_WITH_NULL_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDH_anon_WITH_RC4_128_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_anon_WITH_RC4_128_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and Earlier | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDH_anon_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_anon_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDH_anon_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_anon_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5054: | ||||
Using the Secure Remote Password (SRP) Protocol for TLS | ||||
Authentication"; | ||||
} | ||||
enum TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA' algorithm."; | ||||
reference | ||||
"RFC 5054: | ||||
Using the Secure Remote Password (SRP) Protocol for TLS | ||||
Authentication"; | ||||
} | ||||
enum TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA' algorithm."; | ||||
reference | ||||
"RFC 5054: | ||||
Using the Secure Remote Password (SRP) Protocol for TLS | ||||
Authentication"; | ||||
} | ||||
enum TLS_SRP_SHA_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_SRP_SHA_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5054: | ||||
Using the Secure Remote Password (SRP) Protocol for TLS | ||||
Authentication"; | ||||
} | ||||
enum TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5054: | ||||
Using the Secure Remote Password (SRP) Protocol for TLS | ||||
Authentication"; | ||||
} | ||||
enum TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5054: | ||||
Using the Secure Remote Password (SRP) Protocol for TLS | ||||
Authentication"; | ||||
} | ||||
enum TLS_SRP_SHA_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_SRP_SHA_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5054: | ||||
Using the Secure Remote Password (SRP) Protocol for TLS | ||||
Authentication"; | ||||
} | ||||
enum TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5054: | ||||
Using the Secure Remote Password (SRP) Protocol for TLS | ||||
Authentication"; | ||||
} | ||||
enum TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5054: | ||||
Using the Secure Remote Password (SRP) Protocol for TLS | ||||
Authentication"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 5289: | ||||
TLS Elliptic Curve Cipher Suites with SHA-256/384 and | ||||
AES Galois Counter Mode (GCM)"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384' algorithm."; | ||||
reference | ||||
"RFC 5289: | ||||
TLS Elliptic Curve Cipher Suites with SHA-256/384 and | ||||
AES Galois Counter Mode (GCM)"; | ||||
} | ||||
enum TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 5289: | ||||
TLS Elliptic Curve Cipher Suites with SHA-256/384 and | ||||
AES Galois Counter Mode (GCM)"; | ||||
} | ||||
enum TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384' algorithm."; | ||||
reference | ||||
"RFC 5289: | ||||
TLS Elliptic Curve Cipher Suites with SHA-256/384 and | ||||
AES Galois Counter Mode (GCM)"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 5289: | ||||
TLS Elliptic Curve Cipher Suites with SHA-256/384 and | ||||
AES Galois Counter Mode (GCM)"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384' algorithm."; | ||||
reference | ||||
"RFC 5289: | ||||
TLS Elliptic Curve Cipher Suites with SHA-256/384 and | ||||
AES Galois Counter Mode (GCM)"; | ||||
} | ||||
enum TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5289: | ||||
TLS Elliptic Curve Cipher Suites with SHA-256/384 and | ||||
AES Galois Counter Mode (GCM)"; | ||||
} | ||||
enum TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5289: | ||||
TLS Elliptic Curve Cipher Suites with SHA-256/384 and | ||||
AES Galois Counter Mode (GCM)"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 { | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 5289: | ||||
TLS Elliptic Curve Cipher Suites with SHA-256/384 and | ||||
AES Galois Counter Mode (GCM)"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 { | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 5289: | ||||
TLS Elliptic Curve Cipher Suites with SHA-256/384 and | ||||
AES Galois Counter Mode (GCM)"; | ||||
} | ||||
enum TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 5289: | ||||
TLS Elliptic Curve Cipher Suites with SHA-256/384 and | ||||
AES Galois Counter Mode (GCM)"; | ||||
} | ||||
enum TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 5289: | ||||
TLS Elliptic Curve Cipher Suites with SHA-256/384 and | ||||
AES Galois Counter Mode (GCM)"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 { | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 5289: | ||||
TLS Elliptic Curve Cipher Suites with SHA-256/384 and | ||||
AES Galois Counter Mode (GCM)"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 { | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 5289: | ||||
TLS Elliptic Curve Cipher Suites with SHA-256/384 and | ||||
AES Galois Counter Mode (GCM)"; | ||||
} | ||||
enum TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5289: | ||||
TLS Elliptic Curve Cipher Suites with SHA-256/384 and | ||||
AES Galois Counter Mode (GCM)"; | ||||
} | ||||
enum TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5289: | ||||
TLS Elliptic Curve Cipher Suites with SHA-256/384 and | ||||
AES Galois Counter Mode (GCM)"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_RC4_128_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_PSK_WITH_RC4_128_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5489: | ||||
ECDHE_PSK Cipher Suites for Transport Layer Security | ||||
(TLS) | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5489: | ||||
ECDHE_PSK Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5489: | ||||
ECDHE_PSK Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5489: | ||||
ECDHE_PSK Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 5489: | ||||
ECDHE_PSK Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384' algorithm."; | ||||
reference | ||||
"RFC 5489: | ||||
ECDHE_PSK Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_NULL_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_PSK_WITH_NULL_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5489: | ||||
ECDHE_PSK Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_NULL_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_PSK_WITH_NULL_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5489: | ||||
ECDHE_PSK Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_NULL_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_PSK_WITH_NULL_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5489: | ||||
ECDHE_PSK Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_RSA_WITH_ARIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_ARIA_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_WITH_ARIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_ARIA_256_CBC_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DH_anon_WITH_ARIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_anon_WITH_ARIA_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DH_anon_WITH_ARIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_anon_WITH_ARIA_256_CBC_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_WITH_ARIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_ARIA_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_WITH_ARIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_ARIA_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DH_anon_WITH_ARIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_anon_WITH_ARIA_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DH_anon_WITH_ARIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_anon_WITH_ARIA_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_PSK_WITH_ARIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_ARIA_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_PSK_WITH_ARIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_ARIA_256_CBC_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_PSK_WITH_ARIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_ARIA_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_PSK_WITH_ARIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_ARIA_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_WITH_AES_128_CCM { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_AES_128_CCM' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6655: | ||||
AES-CCM Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_RSA_WITH_AES_256_CCM { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_AES_256_CCM' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6655: | ||||
AES-CCM Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_AES_128_CCM { | ||||
description | ||||
"Enumeration for the 'TLS_DHE_RSA_WITH_AES_128_CCM' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6655: | ||||
AES-CCM Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_AES_256_CCM { | ||||
description | ||||
"Enumeration for the 'TLS_DHE_RSA_WITH_AES_256_CCM' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6655: | ||||
AES-CCM Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_RSA_WITH_AES_128_CCM_8 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_AES_128_CCM_8' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6655: | ||||
AES-CCM Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_RSA_WITH_AES_256_CCM_8 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_AES_256_CCM_8' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6655: | ||||
AES-CCM Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_AES_128_CCM_8 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_RSA_WITH_AES_128_CCM_8' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6655: | ||||
AES-CCM Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_AES_256_CCM_8 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_RSA_WITH_AES_256_CCM_8' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6655: | ||||
AES-CCM Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_PSK_WITH_AES_128_CCM { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_AES_128_CCM' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6655: | ||||
AES-CCM Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_PSK_WITH_AES_256_CCM { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_AES_256_CCM' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6655: | ||||
AES-CCM Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_AES_128_CCM { | ||||
description | ||||
"Enumeration for the 'TLS_DHE_PSK_WITH_AES_128_CCM' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6655: | ||||
AES-CCM Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_AES_256_CCM { | ||||
description | ||||
"Enumeration for the 'TLS_DHE_PSK_WITH_AES_256_CCM' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6655: | ||||
AES-CCM Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_PSK_WITH_AES_128_CCM_8 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_AES_128_CCM_8' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6655: | ||||
AES-CCM Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_PSK_WITH_AES_256_CCM_8 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_AES_256_CCM_8' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6655: | ||||
AES-CCM Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_PSK_DHE_WITH_AES_128_CCM_8 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_DHE_WITH_AES_128_CCM_8' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6655: | ||||
AES-CCM Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_PSK_DHE_WITH_AES_256_CCM_8 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_DHE_WITH_AES_256_CCM_8' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6655: | ||||
AES-CCM Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_AES_128_CCM { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_ECDSA_WITH_AES_128_CCM' | ||||
algorithm."; | ||||
reference | ||||
"RFC 7251: | ||||
AES-CCM Elliptic Curve Cryptography (ECC) Cipher Suites | ||||
for TLS"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_AES_256_CCM { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_ECDSA_WITH_AES_256_CCM' | ||||
algorithm."; | ||||
reference | ||||
"RFC 7251: | ||||
AES-CCM Elliptic Curve Cryptography (ECC) Cipher Suites | ||||
for TLS"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8' | ||||
algorithm."; | ||||
reference | ||||
"RFC 7251: | ||||
AES-CCM Elliptic Curve Cryptography (ECC) Cipher Suites | ||||
for TLS"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8' | ||||
algorithm."; | ||||
reference | ||||
"RFC 7251: | ||||
AES-CCM Elliptic Curve Cryptography (ECC) Cipher Suites | ||||
for TLS"; | ||||
} | ||||
enum TLS_ECCPWD_WITH_AES_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECCPWD_WITH_AES_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8492: | ||||
Secure Password Ciphersuites for Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECCPWD_WITH_AES_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECCPWD_WITH_AES_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8492: | ||||
Secure Password Ciphersuites for Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECCPWD_WITH_AES_128_CCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECCPWD_WITH_AES_128_CCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8492: | ||||
Secure Password Ciphersuites for Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECCPWD_WITH_AES_256_CCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECCPWD_WITH_AES_256_CCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8492: | ||||
Secure Password Ciphersuites for Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_SHA256_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_SHA256_SHA256' algorithm."; | ||||
reference | ||||
"RFC 9150: | ||||
TLS 1.3 Authentication and Integrity-Only Cipher | ||||
Suites"; | ||||
} | ||||
enum TLS_SHA384_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_SHA384_SHA384' algorithm."; | ||||
reference | ||||
"RFC 9150: | ||||
TLS 1.3 Authentication and Integrity-Only Cipher | ||||
Suites"; | ||||
} | ||||
enum TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC' | ||||
algorithm."; | ||||
reference | ||||
"RFC 9189: | ||||
GOST Cipher Suites for Transport Layer Security (TLS) | ||||
Protocol Version 1.2"; | ||||
} | ||||
enum TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC' algorithm."; | ||||
reference | ||||
"RFC 9189: | ||||
GOST Cipher Suites for Transport Layer Security (TLS) | ||||
Protocol Version 1.2"; | ||||
} | ||||
enum TLS_GOSTR341112_256_WITH_28147_CNT_IMIT { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_GOSTR341112_256_WITH_28147_CNT_IMIT' algorithm."; | ||||
reference | ||||
"RFC 9189: | ||||
GOST Cipher Suites for Transport Layer Security (TLS) | ||||
Protocol Version 1.2"; | ||||
} | ||||
enum TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L' algorithm."; | ||||
reference | ||||
"RFC 9367: | ||||
GOST Cipher Suites for Transport Layer Security (TLS) | ||||
Protocol Version 1.3"; | ||||
} | ||||
enum TLS_GOSTR341112_256_WITH_MAGMA_MGM_L { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_GOSTR341112_256_WITH_MAGMA_MGM_L' | ||||
algorithm."; | ||||
reference | ||||
"RFC 9367: | ||||
GOST Cipher Suites for Transport Layer Security (TLS) | ||||
Protocol Version 1.3"; | ||||
} | ||||
enum TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S' algorithm."; | ||||
reference | ||||
"RFC 9367: | ||||
GOST Cipher Suites for Transport Layer Security (TLS) | ||||
Protocol Version 1.3"; | ||||
} | ||||
enum TLS_GOSTR341112_256_WITH_MAGMA_MGM_S { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_GOSTR341112_256_WITH_MAGMA_MGM_S' | ||||
algorithm."; | ||||
reference | ||||
"RFC 9367: | ||||
GOST Cipher Suites for Transport Layer Security (TLS) | ||||
Protocol Version 1.3"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 { | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256' algorithm."; | ||||
reference | ||||
"RFC 7905: | ||||
ChaCha20-Poly1305 Cipher Suites for Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 { | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 7905: | ||||
ChaCha20-Poly1305 Cipher Suites for Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 { | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256' algorithm."; | ||||
reference | ||||
"RFC 7905: | ||||
ChaCha20-Poly1305 Cipher Suites for Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_PSK_WITH_CHACHA20_POLY1305_SHA256' algorithm."; | ||||
reference | ||||
"RFC 7905: | ||||
ChaCha20-Poly1305 Cipher Suites for Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 { | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256' algorithm."; | ||||
reference | ||||
"RFC 7905: | ||||
ChaCha20-Poly1305 Cipher Suites for Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 { | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256' algorithm."; | ||||
reference | ||||
"RFC 7905: | ||||
ChaCha20-Poly1305 Cipher Suites for Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256' algorithm."; | ||||
reference | ||||
"RFC 7905: | ||||
ChaCha20-Poly1305 Cipher Suites for Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 { | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 8442: | ||||
ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites for TLS | ||||
1.2 and DTLS 1.2"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 { | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 8442: | ||||
ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites for TLS | ||||
1.2 and DTLS 1.2"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256' algorithm."; | ||||
reference | ||||
"RFC 8442: | ||||
ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites for TLS | ||||
1.2 and DTLS 1.2"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 { | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 8442: | ||||
ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites for TLS | ||||
1.2 and DTLS 1.2"; | ||||
} | ||||
} | ||||
description | ||||
"An enumeration for TLS cipher-suite algorithms."; | ||||
} | ||||
} | ||||
<CODE ENDS> | ||||
Appendix B. Change Log | ||||
B.1. 00 to 01 | ||||
* Noted that '0.0.0.0' and '::' might have special meanings. | ||||
* Renamed "keychain" to "keystore". | ||||
B.2. 01 to 02 | ||||
* Removed the groupings containing transport-level configuration. | ||||
Now modules contain only the transport-independent groupings. | ||||
* Filled in previously incomplete 'ietf-tls-client' module. | ||||
* Added cipher suites for various algorithms into new 'ietf-tls- | ||||
common' module. | ||||
B.3. 02 to 03 | ||||
* Added a 'must' statement to container 'server-auth' asserting that | ||||
at least one of the various auth mechanisms must be specified. | ||||
* Fixed description statement for leaf 'trusted-ca-certs'. | ||||
B.4. 03 to 04 | ||||
* Updated title to "YANG Groupings for TLS Clients and TLS Servers" | ||||
* Updated leafref paths to point to new keystore path | ||||
* Changed the YANG prefix for ietf-tls-common from 'tlscom' to | ||||
'tlscmn'. | ||||
* Added TLS protocol verions 1.0 and 1.1. | ||||
* Made author lists consistent | ||||
* Now tree diagrams reference ietf-netmod-yang-tree-diagrams | ||||
* Updated YANG to use typedefs around leafrefs to common keystore | ||||
paths | ||||
* Now inlines key and certificates (no longer a leafref to keystore) | ||||
B.5. 04 to 05 | ||||
* Merged changes from co-author. | ||||
B.6. 05 to 06 | ||||
* Updated to use trust anchors from trust-anchors draft (was | ||||
keystore draft) | ||||
* Now Uses new keystore grouping enabling asymmetric key to be | ||||
either locally defined or a reference to the keystore. | ||||
B.7. 06 to 07 | ||||
* factored the tls-[client|server]-groupings into more reusable | ||||
groupings. | ||||
* added if-feature statements for the new "x509-certificates" | ||||
feature defined in draft-ietf-netconf-trust-anchors. | ||||
B.8. 07 to 08 | ||||
* Added a number of compatibility matrices to Section 5 (thanks | ||||
Frank!) | ||||
* Clarified that any configured "cipher-suite" values need to be | ||||
compatible with the configured private key. | ||||
B.9. 08 to 09 | ||||
* Updated examples to reflect update to groupings defined in the | ||||
keystore draft. | ||||
* Add TLS keepalives features and groupings. | ||||
* Prefixed top-level TLS grouping nodes with 'tls-' and support | ||||
mashups. | ||||
* Updated copyright date, boilerplate template, affiliation, and | ||||
folding algorithm. | ||||
B.10. 09 to 10 | ||||
* Reformatted the YANG modules. | ||||
B.11. 10 to 11 | ||||
* Collapsed all the inner groupings into the top-level grouping. | ||||
* Added a top-level "demux container" inside the top-level grouping. | ||||
* Added NACM statements and updated the Security Considerations | ||||
section. | ||||
* Added "presence" statements on the "keepalive" containers, as was | ||||
needed to address a validation error that appeared after adding | ||||
the "must" statements into the NETCONF/RESTCONF client/server | ||||
modules. | ||||
* Updated the boilerplate text in module-level "description" | ||||
statement to match copyeditor convention. | ||||
B.12. 11 to 12 | ||||
* In server model, made 'client-authentication' a 'presence' node | ||||
indicating that the server supports client authentication. | ||||
* In the server model, added a 'required-or-optional' choice to | ||||
'client-authentication' to better support protocols such as | ||||
RESTCONF. | ||||
* In the server model, added a 'inline-or-external' choice to | ||||
'client-authentication' to better support consuming data models | ||||
that prefer to keep client auth with client definitions than in a | ||||
model principally concerned with the "transport". | ||||
* In both models, removed the "demux containers", floating the | ||||
nacm:default-deny-write to each descendant node, and adding a note | ||||
to model designers regarding the potential need to add their own | ||||
demux containers. | ||||
* Fixed a couple references (section 2 --> section 3) | ||||
B.13. 12 to 13 | ||||
* Updated to reflect changes in trust-anchors drafts (e.g., s/trust- | ||||
anchors/truststore/g + s/pinned.//) | ||||
B.14. 12 to 13 | ||||
* Removed 'container' under 'client-identity' to match server model. | ||||
* Updated examples to reflect change grouping in keystore module. | ||||
B.15. 13 to 14 | ||||
* Removed the "certificate" container from "client-identity" in the | ||||
ietf-tls-client module. | ||||
* Updated examples to reflect ietf-crypto-types change (e.g., | ||||
identities --> enumerations) | ||||
B.16. 14 to 15 | ||||
* Updated "server-authentication" and "client-authentication" nodes | ||||
from being a leaf of type "ts:certificates-ref" to a container | ||||
that uses "ts:inline-or-truststore-certs-grouping". | ||||
B.17. 15 to 16 | ||||
* Removed unnecessary if-feature statements in the -client and | ||||
-server modules. | ||||
* Cleaned up some description statements in the -client and -server | ||||
modules. | ||||
* Fixed a canonical ordering issue in ietf-tls-common detected by | ||||
new pyang. | ||||
B.18. 16 to 17 | ||||
* Removed choice inline-or-external by removing the 'external' case | ||||
and flattening the 'local' case and adding a "client-auth- | ||||
supported" feature. | ||||
* Removed choice required-or-optional. | ||||
* Updated examples to include the "*-key-format" nodes. | ||||
* Augmented-in "must" expressions ensuring that locally-defined | ||||
public-key-format are "ct:tls-public-key-format" (must expr for | ||||
ref'ed keys are TBD). | ||||
B.19. 17 to 18 | ||||
* Removed the unused "external-client-auth-supported" feature. | ||||
* Made client-indentity optional, as there may be over-the-top auth | ||||
instead. | ||||
* Added augment to uses of inline-or-keystore-symmetric-key-grouping | ||||
for a psk "id" node. | ||||
* Added missing presence container "psks" to ietf-tls-server's | ||||
"client-authentication" container. | ||||
* Updated examples to reflect new "bag" addition to truststore. | ||||
* Removed feature-limited caseless 'case' statements to improve tree | ||||
diagram rendering. | ||||
* Refined truststore/keystore groupings to ensure the key formats | ||||
"must" be particular values. | ||||
* Switched to using truststore's new "public-key" bag (instead of | ||||
separate "ssh-public-key" and "raw-public-key" bags). | ||||
* Updated client/server examples to cover ALL cases (local/ref x | ||||
cert/raw-key/psk). | ||||
B.20. 18 to 19 | ||||
* Updated the "keepalives" containers in part to address Michal | ||||
Vasko's request to align with RFC 8071, and in part to better | ||||
align to RFC 6520. | ||||
* Removed algorithm-mapping tables from the "TLS Common Model" | ||||
section | ||||
* Removed the 'algorithm' node from the examples. | ||||
* Renamed both "client-certs" and "server-certs" to "ee-certs" | ||||
* Added a "Note to Reviewers" note to first page. | ||||
B.21. 19 to 20 | ||||
* Modified the 'must' expression in the "ietf-tls-client:server- | ||||
authention" node to cover the "raw-public-keys" and "psks" nodes | ||||
also. | ||||
* Added a "must 'ca-certs or ee-certs or raw-public-keys or psks'" | ||||
statement to the ietf-tls-server:client-authentication" node. | ||||
* Added "mandatory true" to "choice auth-type" and a "presence" | ||||
statement to its ancestor. | ||||
* Expanded "Data Model Overview section(s) [remove "wall" of tree | ||||
diagrams]. | ||||
* Moved the "ietf-tls-common" module section to proceed the other | ||||
two module sections. | ||||
* Updated the Security Considerations section. | ||||
B.22. 20 to 21 | ||||
* Updated examples to reflect new "cleartext-" prefix in the crypto- | ||||
types draft. | ||||
B.23. 21 to 22 | ||||
* In both the "client-authentication" and "server-authentication" | ||||
subtrees, replaced the "psks" node from being a P-container to a | ||||
leaf of type "empty". | ||||
* Cleaned up examples (e.g., removed FIXMEs) | ||||
* Fixed issues found by the SecDir review of the "keystore" draft. | ||||
* Updated the "psk" sections in the "ietf-tls-client" and "ietf-tls- | ||||
server" modules to more correctly reflect RFC 4279. | ||||
B.24. 22 to 23 | ||||
* Addressed comments raised by YANG Doctor in the ct/ts/ks drafts. | ||||
B.25. 23 to 24 | ||||
* Added missing reference to "FIPS PUB 180-4". | ||||
* Added identity "tls-1.3" and updated description statement in | ||||
other identities indicating that the protocol version is obsolete | ||||
and enabling the feature is NOT RECOMMENDED. | ||||
* Added XML-comment above examples explaining the reason for the | ||||
unexpected top-most element's presence. | ||||
* Added missing "client-ident-raw-public-key" and "client-ident-psk" | ||||
featutes. | ||||
* Aligned modules with `pyang -f` formatting. | ||||
* Fixed nits found by YANG Doctor reviews. | ||||
* Added a 'Contributors' section. | ||||
B.26. 24 to 25 | ||||
* Added TLS 1.3 references. | ||||
* Clarified support for various TLS protocol versions. | ||||
* Moved algorithms in ietf-tls-common (plus more) to IANA-maintained | ||||
modules | ||||
* Added "config false" lists for algorithms supported by the server. | ||||
* Fixed issues found during YANG Doctor review. | ||||
B.27. 25 to 26 | ||||
* Replaced "base64encodedvalue==" with "BASE64VALUE=" in examples. | ||||
* Minor editorial nits | ||||
B.28. 26 to 27 | ||||
* Fixed up the 'WG Web' and 'WG List' lines in YANG module(s) | ||||
* Fixed up copyright (i.e., s/Simplified/Revised/) in YANG | ||||
module(s). | ||||
* Created identityref-based typedef for the IANA alg identity base. | ||||
* Major update to support TLS 1.3. | ||||
B.29. 27 to 28 | ||||
* Fixed draft text to refer to new "identity" values (e.g., s/tls- | ||||
1.3/tls13). | ||||
* Added ietf-tls-common:generate-public-key() RPC. | ||||
B.30. 28 to 29 | ||||
* Updated modules to IANA-maintained module in Appendix A to | ||||
2022-06-16. | ||||
B.31. 29 to 30 | ||||
* Fixed 'must' expressions. | ||||
* Added missing 'revision' statement. | ||||
B.32. 30 to 31 | ||||
* Updated per Shepherd reviews impacting the suite of drafts. | ||||
B.33. 31 to 32 | ||||
* Updated per Shepherd reviews impacting the suite of drafts. | ||||
B.34. 32 to 33 | ||||
* Updated per Tom Petch review. | ||||
* Added RPC-reply to 'generate-public-key" RPC example. | ||||
B.35. 33 to 34 | ||||
* Addresses AD review comments. | ||||
* Added note to Editor to fix line foldings. | ||||
* Introduction now more clearly identifies the "ietf-" and "iana-" | ||||
modules defined. | ||||
* Clarified that the modules, when implemented, do not define any | ||||
protocol-accessible nodes. | ||||
* Clarified that IANA may deprecate and/or obsolete identities over | ||||
time. | ||||
* Added Security Consideration for the "generate-public-key" RPC. | ||||
* Added Security Considerations text to also look a SC-section from | ||||
imported modules. | ||||
* Added missing if-feature statements. | ||||
* Fixed private-key "must" expressions to not require public-key | ||||
nodes to be present. | ||||
* Fixed ident-tls12-psk and ident-tls13-psk YANG and references. | ||||
* Renamed leaf from "bits" to "num-bits". | ||||
* Added missing "ordered-by user" statement. | ||||
* Added container "private-key-encoding" to wrap existing choice. | ||||
* Renamed container "encrypt-with" to "encrypted". | ||||
* Renamed leaf from "hide" to "hidden". | ||||
* Removed "public-key-format" and "public-key" nodes from examples. | ||||
B.36. 34 to 35 | ||||
* Addresses AD review by Rob Wilton. | ||||
B.37. 35 to 36 | ||||
* Complete tls10/tls11 removal and update Jeff's email. | ||||
B.38. 36 to 37 | ||||
* Addresses 1st-round of IESG reviews. | ||||
B.39. 37 to 39 | ||||
* Addresses issues found in OpsDir review of the ssh-client-server | ||||
draft. | ||||
* Replaced identities with enums in the IANA module. | ||||
* Add refs to where the 'operational' and 'system' datastores are | ||||
defined. | ||||
* Updated Introduction to read more like the Abstract | ||||
* Updated Editor-notes to NOT remove the script (just remove the | ||||
initial IANA module) | ||||
* Renamed Security Considerations section s/Template for/ | ||||
Considerations for/ | ||||
* s/defines/presents/ in a few places. | ||||
* Renamed script from 'gen-identities.py' to 'gen-yang-module.py' | ||||
* Removed the removeInRFC="true" attribute in Appendix sections | ||||
B.40. 39 to 40 | ||||
* Address IESG review comments. | ||||
B.41. 40 to 41 | ||||
* Updated to reflect comments from Paul Wouters. | ||||
* Fixed the "generate-asymmetric-key-pair" RPC to return the | ||||
location to where hidden keys are created. | ||||
Acknowledgements | Acknowledgements | |||
The authors would like to thank the following for lively discussions | The authors would like to thank the following for lively discussions | |||
on list and in the halls (ordered by first name): Alan Luchuk, Andy | on list and in the halls (ordered by first name): Alan Luchuk, Andy | |||
Bierman, Balázs Kovács, Benoit Claise, Bert Wijnen, David Lamparter, | Bierman, Balázs Kovács, Benoit Claise, Bert Wijnen, David Lamparter, | |||
Dhruv Dhody, Éric Vyncke, Gary Wu, Henk Birkholz, Jeff Hartley, | Dhruv Dhody, Éric Vyncke, Gary Wu, Henk Birkholz, Jeff Hartley, | |||
Jürgen Schönwälder, Ladislav Lhotka, Liang Xia, Martin Björklund, | Jürgen Schönwälder, Ladislav Lhotka, Liang Xia, Martin Björklund, | |||
Martin Thomson, Mehmet Ersue, Michal Vaško, Murray Kucherawy, Paul | Martin Thomson, Mehmet Ersue, Michal Vaško, Murray Kucherawy, Paul | |||
Wouters, Phil Shafer, Qin Wu, Radek Krejci, Rob Wilton, Roman | Wouters, Phil Shafer, Qin Wu, Radek Krejci, Rob Wilton, Roman | |||
Danyliw, Russ Housley, Sean Turner, Tom Petch, and Thomas Martin. | Danyliw, Russ Housley, Sean Turner, Thomas Martin, and Tom Petch. | |||
Contributors | Contributors | |||
Special acknowledgement goes to Gary Wu who contributed the "ietf- | Special acknowledgement goes to Gary Wu who contributed the "ietf- | |||
tls-common" module, and Tom Petch who carefully ensured that | tls-common" module and Tom Petch who carefully ensured that | |||
references were set correctly throughout. | references were set correctly throughout. | |||
Author's Address | Author's Address | |||
Kent Watsen | Kent Watsen | |||
Watsen Networks | Watsen Networks | |||
Email: kent+ietf@watsen.net | Email: kent+ietf@watsen.net | |||
End of changes. 303 change blocks. | ||||
4928 lines changed or deleted | 723 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. |