rfc9645.original.xml | rfc9645.xml | |||
---|---|---|---|---|
<?xml version='1.0' encoding='utf-8'?> | <?xml version='1.0' encoding='UTF-8'?> | |||
<!-- draft submitted in xml v3 --> | ||||
<!DOCTYPE rfc [ | <!DOCTYPE rfc [ | |||
<!ENTITY nbsp " "> | <!ENTITY nbsp " "> | |||
<!ENTITY zwsp "​"> | <!ENTITY zwsp "​"> | |||
<!ENTITY nbhy "‑"> | <!ENTITY nbhy "‑"> | |||
<!ENTITY wj "⁠"> | <!ENTITY wj "⁠"> | |||
]> | ]> | |||
<?rfc toc="yes"?> | ||||
<?rfc symrefs="yes"?> | <rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="std" consensus="true" | |||
<?rfc sortrefs="yes" ?> | submissionType="IETF" docName="draft-ietf-netconf-tls-client-server-41" number=" | |||
<?rfc compact="yes"?> | 9645" ipr="trust200902" tocInclude="true" symRefs="true" sortRefs="true" updates | |||
<?rfc subcompact="no"?> | ="" obsoletes="" xml:lang="en" version="3"> | |||
<?rfc linkmailto="no" ?> | ||||
<?rfc editing="no" ?> | ||||
<?rfc comments="yes" ?> | ||||
<?rfc inline="yes"?> | ||||
<?rfc rfcedstyle="yes"?> | ||||
<?rfc-ext allow-markup-in-artwork="yes" ?> | ||||
<?rfc-ext include-index="no" ?> | ||||
<!--<?rfc strict="no"?> --> | ||||
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="std" consensus="true" | ||||
submissionType="IETF" docName="draft-ietf-netconf-tls-client-server-41" ipr="tru | ||||
st200902" tocInclude="true" symRefs="true" sortRefs="true" version="3"> | ||||
<!-- xml2rfc v2v3 conversion 3.17.4 --> | ||||
<front> | <front> | |||
<title abbrev="Groupings for TLS Clients and Servers">YANG Groupings for | <title abbrev="Groupings for TLS Clients and Servers">YANG Groupings for | |||
TLS Clients and TLS Servers</title> | TLS Clients and TLS Servers</title> | |||
<seriesInfo name="Internet-Draft" value="draft-ietf-netconf-tls-client-serve | <seriesInfo name="RFC" value="9645"/> | |||
r-41"/> | ||||
<author fullname="Kent Watsen" initials="K." surname="Watsen"> | <author fullname="Kent Watsen" initials="K." surname="Watsen"> | |||
<organization>Watsen Networks</organization> | <organization>Watsen Networks</organization> | |||
<address> | <address> | |||
<email>kent+ietf@watsen.net</email> | <email>kent+ietf@watsen.net</email> | |||
</address> | </address> | |||
</author> | </author> | |||
<date/> | <date year="2024" month="October"/> | |||
<area>Operations</area> | <area>OPS</area> | |||
<workgroup>NETCONF Working Group</workgroup> | <workgroup>netconf</workgroup> | |||
<abstract> | <abstract> | |||
<t>This document presents four YANG 1.1 modules. Three IETF modules, | <t>This document presents four YANG 1.1 modules -- three IETF modules | |||
and one supporting IANA module.</t> | and one supporting IANA module.</t> | |||
<t>The three IETF modules are: ietf-tls-common, ietf-tls-client, and | <t>The three IETF modules are "ietf-tls-common", "ietf-tls-client", and | |||
ietf-tls-server. The "ietf-tls-client" and "ietf-tls-server" modules | "ietf-tls-server". The "ietf-tls-client" and "ietf-tls-server" modules | |||
are the primary productions of this work, supporting the configuration | are the primary productions of this work, supporting the configuration | |||
and monitoring of TLS clients and servers.</t> | and monitoring of TLS clients and servers.</t> | |||
<t>The IANA module is: iana-tls-cipher-suite-algs. This module | <t>The IANA module is "iana-tls-cipher-suite-algs". This module | |||
defines YANG enumerations providing support for an IANA-maintained | defines YANG enumerations that provide support for an IANA-maintained | |||
algorithm registry.</t> | algorithm registry.</t> | |||
</abstract> | </abstract> | |||
<note> | ||||
<name>Editorial Note (To be removed by RFC Editor)</name> | ||||
<t>This draft contains placeholder values that need to be replaced | ||||
with finalized values at the time of publication. This note summarizes | ||||
all of the substitutions that are needed. No other RFC Editor | ||||
instructions are specified elsewhere in this document.</t> | ||||
<t>Artwork in this document contains shorthand references to drafts in | ||||
progress. Please apply the following replacements: | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li> | ||||
<tt>AAAA</tt> --> the assigned RFC value for draft-ietf-netconf-cry | ||||
pto-types</li> | ||||
<li> | ||||
<tt>BBBB</tt> --> the assigned RFC value for draft-ietf-netconf-tru | ||||
st-anchors</li> | ||||
<li> | ||||
<tt>CCCC</tt> --> the assigned RFC value for draft-ietf-netconf-key | ||||
store</li> | ||||
<li> | ||||
<tt>DDDD</tt> --> the assigned RFC value for draft-ietf-netconf-tcp | ||||
-client-server</li> | ||||
<li> | ||||
<tt>FFFF</tt> --> the assigned RFC value for this draft</li> | ||||
</ul> | ||||
<t>Artwork in this document contains placeholder values for the date of | ||||
publication of this draft. Please apply the following replacement: | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li> | ||||
<tt>2024-03-16</tt> --> the publication date of this draft</li> | ||||
</ul> | ||||
<t>The "Relation to other RFCs" section <xref target="collective-effort"/> | ||||
contains | ||||
the text "one or more YANG modules" and, later, "modules". This text is | ||||
sourced | ||||
from a file in a context where it is unknown how many modules a draft de | ||||
fines. | ||||
The text is not wrong as is, but it may be improved by stating more dire | ||||
ctly how | ||||
many modules are defined.</t> | ||||
<t>The "Relation to other RFCs" section <xref target="collective-effort"/> | ||||
contains | ||||
a self-reference to this draft, along with a corresponding reference i | ||||
n | ||||
the Appendix. Please replace the self-reference in this section with | ||||
"This RFC" | ||||
(or similar) and remove the self-reference in the "Normative/Informati | ||||
ve References" | ||||
section, whichever it is in.</t> | ||||
<t>Tree-diagrams in this draft may use the '\' line-folding mode defined i | ||||
n RFC 8792. | ||||
However, nicer-to-the-eye is when the '\\' line-folding mode is used. | ||||
The AD suggested | ||||
suggested putting a request here for the RFC Editor to help convert "u | ||||
gly" '\' folded | ||||
examples to use the '\\' folding mode. "Help convert" may be interpre | ||||
ted as, identify | ||||
what looks ugly and ask the authors to make the adjustment.</t> | ||||
<t>The following Appendix sections are to be removed prior to publication: | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li> | ||||
<xref target="tls-cipher-algs-model"/>. Initial Module for the "TLS C | ||||
ipher Suites" Registry</li> | ||||
<li> | ||||
<xref target="change-log"/>. Change Log</li> | ||||
</ul> | ||||
</note> | ||||
</front> | </front> | |||
<middle> | <middle> | |||
<section> | <section> | |||
<name>Introduction</name> | <name>Introduction</name> | |||
<t>This document presents four YANG 1.1 <xref target="RFC7950"/> | <t>This document presents four YANG 1.1 <xref target="RFC7950"/> | |||
modules. Three "IETF" modules and one "IANA" module.</t> | modules -- three IETF modules and one IANA module.</t> | |||
<t>The three IETF modules are ietf-tls-common (<xref target="tls-common-mo | <t>The three IETF modules are "ietf-tls-common" (<xref target="tls-common- | |||
del"/>), | model"/>), | |||
ietf-tls-client (<xref target="tls-client-model"/>), and ietf-tls-server | "ietf-tls-client" (<xref target="tls-client-model"/>), and "ietf-tls-ser | |||
ver" | ||||
(<xref target="tls-server-model"/>). The "ietf-tls-client" and | (<xref target="tls-server-model"/>). The "ietf-tls-client" and | |||
"ietf-tls-server" modules are the primary productions of this work, | "ietf-tls-server" modules are the primary productions of this work, | |||
supporting the configuration and monitoring of TLS clients and servers.< /t> | supporting the configuration and monitoring of TLS clients and servers.< /t> | |||
<t>The groupings defined in this document are expected to be used in | <t>The groupings defined in this document are expected to be used in | |||
conjunction with the groupings defined in an underlying transport-level | conjunction with the groupings defined in an underlying transport-level | |||
module, such as the groupings defined in <xref target="I-D.ietf-net conf-tcp-client-server"/>. | module, such as the groupings defined in <xref target="RFC9643"/>. | |||
The transport-level data model enables the configuration of transport-le vel | The transport-level data model enables the configuration of transport-le vel | |||
values such as a remote address, a remote port, a local address, and a | values such as a remote address, a remote port, a local address, and a | |||
local port.</t> | local port.</t> | |||
<t>The IANA module is iana-tls-cipher-suite-algs (<xref target="tls-cipher | <t>The IANA module is "iana-tls-cipher-suite-algs". | |||
-algs-model"/>). | This module defines YANG enumerations that provide support for an IANA-m | |||
This module defines YANG enumerations providing support for an IANA-main | aintained | |||
tained | ||||
algorithm registry.</t> | algorithm registry.</t> | |||
<t>This document assumes that the IANA module exists, | ||||
and presents a script in <xref target="iana-script"/> that IANA | <t>IANA used the script in <xref target="iana-script"/> to generate the "i | |||
may use to generate the YANG module. This document does not | ana-tls-cipher-suite-algs" YANG module. This document does not | |||
publish initial version of this module. IANA publishes | publish the initial version of the module; it is published and maintaine | |||
this module.</t> | d by IANA.</t> | |||
<section> | <section> | |||
<name>Regarding the IETF Modules</name> | ||||
<name>Regarding the Three IETF Modules</name> | ||||
<t>The three IETF modules define features and groupings to model "generi c" TLS | <t>The three IETF modules define features and groupings to model "generi c" TLS | |||
clients and TLS servers, where "generic" should be interpreted as "lea st | clients and TLS servers, where "generic" should be interpreted as "lea st | |||
common denominator" rather than "complete." Basic TLS protocol suppor t | common denominator" rather than "complete." Basic TLS protocol suppor t | |||
is afforded by these modules, leaving configuration of advance feature s | is afforded by these modules, leaving configuration of advance feature s | |||
to augmentations made by consuming modules.</t> | to augmentations made by consuming modules.</t> | |||
<t>It is intended that the YANG groupings will be used by applications n eeding | <t>It is intended that the YANG groupings will be used by applications n eeding | |||
to configure TLS client and server protocol stacks. For instance, the se | to configure TLS client and server protocol stacks. For instance, the se | |||
groupings are used to help define the data model for HTTPS <xref targe | groupings are used to help define the data model for HTTPS <xref targe | |||
t="RFC2818"/> | t="RFC9110"/> | |||
and NETCONF over TLS <xref target="RFC7589"/> based clients and server | and clients and servers based on the Network Configuration Protocol (N | |||
s in | ETCONF) over TLS <xref target="RFC7589"/> in <xref target="I-D.ietf-netconf-http | |||
<xref target="I-D.ietf-netconf-http-client-server"/> and | -client-server"/> and <xref target="I-D.ietf-netconf-netconf-client-server"/>, r | |||
<xref target="I-D.ietf-netconf-netconf-client-server"/> respectively.< | espectively.</t> | |||
/t> | <t>The "ietf-tls-client" and "ietf-tls-server" YANG modules each define | |||
<t>The ietf-tls-client and ietf-tls-server YANG modules each define one | one | |||
grouping, which is focused on just TLS-specific configuration, and | grouping, which is focused on just TLS-specific configuration, and | |||
specifically avoids any transport-level configuration, such as what | specifically avoid any transport-level configuration, such as what | |||
ports to listen-on or connect-to. This affords applications the | ports to listen on or connect to. This affords applications the | |||
opportunity to define their own strategy for how the underlying TCP | opportunity to define their own strategy for how the underlying TCP | |||
connection is established. For instance, applications supporting NETCO NF | connection is established. For instance, applications supporting NETCO NF | |||
Call Home <xref target="RFC8071"/> could use the "tls-server-grouping" | Call Home <xref target="RFC8071"/> could use the "tls-server-grouping" | |||
grouping for the TLS parts it provides, while adding data nodes for th e | grouping for the TLS parts it provides, while adding data nodes for th e | |||
TCP-level call-home configuration.</t> | TCP-level call-home configuration.</t> | |||
<t>Both TLS 1.2 and TLS 1.3 may be configured. TLS 1.2 | <t>Both TLS 1.2 and TLS 1.3 may be configured. TLS 1.2 | |||
<xref target="RFC5246"/> is obsoleted by TLS 1.3 <xref target="RFC8446 "/> | <xref target="RFC5246"/> is obsoleted by TLS 1.3 <xref target="RFC8446 "/> | |||
but still in common use, and hence its "feature" statement is marked | but is still in common use, and hence its "feature" statement is marke d | |||
"status deprecated".</t> | "status deprecated".</t> | |||
</section> | </section> | |||
<section anchor="collective-effort"> | <section anchor="collective-effort"> | |||
<name>Relation to other RFCs</name> | <name>Relation to Other RFCs</name> | |||
<t>This document presents one or more YANG modules <xref target="RFC7950 | <t>This document presents four YANG modules <xref target="RFC7950"/> | |||
"/> | ||||
that are part of a collection of RFCs that work together | that are part of a collection of RFCs that work together | |||
to, ultimately, support the configuration of both the clients | to ultimately support the configuration of both the clients | |||
and servers of both the NETCONF <xref target="RFC6241"/> and | and servers of the NETCONF <xref target="RFC6241"/> and | |||
RESTCONF <xref target="RFC8040"/> protocols.</t> | RESTCONF <xref target="RFC8040"/> protocols.</t> | |||
<t> The dependency relationship between the primary YANG groupings | <t> The dependency relationship between the primary YANG groupings | |||
defined in the various RFCs is presented in the below diagram. | defined in the various RFCs is presented in the diagram below. | |||
In some cases, a draft may define secondary groupings that | In some cases, a document may define secondary groupings that | |||
introduce dependencies not illustrated in the diagram. | introduce dependencies not illustrated in the diagram. | |||
The labels in the diagram are a shorthand name for the defining | The labels in the diagram are shorthand names for the defining | |||
RFC. The citation reference for shorthand name is provided below | RFCs. The citation references for the shorthand names are provided | |||
below | ||||
the diagram.</t> | the diagram.</t> | |||
<t>Please note that the arrows in the diagram point from referencer | <t>Please note that the arrows in the diagram point from referencer | |||
to referenced. For example, the "crypto-types" RFC does not | to referenced. For example, the "crypto-types" RFC does not | |||
have any dependencies, whilst the "keystore" RFC depends on the | have any dependencies, whilst the "keystore" RFC depends on the | |||
"crypto-types" RFC.</t> | "crypto-types" RFC.</t> | |||
<artwork><![CDATA[ | <artwork><![CDATA[ | |||
crypto-types | crypto-types | |||
^ ^ | ^ ^ | |||
/ \ | / \ | |||
/ \ | / \ | |||
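Review bot: In the "Regarding the Three IETF Modules" paragraph, the phrase "leaving configuration of advance features to augmentations" is identical on both sides of the diff. It should read "advanced features", and this editorial pass is the natural place to fix it. Separately, the new rfc element gains updates="" and obsoletes="" with empty values; empty attributes carry no information, so drop them unless the toolchain requires them.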
skipping to change at line 192 ¶ | skipping to change at line 130 ¶ | |||
| | | ^ ^ http-client-server | | | | ^ ^ http-client-server | |||
| | | | | ^ | | | | | | ^ | |||
| | | +-----+ +---------+ | | | | | +-----+ +---------+ | | |||
| | | | | | | | | | | | | | |||
| +-----------|--------|--------------+ | | | | +-----------|--------|--------------+ | | | |||
| | | | | | | | | | | | | | |||
+-----------+ | | | | | | +-----------+ | | | | | | |||
| | | | | | | | | | | | | | |||
| | | | | | | | | | | | | | |||
netconf-client-server restconf-client-server | netconf-client-server restconf-client-server | |||
]]></artwork> | ]]></artwork> | |||
<!-- RFC Editor: is there anyway to flush-left the table in PDF/HTML vie | <table align="left"> | |||
ws? --> | <name>Labels in Diagram to RFC Mapping</name> | |||
<table> | ||||
<name>Label in Diagram to RFC Mapping</name> | ||||
<tbody> | <tbody> | |||
<tr> | <tr> | |||
<th>Label in Diagram</th> | <th>Label in Diagram</th> | |||
<th>Originating RFC</th> | <th>Originating RFC</th> | |||
</tr> | </tr> | |||
<tr> | <tr> | |||
<td>crypto-types</td> | <td>crypto-types</td> | |||
<td> | <td> | |||
<xref target="I-D.ietf-netconf-crypto-types"/></td> | <xref target="RFC9640"/></td> | |||
</tr> | </tr> | |||
<tr> | <tr> | |||
<td>truststore</td> | <td>truststore</td> | |||
<td> | <td> | |||
<xref target="I-D.ietf-netconf-trust-anchors"/></td> | <xref target="RFC9641"/></td> | |||
</tr> | </tr> | |||
<tr> | <tr> | |||
<td>keystore</td> | <td>keystore</td> | |||
<td> | <td> | |||
<xref target="I-D.ietf-netconf-keystore"/></td> | <xref target="RFC9642"/></td> | |||
</tr> | </tr> | |||
<tr> | <tr> | |||
<td>tcp-client-server</td> | <td>tcp-client-server</td> | |||
<td> | <td> | |||
<xref target="I-D.ietf-netconf-tcp-client-server"/></td> | <xref target="RFC9643"/></td> | |||
</tr> | </tr> | |||
<tr> | <tr> | |||
<td>ssh-client-server</td> | <td>ssh-client-server</td> | |||
<td> | <td> | |||
<xref target="I-D.ietf-netconf-ssh-client-server"/></td> | <xref target="RFC9644"/></td> | |||
</tr> | </tr> | |||
<tr> | <tr> | |||
<td>tls-client-server</td> | <td>tls-client-server</td> | |||
<td> | <td> | |||
<xref target="I-D.ietf-netconf-tls-client-server"/></td> | RFC 9645</td> | |||
</tr> | </tr> | |||
<tr> | <tr> | |||
<td>http-client-server</td> | <td>http-client-server</td> | |||
<td> | <td> | |||
<xref target="I-D.ietf-netconf-http-client-server"/></td> | <xref target="I-D.ietf-netconf-http-client-server"/></td> | |||
</tr> | </tr> | |||
<tr> | <tr> | |||
<td>netconf-client-server</td> | <td>netconf-client-server</td> | |||
<td> | <td> | |||
<xref target="I-D.ietf-netconf-netconf-client-server"/></td> | <xref target="I-D.ietf-netconf-netconf-client-server"/></td> | |||
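Review bot: The label-to-RFC table now mixes three reference styles. The crypto-types through tcp-client-server and ssh-client-server rows use xref targets RFC9640 to RFC9644, the tls-client-server row is the bare text "RFC 9645" with no xref, and the http-client-server and netconf-client-server rows still point at I-D.ietf-netconf-* targets. Confirm the remaining Internet-Draft targets are meant to stay as work-in-progress references at publication, and consider wording the self-reference so a reader can tell the row refers to this document.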
skipping to change at line 252 ¶ | skipping to change at line 188 ¶ | |||
<tr> | <tr> | |||
<td>restconf-client-server</td> | <td>restconf-client-server</td> | |||
<td> | <td> | |||
<xref target="I-D.ietf-netconf-restconf-client-server"/></td> | <xref target="I-D.ietf-netconf-restconf-client-server"/></td> | |||
</tr> | </tr> | |||
</tbody> | </tbody> | |||
</table> | </table> | |||
</section> | </section> | |||
<section> | <section> | |||
<name>Specification Language</name> | <name>Specification Language</name> | |||
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL | <t> | |||
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", | The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", | |||
"MAY", and "OPTIONAL" in this document are to be interpreted as | "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14> | |||
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/ | ", | |||
> | "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", | |||
when, and only when, they appear in all capitals, as shown here.</t> | "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", | |||
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to | ||||
be | ||||
interpreted as described in BCP 14 <xref target="RFC2119"/> <xref | ||||
target="RFC8174"/> when, and only when, they appear in all capitals, as | ||||
shown here. | ||||
</t> | ||||
</section> | </section> | |||
<section> | <section> | |||
<name>Adherence to the NMDA</name> | <name>Adherence to the NMDA</name> | |||
<t>This document is compliant with the Network Management Datastore | <t>This document is compliant with the Network Management Datastore | |||
Architecture (NMDA) <xref target="RFC8342"/>. For instance, as | Architecture (NMDA) <xref target="RFC8342"/>. For instance, as | |||
described in <xref target="I-D.ietf-netconf-trust-anchors"/> and | described in <xref target="RFC9641"/> and | |||
<xref target="I-D.ietf-netconf-keystore"/>, trust anchors and keys | <xref target="RFC9642"/>, trust anchors and keys | |||
installed during manufacturing are expected to appear | installed during manufacturing are expected to appear | |||
in <operational> (<xref section="5.3" target="RFC8342"/>), and & | in <operational> (<xref section="5.3" target="RFC8342"/>) and &l | |||
lt;system> | t;system> | |||
<xref target="I-D.ietf-netmod-system-config"/>, if implemented.</t> | <xref target="I-D.ietf-netmod-system-config"/> if implemented.</t> | |||
</section> | </section> | |||
<section> | <section> | |||
<name>Conventions</name> | <name>Conventions</name> | |||
<t>Various examples in this document use "BASE64VALUE=" as a | <t>Various examples in this document use "BASE64VALUE=" as a | |||
placeholder value for binary data that has been base64 | placeholder value for binary data that has been base64 encoded | |||
encoded (per <xref section="9.8" target="RFC7950"/>). This | (per <xref section="9.8" target="RFC7950"/>). This | |||
placeholder value is used because real base64 encoded structures | placeholder value is used because real base64-encoded structures | |||
are often many lines long and hence distracting to the example | are often many lines long and hence distracting to the example | |||
being presented.</t> | being presented.</t> | |||
<t> | ||||
Various examples in this document use the XML <xref | ||||
target="W3C.REC-xml-20081126"/> encoding. Other encodings, such as | ||||
JSON <xref target="RFC8259"/>, could alternatively be used. | ||||
</t> | ||||
<t> | ||||
Various examples in this document contain long lines that may be folded, | ||||
as described in [RFC8792]. | ||||
</t> | ||||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="tls-common-model"> | <section anchor="tls-common-model"> | |||
<name>The "ietf-tls-common" Module</name> | <name>The "ietf-tls-common" Module</name> | |||
<t>The TLS common model presented in this section contains features | <t>The TLS common model presented in this section contains features | |||
and groupings common to both TLS clients and TLS servers. The | and groupings common to both TLS clients and TLS servers. The | |||
"hello-params-grouping" grouping can be used to configure the list of TLS | "hello-params-grouping" grouping can be used to configure the list of TLS | |||
algorithms permitted by the TLS client or TLS server. The lists of | algorithms permitted by the TLS client or TLS server. The lists of | |||
algorithms are ordered such that, if multiple algorithms are permitted | algorithms are ordered such that, if multiple algorithms are permitted | |||
by the client, the algorithm that appears first in its list that is also | by the client, the algorithm that appears first in its list and that is al so | |||
permitted by the server is used for the TLS transport layer connection. | permitted by the server is used for the TLS transport layer connection. | |||
The ability to restrict the algorithms allowed is provided in this | The ability to restrict the algorithms allowed is provided in this | |||
grouping for TLS clients and TLS servers that are capable of doing so | grouping for TLS clients and TLS servers that are capable of doing so | |||
and may serve to make TLS clients and TLS servers compliant with local | and that may serve to make TLS clients and TLS servers compliant with loca l | |||
security policies. This model supports both TLS 1.2 <xref target="RFC5246" /> and TLS 1.3 <xref target="RFC8446"/>.</t> | security policies. This model supports both TLS 1.2 <xref target="RFC5246" /> and TLS 1.3 <xref target="RFC8446"/>.</t> | |||
<!-- | ||||
<t>TLS 1.2 and TLS 1.3 have different ways defining their own supported | ||||
cryptographic algorithms, see TLS and DTLS IANA registries page | ||||
(https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml):</t | ||||
> | ||||
<t><list style="symbols"> | ||||
<t>TLS 1.2 defines four categories of registries for cryptographic | ||||
algorithms: TLS Cipher Suites, TLS SignatureAlgorithm, TLS | ||||
HashAlgorithm, TLS Supported Groups. TLS Cipher Suites plays the | ||||
role of combining all of them into one set, as each value of the set | ||||
represents a unique and feasible combination of all the | ||||
cryptographic algorithms, and thus the other three registry | ||||
categories do not need to be considered here. In this document, the | ||||
TLS common model only chooses those TLS1.2 algorithms in TLS Cipher | ||||
Suites which are marked as recommended: | ||||
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, | ||||
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, | ||||
TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, | ||||
TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, and so on. All chosen | ||||
algorithms are enumerated in Table 1-1 below;</t> | ||||
<t>TLS 1.3 defines its supported algorithms differently. Firstly, it | <t>Thus, in order to support both TLS 1.2 and TLS 1.3, the cipher suites | |||
defines three categories of registries for cryptographic algorithms: | part of the "hello-params-grouping" grouping should include the following | |||
TLS Cipher Suites, TLS SignatureScheme, TLS Supported Groups. | three parameters for | |||
Secondly, all three of these categories are useful, since they | configuring its permitted TLS algorithms: TLS Cipher Suites, | |||
represent different parts of all the supported algorithms | TLS SignatureScheme, and TLS Supported Groups.</t> | |||
respectively. Thus, all of these registries categories are | ||||
considered here. In this draft, the TLS common model chooses only | ||||
those TLS1.3 algorithms specified in B.4, 4.2.3, 4.2.7 of <xref | ||||
target="RFC8446"/>.</t> | ||||
</list></t> | ||||
--> | ||||
<!-- FIXME - is there an open item below? --> | ||||
<t>Thus, in order to support both TLS1.2 and TLS1.3, the cipher-suites | ||||
part of the "hello-params-grouping" grouping should include three paramete | ||||
rs for | ||||
configuring its permitted TLS algorithms, which are: TLS Cipher Suites, | ||||
TLS SignatureScheme, TLS Supported Groups.</t> | ||||
<!-- | ||||
<t>Features are defined for algorithms that are OPTIONAL or are not | ||||
widely supported by popular implementations. Note that the list of | ||||
algorithms is not exhaustive.</t> | ||||
--> | ||||
<section> | <section> | |||
<name>Data Model Overview</name> | <name>Data Model Overview</name> | |||
<t>This section provides an overview of the "ietf-tls-common" module | <t>This section provides an overview of the "ietf-tls-common" module | |||
in terms of its features, identities, and groupings.</t> | in terms of its features, identities, and groupings.</t> | |||
<section anchor="common-features" toc="exclude"> | <section anchor="common-features" toc="exclude"> | |||
<name>Features</name> | <name>Features</name> | |||
<t>The following diagram lists all the "feature" statements | <t>The following diagram lists all the "feature" statements | |||
defined in the "ietf-tls-common" module:</t> | defined in the "ietf-tls-common" module:</t> | |||
<artwork><![CDATA[ | ||||
<sourcecode type="yangtree"><![CDATA[ | ||||
Features: | Features: | |||
+-- tls12 | +-- tls12 | |||
+-- tls13 | +-- tls13 | |||
+-- hello-params | +-- hello-params | |||
+-- asymmetric-key-pair-generation | +-- asymmetric-key-pair-generation | |||
+-- supported-algorithms | +-- supported-algorithms | |||
]]></artwork> | ]]></sourcecode> | |||
<t>The diagram above uses syntax that is similar to but not | <t>The diagram above uses syntax that is similar to but not | |||
defined in <xref target="RFC8340"/>.</t> | defined in <xref target="RFC8340"/>.</t> | |||
<t>Please refer to the YANG module for a description of each feature.< /t> | <t>Please refer to the YANG module for a description of each feature.< /t> | |||
</section> | </section> | |||
<section anchor="identities" toc="exclude"> | <section anchor="identities" toc="exclude"> | |||
<name>Identities</name> | <name>Identities</name> | |||
<t>The following diagram illustrates the relationship amongst the | <t>The following diagram illustrates the relationship amongst the | |||
"identity" statements defined in the "ietf-tls-common" module:</t> | "identity" statements defined in the "ietf-tls-common" module:</t> | |||
<artwork><![CDATA[ | <sourcecode type="yangtree"><![CDATA[ | |||
Identities: | Identities: | |||
+-- tls-version-base | +-- tls-version-base | |||
+-- tls12 | +-- tls12 | |||
+-- tls13 | +-- tls13 | |||
]]></artwork> | ]]></sourcecode> | |||
<!--<aside>--> | ||||
<t>The diagram above uses syntax that is similar to but not | <t>The diagram above uses syntax that is similar to but not | |||
defined in <xref target="RFC8340"/>.</t> | defined in <xref target="RFC8340"/>.</t> | |||
<!--</aside>--> | ||||
<t>Comments:</t> | <t>Comments:</t> | |||
<ul spacing="compact"> | <ul spacing="compact"> | |||
<li>The diagram shows that there are two base identities.</li> | <li>The diagram shows that there are two base identities.</li> | |||
<li>One base identity is used to specific TLS versions, while | <li>One base identity is used to specify TLS versions. This base id | |||
the other is used to specify cipher-suites.</li> | entity is "abstract" in the object-oriented programming sense because it defines | |||
<li>These base identities are "abstract", in the object oriented | a "class" of things rather than a specific thing. | |||
programming sense, in that they only define a "class" of things, | </li> | |||
<li>These base identities are "abstract" in the object-oriented | ||||
programming sense because they only define a "class" of things | ||||
rather than a specific thing.</li> | rather than a specific thing.</li> | |||
</ul> | </ul> | |||
</section> | </section> | |||
<section toc="exclude"> | <section toc="exclude"> | |||
<name>Groupings</name> | <name>Groupings</name> | |||
<t>The "ietf-tls-common" module defines the following "grouping" state ment:</t> | <t>The "ietf-tls-common" module defines the following "grouping" state ment:</t> | |||
<ul spacing="compact"> | <ul spacing="compact"> | |||
<li>hello-params-grouping</li> | <li>hello-params-grouping</li> | |||
</ul> | </ul> | |||
<t>This grouping is presented in the following subsection.</t> | <t>This grouping is presented in the following subsection.</t> | |||
<section anchor="hello-params-grouping"> | <section anchor="hello-params-grouping"> | |||
<name>The "hello-params-grouping" Grouping</name> | <name>The "hello-params-grouping" Grouping</name> | |||
<t>The following tree diagram <xref target="RFC8340"/> illustrates t he | <t>The following tree diagram <xref target="RFC8340"/> illustrates t he | |||
"hello-params-grouping" grouping:</t> | "hello-params-grouping" grouping:</t> | |||
<artwork><![CDATA[ | <sourcecode type="yangtree"><![CDATA[ | |||
grouping hello-params-grouping: | grouping hello-params-grouping: | |||
+-- tls-versions | +-- tls-versions | |||
| +-- min? identityref | | +-- min? identityref | |||
| +-- max? identityref | | +-- max? identityref | |||
+-- cipher-suites | +-- cipher-suites | |||
+-- cipher-suite* tlscsa:tls-cipher-suite-algorithm | +-- cipher-suite* tlscsa:tls-cipher-suite-algorithm | |||
]]></artwork> | ]]></sourcecode> | |||
<t>Comments:</t> | <t>Comments:</t> | |||
<ul> | <ul> | |||
<li>This grouping is used by both the "tls-client-grouping" and th e | <li>This grouping is used by both the "tls-client-grouping" and th e | |||
"tls-server-grouping" groupings defined in <xref target="tls-cli | "tls-server-grouping" groupings defined in Sections <xref target | |||
ent-grouping"/> | ="tls-client-grouping" format="counter"/> | |||
and <xref target="tls-server-grouping"/>, respectively.</li> | and <xref target="tls-server-grouping" format="counter"/>, respe | |||
ctively.</li> | ||||
<li>This grouping enables client and server configurations to | <li>This grouping enables client and server configurations to | |||
specify the TLS versions and cipher suites that are to be used | specify the TLS versions and cipher suites that are to be used | |||
when establishing TLS sessions.</li> | when establishing TLS sessions.</li> | |||
<li>The "cipher-suites" list is "ordered-by user".</li> | <li>The "cipher-suites" list is "ordered-by user".</li> | |||
</ul> | </ul> | |||
</section> | </section> | |||
</section> | </section> | |||
<section toc="exclude"> | <section toc="exclude"> | |||
<name>Protocol-accessible Nodes</name> | <name>Protocol-Accessible Nodes</name> | |||
<t>The following tree diagram <xref target="RFC8340"/> lists all the | <t>The following tree diagram <xref target="RFC8340"/> lists all the | |||
protocol-accessible nodes defined in the "ietf-tls-common" module, | protocol-accessible nodes defined in the "ietf-tls-common" module, | |||
without expanding the "grouping" statements:</t> | without expanding the "grouping" statements:</t> | |||
<artwork><![CDATA[ | <sourcecode type="yangtree"><![CDATA[ | |||
module: ietf-tls-common | module: ietf-tls-common | |||
+--ro supported-algorithms {algorithm-discovery}? | +--ro supported-algorithms {algorithm-discovery}? | |||
+--ro supported-algorithm* tlscsa:tls-cipher-suite-algorithm | +--ro supported-algorithm* tlscsa:tls-cipher-suite-algorithm | |||
rpcs: | rpcs: | |||
+---x generate-asymmetric-key-pair | +---x generate-asymmetric-key-pair | |||
{asymmetric-key-pair-generation}? | {asymmetric-key-pair-generation}? | |||
+---w input | +---w input | |||
| +---w algorithm | | +---w algorithm | |||
| | tlscsa:tls-cipher-suite-algorithm | | | tlscsa:tls-cipher-suite-algorithm | |||
skipping to change at line 443 ¶ | skipping to change at line 357 ¶ | |||
| | +---w ks:encrypted-by-grouping | | | +---w ks:encrypted-by-grouping | |||
| +--:(hidden) {ct:hidden-private-keys}? | | +--:(hidden) {ct:hidden-private-keys}? | |||
| +---w hidden? empty | | +---w hidden? empty | |||
+--ro output | +--ro output | |||
+--ro (key-or-hidden)? | +--ro (key-or-hidden)? | |||
+--:(key) | +--:(key) | |||
| +---u ct:asymmetric-key-pair-grouping | | +---u ct:asymmetric-key-pair-grouping | |||
+--:(hidden) | +--:(hidden) | |||
+--ro location? | +--ro location? | |||
instance-identifier | instance-identifier | |||
]]></artwork> | ]]></sourcecode> | |||
<t>Comments:</t> | <t>Comments:</t> | |||
<ul> | <ul> | |||
<li>Protocol-accessible nodes are those nodes that are accessible | <li>Protocol-accessible nodes are nodes that are accessible | |||
when the module is "implemented", as described in <xref section="5 .6.5" target="RFC7950"/>.</li> | when the module is "implemented", as described in <xref section="5 .6.5" target="RFC7950"/>.</li> | |||
<li>The protocol-accessible nodes for the "ietf-tls-common" module | <li>The protocol-accessible nodes for the "ietf-tls-common" module | |||
are limited to the "supported-algorithms" container, which is cons trained | are limited to the "supported-algorithms" container, which is cons trained | |||
by the "algorithm-discovery" feature, and the RPC "generate-asymme tric-key-pair", | by the "algorithm-discovery" feature, and the "generate-asymmetric -key-pair" RPC, | |||
which is constrained by the "asymmetric-key-pair-generation" featu re.</li> | which is constrained by the "asymmetric-key-pair-generation" featu re.</li> | |||
<li>The "encrypted-by-grouping" grouping is discussed in | <li>The "encrypted-by-grouping" grouping is discussed in | |||
<xref section="2.1.3.1" target="I-D.ietf-netconf-keystore"/>.</li> | <xref section="2.1.3.1" target="RFC9642"/>.</li> | |||
<li>The "asymmetric-key-pair-grouping" grouping is discussed in | <li>The "asymmetric-key-pair-grouping" grouping is discussed in | |||
<xref section="2.1.4.6" target="I-D.ietf-netconf-crypto-types"/>.< /li> | <xref section="2.1.4.6" target="RFC9640"/>.</li> | |||
</ul> | </ul> | |||
</section> | </section> | |||
</section> | </section> | |||
<section> | <section> | |||
<name>Example Usage</name> | <name>Example Usage</name> | |||
<t>The following example illustrates the "hello-params-grouping' | <t>The following example illustrates the "hello-params-grouping" | |||
grouping when populated with some data.</t> | grouping when populated with some data.</t> | |||
<artwork><![CDATA[ | ||||
<sourcecode type="xml"><![CDATA[ | ||||
<!-- The outermost element below doesn't exist in the data model. --> | <!-- The outermost element below doesn't exist in the data model. --> | |||
<!-- It simulates if the "grouping" were a "container" instead. --> | <!-- It simulates if the "grouping" were a "container" instead. --> | |||
<hello-params | <hello-params | |||
xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-common" | xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-common" | |||
xmlns:tlscmn="urn:ietf:params:xml:ns:yang:ietf-tls-common"> | xmlns:tlscmn="urn:ietf:params:xml:ns:yang:ietf-tls-common"> | |||
<tls-versions> | <tls-versions> | |||
<min>tlscmn:tls12</min> | <min>tlscmn:tls12</min> | |||
<max>tlscmn:tls13</max> | <max>tlscmn:tls13</max> | |||
</tls-versions> | </tls-versions> | |||
<cipher-suites> | <cipher-suites> | |||
<cipher-suite>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</cipher-suite> | <cipher-suite>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</cipher-suite> | |||
<cipher-suite>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</cipher-suite> | <cipher-suite>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</cipher-suite> | |||
<cipher-suite>TLS_RSA_WITH_3DES_EDE_CBC_SHA</cipher-suite> | <cipher-suite>TLS_RSA_WITH_3DES_EDE_CBC_SHA</cipher-suite> | |||
</cipher-suites> | </cipher-suites> | |||
</hello-params> | </hello-params> | |||
]]></artwork> | ]]></sourcecode> | |||
<t>The following example illustrates operational state data indicating | <t>The following example illustrates operational state data indicating | |||
the TLS algorithms supported by the server.</t> | the TLS algorithms supported by the server.</t> | |||
<artwork><![CDATA[ | ||||
<sourcecode type="xml"><![CDATA[ | ||||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<supported-algorithms | <supported-algorithms | |||
xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-common"> | xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-common"> | |||
<supported-algorithm>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</support\ | <supported-algorithm>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</support\ | |||
ed-algorithm> | ed-algorithm> | |||
<supported-algorithm>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384</supp\ | <supported-algorithm>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384</supp\ | |||
orted-algorithm> | orted-algorithm> | |||
<supported-algorithm>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</supporte\ | <supported-algorithm>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</supporte\ | |||
d-algorithm> | d-algorithm> | |||
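Review bot: In the hello-params example, the cipher-suites list offers only pre-TLS 1.3 suites (two CBC suites and TLS_RSA_WITH_3DES_EDE_CBC_SHA) while tls-versions sets min to tlscmn:tls12 and max to tlscmn:tls13, so the configuration shown contains no suite that TLS 1.3 can negotiate and ends on a static-RSA 3DES suite. Since readers copy examples, consider listing at least one TLS 1.3 suite first and dropping the 3DES entry, or adding an XML comment that the values are illustrative only; the tls12 feature description in the same module already says enabling TLS 1.2 is NOT RECOMMENDED.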
skipping to change at line 514 ¶ | skipping to change at line 431 ¶ | |||
hm> | hm> | |||
<supported-algorithm>TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384</sup\ | <supported-algorithm>TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384</sup\ | |||
ported-algorithm> | ported-algorithm> | |||
<supported-algorithm>TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384</support\ | <supported-algorithm>TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384</support\ | |||
ed-algorithm> | ed-algorithm> | |||
<supported-algorithm>TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</supported\ | <supported-algorithm>TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</supported\ | |||
-algorithm> | -algorithm> | |||
<supported-algorithm>TLS_DH_DSS_WITH_AES_128_GCM_SHA256</supported\ | <supported-algorithm>TLS_DH_DSS_WITH_AES_128_GCM_SHA256</supported\ | |||
-algorithm> | -algorithm> | |||
</supported-algorithms> | </supported-algorithms> | |||
]]></artwork> | ]]></sourcecode> | |||
<t>The following example illustrates the "generate-asymmetric-key-pair" RPC.</t> | <t>The following example illustrates the "generate-asymmetric-key-pair" RPC.</t> | |||
<t keepWithNext="true">REQUEST</t> | <t keepWithNext="true">REQUEST</t> | |||
<artwork><![CDATA[ | <sourcecode type="xml"><![CDATA[ | |||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<rpc message-id="101" | <rpc message-id="101" | |||
xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> | xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> | |||
<generate-asymmetric-key-pair | <generate-asymmetric-key-pair | |||
xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-common"> | xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-common"> | |||
<algorithm>TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256</algorithm> | <algorithm>TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256</algorithm> | |||
<num-bits>521</num-bits> | <num-bits>521</num-bits> | |||
<private-key-encoding> | <private-key-encoding> | |||
<encrypted> | <encrypted> | |||
<asymmetric-key-ref>hidden-asymmetric-key</asymmetric-key-re\ | <asymmetric-key-ref>hidden-asymmetric-key</asymmetric-key-re\ | |||
f> | f> | |||
</encrypted> | </encrypted> | |||
</private-key-encoding> | </private-key-encoding> | |||
</generate-asymmetric-key-pair> | </generate-asymmetric-key-pair> | |||
</rpc> | </rpc> | |||
]]></artwork> | ]]></sourcecode> | |||
<t keepWithNext="true">RESPONSE</t> | <t keepWithNext="true">RESPONSE</t> | |||
<artwork><![CDATA[ | <sourcecode type="xml"><![CDATA[ | |||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<rpc-reply message-id="101" | <rpc-reply message-id="101" | |||
xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" | xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" | |||
xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types" | xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types" | |||
xmlns:tlscmn="urn:ietf:params:xml:ns:yang:ietf-tls-common"> | xmlns:tlscmn="urn:ietf:params:xml:ns:yang:ietf-tls-common"> | |||
<tlscmn:public-key-format>ct:subject-public-key-info-format</tlscm\ | <tlscmn:public-key-format>ct:subject-public-key-info-format</tlscm\ | |||
n:public-key-format> | n:public-key-format> | |||
<tlscmn:public-key>BASE64VALUE=</tlscmn:public-key> | <tlscmn:public-key>BASE64VALUE=</tlscmn:public-key> | |||
<tlscmn:private-key-format>ct:ec-private-key-format</tlscmn:privat\ | <tlscmn:private-key-format>ct:ec-private-key-format</tlscmn:privat\ | |||
e-key-format> | e-key-format> | |||
<tlscmn:cleartext-private-key>BASE64VALUE=</tlscmn:cleartext-priva\ | <tlscmn:cleartext-private-key>BASE64VALUE=</tlscmn:cleartext-priva\ | |||
te-key> | te-key> | |||
</rpc-reply> | </rpc-reply> | |||
]]></artwork> | ]]></sourcecode> | |||
</section> | </section> | |||
<section anchor="tls-common-yang-module"> | <section anchor="tls-common-yang-module"> | |||
<name>YANG Module</name> | <name>YANG Module</name> | |||
<t>This YANG module has a normative references to | ||||
<xref target="RFC5288"/>, <xref target="RFC5289"/>, <xref target="RFC8 | <t>This YANG module has normative references to | |||
422"/>, | <xref target="RFC5288"/>, <xref target="RFC5289"/>, <xref target="RFC8 | |||
and FIPS PUB 180-4.</t> | 422"/>, <xref target="RFC9640"/>, <xref target="RFC9642"/>, <xref target="FIPS18 | |||
<t>This YANG module has a informative references to | 0-4"/>, and | |||
<xref target="RFC5246"/>, and <xref target="RFC8446"/>.</t> | <xref target="FIPS186-5"/>.</t> | |||
<t keepWithNext="true"><CODE BEGINS> file "ietf-tls-common@2024-03 | <t>This YANG module has informative references to | |||
-16.yang"</t> | <xref target="RFC5246"/> and <xref target="RFC8446"/>.</t> | |||
<artwork><![CDATA[ | ||||
<!--Section 2.3 YANG Module--> | ||||
<sourcecode name="ietf-tls-common@2024-03-16.yang" type="yang" markers=" | ||||
true"><![CDATA[ | ||||
module ietf-tls-common { | module ietf-tls-common { | |||
yang-version 1.1; | yang-version 1.1; | |||
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-common"; | namespace "urn:ietf:params:xml:ns:yang:ietf-tls-common"; | |||
prefix tlscmn; | prefix tlscmn; | |||
import iana-tls-cipher-suite-algs { | import iana-tls-cipher-suite-algs { | |||
prefix tlscsa; | prefix tlscsa; | |||
reference | reference | |||
"RFC FFFF: YANG Groupings for TLS Clients and SSH Servers"; | "RFC 9645: YANG Groupings for TLS Clients and TLS Servers"; | |||
} | } | |||
import ietf-crypto-types { | import ietf-crypto-types { | |||
prefix ct; | prefix ct; | |||
reference | reference | |||
"RFC AAAA: YANG Data Types and Groupings for Cryptography"; | "RFC 9640: YANG Data Types and Groupings for Cryptography"; | |||
} | } | |||
import ietf-keystore { | import ietf-keystore { | |||
prefix ks; | prefix ks; | |||
reference | reference | |||
"RFC CCCC: A YANG Data Model for a Keystore"; | "RFC 9642: A YANG Data Model for a Keystore"; | |||
} | } | |||
organization | organization | |||
"IETF NETCONF (Network Configuration) Working Group"; | "IETF NETCONF (Network Configuration) Working Group"; | |||
contact | contact | |||
"WG List: NETCONF WG list <mailto:netconf@ietf.org> | "WG List: NETCONF WG list <mailto:netconf@ietf.org> | |||
WG Web: https://datatracker.ietf.org/wg/netconf | WG Web: https://datatracker.ietf.org/wg/netconf | |||
Author: Kent Watsen <mailto:kent+ietf@watsen.net> | Author: Kent Watsen <mailto:kent+ietf@watsen.net> | |||
Author: Jeff Hartley <mailto:intensifysecurity@gmail.com> | Author: Jeff Hartley <mailto:intensifysecurity@gmail.com> | |||
Author: Gary Wu <mailto:garywu@cisco.com>"; | Author: Gary Wu <mailto:garywu@cisco.com>"; | |||
description | description | |||
"This module defines a common features and groupings for | "This module defines common features and groupings for | |||
Transport Layer Security (TLS). | Transport Layer Security (TLS). | |||
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | ||||
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | ||||
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document | ||||
are to be interpreted as described in BCP 14 (RFC 2119) | ||||
(RFC 8174) when, and only when, they appear in all | ||||
capitals, as shown here. | ||||
Copyright (c) 2024 IETF Trust and the persons identified | Copyright (c) 2024 IETF Trust and the persons identified | |||
as authors of the code. All rights reserved. | as authors of the code. All rights reserved. | |||
Redistribution and use in source and binary forms, with | Redistribution and use in source and binary forms, with | |||
or without modification, is permitted pursuant to, and | or without modification, is permitted pursuant to, and | |||
subject to the license terms contained in, the Revised | subject to the license terms contained in, the Revised | |||
BSD License set forth in Section 4.c of the IETF Trust's | BSD License set forth in Section 4.c of the IETF Trust's | |||
Legal Provisions Relating to IETF Documents | Legal Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info). | (https://trustee.ietf.org/license-info). | |||
This version of this YANG module is part of RFC FFFF | This version of this YANG module is part of RFC 9645 | |||
(https://www.rfc-editor.org/info/rfcFFFF); see the RFC | (https://www.rfc-editor.org/info/rfc9645); see the RFC | |||
itself for full legal notices. | itself for full legal notices."; | |||
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | ||||
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | ||||
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document | ||||
are to be interpreted as described in BCP 14 (RFC 2119) | ||||
(RFC 8174) when, and only when, they appear in all | ||||
capitals, as shown here."; | ||||
revision 2024-03-16 { | revision 2024-03-16 { | |||
description | description | |||
"Initial version"; | "Initial version."; | |||
reference | reference | |||
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; | "RFC 9645: YANG Groupings for TLS Clients and TLS Servers"; | |||
} | } | |||
// Features | // Features | |||
feature tls12 { | feature tls12 { | |||
description | description | |||
"TLS Protocol Version 1.2 is supported. TLS 1.2 is obsolete | "TLS Protocol Version 1.2 is supported. TLS 1.2 is obsolete, | |||
and thus it is NOT RECOMMENDED to enable this feature."; | and thus it is NOT RECOMMENDED to enable this feature."; | |||
reference | reference | |||
"RFC 5246: The Transport Layer Security (TLS) Protocol | "RFC 5246: The Transport Layer Security (TLS) Protocol | |||
Version 1.2"; | Version 1.2"; | |||
} | } | |||
feature tls13 { | feature tls13 { | |||
description | description | |||
"TLS Protocol Version 1.3 is supported."; | "TLS Protocol Version 1.3 is supported."; | |||
reference | reference | |||
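Review bot: The generate-asymmetric-key-pair REQUEST and RESPONSE examples disagree: the request selects the encrypted case (<encrypted> with <asymmetric-key-ref>hidden-asymmetric-key</asymmetric-key-ref>), but the reply carries <tlscmn:cleartext-private-key>BASE64VALUE=</tlscmn:cleartext-private-key>. Either the reply should show the private key in its encrypted form, or the request should use the cleartext case; as written, the example suggests a server may return a cleartext key when encryption was requested.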
skipping to change at line 696 ¶ | skipping to change at line 615 ¶ | |||
"RFC 8446: The Transport Layer Security (TLS) | "RFC 8446: The Transport Layer Security (TLS) | |||
Protocol Version 1.3"; | Protocol Version 1.3"; | |||
} | } | |||
// Typedefs | // Typedefs | |||
typedef epsk-supported-hash { | typedef epsk-supported-hash { | |||
type enumeration { | type enumeration { | |||
enum sha-256 { | enum sha-256 { | |||
description | description | |||
"The SHA-256 Hash."; | "The SHA-256 hash."; | |||
} | } | |||
enum sha-384 { | enum sha-384 { | |||
description | description | |||
"The SHA-384 Hash."; | "The SHA-384 hash."; | |||
} | } | |||
} | } | |||
description | description | |||
"As per Section 4.2.11 of RFC 8446, the hash algorithm | "As per Section 4.2.11 of RFC 8446, the hash algorithm | |||
supported by an instance of an External Pre-Shared | supported by an instance of an External Pre-Shared | |||
Key (EPSK)."; | Key (EPSK)."; | |||
reference | reference | |||
"RFC 8446: The Transport Layer Security (TLS) | "RFC 8446: The Transport Layer Security (TLS) | |||
Protocol Version 1.3"; | Protocol Version 1.3"; | |||
} | } | |||
skipping to change at line 754 ¶ | skipping to change at line 673 ¶ | |||
container cipher-suites { | container cipher-suites { | |||
description | description | |||
"Parameters regarding cipher suites."; | "Parameters regarding cipher suites."; | |||
leaf-list cipher-suite { | leaf-list cipher-suite { | |||
type tlscsa:tls-cipher-suite-algorithm; | type tlscsa:tls-cipher-suite-algorithm; | |||
ordered-by user; | ordered-by user; | |||
description | description | |||
"Acceptable cipher suites in order of descending | "Acceptable cipher suites in order of descending | |||
preference. The configured host key algorithms should | preference. The configured host key algorithms should | |||
be compatible with the algorithm used by the configured | be compatible with the algorithm used by the configured | |||
private key. Please see Section 5 of RFC FFFF for | private key. Please see Section 5 of RFC 9645 for | |||
valid combinations. | valid combinations. | |||
If this leaf-list is not configured (has zero elements) | If this leaf-list is not configured (has zero elements), | |||
the acceptable cipher suites are implementation- | the acceptable cipher suites are implementation- | |||
defined."; | defined."; | |||
reference | reference | |||
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; | "RFC 9645: YANG Groupings for TLS Clients and TLS Servers"; | |||
} | } | |||
} | } | |||
} // hello-params-grouping | } // hello-params-grouping | |||
// Protocol-accessible Nodes | // Protocol-accessible Nodes | |||
container supported-algorithms { | container supported-algorithms { | |||
if-feature "algorithm-discovery"; | if-feature "algorithm-discovery"; | |||
config false; | config false; | |||
description | description | |||
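Review bot: The cipher-suite description still says "The configured host key algorithms should be compatible with the algorithm used by the configured private key"; "host key algorithms" is SSH terminology, and this leaf-list holds TLS cipher suites. The same revision already corrects "SSH Servers" to "TLS Servers" in the iana-tls-cipher-suite-algs import reference, so this sentence should be reworded to speak of cipher suites as well.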
skipping to change at line 784 ¶ | skipping to change at line 703 ¶ | |||
leaf-list supported-algorithm { | leaf-list supported-algorithm { | |||
type tlscsa:tls-cipher-suite-algorithm; | type tlscsa:tls-cipher-suite-algorithm; | |||
description | description | |||
"A cipher suite algorithm supported by the server."; | "A cipher suite algorithm supported by the server."; | |||
} | } | |||
} | } | |||
rpc generate-asymmetric-key-pair { | rpc generate-asymmetric-key-pair { | |||
if-feature "asymmetric-key-pair-generation"; | if-feature "asymmetric-key-pair-generation"; | |||
description | description | |||
"Requests the device to generate an asymmetric-key-pair | "Requests the device to generate an 'asymmetric-key-pair' | |||
key using the specified key algorithm."; | key using the specified key algorithm."; | |||
input { | input { | |||
leaf algorithm { | leaf algorithm { | |||
type tlscsa:tls-cipher-suite-algorithm; | type tlscsa:tls-cipher-suite-algorithm; | |||
mandatory true; | mandatory true; | |||
description | description | |||
"The cipher suite algorithm that the generated key is | "The cipher suite algorithm that the generated key | |||
to work with. Implementations derive the public key | works with. Implementations derive the public key | |||
algorithm from the cipher suite algorithm. Example: | algorithm from the cipher suite algorithm. For | |||
cipher suite 'tls-rsa-with-aes-256-cbc-sha256' maps | example, cipher suite | |||
to the RSA public key."; | 'tls-rsa-with-aes-256-cbc-sha256' maps to the RSA | |||
public key."; | ||||
} | } | |||
leaf num-bits { | leaf num-bits { | |||
type uint16; | type uint16; | |||
description | description | |||
"Specifies the number of bits in the key to create. | "Specifies the number of bits to create in the key. | |||
For RSA keys, the minimum size is 1024 bits and | For RSA keys, the minimum size is 1024 bits, and | |||
the default is 3072 bits. Generally, 3072 bits is | the default is 3072 bits. Generally, 3072 bits is | |||
considered sufficient. DSA keys must be exactly 1024 | considered sufficient. DSA keys must be exactly | |||
bits as specified by FIPS 186-2. For elliptical | 1024 bits as specified by FIPS 186-2. For | |||
keys, the 'num-bits' value determines the key length | elliptical keys, the 'num-bits' value determines | |||
of the curve (e.g., 256, 384 or 521), where valid | the key length of the curve (e.g., 256, 384, or 521), | |||
values supported by the server are conveyed via an | where valid values supported by the server are | |||
unspecified mechanism. For some public algorithms, | conveyed via an unspecified mechanism. For some | |||
the keys have a fixed length and thus the 'num-bits' | public algorithms, the keys have a fixed length, and | |||
value is not specified."; | thus the 'num-bits' value is not specified."; | |||
} | } | |||
container private-key-encoding { | container private-key-encoding { | |||
description | description | |||
"Indicates how the private key is to be encoded."; | "Indicates how the private key is to be encoded."; | |||
choice private-key-encoding { | choice private-key-encoding { | |||
mandatory true; | mandatory true; | |||
description | description | |||
"A choice amongst optional private key handling."; | "A choice amongst optional private key handling."; | |||
case cleartext { | case cleartext { | |||
if-feature "ct:cleartext-private-keys"; | if-feature "ct:cleartext-private-keys"; | |||
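Review bot: The num-bits description cites FIPS 186-2 for the DSA size ("DSA keys must be exactly 1024 bits as specified by FIPS 186-2") and allows RSA keys as small as 1024 bits, while the updated reference sentence for this module now points at FIPS186-5. The text and the reference should name the same edition, and the 1024-bit figures should be rechecked against it. Separately, the example in the algorithm leaf is written 'tls-rsa-with-aes-256-cbc-sha256', but every cipher suite value in the examples uses the upper-case underscore form (for instance TLS_DHE_RSA_WITH_AES_128_CBC_SHA256); use the same form here.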
skipping to change at line 832 ¶ | skipping to change at line 752 ¶ | |||
type empty; | type empty; | |||
description | description | |||
"Indicates that the private key is to be returned | "Indicates that the private key is to be returned | |||
as a cleartext value."; | as a cleartext value."; | |||
} | } | |||
} | } | |||
case encrypted { | case encrypted { | |||
if-feature "ct:encrypted-private-keys"; | if-feature "ct:encrypted-private-keys"; | |||
container encrypted { | container encrypted { | |||
description | description | |||
"Indicates that the key is to be encrypted using | "Indicates that the key is to be encrypted using | |||
the specified symmetric or asymmetric key."; | the specified symmetric or asymmetric key."; | |||
uses ks:encrypted-by-grouping; | uses ks:encrypted-by-grouping; | |||
} | } | |||
} | } | |||
case hidden { | case hidden { | |||
if-feature "ct:hidden-private-keys"; | if-feature "ct:hidden-private-keys"; | |||
leaf hidden { | leaf hidden { | |||
type empty; | type empty; | |||
description | description | |||
"Indicates that the private key is to be hidden. | "Indicates that the private key is to be hidden. | |||
Unlike the 'cleartext' and 'encrypt' options, the | Unlike the 'cleartext' and 'encrypt' options, the | |||
key returned is a placeholder for an internally | key returned is a placeholder for an internally | |||
stored key. See the 'Support for Built-in Keys' | stored key. See Section 3 of RFC 9642 ('Support | |||
section in RFC CCCC for information about hidden | for Built-In Keys') for information about hidden | |||
keys."; | keys."; | |||
} | } | |||
} | } | |||
} | } | |||
} | } | |||
} | } | |||
output { | output { | |||
choice key-or-hidden { | choice key-or-hidden { | |||
case key { | case key { | |||
uses ct:asymmetric-key-pair-grouping; | uses ct:asymmetric-key-pair-grouping; | |||
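Review bot: In the hidden leaf description, "Unlike the 'cleartext' and 'encrypt' options" names an option that does not exist; the case and container in this choice are called 'encrypted'. Change 'encrypt' to 'encrypted' so the text matches the node names.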
skipping to change at line 875 ¶ | skipping to change at line 795 ¶ | |||
} | } | |||
description | description | |||
"The output can be either a key (for cleartext and | "The output can be either a key (for cleartext and | |||
encrypted keys) or the location to where the key | encrypted keys) or the location to where the key | |||
was created (for hidden keys)."; | was created (for hidden keys)."; | |||
} | } | |||
} | } | |||
} // end generate-asymmetric-key-pair | } // end generate-asymmetric-key-pair | |||
} | } | |||
]]></artwork> | ]]></sourcecode> | |||
<t keepWithPrevious="true"><CODE ENDS></t> | ||||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="tls-client-model"> | <section anchor="tls-client-model"> | |||
<name>The "ietf-tls-client" Module</name> | <name>The "ietf-tls-client" Module</name> | |||
<t>This section defines a YANG 1.1 <xref target="RFC7950"/> module called | <t>This section defines a YANG 1.1 <xref target="RFC7950"/> module called | |||
"ietf-tls-client". A high-level overview of the module is provided in | "ietf-tls-client". A high-level overview of the module is provided in | |||
<xref target="client-overview"/>. Examples illustrating the module's use | <xref target="client-overview"/>. Examples illustrating the module's use | |||
are provided in <xref target="client-examples">Examples</xref>. The YANG | are provided in <xref target="client-examples"/> ("Example Usage"). The YANG | |||
module itself is defined in <xref target="client-yang-module"/>.</t> | module itself is defined in <xref target="client-yang-module"/>.</t> | |||
<section anchor="client-overview"> | <section anchor="client-overview"> | |||
<name>Data Model Overview</name> | <name>Data Model Overview</name> | |||
<t>This section provides an overview of the "ietf-tls-client" module | <t>This section provides an overview of the "ietf-tls-client" module | |||
in terms of its features and groupings.</t> | in terms of its features and groupings.</t> | |||
<section anchor="client-features" toc="exclude"> | <section anchor="client-features" toc="exclude"> | |||
<name>Features</name> | <name>Features</name> | |||
<t>The following diagram lists all the "feature" statements | <t>The following diagram lists all the "feature" statements | |||
defined in the "ietf-tls-client" module:</t> | defined in the "ietf-tls-client" module:</t> | |||
<artwork><![CDATA[ | <sourcecode type="yangtree"><![CDATA[ | |||
Features: | Features: | |||
+-- tls-client-keepalives | +-- tls-client-keepalives | |||
+-- client-ident-x509-cert | +-- client-ident-x509-cert | |||
+-- client-ident-raw-public-key | +-- client-ident-raw-public-key | |||
+-- client-ident-psk | +-- client-ident-psk | |||
+-- server-auth-x509-cert | +-- server-auth-x509-cert | |||
+-- server-auth-raw-public-key | +-- server-auth-raw-public-key | |||
+-- server-auth-psk | +-- server-auth-psk | |||
]]></artwork> | ]]></sourcecode> | |||
<t>The diagram above uses syntax that is similar to but not | <t>The diagram above uses syntax that is similar to but not | |||
defined in <xref target="RFC8340"/>.</t> | defined in <xref target="RFC8340"/>.</t> | |||
<t>Please refer to the YANG module for a description of each feature.< /t> | <t>Please refer to the YANG module for a description of each feature.< /t> | |||
</section> | </section> | |||
<section toc="exclude"> | <section toc="exclude"> | |||
<name>Groupings</name> | <name>Groupings</name> | |||
<t>The "ietf-tls-client" module defines the following "grouping" state ment:</t> | <t>The "ietf-tls-client" module defines the following "grouping" state ment:</t> | |||
<ul spacing="compact"> | <ul spacing="compact"> | |||
<li>tls-client-grouping</li> | <li>tls-client-grouping</li> | |||
</ul> | </ul> | |||
<t>This grouping is presented in the following subsection.</t> | <t>This grouping is presented in the following subsection.</t> | |||
<section anchor="tls-client-grouping"> | <section anchor="tls-client-grouping"> | |||
<name>The "tls-client-grouping" Grouping</name> | <name>The "tls-client-grouping" Grouping</name> | |||
<t>The following tree diagram <xref target="RFC8340"/> illustrates t he | <t>The following tree diagram <xref target="RFC8340"/> illustrates t he | |||
"tls-client-grouping" grouping:</t> | "tls-client-grouping" grouping:</t> | |||
<artwork><![CDATA[ | <sourcecode type="yangtree"><![CDATA[ | |||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
grouping tls-client-grouping: | grouping tls-client-grouping: | |||
+-- client-identity! | +-- client-identity! | |||
| +-- (auth-type) | | +-- (auth-type) | |||
| +--:(certificate) {client-ident-x509-cert}? | | +--:(certificate) {client-ident-x509-cert}? | |||
| | +-- certificate | | | +-- certificate | |||
| | +---u ks:inline-or-keystore-end-entity-cert-with-key\ | | | +---u ks:inline-or-keystore-end-entity-cert-with-key\ | |||
-grouping | -grouping | |||
| +--:(raw-public-key) {client-ident-raw-public-key}? | | +--:(raw-public-key) {client-ident-raw-public-key}? | |||
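Review bot: The Features diagram for "ietf-tls-client" lists client-ident-psk and server-auth-psk, but the tls-client-grouping tree in this section gates its PSK nodes on {server-auth-tls12-psk}? and {server-auth-tls13-epsk}?. One of the two is stale; align the feature list with the feature names the tree actually uses. The diagram is also now tagged type="yangtree" although the sentence after it says its syntax is not defined in RFC 8340, so a neutral artwork type may be the better fit.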
skipping to change at line 966 ¶ | skipping to change at line 887 ¶ | |||
| | +---u ts:inline-or-truststore-public-keys-grouping | | | +---u ts:inline-or-truststore-public-keys-grouping | |||
| +-- tls12-psks? empty {server-auth-tls12-psk}? | | +-- tls12-psks? empty {server-auth-tls12-psk}? | |||
| +-- tls13-epsks? empty {server-auth-tls13-epsk}? | | +-- tls13-epsks? empty {server-auth-tls13-epsk}? | |||
+-- hello-params {tlscmn:hello-params}? | +-- hello-params {tlscmn:hello-params}? | |||
| +---u tlscmn:hello-params-grouping | | +---u tlscmn:hello-params-grouping | |||
+-- keepalives {tls-client-keepalives}? | +-- keepalives {tls-client-keepalives}? | |||
+-- peer-allowed-to-send? empty | +-- peer-allowed-to-send? empty | |||
+-- test-peer-aliveness! | +-- test-peer-aliveness! | |||
+-- max-wait? uint16 | +-- max-wait? uint16 | |||
+-- max-attempts? uint8 | +-- max-attempts? uint8 | |||
]]></artwork> | ]]></sourcecode> | |||
<t>Comments:</t> | <t>Comments:</t> | |||
<ul> | <ul> | |||
<li>The "client-identity" node, which is optionally configured (as client | <li>The "client-identity" node, which is optionally configured (as client | |||
authentication MAY occur at a higher protocol layer), configures | authentication <bcp14>MAY</bcp14> occur at a higher protocol lay er), configures | |||
identity credentials, each enabled by a "feature" statement defi ned in | identity credentials, each enabled by a "feature" statement defi ned in | |||
<xref target="client-features"/>.</li> | <xref target="client-features"/>.</li> | |||
<li>The "server-authentication" node configures trust anchors for | <li>The "server-authentication" node configures trust anchors for | |||
authenticating the TLS server, with each option enabled by a "fe ature" statement.</li> | authenticating the TLS server, with each option enabled by a "fe ature" statement.</li> | |||
<li>The "hello-params" node, which must be enabled by a feature, c onfigures | <li>The "hello-params" node, which must be enabled by a feature, c onfigures | |||
parameters for the TLS sessions established by this configuratio n.</li> | parameters for the TLS sessions established by this configuratio n.</li> | |||
<li>The "keepalives" node, which must be enabled by a feature, con figures | <li>The "keepalives" node, which must be enabled by a feature, con figures | |||
a "presence" container for testing the aliveness of the TLS serv er. The | a "presence" container to test the aliveness of the TLS server. Th e | |||
aliveness-test occurs at the TLS protocol layer.</li> | aliveness-test occurs at the TLS protocol layer.</li> | |||
<li> | <li> | |||
<t>For the referenced grouping statement(s): | <t>For the referenced grouping statement(s): | |||
</t> | </t> | |||
<ul spacing="compact"> | <ul spacing="compact"> | |||
<li>The "inline-or-keystore-end-entity-cert-with-key-grouping" grouping is | <li>The "inline-or-keystore-end-entity-cert-with-key-grouping" grouping is | |||
discussed in <xref section="2.1.3.6" target="I-D.ietf-netcon f-keystore"/>.</li> | discussed in <xref section="2.1.3.6" target="RFC9642"/>.</li > | |||
<li>The "inline-or-keystore-asymmetric-key-grouping" grouping is | <li>The "inline-or-keystore-asymmetric-key-grouping" grouping is | |||
discussed in <xref section="2.1.3.4" target="I-D.ietf-netcon f-keystore"/>.</li> | discussed in <xref section="2.1.3.4" target="RFC9642"/>.</li > | |||
<li>The "inline-or-keystore-symmetric-key-grouping" grouping i s | <li>The "inline-or-keystore-symmetric-key-grouping" grouping i s | |||
discussed in <xref section="2.1.3.3" target="I-D.ietf-netcon f-keystore"/>.</li> | discussed in <xref section="2.1.3.3" target="RFC9642"/>.</li > | |||
<li>The "inline-or-truststore-certs-grouping" grouping is | <li>The "inline-or-truststore-certs-grouping" grouping is | |||
discussed in <xref section="2.1.3.3" target="I-D.ietf-netcon f-trust-anchors"/>.</li> | discussed in <xref section="2.1.3.3" target="RFC9641"/>.</li > | |||
<li>The "inline-or-truststore-public-keys-grouping" grouping i s | <li>The "inline-or-truststore-public-keys-grouping" grouping i s | |||
discussed in <xref section="2.1.3.4" target="I-D.ietf-netcon f-trust-anchors"/>.</li> | discussed in <xref section="2.1.3.4" target="RFC9641"/>.</li > | |||
<li>The "hello-params-grouping" grouping is discussed in | <li>The "hello-params-grouping" grouping is discussed in | |||
<xref target="hello-params-grouping"/> in this document.</li> | <xref target="hello-params-grouping"/> in this document.</li> | |||
</ul> | </ul> | |||
</li> | </li> | |||
</ul> | </ul> | |||
</section> | </section> | |||
</section> | </section> | |||
<section toc="exclude"> | <section toc="exclude"> | |||
<name>Protocol-accessible Nodes</name> | <name>Protocol-Accessible Nodes</name> | |||
<t>The "ietf-tls-client" module defines only "grouping" statements tha t are | <t>The "ietf-tls-client" module defines only "grouping" statements tha t are | |||
used by other modules to instantiate protocol-accessible nodes. Thus | used by other modules to instantiate protocol-accessible nodes. Thus, | |||
this | this module does not itself define any protocol-accessible nodes when implement | |||
module, when implemented, does not itself define any protocol-accessib | ed.</t> | |||
le nodes.</t> | ||||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="client-examples"> | <section anchor="client-examples"> | |||
<name>Example Usage</name> | <name>Example Usage</name> | |||
<t>This section presents two examples showing the "tls-client-grouping" | <t>This section presents two examples showing the "tls-client-grouping" | |||
grouping populated with some data. These examples are effectively the sa me | grouping populated with some data. These examples are effectively the sa me | |||
except the first configures the client identity using a local key | except the first configures the client identity using a local key | |||
while the second uses a key configured in a keystore. Both examples | while the second uses a key configured in a keystore. Both examples | |||
are consistent with the examples presented in | are consistent with the examples presented in | |||
<xref section="2.2.1" target="I-D.ietf-netconf-trust-anchors"/> and | <xref section="2.2.1" target="RFC9641"/> and | |||
<xref section="2.2.1" target="I-D.ietf-netconf-keystore"/>.</t> | <xref section="2.2.1" target="RFC9642"/>.</t> | |||
<t>The following configuration example uses inline-definitions for the | <t>The following configuration example uses inline-definitions for the | |||
client identity and server authentication: | client identity and server authentication: | |||
</t> | </t> | |||
<artwork><![CDATA[ | <sourcecode type="xml"><![CDATA[ | |||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<!-- The outermost element below doesn't exist in the data model. --> | <!-- The outermost element below doesn't exist in the data model. --> | |||
<!-- It simulates if the "grouping" were a "container" instead. --> | <!-- It simulates if the "grouping" were a "container" instead. --> | |||
<tls-client | <tls-client | |||
xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-client" | xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-client" | |||
xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | |||
<!-- how this client will authenticate itself to the server --> | <!-- how this client will authenticate itself to the server --> | |||
<client-identity> | <client-identity> | |||
<certificate> | <certificate> | |||
<inline-definition> | <inline-definition> | |||
<private-key-format>ct:rsa-private-key-format</priva\ | <private-key-format>ct:rsa-private-key-format</priva\ | |||
te-key-format> | te-key-format> | |||
<cleartext-private-key>BASE64VALUE=</cleartext-priva\ | <cleartext-private-key>BASE64VALUE=</cleartext-priva\ | |||
te-key> | te-key> | |||
<cert-data>BASE64VALUE=</cert-data> | <cert-data>BASE64VALUE=</cert-data> | |||
</inline-definition> | </inline-definition> | |||
</certificate> | </certificate> | |||
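Review bot: In the first example block, the new sourcecode type="xml" wrapper is applied to content that is not XML as stored: it opens with the "NOTE: '\' line wrapping per RFC 8792" banner and folds "</private-key-format>" and "</cleartext-private-key>" across two lines with a trailing backslash. Any step that parses or highlights sourcecode by its declared type has to unfold the block first, so confirm the toolchain does that before relying on the type attribute. Also in this region, the xref targets moved from the I-D anchors to RFC9641 and RFC9642 while the section attributes (2.1.3.3, 2.1.3.4, 2.1.3.6, 2.2.1) were carried over unchanged; check them against the published section numbering.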
skipping to change at line 1097 ¶ | skipping to change at line 1017 ¶ | |||
</server-authentication> | </server-authentication> | |||
<keepalives> | <keepalives> | |||
<test-peer-aliveness> | <test-peer-aliveness> | |||
<max-wait>30</max-wait> | <max-wait>30</max-wait> | |||
<max-attempts>3</max-attempts> | <max-attempts>3</max-attempts> | |||
</test-peer-aliveness> | </test-peer-aliveness> | |||
</keepalives> | </keepalives> | |||
</tls-client> | </tls-client> | |||
]]></artwork> | ]]></sourcecode> | |||
<t>The following configuration example uses central-keystore-references for the | <t>The following configuration example uses central-keystore-references for the | |||
client identity and central-truststore-references for server authentic ation: | client identity and central-truststore-references for server authentic ation | |||
from the keystore: | from the keystore: | |||
</t> | </t> | |||
<artwork><![CDATA[ | <sourcecode type="xml"><![CDATA[ | |||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<!-- The outermost element below doesn't exist in the data model. --> | <!-- The outermost element below doesn't exist in the data model. --> | |||
<!-- It simulates if the "grouping" were a "container" instead. --> | <!-- It simulates if the "grouping" were a "container" instead. --> | |||
<tls-client xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-client"> | <tls-client xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-client"> | |||
<!-- how this client will authenticate itself to the server --> | <!-- how this client will authenticate itself to the server --> | |||
<client-identity> | <client-identity> | |||
<certificate> | <certificate> | |||
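Review bot: The lead-in sentence before the second example still ends "for server authentication from the keystore:" once the stray colon is removed, which reads as if the server trust anchors come from the keystore even though the same sentence calls them central-truststore-references. Suggest ending the sentence at "for server authentication:" or naming both stores, for example "from the keystore and truststore, respectively:".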
skipping to change at line 1146 ¶ | skipping to change at line 1066 ¶ | |||
</server-authentication> | </server-authentication> | |||
<keepalives> | <keepalives> | |||
<test-peer-aliveness> | <test-peer-aliveness> | |||
<max-wait>30</max-wait> | <max-wait>30</max-wait> | |||
<max-attempts>3</max-attempts> | <max-attempts>3</max-attempts> | |||
</test-peer-aliveness> | </test-peer-aliveness> | |||
</keepalives> | </keepalives> | |||
</tls-client> | </tls-client> | |||
]]></artwork> | ]]></sourcecode> | |||
</section> | </section> | |||
<section anchor="client-yang-module"> | <section anchor="client-yang-module"> | |||
<name>YANG Module</name> | ||||
<t>This YANG module has normative references to <xref target="I-D.ietf-n | <name>YANG Module</name> | |||
etconf-trust-anchors"/> | ||||
and <xref target="I-D.ietf-netconf-keystore"/>, and Informative refere | <t>This YANG module has normative references to <xref target="RFC4279"/> | |||
nces to | , <xref target="RFC5280"/>, <xref target="RFC6520"/>, <xref target="RFC7250"/ | |||
<xref target="RFC5246"/>, <xref target="RFC8446"/>, <xref target="RFC9 | >, <xref target="RFC9640"/>, <xref target="RFC9641"/>, and <xref target="RFC964 | |||
258"/> and | 2"/> and informative references to <xref target="RFC5056"/>, | |||
<xref target="RFC5246"/>, <xref target="RFC8446"/>, <xref target="RFC9 | ||||
258"/>, and | ||||
<xref target="RFC9257"/>.</t> | <xref target="RFC9257"/>.</t> | |||
<t keepWithNext="true"><CODE BEGINS> file "ietf-tls-client@2024-03 | <sourcecode name="ietf-tls-client@2024-03-16.yang" type="yang" markers=" | |||
-16.yang"</t> | true"><![CDATA[module ietf-tls-client { | |||
<artwork><![CDATA[ | ||||
module ietf-tls-client { | ||||
yang-version 1.1; | yang-version 1.1; | |||
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-client"; | namespace "urn:ietf:params:xml:ns:yang:ietf-tls-client"; | |||
prefix tlsc; | prefix tlsc; | |||
import ietf-netconf-acm { | import ietf-netconf-acm { | |||
prefix nacm; | prefix nacm; | |||
reference | reference | |||
"RFC 8341: Network Configuration Access Control Model"; | "RFC 8341: Network Configuration Access Control Model"; | |||
} | } | |||
import ietf-crypto-types { | import ietf-crypto-types { | |||
prefix ct; | prefix ct; | |||
reference | reference | |||
"RFC AAAA: YANG Data Types and Groupings for Cryptography"; | "RFC 9640: YANG Data Types and Groupings for Cryptography"; | |||
} | } | |||
import ietf-truststore { | import ietf-truststore { | |||
prefix ts; | prefix ts; | |||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
} | } | |||
import ietf-keystore { | import ietf-keystore { | |||
prefix ks; | prefix ks; | |||
reference | reference | |||
"RFC CCCC: A YANG Data Model for a Keystore"; | "RFC 9642: A YANG Data Model for a Keystore"; | |||
} | } | |||
import ietf-tls-common { | import ietf-tls-common { | |||
prefix tlscmn; | prefix tlscmn; | |||
reference | reference | |||
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; | "RFC 9645: YANG Groupings for TLS Clients and TLS Servers"; | |||
} | } | |||
organization | organization | |||
"IETF NETCONF (Network Configuration) Working Group"; | "IETF NETCONF (Network Configuration) Working Group"; | |||
contact | contact | |||
"WG List: NETCONF WG list <mailto:netconf@ietf.org> | "WG List: NETCONF WG list <mailto:netconf@ietf.org> | |||
WG Web: https://datatracker.ietf.org/wg/netconf | WG Web: https://datatracker.ietf.org/wg/netconf | |||
Author: Kent Watsen <mailto:kent+ietf@watsen.net> | Author: Kent Watsen <mailto:kent+ietf@watsen.net> | |||
Author: Jeff Hartley <mailto:intensifysecurity@gmail.com>"; | Author: Jeff Hartley <mailto:intensifysecurity@gmail.com>"; | |||
description | description | |||
"This module defines reusable groupings for TLS clients that | "This module defines reusable groupings for TLS clients that | |||
can be used as a basis for specific TLS client instances. | can be used as a basis for specific TLS client instances. | |||
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | ||||
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | ||||
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document | ||||
are to be interpreted as described in BCP 14 (RFC 2119) | ||||
(RFC 8174) when, and only when, they appear in all | ||||
capitals, as shown here. | ||||
Copyright (c) 2024 IETF Trust and the persons identified | Copyright (c) 2024 IETF Trust and the persons identified | |||
as authors of the code. All rights reserved. | as authors of the code. All rights reserved. | |||
Redistribution and use in source and binary forms, with | Redistribution and use in source and binary forms, with | |||
or without modification, is permitted pursuant to, and | or without modification, is permitted pursuant to, and | |||
subject to the license terms contained in, the Revised | subject to the license terms contained in, the Revised | |||
BSD License set forth in Section 4.c of the IETF Trust's | BSD License set forth in Section 4.c of the IETF Trust's | |||
Legal Provisions Relating to IETF Documents | Legal Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info). | (https://trustee.ietf.org/license-info). | |||
This version of this YANG module is part of RFC FFFF | This version of this YANG module is part of RFC 9645 | |||
(https://www.rfc-editor.org/info/rfcFFFF); see the RFC | (https://www.rfc-editor.org/info/rfc9645); see the RFC | |||
itself for full legal notices. | itself for full legal notices."; | |||
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | ||||
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | ||||
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document | ||||
are to be interpreted as described in BCP 14 (RFC 2119) | ||||
(RFC 8174) when, and only when, they appear in all | ||||
capitals, as shown here."; | ||||
revision 2024-03-16 { | revision 2024-03-16 { | |||
description | description | |||
"Initial version"; | "Initial version"; | |||
reference | reference | |||
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; | "RFC 9645: YANG Groupings for TLS Clients and TLS Servers"; | |||
} | } | |||
// Features | // Features | |||
feature tls-client-keepalives { | feature tls-client-keepalives { | |||
description | description | |||
"Per socket TLS keepalive parameters are configurable for | "Per-socket TLS keepalive parameters are configurable for | |||
TLS clients on the server implementing this feature."; | TLS clients on the server implementing this feature."; | |||
} | } | |||
feature client-ident-x509-cert { | feature client-ident-x509-cert { | |||
description | description | |||
"Indicates that the client supports identifying itself | "Indicates that the client supports identifying itself | |||
using X.509 certificates."; | using X.509 certificates."; | |||
reference | reference | |||
"RFC 5280: | "RFC 5280: | |||
Internet X.509 Public Key Infrastructure Certificate | Internet X.509 Public Key Infrastructure Certificate | |||
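Review bot: In "feature tls-client-keepalives", the description touched here sits in the client module yet says the parameters are configurable "for TLS clients on the server implementing this feature", and only the hyphen in "Per-socket" changed. If "server" means the management server that hosts this configuration, say so in the description; otherwise a reader of ietf-tls-client can take it for the TLS server. Also check that the file name now carried in the sourcecode name attribute, ietf-tls-client@2024-03-16.yang, stays in step with the "revision 2024-03-16" statement, since the separate CODE BEGINS line that used to state it is gone.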
skipping to change at line 1264 ¶ | skipping to change at line 1177 ¶ | |||
reference | reference | |||
"RFC 7250: | "RFC 7250: | |||
Using Raw Public Keys in Transport Layer Security (TLS) | Using Raw Public Keys in Transport Layer Security (TLS) | |||
and Datagram Transport Layer Security (DTLS)"; | and Datagram Transport Layer Security (DTLS)"; | |||
} | } | |||
feature client-ident-tls12-psk { | feature client-ident-tls12-psk { | |||
if-feature "tlscmn:tls12"; | if-feature "tlscmn:tls12"; | |||
description | description | |||
"Indicates that the client supports identifying itself | "Indicates that the client supports identifying itself | |||
using TLS-1.2 PSKs (pre-shared or pairwise-symmetric keys)."; | using TLS 1.2 PSKs (pre-shared or pairwise symmetric keys)."; | |||
reference | reference | |||
"RFC 4279: | "RFC 4279: | |||
Pre-Shared Key Ciphersuites for Transport Layer Security | Pre-Shared Key Ciphersuites for Transport Layer Security | |||
(TLS)"; | (TLS)"; | |||
} | } | |||
feature client-ident-tls13-epsk { | feature client-ident-tls13-epsk { | |||
if-feature "tlscmn:tls13"; | if-feature "tlscmn:tls13"; | |||
description | description | |||
"Indicates that the client supports identifying itself | "Indicates that the client supports identifying itself | |||
using TLS-1.3 External PSKs (pre-shared keys)."; | using TLS 1.3 External PSKs (pre-shared keys)."; | |||
reference | reference | |||
"RFC 8446: | "RFC 8446: | |||
The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||
} | } | |||
feature server-auth-x509-cert { | feature server-auth-x509-cert { | |||
description | description | |||
"Indicates that the client supports authenticating servers | "Indicates that the client supports authenticating servers | |||
using X.509 certificates."; | using X.509 certificates."; | |||
reference | reference | |||
skipping to change at line 1304 ¶ | skipping to change at line 1217 ¶ | |||
using raw public keys."; | using raw public keys."; | |||
reference | reference | |||
"RFC 7250: | "RFC 7250: | |||
Using Raw Public Keys in Transport Layer Security (TLS) | Using Raw Public Keys in Transport Layer Security (TLS) | |||
and Datagram Transport Layer Security (DTLS)"; | and Datagram Transport Layer Security (DTLS)"; | |||
} | } | |||
feature server-auth-tls12-psk { | feature server-auth-tls12-psk { | |||
description | description | |||
"Indicates that the client supports authenticating servers | "Indicates that the client supports authenticating servers | |||
using PSKs (pre-shared or pairwise-symmetric keys)."; | using PSKs (pre-shared or pairwise symmetric keys)."; | |||
reference | reference | |||
"RFC 4279: | "RFC 4279: | |||
Pre-Shared Key Ciphersuites for Transport Layer Security | Pre-Shared Key Ciphersuites for Transport Layer Security | |||
(TLS)"; | (TLS)"; | |||
} | } | |||
feature server-auth-tls13-epsk { | feature server-auth-tls13-epsk { | |||
description | description | |||
"Indicates that the client supports authenticating servers | "Indicates that the client supports authenticating servers | |||
using TLS-1.3 External PSKs (pre-shared keys)."; | using TLS 1.3 External PSKs (pre-shared keys)."; | |||
reference | reference | |||
"RFC 8446: | "RFC 8446: | |||
The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||
} | } | |||
// Groupings | // Groupings | |||
grouping tls-client-grouping { | grouping tls-client-grouping { | |||
description | description | |||
"A reusable grouping for configuring a TLS client without | "A reusable grouping for configuring a TLS client without | |||
skipping to change at line 1336 ¶ | skipping to change at line 1249 ¶ | |||
established. | established. | |||
Note that this grouping uses fairly typical descendant | Note that this grouping uses fairly typical descendant | |||
node names such that a stack of 'uses' statements will | node names such that a stack of 'uses' statements will | |||
have name conflicts. It is intended that the consuming | have name conflicts. It is intended that the consuming | |||
data model will resolve the issue (e.g., by wrapping | data model will resolve the issue (e.g., by wrapping | |||
the 'uses' statement in a container called | the 'uses' statement in a container called | |||
'tls-client-parameters'). This model purposely does | 'tls-client-parameters'). This model purposely does | |||
not do this itself so as to provide maximum flexibility | not do this itself so as to provide maximum flexibility | |||
to consuming models."; | to consuming models."; | |||
container client-identity { | container client-identity { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
presence | presence "Indicates that a TLS-level client identity has been | |||
"Indicates that a TLS-level client identity has been | configured. This statement is present so the | |||
configured. This statement is present so the mandatory | mandatory descendant nodes do not imply that this | |||
descendant do not imply that this node must be configured."; | node must be configured."; | |||
description | description | |||
"Identity credentials the TLS client MAY present when | "Identity credentials the TLS client MAY present when | |||
establishing a connection to a TLS server. If not | establishing a connection to a TLS server. If not | |||
configured, then client authentication is presumed to | configured, then client authentication is presumed to | |||
occur in a protocol layer above TLS. When configured, | occur in a protocol layer above TLS. When configured, | |||
and requested by the TLS server when establishing a | and requested by the TLS server when establishing a | |||
TLS session, these credentials are passed in the | TLS session, these credentials are passed in the | |||
Certificate message defined in Section 7.4.2 of | Certificate message defined in Section 7.4.2 of | |||
RFC 5246 and Section 4.4.2 in RFC 8446."; | RFC 5246 and Section 4.4.2 of RFC 8446."; | |||
reference | reference | |||
"RFC 5246: The Transport Layer Security (TLS) | "RFC 5246: The Transport Layer Security (TLS) | |||
Protocol Version 1.2 | Protocol Version 1.2 | |||
RFC 8446: The Transport Layer Security (TLS) | RFC 8446: The Transport Layer Security (TLS) | |||
Protocol Version 1.3 | Protocol Version 1.3 | |||
RFC CCCC: A YANG Data Model for a Keystore"; | RFC 9642: A YANG Data Model for a Keystore"; | |||
choice auth-type { | choice auth-type { | |||
mandatory true; | mandatory true; | |||
description | description | |||
"A choice amongst authentication types, of which one must | "A choice amongst authentication types, of which one must | |||
be enabled (via its associated 'feature') and selected."; | be enabled (via its associated 'feature') and selected."; | |||
case certificate { | case certificate { | |||
if-feature "client-ident-x509-cert"; | if-feature "client-ident-x509-cert"; | |||
container certificate { | container certificate { | |||
description | description | |||
"Specifies the client identity using a certificate."; | "Specifies the client identity using a certificate."; | |||
uses | uses "ks:inline-or-keystore-end-entity-cert-with-key-" | |||
"ks:inline-or-keystore-end-entity-cert-with-key-" | + "grouping" { | |||
+ "grouping" { | ||||
refine "inline-or-keystore/inline/inline-definition" { | refine "inline-or-keystore/inline/inline-definition" { | |||
must 'not(public-key-format) or derived-from-or-self' | must 'not(public-key-format) or derived-from-or-self' | |||
+ '(public-key-format, "ct:subject-public-key-' | + '(public-key-format, "ct:subject-public-key-' | |||
+ 'info-format")'; | + 'info-format")'; | |||
} | } | |||
refine "inline-or-keystore/central-keystore/" | refine "inline-or-keystore/central-keystore/" | |||
+ "central-keystore-reference/asymmetric-key" { | + "central-keystore-reference/asymmetric-key" { | |||
must 'not(deref(.)/../ks:public-key-format) or ' | must 'not(deref(.)/../ks:public-key-format) or ' | |||
+ 'derived-from-or-self(deref(.)/../ks:public-' | + 'derived-from-or-self(deref(.)/../ks:public-' | |||
+ 'key-format, "ct:subject-public-key-info-' | + 'key-format, "ct:subject-public-key-info-' | |||
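Review bot: The "client-identity" description, edited here only to read "Section 4.4.2 of RFC 8446", still states that the configured credentials "are passed in the Certificate message", but the "auth-type" choice beneath it also has "tls12-psk" and "tls13-epsk" cases, and the "id" leaf under "tls12-psk" says its value is used in the 'ClientKeyExchange' message. Suggest scoping the Certificate-message sentence to the certificate-based cases, or adding where the PSK identities are conveyed, so the container description matches every case it covers.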
skipping to change at line 1413 ¶ | skipping to change at line 1324 ¶ | |||
+ 'format")'; | + 'format")'; | |||
} | } | |||
} | } | |||
} | } | |||
} | } | |||
case tls12-psk { | case tls12-psk { | |||
if-feature "client-ident-tls12-psk"; | if-feature "client-ident-tls12-psk"; | |||
container tls12-psk { | container tls12-psk { | |||
description | description | |||
"Specifies the client identity using a PSK (pre-shared | "Specifies the client identity using a PSK (pre-shared | |||
or pairwise-symmetric key)."; | or pairwise symmetric key)."; | |||
uses ks:inline-or-keystore-symmetric-key-grouping; | uses ks:inline-or-keystore-symmetric-key-grouping; | |||
leaf id { | leaf id { | |||
type string; | type string; | |||
description | description | |||
"The key 'psk_identity' value used in the TLS | "The key 'psk_identity' value used in the TLS | |||
'ClientKeyExchange' message."; | 'ClientKeyExchange' message."; | |||
reference | reference | |||
"RFC 4279: Pre-Shared Key Ciphersuites for | "RFC 4279: Pre-Shared Key Ciphersuites for | |||
Transport Layer Security (TLS)"; | Transport Layer Security (TLS)"; | |||
} | } | |||
} | } | |||
} | } | |||
case tls13-epsk { | case tls13-epsk { | |||
if-feature "client-ident-tls13-epsk"; | if-feature "client-ident-tls13-epsk"; | |||
container tls13-epsk { | container tls13-epsk { | |||
description | description | |||
"An External Pre-Shared Key (EPSK) is established | "An External Pre-Shared Key (EPSK) is established | |||
or provisioned out-of-band, i.e., not from a TLS | or provisioned out of band, i.e., not from a TLS | |||
connection. An EPSK is a tuple of (Base Key, | connection. An EPSK is a tuple of (Base Key, | |||
External Identity, Hash). External PSKs MUST NOT | External Identity, Hash). EPSKs MUST NOT be | |||
be imported for (D)TLS 1.2 or prior versions. When | imported for (D)TLS 1.2 or prior versions. When | |||
PSKs are provisioned out of band, the PSK identity | PSKs are provisioned out of band, the PSK identity | |||
and the KDF hash algorithm to be used with the PSK | and the Key Derivation Function (KDF) hash algorithm | |||
MUST also be provisioned. | to be used with the PSK MUST also be provisioned. | |||
The structure of this container is designed to | The structure of this container is designed to satisfy | |||
satisfy the requirements of RFC 8446 Section | the requirements in Section 4.2.11 of RFC 8446, the | |||
4.2.11, the recommendations from Section 6 in | recommendations from Section 6 of RFC 9257, and the | |||
RFC 9257, and the EPSK input fields detailed in | EPSK input fields detailed in Section 5.1 of RFC 9258. | |||
Section 5.1 in RFC 9258. The base-key is based | The base-key is based upon | |||
upon ks:inline-or-keystore-symmetric-key-grouping | 'ks:inline-or-keystore-symmetric-key-grouping' in | |||
in order to provide users with flexible and | order to provide users with flexible and secure | |||
secure storage options."; | storage options."; | |||
reference | reference | |||
"RFC 8446: The Transport Layer Security (TLS) | "RFC 8446: The Transport Layer Security (TLS) | |||
Protocol Version 1.3 | Protocol Version 1.3 | |||
RFC 9257: Guidance for External Pre-Shared Key | RFC 9257: Guidance for External Pre-Shared Key | |||
(PSK) Usage in TLS | (PSK) Usage in TLS | |||
RFC 9258: Importing External Pre-Shared Keys | RFC 9258: Importing External Pre-Shared Keys | |||
(PSKs) for TLS 1.3"; | (PSKs) for TLS 1.3"; | |||
uses ks:inline-or-keystore-symmetric-key-grouping; | uses ks:inline-or-keystore-symmetric-key-grouping; | |||
leaf external-identity { | leaf external-identity { | |||
type string; | type string; | |||
mandatory true; | mandatory true; | |||
description | description | |||
"As per Section 4.2.11 of RFC 8446, and Section 4.1 | "As per Section 4.2.11 of RFC 8446 and Section 4.1 | |||
of RFC 9257, a sequence of bytes used to identify | of RFC 9257, a sequence of bytes used to identify | |||
an EPSK. A label for a pre-shared key established | an EPSK. A label for a pre-shared key established | |||
externally."; | externally."; | |||
reference | reference | |||
"RFC 8446: The Transport Layer Security (TLS) | "RFC 8446: The Transport Layer Security (TLS) | |||
Protocol Version 1.3 | Protocol Version 1.3 | |||
RFC 9257: Guidance for External Pre-Shared Key | RFC 9257: Guidance for External Pre-Shared Key | |||
(PSK) Usage in TLS"; | (PSK) Usage in TLS"; | |||
} | } | |||
leaf hash { | leaf hash { | |||
type tlscmn:epsk-supported-hash; | type tlscmn:epsk-supported-hash; | |||
default sha-256; | default "sha-256"; | |||
description | description | |||
"As per Section 4.2.11 of RFC 8446, for externally | "As per Section 4.2.11 of RFC 8446, for EPSKs, | |||
established PSKs, the Hash algorithm MUST be set | the hash algorithm MUST be set when the PSK is | |||
when the PSK is established or default to SHA-256 | established; otherwise, default to SHA-256 if | |||
if no such algorithm is defined. The server MUST | no such algorithm is defined. The server MUST | |||
ensure that it selects a compatible PSK (if any) | ensure that it selects a compatible PSK (if any) | |||
and cipher suite. Each PSK MUST only be used with | and cipher suite. Each PSK MUST only be used | |||
a single hash function."; | with a single hash function."; | |||
reference | reference | |||
"RFC 8446: The Transport Layer Security (TLS) | "RFC 8446: The Transport Layer Security (TLS) | |||
Protocol Version 1.3"; | Protocol Version 1.3"; | |||
} | } | |||
leaf context { | leaf context { | |||
type string; | type string; | |||
description | description | |||
"Per Section 5.1 of RFC 9258, context MUST include | "As per Section 5.1 of RFC 9258, context MUST | |||
the context used to determine the EPSK, if | include the context used to determine the EPSK, | |||
any exists. For example, context may include | if any exists. For example, context may include | |||
information about peer roles or identities | information about peer roles or identities | |||
to mitigate Selfie-style reflection attacks. | to mitigate Selfie-style reflection attacks. | |||
Since the EPSK is a key derived from an external | Since the EPSK is a key derived from an external | |||
protocol or sequence of protocols, context MUST | protocol or a sequence of protocols, context MUST | |||
include a channel binding for the deriving | include a channel binding for the deriving | |||
protocols [RFC5056]. The details of this | protocols (see RFC 5056). The details of this | |||
binding are protocol specfic and out of scope | binding are protocol specific and out of scope | |||
for this document."; | for this document."; | |||
reference | reference | |||
"RFC 9258: Importing External Pre-Shared Keys | "RFC 9258: Importing External Pre-Shared Keys | |||
(PSKs) for TLS 1.3"; | (PSKs) for TLS 1.3"; | |||
} | } | |||
leaf target-protocol { | leaf target-protocol { | |||
type uint16; | type uint16; | |||
description | description | |||
"As per Section 3 of RFC 9258, the protocol | "As per Section 3 of RFC 9258, the protocol | |||
for which a PSK is imported for use."; | for which a PSK is imported for use."; | |||
reference | reference | |||
"RFC 9258: Importing External Pre-Shared Keys | "RFC 9258: Importing External Pre-Shared Keys | |||
(PSKs) for TLS 1.3"; | (PSKs) for TLS 1.3"; | |||
} | } | |||
leaf target-kdf { | leaf target-kdf { | |||
type uint16; | type uint16; | |||
description | description | |||
"As per Section 3 of RFC 9258, the KDF for | "As per Section 3 of RFC 9258, the Key Derivation | |||
which a PSK is imported for use."; | Function (KDF) for which a PSK is imported for | |||
use."; | ||||
reference | reference | |||
"RFC 9258: Importing External Pre-Shared Keys | "RFC 9258: Importing External Pre-Shared Keys | |||
(PSKs) for TLS 1.3"; | (PSKs) for TLS 1.3"; | |||
} | } | |||
} | } | |||
} | } | |||
} | } | |||
} // container client-identity | } // container client-identity | |||
container server-authentication { | container server-authentication { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
must 'ca-certs or ee-certs or raw-public-keys or tls12-psks | must "ca-certs or ee-certs or raw-public-keys or tls12-psks | |||
or tls13-epsks'; | or tls13-epsks"; | |||
description | description | |||
"Specifies how the TLS client can authenticate TLS servers. | "Specifies how the TLS client can authenticate TLS servers. | |||
Any combination of credentials is additive and unordered. | Any combination of credentials is additive and unordered. | |||
Note that no configuration is required for PSK (pre-shared | Note that no configuration is required for authentication | |||
or pairwise-symmetric key) based authentication as the key | based on PSK (pre-shared or pairwise symmetric key) as | |||
is necessarily the same as configured in the '../client- | the key is necessarily the same as configured in the | |||
identity' node."; | '../client-identity' node."; | |||
container ca-certs { | container ca-certs { | |||
if-feature "server-auth-x509-cert"; | if-feature "server-auth-x509-cert"; | |||
presence | presence "Indicates that Certification Authority (CA) | |||
"Indicates that CA certificates have been configured. | certificates have been configured. This | |||
This statement is present so the mandatory descendant | statement is present so the mandatory | |||
nodes do not imply that this node must be configured."; | descendant nodes do not imply that this | |||
node must be configured."; | ||||
description | description | |||
"A set of certificate authority (CA) certificates used by | "A set of CA certificates used by the TLS client to | |||
the TLS client to authenticate TLS server certificates. | authenticate TLS server certificates. A server | |||
A server certificate is authenticated if it has a valid | certificate is authenticated if it has a valid chain of | |||
chain of trust to a configured CA certificate."; | trust to a configured CA certificate."; | |||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
uses ts:inline-or-truststore-certs-grouping; | uses ts:inline-or-truststore-certs-grouping; | |||
} | } | |||
container ee-certs { | container ee-certs { | |||
if-feature "server-auth-x509-cert"; | if-feature "server-auth-x509-cert"; | |||
presence | presence "Indicates that End-Entity (EE) certificates have | |||
"Indicates that EE certificates have been configured. | been configured. This statement is present so | |||
This statement is present so the mandatory descendant | the mandatory descendant nodes do not imply | |||
nodes do not imply that this node must be configured."; | that this node must be configured."; | |||
description | description | |||
"A set of server certificates (i.e., end entity | "A set of server certificates (i.e., EE certificates) used | |||
certificates) used by the TLS client to authenticate | by the TLS client to authenticate certificates presented | |||
certificates presented by TLS servers. A server | by TLS servers. A server certificate is authenticated if | |||
certificate is authenticated if it is an exact | it is an exact match to a configured server certificate."; | |||
match to a configured server certificate."; | ||||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
uses ts:inline-or-truststore-certs-grouping; | uses ts:inline-or-truststore-certs-grouping; | |||
} | } | |||
container raw-public-keys { | container raw-public-keys { | |||
if-feature "server-auth-raw-public-key"; | if-feature "server-auth-raw-public-key"; | |||
presence | presence "Indicates that raw public keys have been | |||
"Indicates that raw public keys have been configured. | configured. This statement is present so | |||
This statement is present so the mandatory descendant | the mandatory descendant nodes do not imply | |||
nodes do not imply that this node must be configured."; | that this node must be configured."; | |||
description | description | |||
"A set of raw public keys used by the TLS client to | "A set of raw public keys used by the TLS client to | |||
authenticate raw public keys presented by the TLS | authenticate raw public keys presented by the TLS | |||
server. A raw public key is authenticated if it | server. A raw public key is authenticated if it | |||
is an exact match to a configured raw public key."; | is an exact match to a configured raw public key."; | |||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
uses ts:inline-or-truststore-public-keys-grouping { | uses ts:inline-or-truststore-public-keys-grouping { | |||
refine "inline-or-truststore/inline/inline-definition/" | refine "inline-or-truststore/inline/inline-definition/" | |||
+ "public-key" { | + "public-key" { | |||
must 'derived-from-or-self(public-key-format,' | must 'derived-from-or-self(public-key-format,' | |||
+ ' "ct:subject-public-key-info-format")'; | + ' "ct:subject-public-key-info-format")'; | |||
} | } | |||
refine "inline-or-truststore/central-truststore/" | refine "inline-or-truststore/central-truststore/" | |||
+ "central-truststore-reference" { | + "central-truststore-reference" { | |||
must 'not(deref(.)/../ts:public-key/ts:public-key-' | must 'not(deref(.)/../ts:public-key/ts:public-key-' | |||
+ 'format[not(derived-from-or-self(., "ct:subject-' | + 'format[not(derived-from-or-self(., "ct:subject-' | |||
+ 'public-key-info-format"))])'; | + 'public-key-info-format"))])'; | |||
} | } | |||
} | } | |||
} | } | |||
leaf tls12-psks { | leaf tls12-psks { | |||
if-feature "server-auth-tls12-psk"; | if-feature "server-auth-tls12-psk"; | |||
type empty; | type empty; | |||
description | description | |||
"Indicates that the TLS client can authenticate TLS servers | "Indicates that the TLS client can authenticate TLS servers | |||
using configured PSKs (pre-shared or pairwise-symmetric | using configured PSKs (pre-shared or pairwise symmetric | |||
keys). | keys). | |||
No configuration is required since the PSK value is the | No configuration is required since the PSK value is the | |||
same as PSK value configured in the 'client-identity' | same as the PSK value configured in the 'client-identity' | |||
node."; | node."; | |||
} | } | |||
leaf tls13-epsks { | leaf tls13-epsks { | |||
if-feature "server-auth-tls13-epsk"; | if-feature "server-auth-tls13-epsk"; | |||
type empty; | type empty; | |||
description | description | |||
"Indicates that the TLS client can authenticate TLS servers | "Indicates that the TLS client can authenticate TLS servers | |||
using configured external PSKs (pre-shared keys). | using configured External PSKs (pre-shared keys). | |||
No configuration is required since the PSK value is the | No configuration is required since the PSK value is the | |||
same as PSK value configured in the 'client-identity' | same as the PSK value configured in the 'client-identity' | |||
node."; | node."; | |||
} | } | |||
} // container server-authentication | } // container server-authentication | |||
container hello-params { | container hello-params { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
if-feature "tlscmn:hello-params"; | if-feature "tlscmn:hello-params"; | |||
uses tlscmn:hello-params-grouping; | uses tlscmn:hello-params-grouping; | |||
description | description | |||
"Configurable parameters for the TLS hello message."; | "Configurable parameters for the TLS hello message."; | |||
} // container hello-params | } // container hello-params | |||
container keepalives { | container keepalives { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
if-feature "tls-client-keepalives"; | if-feature "tls-client-keepalives"; | |||
description | description | |||
"Configures the keepalive policy for the TLS client."; | "Configures the keepalive policy for the TLS client."; | |||
leaf peer-allowed-to-send { | leaf peer-allowed-to-send { | |||
type empty; | type empty; | |||
description | description | |||
"Indicates that the remote TLS server is allowed to send | "Indicates that the remote TLS server is allowed to send | |||
HeartbeatRequest messages, as defined by RFC 6520 | HeartbeatRequest messages, as defined by RFC 6520, | |||
to this TLS client."; | to this TLS client."; | |||
reference | reference | |||
"RFC 6520: Transport Layer Security (TLS) and Datagram | "RFC 6520: Transport Layer Security (TLS) and Datagram | |||
Transport Layer Security (DTLS) Heartbeat Extension"; | Transport Layer Security (DTLS) Heartbeat Extension"; | |||
} | } | |||
container test-peer-aliveness { | container test-peer-aliveness { | |||
presence | presence "Indicates that the TLS client proactively tests the | |||
"Indicates that the TLS client proactively tests the | aliveness of the remote TLS server."; | |||
aliveness of the remote TLS server."; | ||||
description | description | |||
"Configures the keep-alive policy to proactively test | "Configures the keepalive policy to proactively test | |||
the aliveness of the TLS server. An unresponsive | the aliveness of the TLS server. An unresponsive | |||
TLS server is dropped after approximately max-wait | TLS server is dropped after approximately max-wait | |||
* max-attempts seconds. The TLS client MUST send | * max-attempts seconds. The TLS client MUST send | |||
HeartbeatRequest messages, as defined by RFC 6520."; | HeartbeatRequest messages, as defined in RFC 6520."; | |||
reference | reference | |||
"RFC 6520: Transport Layer Security (TLS) and Datagram | "RFC 6520: Transport Layer Security (TLS) and Datagram | |||
Transport Layer Security (DTLS) Heartbeat Extension"; | Transport Layer Security (DTLS) Heartbeat Extension"; | |||
leaf max-wait { | leaf max-wait { | |||
type uint16 { | type uint16 { | |||
range "1..max"; | range "1..max"; | |||
} | } | |||
units "seconds"; | units "seconds"; | |||
default "30"; | default "30"; | |||
description | description | |||
"Sets the amount of time in seconds after which if | "Sets the amount of time in seconds, after which a | |||
no data has been received from the TLS server, a | ||||
TLS-level message will be sent to test the | TLS-level message will be sent to test the | |||
aliveness of the TLS server."; | aliveness of the TLS server if no data has been | |||
received from the TLS server."; | ||||
} | } | |||
leaf max-attempts { | leaf max-attempts { | |||
type uint8; | type uint8; | |||
default "3"; | default "3"; | |||
description | description | |||
"Sets the maximum number of sequential keep-alive | "Sets the maximum number of sequential keepalive | |||
messages that can fail to obtain a response from | messages that can fail to obtain a response from | |||
the TLS server before assuming the TLS server is | the TLS server before assuming the TLS server is | |||
no longer alive."; | no longer alive."; | |||
} | } | |||
} | } | |||
} | } | |||
} // grouping tls-client-grouping | } // grouping tls-client-grouping | |||
} | } | |||
]]></artwork> | ]]> | |||
<t keepWithPrevious="true"><CODE ENDS></t> | </sourcecode> | |||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="tls-server-model"> | <section anchor="tls-server-model"> | |||
<name>The "ietf-tls-server" Module</name> | <name>The "ietf-tls-server" Module</name> | |||
<t>This section defines a YANG 1.1 module called | <t>This section defines a YANG 1.1 module called | |||
"ietf-tls-server". A high-level overview of the module is provided in | "ietf-tls-server". A high-level overview of the module is provided in | |||
<xref target="server-overview"/>. Examples illustrating the module's use | <xref target="server-overview"/>. Examples illustrating the module's use | |||
are provided in <xref target="server-examples">Examples</xref>. The YANG | are provided in <xref target="server-examples"/> ("Example Usage"). The YANG | |||
module itself is defined in <xref target="server-yang-module"/>.</t> | module itself is defined in <xref target="server-yang-module"/>.</t> | |||
<section anchor="server-overview"> | <section anchor="server-overview"> | |||
<name>Data Model Overview</name> | <name>Data Model Overview</name> | |||
<t>This section provides an overview of the "ietf-tls-server" module | <t>This section provides an overview of the "ietf-tls-server" module | |||
in terms of its features and groupings.</t> | in terms of its features and groupings.</t> | |||
<section anchor="server-features" toc="exclude"> | <section anchor="server-features" toc="exclude"> | |||
<name>Features</name> | <name>Features</name> | |||
<t>The following diagram lists all the "feature" statements | <t>The following diagram lists all the "feature" statements | |||
defined in the "ietf-tls-server" module:</t> | defined in the "ietf-tls-server" module:</t> | |||
<artwork><![CDATA[ | <sourcecode type="yangtree"><![CDATA[ | |||
Features: | Features: | |||
+-- tls-server-keepalives | +-- tls-server-keepalives | |||
+-- server-ident-x509-cert | +-- server-ident-x509-cert | |||
+-- server-ident-raw-public-key | +-- server-ident-raw-public-key | |||
+-- server-ident-psk | +-- server-ident-psk | |||
+-- client-auth-supported | +-- client-auth-supported | |||
+-- client-auth-x509-cert | +-- client-auth-x509-cert | |||
+-- client-auth-raw-public-key | +-- client-auth-raw-public-key | |||
+-- client-auth-psk | +-- client-auth-psk | |||
]]></artwork> | ]]></sourcecode> | |||
<t>The diagram above uses syntax that is similar to but not | <t>The diagram above uses syntax that is similar to but not | |||
defined in <xref target="RFC8340"/>.</t> | defined in <xref target="RFC8340"/>.</t> | |||
<t>Please refer to the YANG module for a description of each feature.< /t> | <t>Please refer to the YANG module for a description of each feature.< /t> | |||
</section> | </section> | |||
<section toc="exclude"> | <section toc="exclude"> | |||
<name>Groupings</name> | <name>Groupings</name> | |||
<t>The "ietf-tls-server" module defines the following "grouping" state ment:</t> | <t>The "ietf-tls-server" module defines the following "grouping" state ment:</t> | |||
<ul spacing="compact"> | <ul spacing="compact"> | |||
<li>tls-server-grouping</li> | <li>tls-server-grouping</li> | |||
</ul> | </ul> | |||
<t>This grouping is presented in the following subsection.</t> | <t>This grouping is presented in the following subsection.</t> | |||
<section anchor="tls-server-grouping"> | <section anchor="tls-server-grouping"> | |||
<name>The "tls-server-grouping" Grouping</name> | <name>The "tls-server-grouping" Grouping</name> | |||
<t>The following tree diagram <xref target="RFC8340"/> illustrates t he | <t>The following tree diagram <xref target="RFC8340"/> illustrates t he | |||
"tls-server-grouping" grouping:</t> | "tls-server-grouping" grouping:</t> | |||
<artwork><![CDATA[ | <sourcecode type="yangtree"><![CDATA[ | |||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
grouping tls-server-grouping: | grouping tls-server-grouping: | |||
+-- server-identity | +-- server-identity | |||
| +-- (auth-type) | | +-- (auth-type) | |||
| +--:(certificate) {server-ident-x509-cert}? | | +--:(certificate) {server-ident-x509-cert}? | |||
| | +-- certificate | | | +-- certificate | |||
| | +---u ks:inline-or-keystore-end-entity-cert-with-key\ | | | +---u ks:inline-or-keystore-end-entity-cert-with-key\ | |||
-grouping | -grouping | |||
| +--:(raw-private-key) {server-ident-raw-public-key}? | | +--:(raw-private-key) {server-ident-raw-public-key}? | |||
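Review bot: in the client module's keepalives/test-peer-aliveness container, leaf max-attempts is a bare uint8 with no range, so 0 is a valid value, yet the container description says an unresponsive TLS server is dropped after approximately max-wait * max-attempts seconds. With 0 that product is zero and the text does not say what the client should do. max-wait already carries range "1..max"; give max-attempts the same lower bound, or state in its description what a value of 0 means.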
skipping to change at line 1774 ¶ | skipping to change at line 1683 ¶ | |||
| | +---u ts:inline-or-truststore-public-keys-grouping | | | +---u ts:inline-or-truststore-public-keys-grouping | |||
| +-- tls12-psks? empty {client-auth-tls12-psk}? | | +-- tls12-psks? empty {client-auth-tls12-psk}? | |||
| +-- tls13-epsks? empty {client-auth-tls13-epsk}? | | +-- tls13-epsks? empty {client-auth-tls13-epsk}? | |||
+-- hello-params {tlscmn:hello-params}? | +-- hello-params {tlscmn:hello-params}? | |||
| +---u tlscmn:hello-params-grouping | | +---u tlscmn:hello-params-grouping | |||
+-- keepalives {tls-server-keepalives}? | +-- keepalives {tls-server-keepalives}? | |||
+-- peer-allowed-to-send? empty | +-- peer-allowed-to-send? empty | |||
+-- test-peer-aliveness! | +-- test-peer-aliveness! | |||
+-- max-wait? uint16 | +-- max-wait? uint16 | |||
+-- max-attempts? uint8 | +-- max-attempts? uint8 | |||
]]></artwork> | ]]></sourcecode> | |||
<t>Comments:</t> | <t>Comments:</t> | |||
<ul> | <ul> | |||
<li>The "server-identity" node configures identity credentials, ea ch of | <li>The "server-identity" node configures identity credentials, ea ch of | |||
which is enabled by a "feature".</li> | which is enabled by a "feature".</li> | |||
<li>The "client-authentication" node, which is optionally configur ed (as client | <li>The "client-authentication" node, which is optionally configur ed (as client | |||
authentication MAY occur at a higher protocol layer), configures trust | authentication <bcp14>MAY</bcp14> occur at a higher protocol lay er), configures trust | |||
anchors for authenticating the TLS client, with each option enab led | anchors for authenticating the TLS client, with each option enab led | |||
by a "feature" statement.</li> | by a "feature" statement.</li> | |||
<li>The "hello-params" node, which must be enabled by a feature, c onfigures | <li>The "hello-params" node, which must be enabled by a feature, c onfigures | |||
parameters for the TLS sessions established by this configuratio n.</li> | parameters for the TLS sessions established by this configuratio n.</li> | |||
<li>The "keepalives" node, which must be enabled by a feature, con figures | <li>The "keepalives" node, which must be enabled by a feature, con figures | |||
a flag enabling the TLS client to test the aliveness of the TLS | a flag enabling the TLS client to test the aliveness of the TLS | |||
server, | server | |||
as well as a "presence" container for testing the aliveness of t | as well as a "presence" container to test the aliveness of the T | |||
he TLS | LS | |||
client. The aliveness-tests occurs at the TLS protocol layer.</ | client. The aliveness-tests occur at the TLS protocol layer.</l | |||
li> | i> | |||
<li> | <li> | |||
<t>For the referenced grouping statement(s): | <t>For the referenced grouping statement(s): | |||
</t> | </t> | |||
<ul spacing="compact"> | <ul spacing="compact"> | |||
<li>The "inline-or-keystore-end-entity-cert-with-key-grouping" grouping is | <li>The "inline-or-keystore-end-entity-cert-with-key-grouping" grouping is | |||
discussed in <xref section="2.1.3.6" target="I-D.ietf-netcon f-keystore"/>.</li> | discussed in <xref section="2.1.3.6" target="RFC9642"/>.</li > | |||
<li>The "inline-or-keystore-asymmetric-key-grouping" grouping is | <li>The "inline-or-keystore-asymmetric-key-grouping" grouping is | |||
discussed in <xref section="2.1.3.4" target="I-D.ietf-netcon f-keystore"/>.</li> | discussed in <xref section="2.1.3.4" target="RFC9642"/>.</li > | |||
<li>The "inline-or-keystore-symmetric-key-grouping" grouping i s | <li>The "inline-or-keystore-symmetric-key-grouping" grouping i s | |||
discussed in <xref section="2.1.3.3" target="I-D.ietf-netcon f-keystore"/>.</li> | discussed in <xref section="2.1.3.3" target="RFC9642"/>.</li > | |||
<li>The "inline-or-truststore-public-keys-grouping" grouping i s | <li>The "inline-or-truststore-public-keys-grouping" grouping i s | |||
discussed in <xref section="2.1.3.4" target="I-D.ietf-netcon f-trust-anchors"/>.</li> | discussed in <xref section="2.1.3.4" target="RFC9641"/>.</li > | |||
<li>The "inline-or-truststore-certs-grouping" grouping is | <li>The "inline-or-truststore-certs-grouping" grouping is | |||
discussed in <xref section="2.1.3.3" target="I-D.ietf-netcon f-trust-anchors"/>.</li> | discussed in <xref section="2.1.3.3" target="RFC9641"/>.</li > | |||
<li>The "hello-params-grouping" grouping is discussed in | <li>The "hello-params-grouping" grouping is discussed in | |||
<xref target="hello-params-grouping"/> in this document.</li> | <xref target="hello-params-grouping"/> in this document.</li> | |||
</ul> | </ul> | |||
</li> | </li> | |||
</ul> | </ul> | |||
</section> | </section> | |||
</section> | </section> | |||
<section toc="exclude"> | <section toc="exclude"> | |||
<name>Protocol-accessible Nodes</name> | <name>Protocol-Accessible Nodes</name> | |||
<t>The "ietf-tls-server" module defines only "grouping" statements tha t are | <t>The "ietf-tls-server" module defines only "grouping" statements tha t are | |||
used by other modules to instantiate protocol-accessible nodes. Thus | used by other modules to instantiate protocol-accessible nodes. Thus, | |||
this | this | |||
module, when implemented, does not itself define any protocol-accessib | module does not itself define any protocol-accessible nodes when imple | |||
le nodes.</t> | mented.</t> | |||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="server-examples"> | <section anchor="server-examples"> | |||
<name>Example Usage</name> | <name>Example Usage</name> | |||
<t>This section presents two examples showing the "tls-server-grouping" | <t>This section presents two examples showing the "tls-server-grouping" | |||
grouping populated with some data. These examples are effectively the sa me | grouping populated with some data. These examples are effectively the sa me | |||
except the first configures the server identity using a local key | except the first configures the server identity using a local key | |||
while the second uses a key configured in a keystore. Both examples | while the second uses a key configured in a keystore. Both examples | |||
are consistent with the examples presented in | are consistent with the examples presented in | |||
<xref section="2.2.1" target="I-D.ietf-netconf-trust-anchors"/> and | <xref section="2.2.1" target="RFC9641"/> and | |||
<xref section="2.2.1" target="I-D.ietf-netconf-keystore"/>.</t> | <xref section="2.2.1" target="RFC9642"/>.</t> | |||
<t>The following configuration example uses inline-definitions for the | <t>The following configuration example uses inline-definitions for the | |||
server identity and client authentication: | server identity and client authentication: | |||
</t> | </t> | |||
<artwork><![CDATA[ | <sourcecode type="xml"><![CDATA[ | |||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<!-- The outermost element below doesn't exist in the data model. --> | <!-- The outermost element below doesn't exist in the data model. --> | |||
<!-- It simulates if the "grouping" were a "container" instead. --> | <!-- It simulates if the "grouping" were a "container" instead. --> | |||
<tls-server | <tls-server | |||
xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-server" | xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-server" | |||
xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | |||
<!-- how this server will authenticate itself to the client --> | <!-- how this server will authenticate itself to the client --> | |||
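Review bot: in the "keepalives" bullet under Comments, dropping the comma before "as well as" makes the sentence harder to parse. It now reads as if the flag lets the TLS client test the aliveness of both the TLS server and a "presence" container. Keep the comma, or split the bullet into two sentences, one for the peer-allowed-to-send flag and one for the test-peer-aliveness container. The closing sentence also still uses the hyphenated noun "aliveness-tests"; "aliveness tests" would match the surrounding text.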
skipping to change at line 1903 ¶ | skipping to change at line 1812 ¶ | |||
</raw-public-keys> | </raw-public-keys> | |||
<tls12-psks/> | <tls12-psks/> | |||
<tls13-epsks/> | <tls13-epsks/> | |||
</client-authentication> | </client-authentication> | |||
<keepalives> | <keepalives> | |||
<peer-allowed-to-send/> | <peer-allowed-to-send/> | |||
</keepalives> | </keepalives> | |||
</tls-server> | </tls-server> | |||
]]></artwork> | ]]></sourcecode> | |||
<t>The following configuration example uses central-keystore-references for the | <t>The following configuration example uses central-keystore-references for the | |||
server identity and central-truststore-references for client authentic ation: | server identity and central-truststore-references for client authentic ation | |||
from the keystore: | from the keystore: | |||
</t> | </t> | |||
<artwork><![CDATA[ | <sourcecode type="xml"><![CDATA[ | |||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<!-- The outermost element below doesn't exist in the data model. --> | <!-- The outermost element below doesn't exist in the data model. --> | |||
<!-- It simulates if the "grouping" were a "container" instead. --> | <!-- It simulates if the "grouping" were a "container" instead. --> | |||
<tls-server xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-server"> | <tls-server xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-server"> | |||
<!-- how this server will authenticate itself to the client --> | <!-- how this server will authenticate itself to the client --> | |||
<server-identity> | <server-identity> | |||
<certificate> | <certificate> | |||
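Review bot: the lead-in to the second example still ends with "from the keystore", which does not fit the rest of the sentence: the server identity uses central-keystore-references, but client authentication uses central-truststore-references. Removing the stray colon fixed the punctuation only. Suggest also dropping "from the keystore" so the sentence ends at "client authentication:".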
skipping to change at line 1949 ¶ | skipping to change at line 1858 ¶ | |||
</raw-public-keys> | </raw-public-keys> | |||
<tls12-psks/> | <tls12-psks/> | |||
<tls13-epsks/> | <tls13-epsks/> | |||
</client-authentication> | </client-authentication> | |||
<keepalives> | <keepalives> | |||
<peer-allowed-to-send/> | <peer-allowed-to-send/> | |||
</keepalives> | </keepalives> | |||
</tls-server> | </tls-server> | |||
]]></artwork> | ]]></sourcecode> | |||
</section> | </section> | |||
<section anchor="server-yang-module"> | <section anchor="server-yang-module"> | |||
<name>YANG Module</name> | <name>YANG Module</name> | |||
<t>This YANG module has normative references to <xref target="I-D.ietf-n | ||||
etconf-trust-anchors"/> | <t>This YANG module has normative references to <xref target="RFC4279"/> | |||
and <xref target="I-D.ietf-netconf-keystore"/>, and Informative refere | , <xref target="RFC5280"/>, <xref target="RFC6520"/>, <xref target="RFC7250"/>, | |||
nces to | <xref target="RFC9640"/>, <xref target="RFC9641"/>, | |||
<xref target="RFC5246"/>, <xref target="RFC8446"/>, <xref target="RFC9 | and <xref target="RFC9642"/> and informative references to <xref targe | |||
258"/> and | t="RFC5056"/>, | |||
<xref target="RFC9257"/>.</t> | <xref target="RFC5246"/>, <xref target="RFC8446"/>, <xref target="RFC9 | |||
<t keepWithNext="true"><CODE BEGINS> file "ietf-tls-server@2024-03 | 258"/>, and | |||
-16.yang"</t> | <xref target="RFC9257"/>.</t> | |||
<artwork><![CDATA[ | ||||
<sourcecode name="ietf-tls-server@2024-03-16.yang" type="yang" markers=" | ||||
true"><![CDATA[ | ||||
module ietf-tls-server { | module ietf-tls-server { | |||
yang-version 1.1; | yang-version 1.1; | |||
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server"; | namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server"; | |||
prefix tlss; | prefix tlss; | |||
import ietf-netconf-acm { | import ietf-netconf-acm { | |||
prefix nacm; | prefix nacm; | |||
reference | reference | |||
"RFC 8341: Network Configuration Access Control Model"; | "RFC 8341: Network Configuration Access Control Model"; | |||
} | } | |||
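Review bot: the expanded normative-reference sentence in the "YANG Module" section still omits RFC 8341, although the module's first import, ietf-netconf-acm, carries the reference "RFC 8341: Network Configuration Access Control Model". Every other import's RFC (9640, 9641, 9642) is now in the normative list, so either add a reference to RFC 8341 there or note why this import is excluded.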
skipping to change at line 1969 ¶ | skipping to change at line 1879 ¶ | |||
module ietf-tls-server { | module ietf-tls-server { | |||
yang-version 1.1; | yang-version 1.1; | |||
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server"; | namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server"; | |||
prefix tlss; | prefix tlss; | |||
import ietf-netconf-acm { | import ietf-netconf-acm { | |||
prefix nacm; | prefix nacm; | |||
reference | reference | |||
"RFC 8341: Network Configuration Access Control Model"; | "RFC 8341: Network Configuration Access Control Model"; | |||
} | } | |||
import ietf-crypto-types { | import ietf-crypto-types { | |||
prefix ct; | prefix ct; | |||
reference | reference | |||
"RFC AAAA: YANG Data Types and Groupings for Cryptography"; | "RFC 9640: YANG Data Types and Groupings for Cryptography"; | |||
} | } | |||
import ietf-truststore { | import ietf-truststore { | |||
prefix ts; | prefix ts; | |||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
} | } | |||
import ietf-keystore { | import ietf-keystore { | |||
prefix ks; | prefix ks; | |||
reference | reference | |||
"RFC CCCC: A YANG Data Model for a Keystore"; | "RFC 9642: A YANG Data Model for a Keystore"; | |||
} | } | |||
import ietf-tls-common { | import ietf-tls-common { | |||
prefix tlscmn; | prefix tlscmn; | |||
reference | reference | |||
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; | "RFC 9645: YANG Groupings for TLS Clients and TLS Servers"; | |||
} | } | |||
organization | organization | |||
"IETF NETCONF (Network Configuration) Working Group"; | "IETF NETCONF (Network Configuration) Working Group"; | |||
contact | contact | |||
"WG List: NETCONF WG list <mailto:netconf@ietf.org> | "WG List: NETCONF WG list <mailto:netconf@ietf.org> | |||
WG Web: https://datatracker.ietf.org/wg/netconf | WG Web: https://datatracker.ietf.org/wg/netconf | |||
Author: Kent Watsen <mailto:kent+ietf@watsen.net> | Author: Kent Watsen <mailto:kent+ietf@watsen.net> | |||
Author: Jeff Hartley <mailto:intensifysecurity@gmail.com>"; | Author: Jeff Hartley <mailto:intensifysecurity@gmail.com>"; | |||
description | description | |||
"This module defines reusable groupings for TLS servers that | "This module defines reusable groupings for TLS servers that | |||
can be used as a basis for specific TLS server instances. | can be used as a basis for specific TLS server instances. | |||
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | ||||
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | ||||
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document | ||||
are to be interpreted as described in BCP 14 (RFC 2119) | ||||
(RFC 8174) when, and only when, they appear in all | ||||
capitals, as shown here. | ||||
Copyright (c) 2024 IETF Trust and the persons identified | Copyright (c) 2024 IETF Trust and the persons identified | |||
as authors of the code. All rights reserved. | as authors of the code. All rights reserved. | |||
Redistribution and use in source and binary forms, with | Redistribution and use in source and binary forms, with | |||
or without modification, is permitted pursuant to, and | or without modification, is permitted pursuant to, and | |||
subject to the license terms contained in, the Revised | subject to the license terms contained in, the Revised | |||
BSD License set forth in Section 4.c of the IETF Trust's | BSD License set forth in Section 4.c of the IETF Trust's | |||
Legal Provisions Relating to IETF Documents | Legal Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info). | (https://trustee.ietf.org/license-info). | |||
This version of this YANG module is part of RFC FFFF | This version of this YANG module is part of RFC 9645 | |||
(https://www.rfc-editor.org/info/rfcFFFF); see the RFC | (https://www.rfc-editor.org/info/rfc9645); see the RFC | |||
itself for full legal notices. | itself for full legal notices."; | |||
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | ||||
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | ||||
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document | ||||
are to be interpreted as described in BCP 14 (RFC 2119) | ||||
(RFC 8174) when, and only when, they appear in all | ||||
capitals, as shown here."; | ||||
revision 2024-03-16 { | revision 2024-03-16 { | |||
description | description | |||
"Initial version"; | "Initial version."; | |||
reference | reference | |||
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; | "RFC 9645: YANG Groupings for TLS Clients and TLS Servers"; | |||
} | } | |||
// Features | // Features | |||
feature tls-server-keepalives { | feature tls-server-keepalives { | |||
description | description | |||
"Per socket TLS keepalive parameters are configurable for | "Per-socket TLS keepalive parameters are configurable for | |||
TLS servers on the server implementing this feature."; | TLS servers on the server implementing this feature."; | |||
} | } | |||
feature server-ident-x509-cert { | feature server-ident-x509-cert { | |||
description | description | |||
"Indicates that the server supports identifying itself | "Indicates that the server supports identifying itself | |||
using X.509 certificates."; | using X.509 certificates."; | |||
reference | reference | |||
"RFC 5280: | "RFC 5280: | |||
Internet X.509 Public Key Infrastructure Certificate | Internet X.509 Public Key Infrastructure Certificate | |||
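Review bot: in feature tls-server-keepalives, the description now hyphenates "Per-socket" but still reads "configurable for TLS servers on the server implementing this feature", where "server" means two different things (the TLS server instance and the implementing device). Suggest naming the second one differently, for example "on the system implementing this feature".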
skipping to change at line 2067 ¶ | skipping to change at line 1971 ¶ | |||
reference | reference | |||
"RFC 7250: | "RFC 7250: | |||
Using Raw Public Keys in Transport Layer Security (TLS) | Using Raw Public Keys in Transport Layer Security (TLS) | |||
and Datagram Transport Layer Security (DTLS)"; | and Datagram Transport Layer Security (DTLS)"; | |||
} | } | |||
feature server-ident-tls12-psk { | feature server-ident-tls12-psk { | |||
if-feature "tlscmn:tls12"; | if-feature "tlscmn:tls12"; | |||
description | description | |||
"Indicates that the server supports identifying itself | "Indicates that the server supports identifying itself | |||
using TLS-1.2 PSKs (pre-shared or pairwise-symmetric keys)."; | using TLS 1.2 PSKs (pre-shared or pairwise symmetric keys)."; | |||
reference | reference | |||
"RFC 4279: | "RFC 4279: | |||
Pre-Shared Key Ciphersuites for Transport Layer Security | Pre-Shared Key Ciphersuites for Transport Layer Security | |||
(TLS)"; | (TLS)"; | |||
} | } | |||
feature server-ident-tls13-epsk { | feature server-ident-tls13-epsk { | |||
if-feature "tlscmn:tls13"; | if-feature "tlscmn:tls13"; | |||
description | description | |||
"Indicates that the server supports identifying itself | "Indicates that the server supports identifying itself | |||
using TLS-1.3 External PSKs (pre-shared keys)."; | using TLS 1.3 External PSKs (pre-shared keys)."; | |||
reference | reference | |||
"RFC 8446: | "RFC 8446: | |||
The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||
} | } | |||
feature client-auth-supported { | feature client-auth-supported { | |||
description | description | |||
"Indicates that the configuration for how to authenticate | "Indicates that the configuration for how to authenticate | |||
clients can be configured herein. TLS-level client | clients can be configured herein. TLS-level client | |||
authentication may not be needed when client authentication | authentication may not be needed when client authentication | |||
skipping to change at line 2115 ¶ | skipping to change at line 2019 ¶ | |||
using raw public keys."; | using raw public keys."; | |||
reference | reference | |||
"RFC 7250: | "RFC 7250: | |||
Using Raw Public Keys in Transport Layer Security (TLS) | Using Raw Public Keys in Transport Layer Security (TLS) | |||
and Datagram Transport Layer Security (DTLS)"; | and Datagram Transport Layer Security (DTLS)"; | |||
} | } | |||
feature client-auth-tls12-psk { | feature client-auth-tls12-psk { | |||
description | description | |||
"Indicates that the server supports authenticating clients | "Indicates that the server supports authenticating clients | |||
using PSKs (pre-shared or pairwise-symmetric keys)."; | using PSKs (pre-shared or pairwise symmetric keys)."; | |||
reference | reference | |||
"RFC 4279: | "RFC 4279: | |||
Pre-Shared Key Ciphersuites for Transport Layer Security | Pre-Shared Key Ciphersuites for Transport Layer Security | |||
(TLS)"; | (TLS)"; | |||
} | } | |||
feature client-auth-tls13-epsk { | feature client-auth-tls13-epsk { | |||
description | description | |||
"Indicates that the server supports authenticating clients | "Indicates that the server supports authenticating clients | |||
using TLS-1.3 External PSKs (pre-shared keys)."; | using TLS 1.3 External PSKs (pre-shared keys)."; | |||
reference | reference | |||
"RFC 8446: | "RFC 8446: | |||
The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||
} | } | |||
// Groupings | // Groupings | |||
grouping tls-server-grouping { | grouping tls-server-grouping { | |||
description | description | |||
"A reusable grouping for configuring a TLS server without | "A reusable grouping for configuring a TLS server without | |||
skipping to change at line 2147 ¶ | skipping to change at line 2051 ¶ | |||
established. | established. | |||
Note that this grouping uses fairly typical descendant | Note that this grouping uses fairly typical descendant | |||
node names such that a stack of 'uses' statements will | node names such that a stack of 'uses' statements will | |||
have name conflicts. It is intended that the consuming | have name conflicts. It is intended that the consuming | |||
data model will resolve the issue (e.g., by wrapping | data model will resolve the issue (e.g., by wrapping | |||
the 'uses' statement in a container called | the 'uses' statement in a container called | |||
'tls-server-parameters'). This model purposely does | 'tls-server-parameters'). This model purposely does | |||
not do this itself so as to provide maximum flexibility | not do this itself so as to provide maximum flexibility | |||
to consuming models."; | to consuming models."; | |||
container server-identity { | container server-identity { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
description | description | |||
"A locally-defined or referenced end-entity certificate, | "A locally defined or referenced End-Entity (EE) certificate, | |||
including any configured intermediate certificates, the | including any configured intermediate certificates, that | |||
TLS server will present when establishing a TLS connection | the TLS server will present when establishing a TLS | |||
in its Certificate message, as defined in Section 7.4.2 | connection in its Certificate message, as defined in | |||
in RFC 5246 and Section 4.4.2 in RFC 8446."; | Section 7.4.2 of RFC 5246 and Section 4.4.2 of RFC 8446."; | |||
reference | reference | |||
"RFC 5246: The Transport Layer Security (TLS) Protocol | "RFC 5246: The Transport Layer Security (TLS) Protocol | |||
Version 1.2 | Version 1.2 | |||
RFC 8446: The Transport Layer Security (TLS) Protocol | RFC 8446: The Transport Layer Security (TLS) Protocol | |||
Version 1.3 | Version 1.3 | |||
RFC CCCC: A YANG Data Model for a Keystore"; | RFC 9642: A YANG Data Model for a Keystore"; | |||
choice auth-type { | choice auth-type { | |||
mandatory true; | mandatory true; | |||
description | description | |||
"A choice amongst authentication types, of which one must | "A choice amongst authentication types, of which one must | |||
be enabled (via its associated 'feature') and selected."; | be enabled (via its associated 'feature') and selected."; | |||
case certificate { | case certificate { | |||
if-feature "server-ident-x509-cert"; | if-feature "server-ident-x509-cert"; | |||
container certificate { | container certificate { | |||
description | description | |||
"Specifies the server identity using a certificate."; | "Specifies the server identity using a certificate."; | |||
uses | uses "ks:inline-or-keystore-end-entity-cert-with-key-" | |||
"ks:inline-or-keystore-end-entity-cert-with-key-" | + "grouping" { | |||
+ "grouping" { | ||||
refine "inline-or-keystore/inline/inline-definition" { | refine "inline-or-keystore/inline/inline-definition" { | |||
must 'not(public-key-format) or derived-from-or-self' | must 'not(public-key-format) or derived-from-or-self' | |||
+ '(public-key-format,' + ' "ct:subject-public-' | + '(public-key-format,' | |||
+ ' "ct:subject-public-' | ||||
+ 'key-info-format")'; | + 'key-info-format")'; | |||
} | } | |||
refine "inline-or-keystore/central-keystore/" | refine "inline-or-keystore/central-keystore/" | |||
+ "central-keystore-reference/asymmetric-key" { | + "central-keystore-reference/asymmetric-key" { | |||
must 'not(deref(.)/../ks:public-key-format) or ' | must 'not(deref(.)/../ks:public-key-format) or ' | |||
+ 'derived-from-or-self(deref(.)/../ks:public-key' | + 'derived-from-or-self(deref(.)/../ks:public-key' | |||
+ '-format, "ct:subject-public-key-info-format")'; | + '-format, "ct:subject-public-key-info-format")'; | |||
} | } | |||
} | } | |||
} | } | |||
} | } | |||
case raw-private-key { | case raw-private-key { | |||
if-feature "server-ident-raw-public-key"; | if-feature "server-ident-raw-public-key"; | |||
container raw-private-key { | container raw-private-key { | |||
description | description | |||
"Specifies the server identity using a raw | "Specifies the server identity using a raw | |||
private key."; | private key."; | |||
uses ks:inline-or-keystore-asymmetric-key-grouping { | uses ks:inline-or-keystore-asymmetric-key-grouping { | |||
refine "inline-or-keystore/inline/inline-definition" { | refine "inline-or-keystore/inline/inline-definition" { | |||
must 'not(public-key-format) or derived-from-or-self' | must 'not(public-key-format) or derived-from-or-self' | |||
+ '(public-key-format,' + ' "ct:subject-public-' | + '(public-key-format,' | |||
+ ' "ct:subject-public-' | ||||
+ 'key-info-format")'; | + 'key-info-format")'; | |||
} | } | |||
refine "inline-or-keystore/central-keystore/" | refine "inline-or-keystore/central-keystore/" | |||
+ "central-keystore-reference" { | + "central-keystore-reference" { | |||
must 'not(deref(.)/../ks:public-key-format) or ' | must 'not(deref(.)/../ks:public-key-format) or ' | |||
+ 'derived-from-or-self(deref(.)/../ks:public-key' | + 'derived-from-or-self(deref(.)/../ks:public-key' | |||
+ '-format, "ct:subject-public-key-info-format")'; | + '-format, "ct:subject-public-key-info-format")'; | |||
} | } | |||
} | } | |||
} | } | |||
} | } | |||
case tls12-psk { | case tls12-psk { | |||
if-feature "server-ident-tls12-psk"; | if-feature "server-ident-tls12-psk"; | |||
container tls12-psk { | container tls12-psk { | |||
description | description | |||
"Specifies the server identity using a PSK (pre-shared | "Specifies the server identity using a PSK (pre-shared | |||
or pairwise-symmetric key)."; | or pairwise symmetric key)."; | |||
uses ks:inline-or-keystore-symmetric-key-grouping; | uses ks:inline-or-keystore-symmetric-key-grouping; | |||
leaf id-hint { | leaf id-hint { | |||
type string; | type string; | |||
description | description | |||
"The key 'psk_identity_hint' value used in the TLS | "The key 'psk_identity_hint' value used in the TLS | |||
'ServerKeyExchange' message."; | 'ServerKeyExchange' message."; | |||
reference | reference | |||
"RFC 4279: Pre-Shared Key Ciphersuites for | "RFC 4279: Pre-Shared Key Ciphersuites for | |||
Transport Layer Security (TLS)"; | Transport Layer Security (TLS)"; | |||
} | } | |||
} | } | |||
} | } | |||
case tls13-epsk { | case tls13-epsk { | |||
if-feature "server-ident-tls13-epsk"; | if-feature "server-ident-tls13-epsk"; | |||
container tls13-epsk { | container tls13-epsk { | |||
description | description | |||
"An External Pre-Shared Key (EPSK) is established | "An External Pre-Shared Key (EPSK) is established | |||
or provisioned out-of-band, i.e., not from a TLS | or provisioned out of band, i.e., not from a TLS | |||
connection. An EPSK is a tuple of (Base Key, | connection. An EPSK is a tuple of (Base Key, | |||
External Identity, Hash). External PSKs MUST | External Identity, Hash). EPSKs MUST NOT be | |||
NOT be imported for (D)TLS 1.2 or prior versions. | imported for (D)TLS 1.2 or prior versions. | |||
When PSKs are provisioned out of band, the PSK | When PSKs are provisioned out of band, the PSK | |||
identity and the KDF hash algorithm to be used | identity and the KDF hash algorithm to be used | |||
with the PSK MUST also be provisioned. | with the PSK MUST also be provisioned. | |||
The structure of this container is designed to | The structure of this container is designed to | |||
satisfy the requirements of RFC 8446 Section | satisfy the requirements in Section 4.2.11 of | |||
4.2.11, the recommendations from Section 6 in | RFC 8446, the recommendations from Section 6 of | |||
RFC 9257, and the EPSK input fields detailed in | RFC 9257, and the EPSK input fields detailed in | |||
Section 5.1 in RFC 9258. The base-key is based | Section 5.1 of RFC 9258. The base-key is based | |||
upon ks:inline-or-keystore-symmetric-key-grouping | upon 'ks:inline-or-keystore-symmetric-key-grouping' | |||
in order to provide users with flexible and | in order to provide users with flexible and | |||
secure storage options."; | secure storage options."; | |||
reference | reference | |||
"RFC 8446: The Transport Layer Security (TLS) | "RFC 8446: The Transport Layer Security (TLS) | |||
Protocol Version 1.3 | Protocol Version 1.3 | |||
RFC 9257: Guidance for External Pre-Shared Key | RFC 9257: Guidance for External Pre-Shared Key | |||
(PSK) Usage in TLS | (PSK) Usage in TLS | |||
RFC 9258: Importing External Pre-Shared Keys | RFC 9258: Importing External Pre-Shared Keys | |||
(PSKs) for TLS 1.3"; | (PSKs) for TLS 1.3"; | |||
uses ks:inline-or-keystore-symmetric-key-grouping; | uses ks:inline-or-keystore-symmetric-key-grouping; | |||
leaf external-identity { | leaf external-identity { | |||
type string; | type string; | |||
mandatory true; | mandatory true; | |||
description | description | |||
"As per Section 4.2.11 of RFC 8446, and Section 4.1 | "As per Section 4.2.11 of RFC 8446 and Section 4.1 | |||
of RFC 9257, a sequence of bytes used to identify | of RFC 9257, a sequence of bytes used to identify | |||
an EPSK. A label for a pre-shared key established | an EPSK. A label for a pre-shared key established | |||
externally."; | externally."; | |||
reference | reference | |||
"RFC 8446: The Transport Layer Security (TLS) | "RFC 8446: The Transport Layer Security (TLS) | |||
Protocol Version 1.3 | Protocol Version 1.3 | |||
RFC 9257: Guidance for External Pre-Shared Key | RFC 9257: Guidance for External Pre-Shared Key | |||
(PSK) Usage in TLS"; | (PSK) Usage in TLS"; | |||
} | } | |||
leaf hash { | leaf hash { | |||
type tlscmn:epsk-supported-hash; | type tlscmn:epsk-supported-hash; | |||
default sha-256; | default "sha-256"; | |||
description | description | |||
"As per Section 4.2.11 of RFC 8446, for externally | "As per Section 4.2.11 of RFC 8446, for EPSKs, | |||
established PSKs, the Hash algorithm MUST be set | the hash algorithm MUST be set when the PSK is | |||
when the PSK is established or default to SHA-256 | established; otherwise, default to SHA-256 if | |||
if no such algorithm is defined. The server MUST | no such algorithm is defined. The server MUST | |||
ensure that it selects a compatible PSK (if any) | ensure that it selects a compatible PSK (if any) | |||
and cipher suite. Each PSK MUST only be used | and cipher suite. Each PSK MUST only be used | |||
with a single hash function."; | with a single hash function."; | |||
reference | reference | |||
"RFC 8446: The Transport Layer Security (TLS) | "RFC 8446: The Transport Layer Security (TLS) | |||
Protocol Version 1.3"; | Protocol Version 1.3"; | |||
} | } | |||
leaf context { | leaf context { | |||
type string; | type string; | |||
description | description | |||
"Per Section 5.1 of RFC 9258, context MUST include | "As per Section 5.1 of RFC 9258, context MUST | |||
the context used to determine the EPSK, if | include the context used to determine the EPSK, | |||
any exists. For example, context may include | if any exists. For example, context may include | |||
information about peer roles or identities | information about peer roles or identities | |||
to mitigate Selfie-style reflection attacks. | to mitigate Selfie-style reflection attacks. | |||
Since the EPSK is a key derived from an external | Since the EPSK is a key derived from an external | |||
protocol or sequence of protocols, context MUST | protocol or sequence of protocols, context MUST | |||
include a channel binding for the deriving | include a channel binding for the deriving | |||
protocols [RFC5056]. The details of this | protocols (see RFC 5056). The details of this | |||
binding are protocol specfic and out of scope | binding are protocol specific and out of scope | |||
for this document."; | for this document."; | |||
reference | reference | |||
"RFC 9258: Importing External Pre-Shared Keys | "RFC 9258: Importing External Pre-Shared Keys | |||
(PSKs) for TLS 1.3"; | (PSKs) for TLS 1.3"; | |||
} | } | |||
leaf target-protocol { | leaf target-protocol { | |||
type uint16; | type uint16; | |||
description | description | |||
"As per Section 3.1 of RFC 9258, the protocol | "As per Section 3.1 of RFC 9258, the protocol | |||
for which a PSK is imported for use."; | for which a PSK is imported for use."; | |||
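Review bot: In the 'hash' leaf description, the rewording to 'MUST be set when the PSK is established; otherwise, default to SHA-256 if no such algorithm is defined' stacks 'otherwise' on top of 'if no such algorithm is defined' and leaves 'default' without a subject. The left-hand wording, or 'if no such algorithm is defined, SHA-256 is the default', says the same thing unambiguously. Separately, 'external-identity' is declared 'type string' but described as 'a sequence of bytes', so it is worth stating how identities that are not valid text are expected to be represented.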
skipping to change at line 2326 ¶ | skipping to change at line 2230 ¶ | |||
"As per Section 3 of RFC 9258, the KDF for | "As per Section 3 of RFC 9258, the KDF for | |||
which a PSK is imported for use."; | which a PSK is imported for use."; | |||
reference | reference | |||
"RFC 9258: Importing External Pre-Shared Keys | "RFC 9258: Importing External Pre-Shared Keys | |||
(PSKs) for TLS 1.3"; | (PSKs) for TLS 1.3"; | |||
} | } | |||
} | } | |||
} | } | |||
} | } | |||
} // container server-identity | } // container server-identity | |||
container client-authentication { | container client-authentication { | |||
if-feature "client-auth-supported"; | if-feature "client-auth-supported"; | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
must 'ca-certs or ee-certs or raw-public-keys or tls12-psks | must "ca-certs or ee-certs or raw-public-keys or tls12-psks | |||
or tls13-epsks'; | or tls13-epsks"; | |||
presence | presence "Indicates that client authentication is supported | |||
"Indicates that client authentication is supported (i.e., | (i.e., that the server will request clients send | |||
that the server will request clients send certificates). | certificates). If not configured, the TLS server | |||
If not configured, the TLS server SHOULD NOT request the | SHOULD NOT request that TLS clients provide | |||
TLS clients provide authentication credentials."; | authentication credentials."; | |||
description | description | |||
"Specifies how the TLS server can authenticate TLS clients. | "Specifies how the TLS server can authenticate TLS clients. | |||
Any combination of credentials is additive and unordered. | Any combination of credentials is additive and unordered. | |||
Note that no configuration is required for PSK (pre-shared | Note that no configuration is required for authentication | |||
or pairwise-symmetric key) based authentication as the key | based on PSK (pre-shared or pairwise symmetric key) as the | |||
is necessarily the same as configured in the '../server- | the key is necessarily the same as configured in the | |||
identity' node."; | '../server-identity' node."; | |||
container ca-certs { | container ca-certs { | |||
if-feature "client-auth-x509-cert"; | if-feature "client-auth-x509-cert"; | |||
presence | presence "Indicates that Certification Authority (CA) | |||
"Indicates that CA certificates have been configured. | certificates have been configured. This | |||
This statement is present so the mandatory descendant | statement is present so the mandatory | |||
nodes do not imply that this node must be configured."; | descendant nodes do not imply that this node | |||
must be configured."; | ||||
description | description | |||
"A set of certificate authority (CA) certificates used by | "A set of CA certificates used by the TLS server to | |||
the TLS server to authenticate TLS client certificates. | authenticate TLS client certificates. A client | |||
A client certificate is authenticated if it has a valid | certificate is authenticated if it has a valid chain | |||
chain of trust to a configured CA certificate."; | of trust to a configured CA certificate."; | |||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
uses ts:inline-or-truststore-certs-grouping; | uses ts:inline-or-truststore-certs-grouping; | |||
} | } | |||
container ee-certs { | container ee-certs { | |||
if-feature "client-auth-x509-cert"; | if-feature "client-auth-x509-cert"; | |||
presence | presence "Indicates that EE certificates have been | |||
"Indicates that EE certificates have been configured. | configured. This statement is present so the | |||
This statement is present so the mandatory descendant | mandatory descendant nodes do not imply that | |||
nodes do not imply that this node must be configured."; | this node must be configured."; | |||
description | description | |||
"A set of client certificates (i.e., end entity | "A set of client certificates (i.e., EE certificates) | |||
certificates) used by the TLS server to authenticate | used by the TLS server to authenticate | |||
certificates presented by TLS clients. A client | certificates presented by TLS clients. A client | |||
certificate is authenticated if it is an exact | certificate is authenticated if it is an exact | |||
match to a configured client certificate."; | match to a configured client certificate."; | |||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
uses ts:inline-or-truststore-certs-grouping; | uses ts:inline-or-truststore-certs-grouping; | |||
} | } | |||
container raw-public-keys { | container raw-public-keys { | |||
if-feature "client-auth-raw-public-key"; | if-feature "client-auth-raw-public-key"; | |||
presence | presence "Indicates that raw public keys have been | |||
"Indicates that raw public keys have been configured. | configured. This statement is present so | |||
This statement is present so the mandatory descendant | the mandatory descendant nodes do not imply | |||
nodes do not imply that this node must be configured."; | that this node must be configured."; | |||
description | description | |||
"A set of raw public keys used by the TLS server to | "A set of raw public keys used by the TLS server to | |||
authenticate raw public keys presented by the TLS | authenticate raw public keys presented by the TLS | |||
client. A raw public key is authenticated if it | client. A raw public key is authenticated if it | |||
is an exact match to a configured raw public key."; | is an exact match to a configured raw public key."; | |||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
uses ts:inline-or-truststore-public-keys-grouping { | uses ts:inline-or-truststore-public-keys-grouping { | |||
refine "inline-or-truststore/inline/inline-definition/" | refine "inline-or-truststore/inline/inline-definition/" | |||
+ "public-key" { | + "public-key" { | |||
must 'derived-from-or-self(public-key-format,' | must 'derived-from-or-self(public-key-format,' | |||
+ ' "ct:subject-public-key-info-format")'; | + ' "ct:subject-public-key-info-format")'; | |||
} | } | |||
refine "inline-or-truststore/central-truststore/" | refine "inline-or-truststore/central-truststore/" | |||
+ "central-truststore-reference" { | + "central-truststore-reference" { | |||
must 'not(deref(.)/../ts:public-key/ts:public-key-' | must 'not(deref(.)/../ts:public-key/ts:public-key-' | |||
+ 'format[not(derived-from-or-self(., "ct:subject-' | + 'format[not(derived-from-or-self(., "ct:subject-' | |||
+ 'public-key-info-format"))])'; | + 'public-key-info-format"))])'; | |||
} | } | |||
} | } | |||
} | } | |||
leaf tls12-psks { | leaf tls12-psks { | |||
if-feature "client-auth-tls12-psk"; | if-feature "client-auth-tls12-psk"; | |||
type empty; | type empty; | |||
description | description | |||
"Indicates that the TLS server can authenticate TLS clients | "Indicates that the TLS server can authenticate TLS clients | |||
using configured PSKs (pre-shared or pairwise-symmetric | using configured PSKs (pre-shared or pairwise symmetric | |||
keys). | keys). | |||
No configuration is required since the PSK value is the | No configuration is required since the PSK value is the | |||
same as PSK value configured in the 'server-identity' | same as PSK value configured in the 'server-identity' | |||
node."; | node."; | |||
} | } | |||
leaf tls13-epsks { | leaf tls13-epsks { | |||
if-feature "client-auth-tls13-epsk"; | if-feature "client-auth-tls13-epsk"; | |||
type empty; | type empty; | |||
description | description | |||
"Indicates that the TLS 1.3 server can authenticate TLS | "Indicates that the TLS 1.3 server can authenticate TLS | |||
clients using configured external PSKs (pre-shared keys). | clients using configured External PSKs (pre-shared keys). | |||
No configuration is required since the PSK value is the | No configuration is required since the PSK value is the | |||
same as PSK value configured in the 'server-identity' | same as PSK value configured in the 'server-identity' | |||
node."; | node."; | |||
} | } | |||
} // container client-authentication | } // container client-authentication | |||
container hello-params { | container hello-params { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
if-feature "tlscmn:hello-params"; | if-feature "tlscmn:hello-params"; | |||
uses tlscmn:hello-params-grouping; | uses tlscmn:hello-params-grouping; | |||
description | description | |||
"Configurable parameters for the TLS hello message."; | "Configurable parameters for the TLS hello message."; | |||
} // container hello-params | } // container hello-params | |||
container keepalives { | container keepalives { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
if-feature "tls-server-keepalives"; | if-feature "tls-server-keepalives"; | |||
description | description | |||
"Configures the keepalive policy for the TLS server."; | "Configures the keepalive policy for the TLS server."; | |||
leaf peer-allowed-to-send { | leaf peer-allowed-to-send { | |||
type empty; | type empty; | |||
description | description | |||
"Indicates that the remote TLS client is allowed to send | "Indicates that the remote TLS client is allowed to send | |||
HeartbeatRequest messages, as defined by RFC 6520 | HeartbeatRequest messages, as defined by RFC 6520, | |||
to this TLS server."; | to this TLS server."; | |||
reference | reference | |||
"RFC 6520: Transport Layer Security (TLS) and Datagram | "RFC 6520: Transport Layer Security (TLS) and Datagram | |||
Transport Layer Security (DTLS) Heartbeat Extension"; | Transport Layer Security (DTLS) Heartbeat Extension"; | |||
} | } | |||
container test-peer-aliveness { | container test-peer-aliveness { | |||
presence | presence "Indicates that the TLS server proactively tests the | |||
"Indicates that the TLS server proactively tests the | aliveness of the remote TLS client."; | |||
aliveness of the remote TLS client."; | ||||
description | description | |||
"Configures the keep-alive policy to proactively test | "Configures the keepalive policy to proactively test | |||
the aliveness of the TLS client. An unresponsive | the aliveness of the TLS client. An unresponsive | |||
TLS client is dropped after approximately max-wait | TLS client is dropped after approximately max-wait | |||
* max-attempts seconds."; | * max-attempts seconds."; | |||
leaf max-wait { | leaf max-wait { | |||
type uint16 { | type uint16 { | |||
range "1..max"; | range "1..max"; | |||
} | } | |||
units "seconds"; | units "seconds"; | |||
default "30"; | default "30"; | |||
description | description | |||
"Sets the amount of time in seconds after which if | "Sets the amount of time in seconds, after which a | |||
no data has been received from the TLS client, a | ||||
TLS-level message will be sent to test the | TLS-level message will be sent to test the | |||
aliveness of the TLS client."; | aliveness of the TLS client if no data has been | |||
received from the TLS client."; | ||||
} | } | |||
leaf max-attempts { | leaf max-attempts { | |||
type uint8; | type uint8; | |||
default "3"; | default "3"; | |||
description | description | |||
"Sets the maximum number of sequential keep-alive | "Sets the maximum number of sequential keepalive | |||
messages that can fail to obtain a response from | messages that can fail to obtain a response from | |||
the TLS client before assuming the TLS client is | the TLS client before assuming the TLS client is | |||
no longer alive."; | no longer alive."; | |||
} | } | |||
} | } | |||
} // container keepalives | } // container keepalives | |||
} // grouping tls-server-grouping | } // grouping tls-server-grouping | |||
} | } | |||
]]></artwork> | ]]> | |||
<t keepWithPrevious="true"><CODE ENDS></t> | ||||
</sourcecode> | ||||
</section> | </section> | |||
</section> | </section> | |||
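Review bot: The rewrapped 'client-authentication' description now has 'as the' at the end of one line and 'the key is necessarily the same' at the start of the next, which leaves a doubled 'the the' in the module text; drop one. In the same container, the 'presence' text still says the server 'will request clients send certificates', although the 'must' expression also admits raw-public-keys, tls12-psks and tls13-epsks, so 'credentials' would match what the container actually covers.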
<section> | <section> | |||
<name>Security Considerations</name> | <name>Security Considerations</name> | |||
<t>The three IETF YANG modules in this document define groupings and will | <t>The three IETF YANG modules in this document define groupings and will | |||
not be deployed as standalone modules. Their security implications | not be deployed as standalone modules. Their security implications | |||
may be context dependent based on their use in other modules. The | may be context dependent based on their use in other modules. The | |||
designers of modules which import these grouping must conduct their | designers of modules that import these grouping must conduct their | |||
own analysis of the security considerations.</t> | own analysis of the security considerations.</t> | |||
<section> | <section> | |||
<name>Considerations for the "iana-tls-cipher-suite-algs" Module</name> | ||||
<t>This section follows the template defined in <xref section="3.7.1" ta | <name>Considerations for the "iana-tls-cipher-suite-algs" YANG Module</n | |||
rget="RFC8407"/>.</t> | ame> | |||
<t>The "iana-tls-cipher-suite-algs" YANG module defines a data model | <t>This section is modeled after the template defined in <xref section=" | |||
that is designed to be accessed via YANG based management | 3.7.1" target="RFC8407"/>.</t> | |||
<t>The "iana-tls-cipher-suite-algs" YANG module defines a | ||||
data model that is designed to be accessed via YANG-based management | ||||
protocols, such as NETCONF <xref target="RFC6241"/> and RESTCONF | protocols, such as NETCONF <xref target="RFC6241"/> and RESTCONF | |||
<xref target="RFC8040"/>. Both of these protocols have | <xref target="RFC8040"/>. These | |||
mandatory-to-implement secure transport layers (e.g., SSH, TLS) | protocols have mandatory-to-implement secure transport layers (e.g., Secure S | |||
with mutual authentication.</t> | hell (SSH) <xref target="RFC4252"/>, TLS <xref target="RFC8446"/>, and QUIC <xre | |||
<t>The Network Access Control Model (NACM) <xref target="RFC8341"/> | f target="RFC9000"/>) and mandatory-to-implement mutual authentication. | |||
</t> | ||||
<t>The Network Configuration Access Control Model (NACM) <xref target="RF | ||||
C8341"/> | ||||
provides the means to restrict access for particular users to a | provides the means to restrict access for particular users to a | |||
pre-configured subset of all available protocol operations and | preconfigured subset of all available protocol operations and | |||
content.</t> | content.</t> | |||
<t>This YANG module defines YANG enumerations, for a public IANA-maintai ned | <t>This YANG module defines YANG enumerations, for a public IANA-maintai ned | |||
registry.</t> | registry.</t> | |||
<t>YANG enumerations are not security-sensitive, as they are statically | <t>YANG enumerations are not security-sensitive, as they are statically | |||
defined in the publicly-accessible YANG module. IANA MAY deprecate | defined in the publicly accessible YANG module. IANA <bcp14>MAY</bcp1 4> deprecate | |||
and/or obsolete enumerations over time as needed to address security | and/or obsolete enumerations over time as needed to address security | |||
issues found in the algorithms.</t> | issues found in the algorithms.</t> | |||
<t>This module does not define any writable-nodes, RPCs, actions, | <t>This module does not define any writable nodes, RPCs, actions, | |||
or notifications, and thus the security consideration for such | or notifications, and thus the security considerations for such | |||
is not provided here.</t> | are not provided here.</t> | |||
</section> | </section> | |||
<section> | <section> | |||
<name>Considerations for the "ietf-tls-common" YANG Module</name> | <name>Considerations for the "ietf-tls-common" YANG Module</name> | |||
<t>This section follows the template defined in <xref section="3.7.1" ta | <t>This section is modeled after the template defined in <xref section=" | |||
rget="RFC8407"/>.</t> | 3.7.1" target="RFC8407"/>.</t> | |||
<t>The "ietf-tls-common" YANG module defines "grouping" statements | ||||
that are designed to be accessed via YANG based management | <t>The "ietf-tls-common" YANG module defines a data model that is design | |||
ed to be accessed via YANG-based management | ||||
protocols, such as NETCONF <xref target="RFC6241"/> and RESTCONF | protocols, such as NETCONF <xref target="RFC6241"/> and RESTCONF | |||
<xref target="RFC8040"/>. Both of these protocols have | <xref target="RFC8040"/>. These | |||
mandatory-to-implement secure transport layers (e.g., SSH, TLS) | protocols have mandatory-to-implement secure transport layers (e.g., Secure S | |||
with mutual authentication.</t> | hell (SSH) <xref target="RFC4252"/>, TLS <xref target="RFC8446"/>, and QUIC <xre | |||
<t>The Network Access Control Model (NACM) <xref target="RFC8341"/> | f target="RFC9000"/>) and mandatory-to-implement mutual authentication. | |||
</t> | ||||
<t>The Network Configuration Access Control Model (NACM) <xref ta | ||||
rget="RFC8341"/> | ||||
provides the means to restrict access for particular users to a | provides the means to restrict access for particular users to a | |||
pre-configured subset of all available protocol operations and | preconfigured subset of all available protocol operations and | |||
content.</t> | content.</t> | |||
<t>Please be aware that this YANG module uses groupings from | <t>Please be aware that this YANG module uses groupings from | |||
other YANG modules that define nodes that may be considered | other YANG modules that define nodes that may be considered | |||
sensitive or vulnerable in network environments. Please | sensitive or vulnerable in network environments. Please | |||
review the Security Considerations for dependent YANG modules | review the Security Considerations for dependent YANG modules | |||
for information as to which nodes may be considered sensitive | for information as to which nodes may be considered sensitive | |||
or vulnerable in network environments.</t> | or vulnerable in network environments.</t> | |||
<t>None of the readable data nodes defined in this YANG module are | <t>None of the readable data nodes defined in this YANG module are | |||
considered sensitive or vulnerable in network environments. | considered sensitive or vulnerable in network environments. | |||
The NACM "default-deny-all" extension has not been set for | The NACM "default-deny-all" extension has not been set for | |||
any data nodes defined in this module.</t> | any data nodes defined in this module.</t> | |||
<t>None of the writable data nodes defined in this YANG module are | <t>None of the writable data nodes defined in this YANG module are | |||
considered sensitive or vulnerable in network environments. | considered sensitive or vulnerable in network environments. | |||
The NACM "default-deny-write" extension has not been set for | The NACM "default-deny-write" extension has not been set for | |||
any data nodes defined in this module.</t> | any data nodes defined in this module.</t> | |||
<t>This module defines the RPC "generate-asymmetric-key-pair" that may, | <t>This module defines the "generate-asymmetric-key-pair" RPC that may, | |||
if | if | |||
the "ct:cleartext-private-keys" feature is enabled, and the client | the "ct:cleartext-private-keys" feature is enabled and the client | |||
requests it, return the private clear in cleartext form. It is | requests it, return the private clear in cleartext form. It is | |||
NOT RECOMMENDED for private keys to pass the server's security | <bcp14>NOT RECOMMENDED</bcp14> for private keys to pass the server's s ecurity | |||
perimeter.</t> | perimeter.</t> | |||
<t>This module does not define any actions or notifications, | <t>This module does not define any actions or notifications, | |||
and thus the security consideration for such is not provided here.</t> | and thus the security considerations for such are not provided here.</t> | |||
</section> | </section> | |||
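Review bot: In the "generate-asymmetric-key-pair" paragraph, "return the private clear in cleartext form" looks like a typo for "private key", and it appears unchanged in both columns even though this pass already touches the sentence (comma after "enabled" removed, <bcp14> added around NOT RECOMMENDED). Suggest "return the private key in cleartext form".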
<section> | <section> | |||
<name>Considerations for the "ietf-tls-client" YANG Module</name> | <name>Considerations for the "ietf-tls-client" YANG Module</name> | |||
<t>This section follows the template defined in <xref section="3.7.1" ta | <t>This section is modeled after the template defined in <xref section=" | |||
rget="RFC8407"/>.</t> | 3.7.1" target="RFC8407"/>.</t> | |||
<t>The "ietf-tls-client" YANG module defines "grouping" statements | ||||
that are designed to be accessed via YANG based management | <t>The "ietf-tls-client" YANG module defines a data model that is design | |||
ed to be accessed via YANG-based management | ||||
protocols, such as NETCONF <xref target="RFC6241"/> and RESTCONF | protocols, such as NETCONF <xref target="RFC6241"/> and RESTCONF | |||
<xref target="RFC8040"/>. Both of these protocols have | <xref target="RFC8040"/>. These | |||
mandatory-to-implement secure transport layers (e.g., SSH, TLS) | protocols have mandatory-to-implement secure transport layers (e.g., Secure S | |||
with mutual authentication.</t> | hell (SSH) <xref target="RFC4252"/>, TLS <xref target="RFC8446"/>, and QUIC <xre | |||
<t>The Network Access Control Model (NACM) <xref target="RFC8341"/> | f target="RFC9000"/>) and mandatory-to-implement mutual authentication. | |||
</t> | ||||
<t>The Network Configuration Access Control Model (NACM) <xref target="R | ||||
FC8341"/> | ||||
provides the means to restrict access for particular users to a | provides the means to restrict access for particular users to a | |||
pre-configured subset of all available protocol operations and | preconfigured subset of all available protocol operations and | |||
content.</t> | content.</t> | |||
<t>Please be aware that this YANG module uses groupings from | <t>Please be aware that this YANG module uses groupings from | |||
other YANG modules that define nodes that may be considered | other YANG modules that define nodes that may be considered | |||
sensitive or vulnerable in network environments. Please | sensitive or vulnerable in network environments. Please | |||
review the Security Considerations for dependent YANG modules | review the Security Considerations for dependent YANG modules | |||
for information as to which nodes may be considered sensitive | for information as to which nodes may be considered sensitive | |||
or vulnerable in network environments.</t> | or vulnerable in network environments.</t> | |||
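Review bot: The opening sentence of this section now reads "defines a data model that is designed to be accessed via YANG-based management protocols" where the draft said the module defines "grouping" statements; the same substitution is made in the "ietf-tls-common" and "ietf-tls-server" sections. The document title and the paragraph just above ("uses groupings from other YANG modules") still talk about groupings, so the template wording drops a fact an operator needs when writing NACM rules: the nodes are instantiated wherever a consuming module uses these groupings. Suggest keeping the word "grouping" in the sentence.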
<t>None of the readable data nodes defined in this YANG module | <t>None of the readable data nodes defined in this YANG module | |||
are considered sensitive or vulnerable in network environments. | are considered sensitive or vulnerable in network environments. | |||
The NACM "default-deny-all" extension has not been set for any | The NACM "default-deny-all" extension has not been set for any | |||
data nodes defined in this module.</t> | data nodes defined in this module.</t> | |||
<t>All the writable data nodes defined by this module may be | <t>All the writable data nodes defined by this module may be | |||
considered sensitive or vulnerable in some network environments. | considered sensitive or vulnerable in some network environments. | |||
For instance, any modification to a key or reference to a key | For instance, any modification to a key or reference to a key | |||
may dramatically alter the implemented security policy. For | may dramatically alter the implemented security policy. For | |||
this reason, the NACM extension "default-deny-write" has been | this reason, the NACM extension "default-deny-write" has been | |||
set for all data nodes defined in this module.</t> | set for all data nodes defined in this module.</t> | |||
<t>This module does not define any RPCs, actions, or notifications, | <t>This module does not define any RPCs, actions, or notifications, | |||
and thus the security consideration for such is not provided here.</t> | and thus the security considerations for such are not provided here.</t> | |||
</section> | </section> | |||
<section> | <section> | |||
<name>Considerations for the "ietf-tls-server" YANG Module</name> | <name>Considerations for the "ietf-tls-server" YANG Module</name> | |||
<t>This section follows the template defined in <xref section="3.7.1" ta | <t>This section is modeled after the template defined in <xref section=" | |||
rget="RFC8407"/>.</t> | 3.7.1" target="RFC8407"/>.</t> | |||
<t>The "ietf-tls-server" YANG module defines "grouping" statements | ||||
that are designed to be accessed via YANG based management | <t>The "ietf-tls-server" YANG module defines a data model that is design | |||
ed to be accessed via YANG-based management | ||||
protocols, such as NETCONF <xref target="RFC6241"/> and RESTCONF | protocols, such as NETCONF <xref target="RFC6241"/> and RESTCONF | |||
<xref target="RFC8040"/>. Both of these protocols have | <xref target="RFC8040"/>. These | |||
mandatory-to-implement secure transport layers (e.g., SSH, TLS) | protocols have mandatory-to-implement secure transport layers (e.g., Secure S | |||
with mutual authentication.</t> | hell (SSH) <xref target="RFC4252"/>, TLS <xref target="RFC8446"/>, and QUIC <xre | |||
<t>The Network Access Control Model (NACM) <xref target="RFC8341"/> | f target="RFC9000"/>) and mandatory-to-implement mutual authentication. | |||
</t> | ||||
<t>The Network Configuration Access Control Model (NACM) <xref target="R | ||||
FC8341"/> | ||||
provides the means to restrict access for particular users to a | provides the means to restrict access for particular users to a | |||
pre-configured subset of all available protocol operations and | preconfigured subset of all available protocol operations and | |||
content.</t> | content.</t> | |||
<t>Please be aware that this YANG module uses groupings from | <t>Please be aware that this YANG module uses groupings from | |||
other YANG modules that define nodes that may be considered | other YANG modules that define nodes that may be considered | |||
sensitive or vulnerable in network environments. Please | sensitive or vulnerable in network environments. Please | |||
review the Security Considerations for dependent YANG modules | review the Security Considerations for dependent YANG modules | |||
for information as to which nodes may be considered sensitive | for information as to which nodes may be considered sensitive | |||
or vulnerable in network environments.</t> | or vulnerable in network environments.</t> | |||
<t>None of the readable data nodes defined in this YANG module are consi dered sensitive | <t>None of the readable data nodes defined in this YANG module are consi dered sensitive | |||
or vulnerable in network environments. The NACM "default-deny-all" ext ension | or vulnerable in network environments. The NACM "default-deny-all" ext ension | |||
has not been set for any data nodes defined in this module.</t> | has not been set for any data nodes defined in this module.</t> | |||
<!--<aside>--> | ||||
<t>Please be aware that this module uses the "key" and "private-key" | <t>Please be aware that this module uses the "key" and "private-key" | |||
nodes from the "ietf-crypto-types" module <xref target="I-D.ietf-net conf-crypto-types"/>, | nodes from the "ietf-crypto-types" module <xref target="RFC9640"/>, | |||
where said nodes have the NACM extension "default-deny-all" set, thu s | where said nodes have the NACM extension "default-deny-all" set, thu s | |||
preventing unrestricted read-access to the cleartext key values.</t> | preventing unrestricted read access to the cleartext key values.</t> | |||
<!--</aside>--> | ||||
<t>All the writable data nodes defined by this module may be | <t>All the writable data nodes defined by this module may be | |||
considered sensitive or vulnerable in some network environments. | considered sensitive or vulnerable in some network environments. | |||
For instance, any modification to a key or reference to a key | For instance, any modification to a key or reference to a key | |||
may dramatically alter the implemented security policy. For | may dramatically alter the implemented security policy. For | |||
this reason, the NACM extension "default-deny-write" has been | this reason, the NACM extension "default-deny-write" has been | |||
set for all data nodes defined in this module.</t> | set for all data nodes defined in this module.</t> | |||
<t>This module does not define any RPCs, actions, or notifications, | <t>This module does not define any RPCs, actions, or notifications, | |||
and thus the security consideration for such is not provided here.</t> | and thus the security considerations for such are not provided here.</t> | |||
</section> | </section> | |||
</section> | </section> | |||
<section> | <section> | |||
<name>IANA Considerations</name> | <name>IANA Considerations</name> | |||
<section> | <section> | |||
<name>The "IETF XML" Registry</name> | <name>The IETF XML Registry</name> | |||
<t>This document registers four URIs in the "ns" subregistry of the | <t>IANA has registered the following four URIs in the "ns" registry of t | |||
IETF XML Registry <xref target="RFC3688"/>. Following the format in | he | |||
<xref target="RFC3688"/>, the following registrations are | "IETF XML Registry" <xref target="RFC3688"/>.</t> | |||
requested:</t> | <dl spacing="compact"> | |||
<artwork><![CDATA[ | <dt>URI:</dt><dd> urn:ietf:params:xml:ns:yang:iana-tls-cipher-suite-algs</dd> | |||
URI: urn:ietf:params:xml:ns:yang:iana-tls-cipher-suite-algs | <dt>Registrant Contact:</dt><dd>The IESG</dd> | |||
Registrant Contact: The IESG | <dt>XML:</dt><dd> N/A; the requested URI is an XML namespace.</dd> | |||
XML: N/A, the requested URI is an XML namespace. | </dl> | |||
<dl spacing="compact"> | ||||
URI: urn:ietf:params:xml:ns:yang:ietf-tls-common | <dt>URI:</dt><dd> urn:ietf:params:xml:ns:yang:ietf-tls-common</dd> | |||
Registrant Contact: The IESG | <dt>Registrant Contact:</dt><dd> The IESG</dd> | |||
XML: N/A, the requested URI is an XML namespace. | <dt>XML:</dt><dd> N/A; the requested URI is an XML namespace.</dd> | |||
</dl> | ||||
URI: urn:ietf:params:xml:ns:yang:ietf-tls-client | <dl spacing="compact"> | |||
Registrant Contact: The IESG | <dt>URI:</dt><dd> urn:ietf:params:xml:ns:yang:ietf-tls-client</dd> | |||
XML: N/A, the requested URI is an XML namespace. | <dt>Registrant Contact:</dt><dd> The IESG</dd> | |||
<dt>XML:</dt><dd> N/A; the requested URI is an XML namespace.</dd> | ||||
</dl> | ||||
URI: urn:ietf:params:xml:ns:yang:ietf-tls-server | <dl spacing="compact"> | |||
Registrant Contact: The IESG | <dt>URI:</dt><dd> urn:ietf:params:xml:ns:yang:ietf-tls-server</dd> | |||
XML: N/A, the requested URI is an XML namespace. | <dt>Registrant Contact:</dt><dd> The IESG</dd> | |||
]]></artwork> | <dt>XML:</dt><dd> N/A; the requested URI is an XML namespace.</dd> | |||
</dl> | ||||
</section> | </section> | |||
<section> | <section> | |||
<name>The "YANG Module Names" Registry</name> | <name>The YANG Module Names Registry</name> | |||
<t>This document registers four YANG modules in the YANG Module Names | <t>IANA has registered the following four YANG modules in the "YANG Modu | |||
registry <xref target="RFC6020"/>. Following the format in <xref target= | le Names" | |||
"RFC6020"/>, the following registrations are requested:</t> | registry <xref target="RFC6020"/>.</t> | |||
<artwork><![CDATA[ | <dl spacing="compact"> | |||
name: iana-tls-cipher-suite-algs | <dt>name:</dt><dd> iana-tls-cipher-suite-algs</dd> | |||
namespace: urn:ietf:params:xml:ns:yang:iana-tls-cipher-suite-algs | <dt>Maintained by IANA:</dt><dd>Y</dd> | |||
prefix: tlscsa | <dt>namespace:</dt><dd> urn:ietf:params:xml:ns:yang:iana-tls-cipher-suite-alg | |||
reference: RFC FFFF | s</dd> | |||
<dt>prefix:</dt><dd> tlscsa</dd> | ||||
name: ietf-tls-common | <dt>reference:</dt><dd> RFC 9645</dd> | |||
namespace: urn:ietf:params:xml:ns:yang:ietf-tls-common | </dl> | |||
prefix: tlscmn | <dl spacing="compact"> | |||
reference: RFC FFFF | <dt>name: </dt><dd> ietf-tls-common</dd> | |||
<dt>Maintained by IANA:</dt><dd>N</dd> | ||||
name: ietf-tls-client | <dt>namespace: </dt><dd> urn:ietf:params:xml:ns:yang:ietf-tls-common</dd> | |||
namespace: urn:ietf:params:xml:ns:yang:ietf-tls-client | <dt>prefix: </dt><dd> tlscmn</dd> | |||
prefix: tlsc | <dt>reference: </dt><dd> RFC 9645</dd> | |||
reference: RFC FFFF | </dl> | |||
<dl spacing="compact"> | ||||
name: ietf-tls-server | <dt>name: </dt><dd> ietf-tls-client </dd> | |||
namespace: urn:ietf:params:xml:ns:yang:ietf-tls-server | <dt>Maintained by IANA:</dt><dd>N</dd> | |||
prefix: tlss | <dt>namespace: </dt><dd> urn:ietf:params:xml:ns:yang:ietf-tls-client </dd> | |||
reference: RFC FFFF | <dt>prefix: </dt><dd> tlsc </dd> | |||
]]></artwork> | <dt>reference: </dt><dd> RFC 9645</dd> | |||
</dl> | ||||
<dl spacing="compact"> | ||||
<dt>name: </dt><dd> ietf-tls-server </dd> | ||||
<dt>Maintained by IANA:</dt><dd>N</dd> | ||||
<dt>namespace: </dt><dd> urn:ietf:params:xml:ns:yang:ietf-tls-server </dd> | ||||
<dt>prefix: </dt><dd> tlss </dd> | ||||
<dt>reference: </dt><dd> RFC 9645</dd> | ||||
</dl> | ||||
</section> | </section> | |||
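Review bot: The four new <dl> blocks are formatted inconsistently: the first uses <dt>name:</dt> and <dd>Y</dd> with no padding, while the other three use <dt>name: </dt> and values such as <dd> tlsc </dd> with stray leading and trailing spaces. Normalise the whitespace so the entries match. Also, the sentence citing the RFC 6020 format was dropped while a "Maintained by IANA" field was added to every entry; say which registry format that field comes from.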
<section> | <section> | |||
<name>Considerations for the "iana-tls-cipher-suite-algs" Module</name> | <name>Considerations for the "iana-tls-cipher-suite-algs" YANG Module</n ame> | |||
<t>This section follows the template defined in <xref section="4.30.3.1" target="I-D.ietf-netmod-rfc8407bis"/>.</t> | <t>This section follows the template defined in <xref section="4.30.3.1" target="I-D.ietf-netmod-rfc8407bis"/>.</t> | |||
<t>This document presents a script (see <xref target="iana-script"/>) fo | ||||
r | <t>IANA used the script in <xref target="iana-script"/> to generate the | |||
IANA to use to generate the IANA-maintained "iana-tls-cipher-suite-alg | IANA-maintained "iana-tls-cipher-suite-algs" YANG module. | |||
s" YANG module. | The YANG module is available from the "YANG Parameters" | |||
The most recent version of the YANG module is available from the "YANG | ||||
Parameters" | ||||
registry <xref target="IANA-YANG-PARAMETERS"/>.</t> | registry <xref target="IANA-YANG-PARAMETERS"/>.</t> | |||
<t>IANA is requested to add the following note to the registry:</t> | <t>IANA has added the following note to the registry:</t> | |||
<blockquote>New values must not be directly added to the "iana-tls-ciphe | <blockquote> | |||
r-suite-algs" | New values must not be directly added to the "iana-tls-cipher-suite-alg | |||
YANG module. They must instead be added to the "TLS Cipher Suites" su | s" | |||
b-registry of | YANG module. They must instead be added to the "TLS Cipher Suites" re | |||
the "Transport Layer Security (TLS) Parameters" registry <xref target= | gistry in | |||
"IANA-CIPHER-ALGS"/>.</blockquote> | the "Transport Layer Security (TLS) Parameters" registry group <xref t | |||
<t>When a value is added to the "TLS Cipher Suites" sub-registry, a new | arget="IANA-CIPHER-ALGS"/>. | |||
"enum" | </blockquote> | |||
<t>When a value is added to the "TLS Cipher Suites" registry, a new "enu | ||||
m" | ||||
statement must be added to the "iana-tls-cipher-suite-algs" YANG module . The | statement must be added to the "iana-tls-cipher-suite-algs" YANG module . The | |||
"enum" statement, and sub-statements thereof, should be defined as fol | "enum" statement, and substatements thereof, should be defined as follow | |||
lows:</t> | s:</t> | |||
<dl newline="true"> | <dl newline="true"> | |||
<dt>enum</dt> | <dt>enum</dt> | |||
<dd>Replicates a name from the registry.</dd> | <dd>Replicates a name from the registry.</dd> | |||
<dt>value</dt> | <dt>value</dt> | |||
<dd>Contains the decimal value of the IANA-assigned value.</dd> | <dd>Contains the decimal value of the IANA-assigned value.</dd> | |||
<dt>status</dt> | <dt>status</dt> | |||
<dd>Include only if a registration has been deprecated or obsoleted. | <dd>Include only if a registration has been deprecated or obsoleted. | |||
An IANA "Recommended" maps to YANG status "deprecated". Since the r | An IANA "Recommended" value "N" maps to YANG status "deprecated". S | |||
egistry | ince the registry | |||
is unable to express a logical "MUST NOT" recommendation, there is n | is unable to express a logical "<bcp14>MUST NOT</bcp14>" recommendat | |||
o | ion, there is no | |||
mapping to YANG status "obsolete", which is unfortunate given | mapping to YANG status "obsolete", which is unfortunate given the mo | |||
<eref target="https://datatracker.ietf.org/doc/status-change-tls-des | ving of single-DES and International Data | |||
-idea-ciphers-to-historic">Moving | Encryption Algorithm (IDEA) TLS cipher suites to Historic <xref target="RF | |||
single-DES and IDEA TLS ciphersuites to Historic</eref> .</dd> | C8996"/>.</dd> | |||
<dt>description</dt> | <dt>description</dt> | |||
<dd>Contains "Enumeration for the 'TLS_FOO' algorithm.", where "TLS_FO O" is | <dd>Contains "Enumeration for the 'TLS_FOO' algorithm", where "TLS_FOO " is | |||
a placeholder for the algorithm's name (e.g., "TLS_PSK_WITH_AES_256_ CBC_SHA").</dd> | a placeholder for the algorithm's name (e.g., "TLS_PSK_WITH_AES_256_ CBC_SHA").</dd> | |||
<dt>reference</dt> | <dt>reference</dt> | |||
<dd>Replicates the reference(s) from the registry with the title of th e | <dd>Replicates the reference(s) from the registry with the title of th e | |||
document(s) added.</dd> | document(s) added.</dd> | |||
</dl> | </dl> | |||
<t>Unassigned or reserved values are not present in the module.</t> | <t>Unassigned or reserved values are not present in the module.</t> | |||
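Review bot: The "status" entry is internally inconsistent after this edit. It opens with "Include only if a registration has been deprecated or obsoleted", and the Security Considerations text for this module says IANA MAY "deprecate and/or obsolete enumerations", yet the revised sentence says that only a "Recommended" value of "N" maps to "deprecated" and that there is no mapping to "obsolete". State explicitly that the generated module never emits status "obsolete", or describe the step that would set it. Minor: in the "description" entry the period was moved outside the quoted string ('TLS_FOO' algorithm"), which changes the literal text; check it against what the script referenced as "iana-script" actually emits.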
<t>When the "iana-tls-cipher-suite-algs" YANG module is updated, a | <t>When the "iana-tls-cipher-suite-algs" YANG module is updated, a | |||
new "revision" statement with a unique revision date must be added | new "revision" statement with a unique revision date must be added | |||
in front of the existing revision statements. The "revision" | in front of the existing revision statements. The "revision" | |||
must have a "description" statement explaining why the the update | must have a "description" statement explaining why the the update | |||
occurred, and must have a "reference" substatement that points to the | occurred and must have a "reference" substatement that points to the | |||
document defining the registry update that resulted in this change. | document defining the registry update that resulted in this change. | |||
For instance:</t> | For instance:</t> | |||
<artwork><![CDATA[ | ||||
<sourcecode type="yang"><![CDATA[ | ||||
revision 2024-02-02 { | revision 2024-02-02 { | |||
description | description | |||
"This update reflect the update made to the underlying | "This update reflects the update made to the underlying | |||
Foo Bar registry per RFC XXXX."; | 'Foo Bar' registry per RFC XXXX."; | |||
reference | reference | |||
"RFC XXXX: Extend the Foo Bars Registry | "RFC XXXX: Extend the Foo Bar Registry | |||
to Support Something Important"; | to Support Something Important"; | |||
}]]></artwork> | }]]></sourcecode> | |||
<t>IANA is requested to add the following note to the "TLS Cipher Suites | <t>IANA has added the following note to the "TLS Cipher Suites" | |||
" | registry under the "Transport Layer Security (TLS) Parameters" | |||
sub-registry of the "Transport Layer Security (TLS) Parameters" | registry group <xref target="IANA-CIPHER-ALGS"/>.</t> | |||
registry <xref target="IANA-CIPHER-ALGS"/>.</t> | ||||
<blockquote>When this registry is modified, the YANG module "iana-tls-ci pher-suite-algs" | <blockquote>When this registry is modified, the YANG module "iana-tls-ci pher-suite-algs" | |||
<xref target="IANA-YANG-PARAMETERS"/> must be updated as defined in RF | <xref target="IANA-YANG-PARAMETERS"/> must be updated as defined in RFC | |||
C FFFF.</blockquote> | 9645.</blockquote> | |||
<t>An initial version of this module can be found in <xref target="tls-c | ||||
ipher-algs-model"/>.</t> | ||||
</section> | </section> | |||
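Review bot: In the paragraph introducing the revision example, "explaining why the the update occurred" still has a doubled "the" in both columns; this pass fixed "reflect" to "reflects" and "Foo Bars Registry" to "Foo Bar Registry" inside the example but missed the sentence above it. Also confirm that "RFC XXXX" inside the <sourcecode> block is meant to stay as an illustrative placeholder, since the neighbouring "RFC FFFF" placeholders were replaced with "RFC 9645".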
</section> | </section> | |||
</middle> | </middle> | |||
<back> | <back> | |||
<displayreference target="I-D.ietf-netmod-system-config" to="SYSTEM-CONFIG"/ | ||||
> | ||||
<displayreference target="I-D.ietf-netmod-rfc8407bis" to="RFC8407BIS"/> | ||||
<displayreference target="I-D.ietf-netconf-http-client-server" | ||||
to="HTTP-CLIENT-SERVER"/> | ||||
<displayreference target="I-D.ietf-netconf-netconf-client-server" | ||||
to="NETCONF-CLIENT-SERVER"/> | ||||
<displayreference target="I-D.ietf-netconf-restconf-client-server" | ||||
to="RESTCONF-CLIENT-SERVER"/> | ||||
<references> | <references> | |||
<name>References</name> | <name>References</name> | |||
<references> | <references> | |||
<name>Normative References</name> | <name>Normative References</name> | |||
<reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2 | ||||
119" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.21 | |||
<front> | 19.xml"/> | |||
<title>Key words for use in RFCs to Indicate Requirement Levels</tit | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.42 | |||
le> | 52.xml"/> | |||
<author fullname="S. Bradner" initials="S." surname="Bradner"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.42 | |||
<date month="March" year="1997"/> | 79.xml"/> | |||
<abstract> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.52 | |||
<t>In many standards track documents several words are used to sig | 80.xml"/> | |||
nify the requirements in the specification. These words are often capitalized. T | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.52 | |||
his document defines these words as they should be interpreted in IETF documents | 88.xml"/> | |||
. This document specifies an Internet Best Current Practices for the Internet Co | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.52 | |||
mmunity, and requests discussion and suggestions for improvements.</t> | 89.xml"/> | |||
</abstract> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.60 | |||
</front> | 20.xml"/> | |||
<seriesInfo name="BCP" value="14"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.65 | |||
<seriesInfo name="RFC" value="2119"/> | 20.xml"/> | |||
<seriesInfo name="DOI" value="10.17487/RFC2119"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.72 | |||
</reference> | 50.xml"/> | |||
<reference anchor="RFC2712" target="https://www.rfc-editor.org/info/rfc2 | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.75 | |||
712" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2712.xml"> | 89.xml"/> | |||
<front> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.79 | |||
<title>Addition of Kerberos Cipher Suites to Transport Layer Securit | 50.xml"/> | |||
y (TLS)</title> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.81 | |||
<author fullname="A. Medvinsky" initials="A." surname="Medvinsky"/> | 74.xml"/> | |||
<author fullname="M. Hur" initials="M." surname="Hur"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.83 | |||
<date month="October" year="1999"/> | 41.xml"/> | |||
<abstract> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.84 | |||
<t>This document proposes the addition of new cipher suites to the | 22.xml"/> | |||
TLS protocol to support Kerberos-based authentication. [STANDARDS-TRACK]</t> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.80 | |||
</abstract> | 40.xml"/> | |||
</front> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.62 | |||
<seriesInfo name="RFC" value="2712"/> | 41.xml"/> | |||
<seriesInfo name="DOI" value="10.17487/RFC2712"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.84 | |||
</reference> | 46.xml"/> | |||
<reference anchor="RFC4162" target="https://www.rfc-editor.org/info/rfc4 | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.90 | |||
162" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4162.xml"> | 00.xml"/> | |||
<front> | ||||
<title>Addition of SEED Cipher Suites to Transport Layer Security (T | <!-- [I-D.ietf-netconf-crypto-types] companion document RFC 9640 --> | |||
LS)</title> | <reference anchor="RFC9640" target="https://www.rfc-editor.org/info/rfc9 | |||
<author fullname="H.J. Lee" initials="H.J." surname="Lee"/> | 640"> | |||
<author fullname="J.H. Yoon" initials="J.H." surname="Yoon"/> | <front> | |||
<author fullname="J.I. Lee" initials="J.I." surname="Lee"/> | <title>YANG Data Types and Groupings for Cryptography</title> | |||
<date month="August" year="2005"/> | <author initials="K." surname="Watsen" fullname="Kent Watsen"> | |||
<abstract> | <organization>Watsen Networks</organization> | |||
<t>This document proposes the addition of new cipher suites to the | </author> | |||
Transport Layer Security (TLS) protocol to support the SEED encryption algorith | <date month="October" year="2024"/> | |||
m as a bulk cipher algorithm. [STANDARDS-TRACK]</t> | </front> | |||
</abstract> | <seriesInfo name="RFC" value="9640"/> | |||
</front> | <seriesInfo name="DOI" value="10.17487/RFC9640"/> | |||
<seriesInfo name="RFC" value="4162"/> | </reference> | |||
<seriesInfo name="DOI" value="10.17487/RFC4162"/> | ||||
</reference> | <!-- [I-D.ietf-netconf-trust-anchors] companion document RFC 9641 --> | |||
<reference anchor="RFC4279" target="https://www.rfc-editor.org/info/rfc4 | <reference anchor="RFC9641" target="https://www.rfc-editor.org/info/rfc9 | |||
279" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4279.xml"> | 641"> | |||
<front> | <front> | |||
<title>Pre-Shared Key Ciphersuites for Transport Layer Security (TLS | <title>A YANG Data Model for a Truststore</title> | |||
)</title> | <author initials="K." surname="Watsen" fullname="Kent Watsen"> | |||
<author fullname="P. Eronen" initials="P." role="editor" surname="Er | <organization>Watsen Networks</organization> | |||
onen"/> | </author> | |||
<author fullname="H. Tschofenig" initials="H." role="editor" surname | <date month="October" year="2024"/> | |||
="Tschofenig"/> | </front> | |||
<date month="December" year="2005"/> | <seriesInfo name="RFC" value="9641"/> | |||
<abstract> | <seriesInfo name="DOI" value="10.17487/RFC9641"/> | |||
<t>This document specifies three sets of new ciphersuites for the | </reference> | |||
Transport Layer Security (TLS) protocol to support authentication based on pre-s | ||||
hared keys (PSKs). These pre-shared keys are symmetric keys, shared in advance a | <!-- [I-D.ietf-netconf-keystore] companion document RFC 9642; title has been upd | |||
mong the communicating parties. The first set of ciphersuites uses only symmetri | ated to match the edited doc --> | |||
c key operations for authentication. The second set uses a Diffie-Hellman exchan | <reference anchor="RFC9642" target="https://www.rfc-editor.org/info/rfc9 | |||
ge authenticated with a pre-shared key, and the third set combines public key au | 642"> | |||
thentication of the server with pre-shared key authentication of the client. [ST | <front> | |||
ANDARDS-TRACK]</t> | <title>A YANG Data Model for a Keystore</title> | |||
</abstract> | <author initials="K." surname="Watsen" fullname="Kent Watsen"> | |||
</front> | <organization>Watsen Networks</organization> | |||
<seriesInfo name="RFC" value="4279"/> | </author> | |||
<seriesInfo name="DOI" value="10.17487/RFC4279"/> | <date month="October" year="2024"/> | |||
</reference> | </front> | |||
<reference anchor="RFC4346" target="https://www.rfc-editor.org/info/rfc4 | <seriesInfo name="RFC" value="9642"/> | |||
346" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4346.xml"> | <seriesInfo name="DOI" value="10.17487/RFC9642"/> | |||
<front> | </reference> | |||
<title>The Transport Layer Security (TLS) Protocol Version 1.1</titl | ||||
e> | <reference anchor="FIPS180-4" target="https://nvlpubs.nist.gov/nistpubs/FIPS/NIS | |||
<author fullname="T. Dierks" initials="T." surname="Dierks"/> | T.FIPS.180-4.pdf" quoteTitle="true" derivedAnchor="FIPS180-4"> | |||
<author fullname="E. Rescorla" initials="E." surname="Rescorla"/> | ||||
<date month="April" year="2006"/> | ||||
<abstract> | ||||
<t>This document specifies Version 1.1 of the Transport Layer Secu | ||||
rity (TLS) protocol. The TLS protocol provides communications security over the | ||||
Internet. The protocol allows client/server applications to communicate in a way | ||||
that is designed to prevent eavesdropping, tampering, or message forgery.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="4346"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC4346"/> | ||||
</reference> | ||||
<reference anchor="RFC4785" target="https://www.rfc-editor.org/info/rfc4 | ||||
785" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4785.xml"> | ||||
<front> | ||||
<title>Pre-Shared Key (PSK) Ciphersuites with NULL Encryption for Tr | ||||
ansport Layer Security (TLS)</title> | ||||
<author fullname="U. Blumenthal" initials="U." surname="Blumenthal"/ | ||||
> | ||||
<author fullname="P. Goel" initials="P." surname="Goel"/> | ||||
<date month="January" year="2007"/> | ||||
<abstract> | ||||
<t>This document specifies authentication-only ciphersuites (with | ||||
no encryption) for the Pre-Shared Key (PSK) based Transport Layer Security (TLS) | ||||
protocol. These ciphersuites are useful when authentication and integrity prote | ||||
ction is desired, but confidentiality is not needed or not permitted. [STANDARDS | ||||
-TRACK]</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="4785"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC4785"/> | ||||
</reference> | ||||
<reference anchor="RFC5054" target="https://www.rfc-editor.org/info/rfc5 | ||||
054" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5054.xml"> | ||||
<front> | ||||
<title>Using the Secure Remote Password (SRP) Protocol for TLS Authe | ||||
ntication</title> | ||||
<author fullname="D. Taylor" initials="D." surname="Taylor"/> | ||||
<author fullname="T. Wu" initials="T." surname="Wu"/> | ||||
<author fullname="N. Mavrogiannopoulos" initials="N." surname="Mavro | ||||
giannopoulos"/> | ||||
<author fullname="T. Perrin" initials="T." surname="Perrin"/> | ||||
<date month="November" year="2007"/> | ||||
<abstract> | ||||
<t>This memo presents a technique for using the Secure Remote Pass | ||||
word protocol as an authentication method for the Transport Layer Security proto | ||||
col. This memo provides information for the Internet community.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="5054"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC5054"/> | ||||
</reference> | ||||
<reference anchor="RFC5288" target="https://www.rfc-editor.org/info/rfc5 | ||||
288" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5288.xml"> | ||||
<front> | ||||
<title>AES Galois Counter Mode (GCM) Cipher Suites for TLS</title> | ||||
<author fullname="J. Salowey" initials="J." surname="Salowey"/> | ||||
<author fullname="A. Choudhury" initials="A." surname="Choudhury"/> | ||||
<author fullname="D. McGrew" initials="D." surname="McGrew"/> | ||||
<date month="August" year="2008"/> | ||||
<abstract> | ||||
<t>This memo describes the use of the Advanced Encryption Standard | ||||
(AES) in Galois/Counter Mode (GCM) as a Transport Layer Security (TLS) authenti | ||||
cated encryption operation. GCM provides both confidentiality and data origin au | ||||
thentication, can be efficiently implemented in hardware for speeds of 10 gigabi | ||||
ts per second and above, and is also well-suited to software implementations. Th | ||||
is memo defines TLS cipher suites that use AES-GCM with RSA, DSA, and Diffie-Hel | ||||
lman-based key exchange mechanisms. [STANDARDS-TRACK]</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="5288"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC5288"/> | ||||
</reference> | ||||
<reference anchor="RFC5289" target="https://www.rfc-editor.org/info/rfc5 | ||||
289" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5289.xml"> | ||||
<front> | ||||
<title>TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Gal | ||||
ois Counter Mode (GCM)</title> | ||||
<author fullname="E. Rescorla" initials="E." surname="Rescorla"/> | ||||
<date month="August" year="2008"/> | ||||
<abstract> | ||||
<t>RFC 4492 describes elliptic curve cipher suites for Transport L | ||||
ayer Security (TLS). However, all those cipher suites use HMAC-SHA-1 as their Me | ||||
ssage Authentication Code (MAC) algorithm. This document describes sixteen new c | ||||
ipher suites for TLS that specify stronger MAC algorithms. Eight use Hashed Mess | ||||
age Authentication Code (HMAC) with SHA-256 or SHA-384, and eight use AES in Gal | ||||
ois Counter Mode (GCM). This memo provides information for the Internet communit | ||||
y.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="5289"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC5289"/> | ||||
</reference> | ||||
<reference anchor="RFC5469" target="https://www.rfc-editor.org/info/rfc5 | ||||
469" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5469.xml"> | ||||
<front> | ||||
<title>DES and IDEA Cipher Suites for Transport Layer Security (TLS) | ||||
</title> | ||||
<author fullname="P. Eronen" initials="P." role="editor" surname="Er | ||||
onen"/> | ||||
<date month="February" year="2009"/> | ||||
<abstract> | ||||
<t>Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 | ||||
(RFC 4346) include cipher suites based on DES (Data Encryption Standard) and IDE | ||||
A (International Data Encryption Algorithm) algorithms. DES (when used in single | ||||
-DES mode) and IDEA are no longer recommended for general use in TLS, and have b | ||||
een removed from TLS version 1.2 (RFC 5246). This document specifies these ciphe | ||||
r suites for completeness and discusses reasons why their use is no longer recom | ||||
mended. This memo provides information for the Internet community.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="5469"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC5469"/> | ||||
</reference> | ||||
<reference anchor="RFC5487" target="https://www.rfc-editor.org/info/rfc5 | ||||
487" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5487.xml"> | ||||
<front> | ||||
<title>Pre-Shared Key Cipher Suites for TLS with SHA-256/384 and AES | ||||
Galois Counter Mode</title> | ||||
<author fullname="M. Badra" initials="M." surname="Badra"/> | ||||
<date month="March" year="2009"/> | ||||
<abstract> | ||||
<t>RFC 4279 and RFC 4785 describe pre-shared key cipher suites for | ||||
Transport Layer Security (TLS). However, all those cipher suites use SHA-1 in t | ||||
heir Message Authentication Code (MAC) algorithm. This document describes a set | ||||
of pre-shared key cipher suites for TLS that uses stronger digest algorithms (i. | ||||
e., SHA-256 or SHA-384) and another set that uses the Advanced Encryption Standa | ||||
rd (AES) in Galois Counter Mode (GCM). [STANDARDS-TRACK]</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="5487"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC5487"/> | ||||
</reference> | ||||
<reference anchor="RFC5489" target="https://www.rfc-editor.org/info/rfc5 | ||||
489" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5489.xml"> | ||||
<front> | ||||
<title>ECDHE_PSK Cipher Suites for Transport Layer Security (TLS)</t | ||||
itle> | ||||
<author fullname="M. Badra" initials="M." surname="Badra"/> | ||||
<author fullname="I. Hajjeh" initials="I." surname="Hajjeh"/> | ||||
<date month="March" year="2009"/> | ||||
<abstract> | ||||
<t>This document extends RFC 4279, RFC 4492, and RFC 4785 and spec | ||||
ifies a set of cipher suites that use a pre-shared key (PSK) to authenticate an | ||||
Elliptic Curve Diffie-Hellman exchange with Ephemeral keys (ECDHE). These cipher | ||||
suites provide Perfect Forward Secrecy (PFS). This memo provides information fo | ||||
r the Internet community.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="5489"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC5489"/> | ||||
</reference> | ||||
<reference anchor="RFC5746" target="https://www.rfc-editor.org/info/rfc5 | ||||
746" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5746.xml"> | ||||
<front> | ||||
<title>Transport Layer Security (TLS) Renegotiation Indication Exten | ||||
sion</title> | ||||
<author fullname="E. Rescorla" initials="E." surname="Rescorla"/> | ||||
<author fullname="M. Ray" initials="M." surname="Ray"/> | ||||
<author fullname="S. Dispensa" initials="S." surname="Dispensa"/> | ||||
<author fullname="N. Oskov" initials="N." surname="Oskov"/> | ||||
<date month="February" year="2010"/> | ||||
<abstract> | ||||
<t>Secure Socket Layer (SSL) and Transport Layer Security (TLS) re | ||||
negotiation are vulnerable to an attack in which the attacker forms a TLS connec | ||||
tion with the target server, injects content of his choice, and then splices in | ||||
a new TLS connection from a client. The server treats the client's initial TLS h | ||||
andshake as a renegotiation and thus believes that the initial data transmitted | ||||
by the attacker is from the same entity as the subsequent client data. This spec | ||||
ification defines a TLS extension to cryptographically tie renegotiations to the | ||||
TLS connections they are being performed over, thus preventing this attack. [ST | ||||
ANDARDS-TRACK]</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="5746"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC5746"/> | ||||
</reference> | ||||
<reference anchor="RFC5932" target="https://www.rfc-editor.org/info/rfc5 | ||||
932" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5932.xml"> | ||||
<front> | ||||
<title>Camellia Cipher Suites for TLS</title> | ||||
<author fullname="A. Kato" initials="A." surname="Kato"/> | ||||
<author fullname="M. Kanda" initials="M." surname="Kanda"/> | ||||
<author fullname="S. Kanno" initials="S." surname="Kanno"/> | ||||
<date month="June" year="2010"/> | ||||
<abstract> | ||||
<t>This document specifies a set of cipher suites for the Transpor | ||||
t Security Layer (TLS) protocol to support the Camellia encryption algorithm as | ||||
a block cipher. It amends the cipher suites originally specified in RFC 4132 by | ||||
introducing counterparts using the newer cryptographic hash algorithms from the | ||||
SHA-2 family. This document obsoletes RFC 4132. [STANDARDS-TRACK]</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="5932"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC5932"/> | ||||
</reference> | ||||
<reference anchor="RFC6020" target="https://www.rfc-editor.org/info/rfc6 | ||||
020" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6020.xml"> | ||||
<front> | ||||
<title>YANG - A Data Modeling Language for the Network Configuration | ||||
Protocol (NETCONF)</title> | ||||
<author fullname="M. Bjorklund" initials="M." role="editor" surname= | ||||
"Bjorklund"/> | ||||
<date month="October" year="2010"/> | ||||
<abstract> | ||||
<t>YANG is a data modeling language used to model configuration an | ||||
d state data manipulated by the Network Configuration Protocol (NETCONF), NETCON | ||||
F remote procedure calls, and NETCONF notifications. [STANDARDS-TRACK]</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="6020"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC6020"/> | ||||
</reference> | ||||
<reference anchor="RFC6209" target="https://www.rfc-editor.org/info/rfc6 | ||||
209" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6209.xml"> | ||||
<front> | ||||
<title>Addition of the ARIA Cipher Suites to Transport Layer Securit | ||||
y (TLS)</title> | ||||
<author fullname="W. Kim" initials="W." surname="Kim"/> | ||||
<author fullname="J. Lee" initials="J." surname="Lee"/> | ||||
<author fullname="J. Park" initials="J." surname="Park"/> | ||||
<author fullname="D. Kwon" initials="D." surname="Kwon"/> | ||||
<date month="April" year="2011"/> | ||||
<abstract> | ||||
<t>This document specifies a set of cipher suites for the Transpor | ||||
t Layer Security (TLS) protocol to support the ARIA encryption algorithm as a bl | ||||
ock cipher. This document is not an Internet Standards Track specification; it i | ||||
s published for informational purposes.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="6209"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC6209"/> | ||||
</reference> | ||||
<reference anchor="RFC6367" target="https://www.rfc-editor.org/info/rfc6 | ||||
367" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6367.xml"> | ||||
<front> | ||||
<title>Addition of the Camellia Cipher Suites to Transport Layer Sec | ||||
urity (TLS)</title> | ||||
<author fullname="S. Kanno" initials="S." surname="Kanno"/> | ||||
<author fullname="M. Kanda" initials="M." surname="Kanda"/> | ||||
<date month="September" year="2011"/> | ||||
<abstract> | ||||
<t>This document specifies forty-two cipher suites for the Transpo | ||||
rt Security Layer (TLS) protocol to support the Camellia encryption algorithm as | ||||
a block cipher. This document is not an Internet Standards Track specification; | ||||
it is published for informational purposes.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="6367"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC6367"/> | ||||
</reference> | ||||
<reference anchor="RFC6655" target="https://www.rfc-editor.org/info/rfc6 | ||||
655" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6655.xml"> | ||||
<front> | ||||
<title>AES-CCM Cipher Suites for Transport Layer Security (TLS)</tit | ||||
le> | ||||
<author fullname="D. McGrew" initials="D." surname="McGrew"/> | ||||
<author fullname="D. Bailey" initials="D." surname="Bailey"/> | ||||
<date month="July" year="2012"/> | ||||
<abstract> | ||||
<t>This memo describes the use of the Advanced Encryption Standard | ||||
(AES) in the Counter with Cipher Block Chaining - Message Authentication Code ( | ||||
CBC-MAC) Mode (CCM) of operation within Transport Layer Security (TLS) and Datag | ||||
ram TLS (DTLS) to provide confidentiality and data origin authentication. The AE | ||||
S-CCM algorithm is amenable to compact implementations, making it suitable for c | ||||
onstrained environments. [STANDARDS-TRACK]</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="6655"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC6655"/> | ||||
</reference> | ||||
<reference anchor="RFC7251" target="https://www.rfc-editor.org/info/rfc7 | ||||
251" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7251.xml"> | ||||
<front> | ||||
<title>AES-CCM Elliptic Curve Cryptography (ECC) Cipher Suites for T | ||||
LS</title> | ||||
<author fullname="D. McGrew" initials="D." surname="McGrew"/> | ||||
<author fullname="D. Bailey" initials="D." surname="Bailey"/> | ||||
<author fullname="M. Campagna" initials="M." surname="Campagna"/> | ||||
<author fullname="R. Dugal" initials="R." surname="Dugal"/> | ||||
<date month="June" year="2014"/> | ||||
<abstract> | ||||
<t>This memo describes the use of the Advanced Encryption Standard | ||||
(AES) in the Counter and CBC-MAC Mode (CCM) of operation within Transport Layer | ||||
Security (TLS) to provide confidentiality and data-origin authentication. The A | ||||
ES-CCM algorithm is amenable to compact implementations, making it suitable for | ||||
constrained environments, while at the same time providing a high level of secur | ||||
ity. The cipher suites defined in this document use Elliptic Curve Cryptography | ||||
(ECC) and are advantageous in networks with limited bandwidth.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="7251"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC7251"/> | ||||
</reference> | ||||
<reference anchor="RFC7507" target="https://www.rfc-editor.org/info/rfc7 | ||||
507" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7507.xml"> | ||||
<front> | ||||
<title>TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventi | ||||
ng Protocol Downgrade Attacks</title> | ||||
<author fullname="B. Moeller" initials="B." surname="Moeller"/> | ||||
<author fullname="A. Langley" initials="A." surname="Langley"/> | ||||
<date month="April" year="2015"/> | ||||
<abstract> | ||||
<t>This document defines a Signaling Cipher Suite Value (SCSV) tha | ||||
t prevents protocol downgrade attacks on the Transport Layer Security (TLS) and | ||||
Datagram Transport Layer Security (DTLS) protocols. It updates RFCs 2246, 4346, | ||||
4347, 5246, and 6347. Server update considerations are included.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="7507"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC7507"/> | ||||
</reference> | ||||
<reference anchor="RFC7589" target="https://www.rfc-editor.org/info/rfc7 | ||||
589" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7589.xml"> | ||||
<front> | ||||
<title>Using the NETCONF Protocol over Transport Layer Security (TLS | ||||
) with Mutual X.509 Authentication</title> | ||||
<author fullname="M. Badra" initials="M." surname="Badra"/> | ||||
<author fullname="A. Luchuk" initials="A." surname="Luchuk"/> | ||||
<author fullname="J. Schoenwaelder" initials="J." surname="Schoenwae | ||||
lder"/> | ||||
<date month="June" year="2015"/> | ||||
<abstract> | ||||
<t>The Network Configuration Protocol (NETCONF) provides mechanism | ||||
s to install, manipulate, and delete the configuration of network devices. This | ||||
document describes how to use the Transport Layer Security (TLS) protocol with m | ||||
utual X.509 authentication to secure the exchange of NETCONF messages. This revi | ||||
sion of RFC 5539 documents the new message framing used by NETCONF 1.1 and it ob | ||||
soletes RFC 5539.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="7589"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC7589"/> | ||||
</reference> | ||||
<reference anchor="RFC7905" target="https://www.rfc-editor.org/info/rfc7 | ||||
905" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7905.xml"> | ||||
<front> | ||||
<title>ChaCha20-Poly1305 Cipher Suites for Transport Layer Security | ||||
(TLS)</title> | ||||
<author fullname="A. Langley" initials="A." surname="Langley"/> | ||||
<author fullname="W. Chang" initials="W." surname="Chang"/> | ||||
<author fullname="N. Mavrogiannopoulos" initials="N." surname="Mavro | ||||
giannopoulos"/> | ||||
<author fullname="J. Strombergson" initials="J." surname="Strombergs | ||||
on"/> | ||||
<author fullname="S. Josefsson" initials="S." surname="Josefsson"/> | ||||
<date month="June" year="2016"/> | ||||
<abstract> | ||||
<t>This document describes the use of the ChaCha stream cipher and | ||||
Poly1305 authenticator in the Transport Layer Security (TLS) and Datagram Trans | ||||
port Layer Security (DTLS) protocols.</t> | ||||
<t>This document updates RFCs 5246 and 6347.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="7905"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC7905"/> | ||||
</reference> | ||||
<reference anchor="RFC7950" target="https://www.rfc-editor.org/info/rfc7 | ||||
950" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7950.xml"> | ||||
<front> | ||||
<title>The YANG 1.1 Data Modeling Language</title> | ||||
<author fullname="M. Bjorklund" initials="M." role="editor" surname= | ||||
"Bjorklund"/> | ||||
<date month="August" year="2016"/> | ||||
<abstract> | ||||
<t>YANG is a data modeling language used to model configuration da | ||||
ta, state data, Remote Procedure Calls, and notifications for network management | ||||
protocols. This document describes the syntax and semantics of version 1.1 of t | ||||
he YANG language. YANG version 1.1 is a maintenance release of the YANG language | ||||
, addressing ambiguities and defects in the original specification. There are a | ||||
small number of backward incompatibilities from YANG version 1. This document al | ||||
so specifies the YANG mappings to the Network Configuration Protocol (NETCONF).< | ||||
/t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="7950"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC7950"/> | ||||
</reference> | ||||
<reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8 | ||||
174" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"> | ||||
<front> | ||||
<title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</ti | ||||
tle> | ||||
<author fullname="B. Leiba" initials="B." surname="Leiba"/> | ||||
<date month="May" year="2017"/> | ||||
<abstract> | ||||
<t>RFC 2119 specifies common key words that may be used in protoco | ||||
l specifications. This document aims to reduce the ambiguity by clarifying that | ||||
only UPPERCASE usage of the key words have the defined special meanings.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="BCP" value="14"/> | ||||
<seriesInfo name="RFC" value="8174"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8174"/> | ||||
</reference> | ||||
<reference anchor="RFC8341" target="https://www.rfc-editor.org/info/rfc8 | ||||
341" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8341.xml"> | ||||
<front> | ||||
<title>Network Configuration Access Control Model</title> | ||||
<author fullname="A. Bierman" initials="A." surname="Bierman"/> | ||||
<author fullname="M. Bjorklund" initials="M." surname="Bjorklund"/> | ||||
<date month="March" year="2018"/> | ||||
<abstract> | ||||
<t>The standardization of network configuration interfaces for use | ||||
with the Network Configuration Protocol (NETCONF) or the RESTCONF protocol requ | ||||
ires a structured and secure operating environment that promotes human usability | ||||
and multi-vendor interoperability. There is a need for standard mechanisms to r | ||||
estrict NETCONF or RESTCONF protocol access for particular users to a preconfigu | ||||
red subset of all available NETCONF or RESTCONF protocol operations and content. | ||||
This document defines such an access control model.</t> | ||||
<t>This document obsoletes RFC 6536.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="STD" value="91"/> | ||||
<seriesInfo name="RFC" value="8341"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8341"/> | ||||
</reference> | ||||
<reference anchor="RFC8422" target="https://www.rfc-editor.org/info/rfc8 | ||||
422" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8422.xml"> | ||||
<front> | ||||
<title>Elliptic Curve Cryptography (ECC) Cipher Suites for Transport | ||||
Layer Security (TLS) Versions 1.2 and Earlier</title> | ||||
<author fullname="Y. Nir" initials="Y." surname="Nir"/> | ||||
<author fullname="S. Josefsson" initials="S." surname="Josefsson"/> | ||||
<author fullname="M. Pegourie-Gonnard" initials="M." surname="Pegour | ||||
ie-Gonnard"/> | ||||
<date month="August" year="2018"/> | ||||
<abstract> | ||||
<t>This document describes key exchange algorithms based on Ellipt | ||||
ic Curve Cryptography (ECC) for the Transport Layer Security (TLS) protocol. In | ||||
particular, it specifies the use of Ephemeral Elliptic Curve Diffie-Hellman (ECD | ||||
HE) key agreement in a TLS handshake and the use of the Elliptic Curve Digital S | ||||
ignature Algorithm (ECDSA) and Edwards-curve Digital Signature Algorithm (EdDSA) | ||||
as authentication mechanisms.</t> | ||||
<t>This document obsoletes RFC 4492.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="8422"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8422"/> | ||||
</reference> | ||||
<reference anchor="RFC8442" target="https://www.rfc-editor.org/info/rfc8 | ||||
442" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8442.xml"> | ||||
<front> | ||||
<title>ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites for TLS 1.2 | ||||
and DTLS 1.2</title> | ||||
<author fullname="J. Mattsson" initials="J." surname="Mattsson"/> | ||||
<author fullname="D. Migault" initials="D." surname="Migault"/> | ||||
<date month="September" year="2018"/> | ||||
<abstract> | ||||
<t>This document defines several new cipher suites for version 1.2 | ||||
of the Transport Layer Security (TLS) protocol and version 1.2 of the Datagram | ||||
Transport Layer Security (DTLS) protocol. These cipher suites are based on the E | ||||
phemeral Elliptic Curve Diffie-Hellman with Pre-Shared Key (ECDHE_PSK) key excha | ||||
nge together with the Authenticated Encryption with Associated Data (AEAD) algor | ||||
ithms AES-GCM and AES-CCM. PSK provides light and efficient authentication, ECDH | ||||
E provides forward secrecy, and AES-GCM and AES-CCM provide encryption and integ | ||||
rity protection.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="8442"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8442"/> | ||||
</reference> | ||||
<reference anchor="RFC8446" target="https://www.rfc-editor.org/info/rfc8 | ||||
446" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml"> | ||||
<front> | ||||
<title>The Transport Layer Security (TLS) Protocol Version 1.3</titl | ||||
e> | ||||
<author fullname="E. Rescorla" initials="E." surname="Rescorla"/> | ||||
<date month="August" year="2018"/> | ||||
<abstract> | ||||
<t>This document specifies version 1.3 of the Transport Layer Secu | ||||
rity (TLS) protocol. TLS allows client/server applications to communicate over t | ||||
he Internet in a way that is designed to prevent eavesdropping, tampering, and m | ||||
essage forgery.</t> | ||||
<t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 50 | ||||
77, 5246, and 6961. This document also specifies new requirements for TLS 1.2 im | ||||
plementations.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="8446"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8446"/> | ||||
</reference> | ||||
<reference anchor="RFC8492" target="https://www.rfc-editor.org/info/rfc8 | ||||
492" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8492.xml"> | ||||
<front> | ||||
<title>Secure Password Ciphersuites for Transport Layer Security (TL | ||||
S)</title> | ||||
<author fullname="D. Harkins" initials="D." role="editor" surname="H | ||||
arkins"/> | ||||
<date month="February" year="2019"/> | ||||
<abstract> | ||||
<t>This memo defines several new ciphersuites for the Transport La | ||||
yer Security (TLS) protocol to support certificateless, secure authentication us | ||||
ing only a simple, low-entropy password. The exchange is called "TLS-PWD". The c | ||||
iphersuites are all based on an authentication and key exchange protocol, named | ||||
"dragonfly", that is resistant to offline dictionary attacks.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="8492"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8492"/> | ||||
</reference> | ||||
<reference anchor="RFC8998" target="https://www.rfc-editor.org/info/rfc8 | ||||
998" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8998.xml"> | ||||
<front> | ||||
<title>ShangMi (SM) Cipher Suites for TLS 1.3</title> | ||||
<author fullname="P. Yang" initials="P." surname="Yang"/> | ||||
<date month="March" year="2021"/> | ||||
<abstract> | ||||
<t>This document specifies how to use the ShangMi (SM) cryptograph | ||||
ic algorithms with Transport Layer Security (TLS) protocol version 1.3.</t> | ||||
<t>The use of these algorithms with TLS 1.3 is not endorsed by the | ||||
IETF. The SM algorithms are becoming mandatory in China, so this document provi | ||||
des a description of how to use the SM algorithms with TLS 1.3 and specifies a p | ||||
rofile of TLS 1.3 so that implementers can produce interworking implementations. | ||||
</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="8998"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8998"/> | ||||
</reference> | ||||
<reference anchor="RFC9150" target="https://www.rfc-editor.org/info/rfc9 | ||||
150" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9150.xml"> | ||||
<front> | <front> | |||
<title>TLS 1.3 Authentication and Integrity-Only Cipher Suites</titl | <title>Secure Hash Standard (SHS)</title> | |||
e> | <author> | |||
<author fullname="N. Cam-Winget" initials="N." surname="Cam-Winget"/ | <organization>National Institute of Standards and Technology (NIST | |||
> | )</organization> | |||
<author fullname="J. Visoky" initials="J." surname="Visoky"/> | </author> | |||
<date month="April" year="2022"/> | <date year="2015" month="August"/> | |||
<abstract> | ||||
<t>This document defines the use of cipher suites for TLS 1.3 base | ||||
d on Hashed Message Authentication Code (HMAC). Using these cipher suites provid | ||||
es server and, optionally, mutual authentication and data authenticity, but not | ||||
data confidentiality. Cipher suites with these properties are not of general app | ||||
licability, but there are use cases, specifically in Internet of Things (IoT) an | ||||
d constrained environments, that do not require confidentiality of exchanged mes | ||||
sages while still requiring integrity protection, server authentication, and opt | ||||
ional client authentication. This document gives examples of such use cases, wit | ||||
h the caveat that prior to using these integrity-only cipher suites, a threat mo | ||||
del for the situation at hand is needed, and a threat analysis must be performed | ||||
within that model to determine whether the use of integrity-only cipher suites | ||||
is appropriate. The approach described in this document is not endorsed by the I | ||||
ETF and does not have IETF consensus, but it is presented here to enable interop | ||||
erable implementation of a reduced-security mechanism that provides authenticati | ||||
on and message integrity without supporting confidentiality.</t> | ||||
</abstract> | ||||
</front> | </front> | |||
<seriesInfo name="RFC" value="9150"/> | <seriesInfo name="FIPS PUB" value="180-4"/> | |||
<seriesInfo name="DOI" value="10.17487/RFC9150"/> | <seriesInfo name="DOI" value="10.6028/NIST.FIPS.180-4"/> | |||
</reference> | </reference> | |||
<reference anchor="RFC9189" target="https://www.rfc-editor.org/info/rfc9 | ||||
189" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9189.xml"> | <reference anchor="FIPS186-5" target="https://nvlpubs.nist.gov/nistpubs/FIPS/NIS | |||
T.FIPS.186-5.pdf" quoteTitle="true" derivedAnchor="FIPS186-5"> | ||||
<front> | <front> | |||
<title>GOST Cipher Suites for Transport Layer Security (TLS) Protoco | <title>Digital Signature Standard (DSS)</title> | |||
l Version 1.2</title> | <author> | |||
<author fullname="S. Smyshlyaev" initials="S." role="editor" surname | <organization>National Institute of Standards and Technology (NIST | |||
="Smyshlyaev"/> | )</organization> | |||
<author fullname="D. Belyavsky" initials="D." surname="Belyavsky"/> | </author> | |||
<author fullname="E. Alekseev" initials="E." surname="Alekseev"/> | <date year="2023" month="February"/> | |||
<date month="March" year="2022"/> | ||||
<abstract> | ||||
<t>This document specifies three new cipher suites, two new signat | ||||
ure algorithms, seven new supported groups, and two new certificate types for th | ||||
e Transport Layer Security (TLS) protocol version 1.2 to support the Russian cry | ||||
ptographic standard algorithms (called "GOST" algorithms). This document specifi | ||||
es a profile of TLS 1.2 with GOST algorithms so that implementers can produce in | ||||
teroperable implementations.</t> | ||||
<t>This specification facilitates implementations that aim to supp | ||||
ort the GOST algorithms. This document does not imply IETF endorsement of the ci | ||||
pher suites, signature algorithms, supported groups, and certificate types.</t> | ||||
</abstract> | ||||
</front> | </front> | |||
<seriesInfo name="RFC" value="9189"/> | <seriesInfo name="FIPS" value="186-5"/> | |||
<seriesInfo name="DOI" value="10.17487/RFC9189"/> | <seriesInfo name="DOI" value="10.6028/NIST.FIPS.186-5"/> | |||
</reference> | </reference> | |||
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D | ||||
.ietf-netconf-crypto-types.xml"/> | ||||
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D | ||||
.ietf-netconf-trust-anchors.xml"/> | ||||
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D | ||||
.ietf-netconf-keystore.xml"/> | ||||
</references> | </references> | |||
<references> | <references> | |||
<name>Informative References</name> | <name>Informative References</name> | |||
<reference anchor="RFC2818" target="https://www.rfc-editor.org/info/rfc2 | ||||
818" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2818.xml"> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.50 | |||
<front> | 56.xml"/> | |||
<title>HTTP Over TLS</title> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.52 | |||
<author fullname="E. Rescorla" initials="E." surname="Rescorla"/> | 46.xml"/> | |||
<date month="May" year="2000"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.80 | |||
<abstract> | 71.xml"/> | |||
<t>This memo describes how to use Transport Layer Security (TLS) t | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.82 | |||
o secure Hypertext Transfer Protocol (HTTP) connections over the Internet. This | 59.xml"/> | |||
memo provides information for the Internet community.</t> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.83 | |||
</abstract> | 40.xml"/> | |||
</front> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.83 | |||
<seriesInfo name="RFC" value="2818"/> | 42.xml"/> | |||
<seriesInfo name="DOI" value="10.17487/RFC2818"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.84 | |||
</reference> | 07.xml"/> | |||
<reference anchor="RFC3688" target="https://www.rfc-editor.org/info/rfc3 | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.91 | |||
688" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3688.xml"> | 10.xml"/> | |||
<front> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.36 | |||
<title>The IETF XML Registry</title> | 88.xml"/> | |||
<author fullname="M. Mealling" initials="M." surname="Mealling"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.89 | |||
<date month="January" year="2004"/> | 96.xml"/> | |||
<abstract> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.92 | |||
<t>This document describes an IANA maintained registry for IETF st | 57.xml"/> | |||
andards which use Extensible Markup Language (XML) related items such as Namespa | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.92 | |||
ces, Document Type Declarations (DTDs), Schemas, and Resource Description Framew | 58.xml"/> | |||
ork (RDF) Schemas.</t> | ||||
</abstract> | <!--[I-D.ietf-netconf-tcp-client-server] companion document RFC 9643--> | |||
</front> | <reference anchor="RFC9643" target="https://www.rfc-editor.org/info/rfc9 | |||
<seriesInfo name="BCP" value="81"/> | 643"> | |||
<seriesInfo name="RFC" value="3688"/> | <front> | |||
<seriesInfo name="DOI" value="10.17487/RFC3688"/> | <title>YANG Groupings for TCP Clients and TCP Servers</title> | |||
</reference> | <author initials="K." surname="Watsen" fullname="Kent Watsen"> | |||
<reference anchor="RFC5246" target="https://www.rfc-editor.org/info/rfc5 | <organization>Watsen Networks</organization> | |||
246" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5246.xml"> | </author> | |||
<front> | <author initials="M." surname="Scharf" fullname="Michael Scharf"> | |||
<title>The Transport Layer Security (TLS) Protocol Version 1.2</titl | <organization>Hochschule Esslingen - University of Applied Sciences | |||
e> | </organization> | |||
<author fullname="T. Dierks" initials="T." surname="Dierks"/> | </author> | |||
<author fullname="E. Rescorla" initials="E." surname="Rescorla"/> | <date month="October" year="2024"/> | |||
<date month="August" year="2008"/> | </front> | |||
<abstract> | <seriesInfo name="RFC" value="9643"/> | |||
<t>This document specifies Version 1.2 of the Transport Layer Secu | <seriesInfo name="DOI" value="10.17487/RFC9643"/> | |||
rity (TLS) protocol. The TLS protocol provides communications security over the | </reference> | |||
Internet. The protocol allows client/server applications to communicate in a way | ||||
that is designed to prevent eavesdropping, tampering, or message forgery. [STAN | <!-- [I-D.ietf-netconf-ssh-client-server] companion document RFC 9644--> | |||
DARDS-TRACK]</t> | <reference anchor="RFC9644" target="https://www.rfc-editor.org/info/rfc9 | |||
</abstract> | 644"> | |||
</front> | <front> | |||
<seriesInfo name="RFC" value="5246"/> | <title>YANG Groupings for SSH Clients and SSH Servers</title> | |||
<seriesInfo name="DOI" value="10.17487/RFC5246"/> | <author initials="K." surname="Watsen" fullname="Kent Watsen"> | |||
</reference> | <organization>Watsen Networks</organization> | |||
<reference anchor="RFC6241" target="https://www.rfc-editor.org/info/rfc6 | </author> | |||
241" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6241.xml"> | <date month="October" year="2024"/> | |||
<front> | </front> | |||
<title>Network Configuration Protocol (NETCONF)</title> | <seriesInfo name="RFC" value="9644"/> | |||
<author fullname="R. Enns" initials="R." role="editor" surname="Enns | <seriesInfo name="DOI" value="10.17487/RFC9644"/> | |||
"/> | </reference> | |||
<author fullname="M. Bjorklund" initials="M." role="editor" surname= | ||||
"Bjorklund"/> | <!-- [I-D.ietf-netconf-http-client-server] IESG state: IESG Evaluation::Revised | |||
<author fullname="J. Schoenwaelder" initials="J." role="editor" surn | I-D Needed as of 10/08/24) --> | |||
ame="Schoenwaelder"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-net | |||
<author fullname="A. Bierman" initials="A." role="editor" surname="B | conf-http-client-server"/> | |||
ierman"/> | ||||
<date month="June" year="2011"/> | <!-- [I-D.ietf-netconf-netconf-client-server] IESG state: Waiting for AD Go-Ahea | |||
<abstract> | d::Revised I-D Needed as of 10/08/24--> | |||
<t>The Network Configuration Protocol (NETCONF) defined in this do | <xi:include | |||
cument provides mechanisms to install, manipulate, and delete the configuration | href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-netconf-netconf | |||
of network devices. It uses an Extensible Markup Language (XML)-based data encod | -client-server"/> | |||
ing for the configuration data as well as the protocol messages. The NETCONF pro | ||||
tocol operations are realized as remote procedure calls (RPCs). This document ob | <!-- [I-D.ietf-netconf-restconf-client-server] IESG state: Waiting for AD Go-Ahe | |||
soletes RFC 4741. [STANDARDS-TRACK]</t> | ad::Revised I-D Needed as of 10/08/24 --> | |||
</abstract> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-net | |||
</front> | conf-restconf-client-server"/> | |||
<seriesInfo name="RFC" value="6241"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC6241"/> | <!-- [I-D.ietf-netmod-system-config] IESG state: I-D Exists as of 10/08/24--> | |||
</reference> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D. | |||
<reference anchor="RFC8040" target="https://www.rfc-editor.org/info/rfc8 | ietf-netmod-system-config.xml"/> | |||
040" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8040.xml"> | ||||
<front> | <!-- [I-D.ietf-netmod-rfc8407bis] IESG state: I-D Exists as of 10/08/24--> | |||
<title>RESTCONF Protocol</title> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D. | |||
<author fullname="A. Bierman" initials="A." surname="Bierman"/> | ietf-netmod-rfc8407bis.xml"/> | |||
<author fullname="M. Bjorklund" initials="M." surname="Bjorklund"/> | ||||
<author fullname="K. Watsen" initials="K." surname="Watsen"/> | <reference anchor="IANA-CIPHER-ALGS" target="https://www.iana.org/assign | |||
<date month="January" year="2017"/> | ments/tls-parameters/"> | |||
<abstract> | ||||
<t>This document describes an HTTP-based protocol that provides a | ||||
programmatic interface for accessing data defined in YANG, using the datastore c | ||||
oncepts defined in the Network Configuration Protocol (NETCONF).</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="8040"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8040"/> | ||||
</reference> | ||||
<reference anchor="RFC8071" target="https://www.rfc-editor.org/info/rfc8 | ||||
071" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8071.xml"> | ||||
<front> | ||||
<title>NETCONF Call Home and RESTCONF Call Home</title> | ||||
<author fullname="K. Watsen" initials="K." surname="Watsen"/> | ||||
<date month="February" year="2017"/> | ||||
<abstract> | ||||
<t>This RFC presents NETCONF Call Home and RESTCONF Call Home, whi | ||||
ch enable a NETCONF or RESTCONF server to initiate a secure connection to a NETC | ||||
ONF or RESTCONF client, respectively.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="8071"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8071"/> | ||||
</reference> | ||||
<reference anchor="RFC8340" target="https://www.rfc-editor.org/info/rfc8 | ||||
340" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8340.xml"> | ||||
<front> | ||||
<title>YANG Tree Diagrams</title> | ||||
<author fullname="M. Bjorklund" initials="M." surname="Bjorklund"/> | ||||
<author fullname="L. Berger" initials="L." role="editor" surname="Be | ||||
rger"/> | ||||
<date month="March" year="2018"/> | ||||
<abstract> | ||||
<t>This document captures the current syntax used in YANG module t | ||||
ree diagrams. The purpose of this document is to provide a single location for t | ||||
his definition. This syntax may be updated from time to time based on the evolut | ||||
ion of the YANG language.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="BCP" value="215"/> | ||||
<seriesInfo name="RFC" value="8340"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8340"/> | ||||
</reference> | ||||
<reference anchor="RFC8342" target="https://www.rfc-editor.org/info/rfc8 | ||||
342" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8342.xml"> | ||||
<front> | ||||
<title>Network Management Datastore Architecture (NMDA)</title> | ||||
<author fullname="M. Bjorklund" initials="M." surname="Bjorklund"/> | ||||
<author fullname="J. Schoenwaelder" initials="J." surname="Schoenwae | ||||
lder"/> | ||||
<author fullname="P. Shafer" initials="P." surname="Shafer"/> | ||||
<author fullname="K. Watsen" initials="K." surname="Watsen"/> | ||||
<author fullname="R. Wilton" initials="R." surname="Wilton"/> | ||||
<date month="March" year="2018"/> | ||||
<abstract> | ||||
<t>Datastores are a fundamental concept binding the data models wr | ||||
itten in the YANG data modeling language to network management protocols such as | ||||
the Network Configuration Protocol (NETCONF) and RESTCONF. This document define | ||||
s an architectural framework for datastores based on the experience gained with | ||||
the initial simpler model, addressing requirements that were not well supported | ||||
in the initial model. This document updates RFC 7950.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="8342"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8342"/> | ||||
</reference> | ||||
<reference anchor="RFC8407" target="https://www.rfc-editor.org/info/rfc8 | ||||
407" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8407.xml"> | ||||
<front> | ||||
<title>Guidelines for Authors and Reviewers of Documents Containing | ||||
YANG Data Models</title> | ||||
<author fullname="A. Bierman" initials="A." surname="Bierman"/> | ||||
<date month="October" year="2018"/> | ||||
<abstract> | ||||
<t>This memo provides guidelines for authors and reviewers of spec | ||||
ifications containing YANG modules. Recommendations and procedures are defined, | ||||
which are intended to increase interoperability and usability of Network Configu | ||||
ration Protocol (NETCONF) and RESTCONF protocol implementations that utilize YAN | ||||
G modules. This document obsoletes RFC 6087.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="BCP" value="216"/> | ||||
<seriesInfo name="RFC" value="8407"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8407"/> | ||||
</reference> | ||||
<reference anchor="RFC9257" target="https://www.rfc-editor.org/info/rfc9 | ||||
257" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9257.xml"> | ||||
<front> | ||||
<title>Guidance for External Pre-Shared Key (PSK) Usage in TLS</titl | ||||
e> | ||||
<author fullname="R. Housley" initials="R." surname="Housley"/> | ||||
<author fullname="J. Hoyland" initials="J." surname="Hoyland"/> | ||||
<author fullname="M. Sethi" initials="M." surname="Sethi"/> | ||||
<author fullname="C. A. Wood" initials="C. A." surname="Wood"/> | ||||
<date month="July" year="2022"/> | ||||
<abstract> | ||||
<t>This document provides usage guidance for external Pre-Shared K | ||||
eys (PSKs) in Transport Layer Security (TLS) 1.3 as defined in RFC 8446. It list | ||||
s TLS security properties provided by PSKs under certain assumptions, then it de | ||||
monstrates how violations of these assumptions lead to attacks. Advice for appli | ||||
cations to help meet these assumptions is provided. This document also discusses | ||||
PSK use cases and provisioning processes. Finally, it lists the privacy and sec | ||||
urity properties that are not provided by TLS 1.3 when external PSKs are used.</ | ||||
t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="9257"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC9257"/> | ||||
</reference> | ||||
<reference anchor="RFC9258" target="https://www.rfc-editor.org/info/rfc9 | ||||
258" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9258.xml"> | ||||
<front> | ||||
<title>Importing External Pre-Shared Keys (PSKs) for TLS 1.3</title> | ||||
<author fullname="D. Benjamin" initials="D." surname="Benjamin"/> | ||||
<author fullname="C. A. Wood" initials="C. A." surname="Wood"/> | ||||
<date month="July" year="2022"/> | ||||
<abstract> | ||||
<t>This document describes an interface for importing external Pre | ||||
-Shared Keys (PSKs) into TLS 1.3.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="9258"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC9258"/> | ||||
</reference> | ||||
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D | ||||
.ietf-netconf-tcp-client-server.xml"/> | ||||
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D | ||||
.ietf-netconf-ssh-client-server.xml"/> | ||||
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D | ||||
.ietf-netconf-tls-client-server.xml"/> | ||||
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D | ||||
.ietf-netconf-http-client-server.xml"/> | ||||
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D | ||||
.ietf-netconf-netconf-client-server.xml"/> | ||||
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D | ||||
.ietf-netconf-restconf-client-server.xml"/> | ||||
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D | ||||
.ietf-netmod-system-config.xml"/> | ||||
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D | ||||
.ietf-netmod-rfc8407bis.xml"/> | ||||
<reference anchor="IANA-CIPHER-ALGS" target="https://www.iana.org/assign | ||||
ments/tls-parameters/tls-parameters.xhtml#tls-parameters-4"> | ||||
<front> | <front> | |||
<title>IANA "TLS Cipher Suites" Sub-registry of the "Transport Layer | <title>TLS Cipher Suites</title> | |||
Security (TLS) Parameters" Registry</title> | <author> | |||
<author fullname="Internet Assigned Numbers Authority (IANA)"/> | <organization>IANA</organization> | |||
</author> | ||||
</front> | </front> | |||
</reference> | </reference> | |||
<reference anchor="IANA-YANG-PARAMETERS" target="https://www.iana.org/as signments/yang-parameters"> | <reference anchor="IANA-YANG-PARAMETERS" target="https://www.iana.org/as signments/yang-parameters"> | |||
<front> | <front> | |||
<title>YANG Parameters</title> | <title>YANG Parameters</title> | |||
<author> | <author> | |||
<organization/> | <organization>IANA</organization> | |||
</author> | </author> | |||
<date>n.d.</date> | ||||
</front> | </front> | |||
</reference> | </reference> | |||
</references> | ||||
<reference anchor="W3C.REC-xml-20081126" target="https://www.w | ||||
3.org/TR/xml/" quoteTitle="true" derivedAnchor="W3C.REC-xml-20081126"> | ||||
<front> | ||||
<title>Extensible Markup Language (XML) 1.0 (Fifth Edition)</title> | ||||
<author initials="T." surname="Bray"/> | ||||
<author initials="J." surname="Paoli"/> | ||||
<author initials="C. M." surname="Sperberg-McQueen"/> | ||||
<author initials="E." surname="Maler"/> | ||||
<author initials="F." surname="Yergeau"/> | ||||
<date month="November" year="2008"/> | ||||
</front> | ||||
<refcontent>W3C Recommendation REC-xml-20081126</refcontent> | ||||
</reference> | ||||
</references> | ||||
</references> | </references> | |||
<section anchor="iana-script"> | <section anchor="iana-script"> | |||
<name>Script to Generate IANA-Maintained YANG Modules</name> | <name>Script to Generate IANA-Maintained YANG Modules</name> | |||
<t>This section is not Normative.</t> | <t>This section is not normative.</t> | |||
<t>The Python <eref target="https://www.python.org"/> script contained in | ||||
this | <t>The Python <eref target="https://www.python.org" brackets="angle"/> scr | |||
section will create the IANA-maintained module described in this docume | ipt contained in this | |||
nt.</t> | section was used to create the initial IANA-maintained "iana-tls-cipher- | |||
<t>Run the script using the command `python gen-yang-modules.py`, to produ | suite-algs" YANG module maintained at <xref target="IANA-YANG-PARAMETERS"/>.</ | |||
ce the | t> | |||
<t>Run the script using the command 'python gen-yang-modules.py' to produc | ||||
e the | ||||
YANG module file in the current directory.</t> | YANG module file in the current directory.</t> | |||
<t>Be aware that the script does not attempt to copy the "revision" statem ents | <t>Be aware that the script does not attempt to copy the "revision" statem ents | |||
from the previous/current YANG module. Copying the revision statements must | from the previous/current YANG module. Copying the revision statements must | |||
be done manually.</t> | be done manually.</t> | |||
<sourcecode type="python" markers="true"><![CDATA[ | <sourcecode type="python" markers="true"><![CDATA[ | |||
=============== NOTE: '\\' line wrapping per RFC 8792 =============== | =============== NOTE: '\\' line wrapping per RFC 8792 =============== | |||
import re | import re | |||
import csv | import csv | |||
import requests | import requests | |||
import textwrap | import textwrap | |||
import requests_cache | import requests_cache | |||
from io import StringIO | from io import StringIO | |||
from datetime import datetime | from datetime import datetime | |||
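Review bot: The new informative `xi:include` lines on the right-hand side are inconsistent about the file suffix: `reference.I-D.ietf-netconf-http-client-server`, `reference.I-D.ietf-netconf-netconf-client-server` and `reference.I-D.ietf-netconf-restconf-client-server` are referenced with no `.xml`, while `reference.I-D.ietf-netmod-system-config.xml` and `reference.I-D.ietf-netmod-rfc8407bis.xml` in the same list keep it. Use one form throughout so the build does not depend on how the bibxml server resolves a bare name. Separately, the `IANA-CIPHER-ALGS` target drops the `tls-parameters.xhtml#tls-parameters-4` part, so a reference titled "TLS Cipher Suites" now points at the whole parameters page; consider keeping a target that lands on the cipher suite registry itself.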
skipping to change at line 3405 ¶ | skipping to change at line 2898 ¶ | |||
organization | organization | |||
"Internet Assigned Numbers Authority (IANA)"; | "Internet Assigned Numbers Authority (IANA)"; | |||
contact | contact | |||
"Postal: ICANN | "Postal: ICANN | |||
12025 Waterfront Drive, Suite 300 | 12025 Waterfront Drive, Suite 300 | |||
Los Angeles, CA 90094-2536 | Los Angeles, CA 90094-2536 | |||
United States of America | United States of America | |||
Tel: +1 310 301 5800 | Tel: +1 310 301 5800 | |||
Email: iana@iana.org"; | Email: <iana@iana.org>"; | |||
description | description | |||
"This module defines enumerations for the Cipher Suite | "This module defines enumerations for the cipher suite | |||
algorithms defined in the 'TLS Cipher Suites' sub-registry | algorithms defined in the 'TLS Cipher Suites' registry | |||
of the 'Transport Layer Security (TLS) Parameters' registry | under the 'Transport Layer Security (TLS) Parameters' | |||
maintained by IANA. | registry group maintained by IANA. | |||
Copyright (c) YEAR IETF Trust and the persons identified as | Copyright (c) 2024 IETF Trust and the persons identified as | |||
authors of the code. All rights reserved. | authors of the code. All rights reserved. | |||
Redistribution and use in source and binary forms, with | Redistribution and use in source and binary forms, with | |||
or without modification, is permitted pursuant to, and | or without modification, is permitted pursuant to, and | |||
subject to the license terms contained in, the Revised | subject to the license terms contained in, the Revised | |||
BSD License set forth in Section 4.c of the IETF Trust's | BSD License set forth in Section 4.c of the IETF Trust's | |||
Legal Provisions Relating to IETF Documents | Legal Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info). | (https://trustee.ietf.org/license-info). | |||
The initial version of this YANG module is part of RFC FFFF | The initial version of this YANG module is part of RFC 9645 | |||
(https://www.rfc-editor.org/info/rfcFFFF); see the RFC | (https://www.rfc-editor.org/info/rfc9645); see the RFC | |||
itself for full legal notices. | itself for full legal notices. | |||
All versions of this module are published by IANA at | All versions of this module are published by IANA | |||
https://www.iana.org/assignments/yang-parameters."; | (https://www.iana.org/assignments/yang-parameters)."; | |||
revision DATE { | revision DATE { | |||
description | description | |||
"This initial version of the module was created using | "This initial version of the module was created using | |||
the script defined in RFC FFFF to reflect the contents | the script defined in RFC 9645 to reflect the contents | |||
of the SNAME algorithms registry maintained by IANA."; | of the SNAME algorithms registry maintained by IANA."; | |||
reference | reference | |||
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; | "RFC 9645: YANG Groupings for TLS Clients and TLS Servers"; | |||
} | } | |||
typedef tls-HNAME-algorithm { | typedef tls-HNAME-algorithm { | |||
type enumeration { | type enumeration { | |||
""" | """ | |||
# Replacements | # Replacements | |||
rep = { | rep = { | |||
"DATE": datetime.today().strftime('%Y-%m-%d'), | "DATE": datetime.today().strftime('%Y-%m-%d'), | |||
"YEAR": datetime.today().strftime('%Y'), | "YEAR": datetime.today().strftime('%Y'), | |||
"SNAME": module["spaced_name"], | "SNAME": module["spaced_name"], | |||
skipping to change at line 3521 ¶ | skipping to change at line 3014 ¶ | |||
\1>', item) | \1>', item) | |||
if title.startswith("ECDHE\_PSK"): | if title.startswith("ECDHE\_PSK"): | |||
title = re.sub("ECDHE\\\\_PSK", \ | title = re.sub("ECDHE\\\\_PSK", \ | |||
\"ECDHE_PSK", title) | \"ECDHE_PSK", title) | |||
titles.append(re.sub('.*{{(.*)}}.*',\ | titles.append(re.sub('.*{{(.*)}}.*',\ | |||
\ r'\g<1>', title)) | \ r'\g<1>', title)) | |||
break | break | |||
else: | else: | |||
raise Exception("RFC title not found") | raise Exception("RFC title not found") | |||
# Insert a space: "RFCXXXX" --> "RFC XXXX" | # Insert a space: "RFC9645" --> "RFC 9645" | |||
index = refs.index(ref) | index = refs.index(ref) | |||
refs[index] = "RFC " + ref[3:] | refs[index] = "RFC " + ref[3:] | |||
elif ref == "IESG Action 2018-08-16": | elif ref == "IESG Action 2018-08-16": | |||
# Rewrite the ref value | # Rewrite the ref value | |||
index = refs.index(ref) | index = refs.index(ref) | |||
refs[index] = "IESG Action" | refs[index] = "IESG Action" | |||
# Let title be something descriptive | # Let title be something descriptive | |||
titles.append("IESG Action 2018-08-16") | titles.append("IESG Action 2018-08-16") | |||
elif ref == "draft-irtf-cfrg-aegis-aead-08": | elif ref == "draft-irtf-cfrg-aegis-aead-08": | |||
# Manually set the draft's title | # Manually set the document's title | |||
titles.append("The AEGIS Family of Authentic\ | titles.append("The AEGIS Family of Authentic\ | |||
\ated Encryption Algorithms") | \ated Encryption Algorithms") | |||
elif ref: | elif ref: | |||
raise Exception(f'ref "{ref}" not found') | raise Exception(f'ref "{ref}" not found') | |||
else: | else: | |||
raise Exception(f'ref missing: {row}') | raise Exception(f'ref missing: {row}') | |||
# Write out the enum | # Write out the enum | |||
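Review bot: The comment `# Insert a space: "RFC9645" --> "RFC 9645"` reads like a side effect of the placeholder substitution applied elsewhere in the document: the statement it describes, `refs[index] = "RFC " + ref[3:]`, is generic over whatever RFC reference is being processed, so the original `"RFCXXXX" --> "RFC XXXX"` wording was the accurate one and should be kept. While here, the `elif ref == "draft-irtf-cfrg-aegis-aead-08"` special case is pinned to a single draft revision; any other revision string falls through to `raise Exception(f'ref "{ref}" not found')`, so either match on the draft name without the revision or note next to the special case that it must be updated by hand.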
skipping to change at line 3592 ¶ | skipping to change at line 3085 ¶ | |||
\algorithms.";\n') | \algorithms.";\n') | |||
f.write(" }\n") | f.write(" }\n") | |||
f.write('\n') | f.write('\n') | |||
f.write('}\n') | f.write('}\n') | |||
def create_module(module): | def create_module(module): | |||
# Install cache for 8x speedup | # Install cache for 8x speedup | |||
requests_cache.install_cache() | requests_cache.install_cache() | |||
# Ascertain yang module's name | # Ascertain the yang module's name | |||
yang_module_name = "iana-tls-" + module["hypenated_name"] + "-al\ | yang_module_name = "iana-tls-" + module["hypenated_name"] + "-al\ | |||
\gs.yang" | \gs.yang" | |||
# Create yang module file | # Create yang module file | |||
with open(yang_module_name, "w") as f: | with open(yang_module_name, "w") as f: | |||
create_module_begin(module, f) | create_module_begin(module, f) | |||
create_module_body(module, f) | create_module_body(module, f) | |||
create_module_end(module, f) | create_module_end(module, f) | |||
def main(): | def main(): | |||
for module in MODULES: | for module in MODULES: | |||
create_module(module) | create_module(module) | |||
if __name__ == "__main__": | if __name__ == "__main__": | |||
main() | main() | |||
]]></sourcecode> | ]]></sourcecode> | |||
<section anchor="tls-cipher-algs-model"> | </section> | |||
<name>Initial Module for the "TLS Cipher Suites" Registry</name> | ||||
<t>Following are the complete contents to the initial IANA-maintained YA | ||||
NG module. | ||||
Please note that the date "2024-03-16" reflects the day on which the | ||||
extraction | ||||
occurred. Applications SHOULD use the IANA-maintained module, not t | ||||
he module | ||||
defined in this draft.</t> | ||||
<t>This YANG module has normative references to <xref target="RFC2712"/> | ||||
, | ||||
<xref target="RFC4162"/>, <xref target="RFC4279"/>, <xref target="RFC4 | ||||
346"/>, | ||||
<xref target="RFC4785"/>, <xref target="RFC5054"/>, <xref target="RFC5 | ||||
246"/>, | ||||
<xref target="RFC5288"/>, <xref target="RFC5289"/>, <xref target="RFC5 | ||||
469"/>, | ||||
<xref target="RFC5487"/>, <xref target="RFC5489"/>, <xref target="RFC5 | ||||
746"/>, | ||||
<xref target="RFC5932"/>, <xref target="RFC6209"/>, <xref target="RFC6 | ||||
367"/>, | ||||
<xref target="RFC6655"/>, <xref target="RFC7251"/>, <xref target="RFC7 | ||||
507"/>, | ||||
<xref target="RFC7905"/>, <xref target="RFC8422"/>, <xref target="RFC8 | ||||
442"/>, | ||||
<xref target="RFC8446"/>, <xref target="RFC8492"/>, <xref target="RFC8 | ||||
998"/>, | ||||
<xref target="RFC9150"/>, <xref target="RFC9189"/>, and <xref target=" | ||||
RFC8340"/>.</t> | ||||
<t keepWithNext="true"><CODE BEGINS> file "iana-tls-cipher-suite-a | ||||
lgs@2024-03-16.yang"</t> | ||||
<artwork><![CDATA[ | ||||
module iana-tls-cipher-suite-algs { | ||||
yang-version 1.1; | ||||
namespace "urn:ietf:params:xml:ns:yang:iana-tls-cipher-suite-algs"; | ||||
prefix tlscsa; | ||||
organization | ||||
"Internet Assigned Numbers Authority (IANA)"; | ||||
contact | ||||
"Postal: ICANN | ||||
12025 Waterfront Drive, Suite 300 | ||||
Los Angeles, CA 90094-2536 | ||||
United States of America | ||||
Tel: +1 310 301 5800 | ||||
Email: iana@iana.org"; | ||||
description | ||||
"This module defines enumerations for the Cipher Suite | ||||
algorithms defined in the 'TLS Cipher Suites' sub-registry | ||||
of the 'Transport Layer Security (TLS) Parameters' registry | ||||
maintained by IANA. | ||||
Copyright (c) 2024 IETF Trust and the persons identified as | ||||
authors of the code. All rights reserved. | ||||
Redistribution and use in source and binary forms, with | ||||
or without modification, is permitted pursuant to, and | ||||
subject to the license terms contained in, the Revised | ||||
BSD License set forth in Section 4.c of the IETF Trust's | ||||
Legal Provisions Relating to IETF Documents | ||||
(https://trustee.ietf.org/license-info). | ||||
The initial version of this YANG module is part of RFC FFFF | ||||
(https://www.rfc-editor.org/info/rfcFFFF); see the RFC | ||||
itself for full legal notices. | ||||
All versions of this module are published by IANA at | ||||
https://www.iana.org/assignments/yang-parameters."; | ||||
revision 2024-03-16 { | ||||
description | ||||
"This initial version of the module was created using | ||||
the script defined in RFC FFFF to reflect the contents | ||||
of the cipher-suite algorithms registry maintained by IANA."; | ||||
reference | ||||
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; | ||||
} | ||||
typedef tls-cipher-suite-algorithm { | ||||
type enumeration { | ||||
enum TLS_NULL_WITH_NULL_NULL { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_NULL_WITH_NULL_NULL' algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_RSA_WITH_NULL_MD5 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_NULL_MD5' algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_RSA_WITH_NULL_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_NULL_SHA' algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_RSA_EXPORT_WITH_RC4_40_MD5 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_EXPORT_WITH_RC4_40_MD5' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4346: | ||||
The Transport Layer Security (TLS) Protocol Version 1.1 | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_RSA_WITH_RC4_128_MD5 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_RC4_128_MD5' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version 1.2 | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_RSA_WITH_RC4_128_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_RC4_128_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version 1.2 | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4346: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.1"; | ||||
} | ||||
enum TLS_RSA_WITH_IDEA_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_IDEA_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8996: | ||||
Deprecating TLS 1.0 and TLS 1.1"; | ||||
} | ||||
enum TLS_RSA_EXPORT_WITH_DES40_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_EXPORT_WITH_DES40_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4346: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.1"; | ||||
} | ||||
enum TLS_RSA_WITH_DES_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_DES_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8996: | ||||
Deprecating TLS 1.0 and TLS 1.1"; | ||||
} | ||||
enum TLS_RSA_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_3DES_EDE_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4346: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.1"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_DES_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_DSS_WITH_DES_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8996: | ||||
Deprecating TLS 1.0 and TLS 1.1"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4346: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.1"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_DES_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_RSA_WITH_DES_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8996: | ||||
Deprecating TLS 1.0 and TLS 1.1"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA' algorithm."; | ||||
reference | ||||
"RFC 4346: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.1"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_DES_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_DSS_WITH_DES_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8996: | ||||
Deprecating TLS 1.0 and TLS 1.1"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA' algorithm."; | ||||
reference | ||||
"RFC 4346: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.1"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_DES_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_RSA_WITH_DES_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8996: | ||||
Deprecating TLS 1.0 and TLS 1.1"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_anon_EXPORT_WITH_RC4_40_MD5' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4346: | ||||
The Transport Layer Security (TLS) Protocol Version 1.1 | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_DH_anon_WITH_RC4_128_MD5 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_anon_WITH_RC4_128_MD5' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version 1.2 | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA' algorithm."; | ||||
reference | ||||
"RFC 4346: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.1"; | ||||
} | ||||
enum TLS_DH_anon_WITH_DES_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_anon_WITH_DES_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8996: | ||||
Deprecating TLS 1.0 and TLS 1.1"; | ||||
} | ||||
enum TLS_DH_anon_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_anon_WITH_3DES_EDE_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_KRB5_WITH_DES_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_KRB5_WITH_DES_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 2712: | ||||
Addition of Kerberos Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_KRB5_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_KRB5_WITH_3DES_EDE_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 2712: | ||||
Addition of Kerberos Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_KRB5_WITH_RC4_128_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_KRB5_WITH_RC4_128_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 2712: | ||||
Addition of Kerberos Cipher Suites to Transport Layer | ||||
Security (TLS) | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_KRB5_WITH_IDEA_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_KRB5_WITH_IDEA_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 2712: | ||||
Addition of Kerberos Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_KRB5_WITH_DES_CBC_MD5 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_KRB5_WITH_DES_CBC_MD5' | ||||
algorithm."; | ||||
reference | ||||
"RFC 2712: | ||||
Addition of Kerberos Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_KRB5_WITH_3DES_EDE_CBC_MD5 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_KRB5_WITH_3DES_EDE_CBC_MD5' | ||||
algorithm."; | ||||
reference | ||||
"RFC 2712: | ||||
Addition of Kerberos Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_KRB5_WITH_RC4_128_MD5 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_KRB5_WITH_RC4_128_MD5' | ||||
algorithm."; | ||||
reference | ||||
"RFC 2712: | ||||
Addition of Kerberos Cipher Suites to Transport Layer | ||||
Security (TLS) | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_KRB5_WITH_IDEA_CBC_MD5 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_KRB5_WITH_IDEA_CBC_MD5' | ||||
algorithm."; | ||||
reference | ||||
"RFC 2712: | ||||
Addition of Kerberos Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 2712: | ||||
Addition of Kerberos Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 2712: | ||||
Addition of Kerberos Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_KRB5_EXPORT_WITH_RC4_40_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_KRB5_EXPORT_WITH_RC4_40_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 2712: | ||||
Addition of Kerberos Cipher Suites to Transport Layer | ||||
Security (TLS) | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5' | ||||
algorithm."; | ||||
reference | ||||
"RFC 2712: | ||||
Addition of Kerberos Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5' | ||||
algorithm."; | ||||
reference | ||||
"RFC 2712: | ||||
Addition of Kerberos Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_KRB5_EXPORT_WITH_RC4_40_MD5 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_KRB5_EXPORT_WITH_RC4_40_MD5' | ||||
algorithm."; | ||||
reference | ||||
"RFC 2712: | ||||
Addition of Kerberos Cipher Suites to Transport Layer | ||||
Security (TLS) | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_PSK_WITH_NULL_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_NULL_SHA' algorithm."; | ||||
reference | ||||
"RFC 4785: | ||||
Pre-Shared Key (PSK) Ciphersuites with NULL Encryption | ||||
for Transport Layer Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_NULL_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_PSK_WITH_NULL_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4785: | ||||
Pre-Shared Key (PSK) Ciphersuites with NULL Encryption | ||||
for Transport Layer Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_NULL_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_PSK_WITH_NULL_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4785: | ||||
Pre-Shared Key (PSK) Ciphersuites with NULL Encryption | ||||
for Transport Layer Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_DSS_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_RSA_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_DSS_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DH_anon_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_anon_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_RSA_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_DSS_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_RSA_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_DSS_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DH_anon_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_anon_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_RSA_WITH_NULL_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_NULL_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_RSA_WITH_AES_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_AES_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_RSA_WITH_AES_256_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_AES_256_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_AES_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_DSS_WITH_AES_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_AES_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_RSA_WITH_AES_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_RSA_WITH_CAMELLIA_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA' algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA' algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA' algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_AES_256_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_DSS_WITH_AES_256_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_AES_256_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_RSA_WITH_AES_256_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DH_anon_WITH_AES_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_anon_WITH_AES_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_DH_anon_WITH_AES_256_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_anon_WITH_AES_256_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5246: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.2"; | ||||
} | ||||
enum TLS_RSA_WITH_CAMELLIA_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA' algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA' algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA' algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_PSK_WITH_RC4_128_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_RC4_128_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4279: | ||||
Pre-Shared Key Ciphersuites for Transport Layer Security | ||||
(TLS) | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_PSK_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_3DES_EDE_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4279: | ||||
Pre-Shared Key Ciphersuites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_PSK_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4279: | ||||
Pre-Shared Key Ciphersuites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_PSK_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4279: | ||||
Pre-Shared Key Ciphersuites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_RC4_128_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_PSK_WITH_RC4_128_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4279: | ||||
Pre-Shared Key Ciphersuites for Transport Layer Security | ||||
(TLS) | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4279: | ||||
Pre-Shared Key Ciphersuites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_PSK_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4279: | ||||
Pre-Shared Key Ciphersuites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_PSK_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4279: | ||||
Pre-Shared Key Ciphersuites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_RC4_128_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_PSK_WITH_RC4_128_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4279: | ||||
Pre-Shared Key Ciphersuites for Transport Layer Security | ||||
(TLS) | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4279: | ||||
Pre-Shared Key Ciphersuites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_PSK_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4279: | ||||
Pre-Shared Key Ciphersuites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_PSK_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4279: | ||||
Pre-Shared Key Ciphersuites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_RSA_WITH_SEED_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_SEED_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4162: | ||||
Addition of SEED Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_SEED_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_DSS_WITH_SEED_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4162: | ||||
Addition of SEED Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_SEED_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_RSA_WITH_SEED_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4162: | ||||
Addition of SEED Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_SEED_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_DSS_WITH_SEED_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4162: | ||||
Addition of SEED Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_SEED_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_RSA_WITH_SEED_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4162: | ||||
Addition of SEED Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DH_anon_WITH_SEED_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_anon_WITH_SEED_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4162: | ||||
Addition of SEED Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_WITH_AES_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_AES_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5288: | ||||
AES Galois Counter Mode (GCM) Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_RSA_WITH_AES_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_AES_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5288: | ||||
AES Galois Counter Mode (GCM) Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 { | ||||
description | ||||
"Enumeration for the 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5288: | ||||
AES Galois Counter Mode (GCM) Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 { | ||||
description | ||||
"Enumeration for the 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5288: | ||||
AES Galois Counter Mode (GCM) Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_AES_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_RSA_WITH_AES_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5288: | ||||
AES Galois Counter Mode (GCM) Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_AES_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_RSA_WITH_AES_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5288: | ||||
AES Galois Counter Mode (GCM) Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_DSS_WITH_AES_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5288: | ||||
AES Galois Counter Mode (GCM) Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_DSS_WITH_AES_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5288: | ||||
AES Galois Counter Mode (GCM) Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_AES_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_DSS_WITH_AES_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5288: | ||||
AES Galois Counter Mode (GCM) Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_AES_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_DSS_WITH_AES_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5288: | ||||
AES Galois Counter Mode (GCM) Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_anon_WITH_AES_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_anon_WITH_AES_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5288: | ||||
AES Galois Counter Mode (GCM) Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_anon_WITH_AES_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_anon_WITH_AES_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5288: | ||||
AES Galois Counter Mode (GCM) Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_PSK_WITH_AES_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_AES_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_PSK_WITH_AES_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_AES_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 { | ||||
description | ||||
"Enumeration for the 'TLS_DHE_PSK_WITH_AES_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 { | ||||
description | ||||
"Enumeration for the 'TLS_DHE_PSK_WITH_AES_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_PSK_WITH_AES_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_PSK_WITH_AES_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_PSK_WITH_AES_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_AES_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_PSK_WITH_AES_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_AES_256_CBC_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_PSK_WITH_NULL_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_NULL_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_PSK_WITH_NULL_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_NULL_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_PSK_WITH_AES_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_PSK_WITH_AES_256_CBC_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_NULL_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_PSK_WITH_NULL_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_NULL_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_PSK_WITH_NULL_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_PSK_WITH_AES_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_PSK_WITH_AES_256_CBC_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_NULL_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_PSK_WITH_NULL_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_NULL_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_PSK_WITH_NULL_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5487: | ||||
Pre-Shared Key Cipher Suites for TLS with SHA-256/384 | ||||
and AES Galois Counter Mode"; | ||||
} | ||||
enum TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 5932: | ||||
Camellia Cipher Suites for TLS"; | ||||
} | ||||
enum TLS_SM4_GCM_SM3 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_SM4_GCM_SM3' algorithm."; | ||||
reference | ||||
"RFC 8998: | ||||
ShangMi (SM) Cipher Suites for TLS 1.3"; | ||||
} | ||||
enum TLS_SM4_CCM_SM3 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_SM4_CCM_SM3' algorithm."; | ||||
reference | ||||
"RFC 8998: | ||||
ShangMi (SM) Cipher Suites for TLS 1.3"; | ||||
} | ||||
enum TLS_EMPTY_RENEGOTIATION_INFO_SCSV { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_EMPTY_RENEGOTIATION_INFO_SCSV' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5746: | ||||
Transport Layer Security (TLS) Renegotiation Indication | ||||
Extension"; | ||||
} | ||||
enum TLS_AES_128_GCM_SHA256 { | ||||
description | ||||
"Enumeration for the 'TLS_AES_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 8446: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.3"; | ||||
} | ||||
enum TLS_AES_256_GCM_SHA384 { | ||||
description | ||||
"Enumeration for the 'TLS_AES_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 8446: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.3"; | ||||
} | ||||
enum TLS_CHACHA20_POLY1305_SHA256 { | ||||
description | ||||
"Enumeration for the 'TLS_CHACHA20_POLY1305_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8446: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.3"; | ||||
} | ||||
enum TLS_AES_128_CCM_SHA256 { | ||||
description | ||||
"Enumeration for the 'TLS_AES_128_CCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 8446: | ||||
The Transport Layer Security (TLS) Protocol Version | ||||
1.3"; | ||||
} | ||||
enum TLS_AES_128_CCM_8_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_AES_128_CCM_8_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8446: | ||||
The Transport Layer Security (TLS) Protocol Version 1.3 | ||||
IESG Action: | ||||
IESG Action 2018-08-16"; | ||||
} | ||||
enum TLS_AEGIS_256_SHA512 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_AEGIS_256_SHA512' algorithm."; | ||||
reference | ||||
"draft-irtf-cfrg-aegis-aead-08: | ||||
The AEGIS Family of Authenticated Encryption | ||||
Algorithms"; | ||||
} | ||||
enum TLS_AEGIS_128L_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_AEGIS_128L_SHA256' algorithm."; | ||||
reference | ||||
"draft-irtf-cfrg-aegis-aead-08: | ||||
The AEGIS Family of Authenticated Encryption | ||||
Algorithms"; | ||||
} | ||||
enum TLS_FALLBACK_SCSV { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_FALLBACK_SCSV' algorithm."; | ||||
reference | ||||
"RFC 7507: | ||||
TLS Fallback Signaling Cipher Suite Value (SCSV) for | ||||
Preventing Protocol Downgrade Attacks"; | ||||
} | ||||
enum TLS_ECDH_ECDSA_WITH_NULL_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_ECDSA_WITH_NULL_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDH_ECDSA_WITH_RC4_128_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_ECDSA_WITH_RC4_128_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and Earlier | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_NULL_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_ECDSA_WITH_NULL_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_RC4_128_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and Earlier | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA' algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDH_RSA_WITH_NULL_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_RSA_WITH_NULL_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDH_RSA_WITH_RC4_128_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_RSA_WITH_RC4_128_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and Earlier | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDH_RSA_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_RSA_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDH_RSA_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_RSA_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_NULL_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_RSA_WITH_NULL_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_RC4_128_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_RSA_WITH_RC4_128_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and Earlier | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDH_anon_WITH_NULL_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_anon_WITH_NULL_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDH_anon_WITH_RC4_128_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_anon_WITH_RC4_128_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and Earlier | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDH_anon_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_anon_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_ECDH_anon_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_anon_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8422: | ||||
Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||
Transport Layer Security (TLS) Versions 1.2 and | ||||
Earlier"; | ||||
} | ||||
enum TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5054: | ||||
Using the Secure Remote Password (SRP) Protocol for TLS | ||||
Authentication"; | ||||
} | ||||
enum TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA' algorithm."; | ||||
reference | ||||
"RFC 5054: | ||||
Using the Secure Remote Password (SRP) Protocol for TLS | ||||
Authentication"; | ||||
} | ||||
enum TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA' algorithm."; | ||||
reference | ||||
"RFC 5054: | ||||
Using the Secure Remote Password (SRP) Protocol for TLS | ||||
Authentication"; | ||||
} | ||||
enum TLS_SRP_SHA_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_SRP_SHA_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5054: | ||||
Using the Secure Remote Password (SRP) Protocol for TLS | ||||
Authentication"; | ||||
} | ||||
enum TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5054: | ||||
Using the Secure Remote Password (SRP) Protocol for TLS | ||||
Authentication"; | ||||
} | ||||
enum TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5054: | ||||
Using the Secure Remote Password (SRP) Protocol for TLS | ||||
Authentication"; | ||||
} | ||||
enum TLS_SRP_SHA_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_SRP_SHA_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5054: | ||||
Using the Secure Remote Password (SRP) Protocol for TLS | ||||
Authentication"; | ||||
} | ||||
enum TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5054: | ||||
Using the Secure Remote Password (SRP) Protocol for TLS | ||||
Authentication"; | ||||
} | ||||
enum TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5054: | ||||
Using the Secure Remote Password (SRP) Protocol for TLS | ||||
Authentication"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 5289: | ||||
TLS Elliptic Curve Cipher Suites with SHA-256/384 and | ||||
AES Galois Counter Mode (GCM)"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384' algorithm."; | ||||
reference | ||||
"RFC 5289: | ||||
TLS Elliptic Curve Cipher Suites with SHA-256/384 and | ||||
AES Galois Counter Mode (GCM)"; | ||||
} | ||||
enum TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 5289: | ||||
TLS Elliptic Curve Cipher Suites with SHA-256/384 and | ||||
AES Galois Counter Mode (GCM)"; | ||||
} | ||||
enum TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384' algorithm."; | ||||
reference | ||||
"RFC 5289: | ||||
TLS Elliptic Curve Cipher Suites with SHA-256/384 and | ||||
AES Galois Counter Mode (GCM)"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 5289: | ||||
TLS Elliptic Curve Cipher Suites with SHA-256/384 and | ||||
AES Galois Counter Mode (GCM)"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384' algorithm."; | ||||
reference | ||||
"RFC 5289: | ||||
TLS Elliptic Curve Cipher Suites with SHA-256/384 and | ||||
AES Galois Counter Mode (GCM)"; | ||||
} | ||||
enum TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5289: | ||||
TLS Elliptic Curve Cipher Suites with SHA-256/384 and | ||||
AES Galois Counter Mode (GCM)"; | ||||
} | ||||
enum TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5289: | ||||
TLS Elliptic Curve Cipher Suites with SHA-256/384 and | ||||
AES Galois Counter Mode (GCM)"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 { | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 5289: | ||||
TLS Elliptic Curve Cipher Suites with SHA-256/384 and | ||||
AES Galois Counter Mode (GCM)"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 { | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 5289: | ||||
TLS Elliptic Curve Cipher Suites with SHA-256/384 and | ||||
AES Galois Counter Mode (GCM)"; | ||||
} | ||||
enum TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 5289: | ||||
TLS Elliptic Curve Cipher Suites with SHA-256/384 and | ||||
AES Galois Counter Mode (GCM)"; | ||||
} | ||||
enum TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 5289: | ||||
TLS Elliptic Curve Cipher Suites with SHA-256/384 and | ||||
AES Galois Counter Mode (GCM)"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 { | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 5289: | ||||
TLS Elliptic Curve Cipher Suites with SHA-256/384 and | ||||
AES Galois Counter Mode (GCM)"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 { | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 5289: | ||||
TLS Elliptic Curve Cipher Suites with SHA-256/384 and | ||||
AES Galois Counter Mode (GCM)"; | ||||
} | ||||
enum TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5289: | ||||
TLS Elliptic Curve Cipher Suites with SHA-256/384 and | ||||
AES Galois Counter Mode (GCM)"; | ||||
} | ||||
enum TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5289: | ||||
TLS Elliptic Curve Cipher Suites with SHA-256/384 and | ||||
AES Galois Counter Mode (GCM)"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_RC4_128_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_PSK_WITH_RC4_128_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5489: | ||||
ECDHE_PSK Cipher Suites for Transport Layer Security | ||||
(TLS) | ||||
RFC 6347: | ||||
Datagram Transport Layer Security Version 1.2"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5489: | ||||
ECDHE_PSK Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5489: | ||||
ECDHE_PSK Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5489: | ||||
ECDHE_PSK Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 5489: | ||||
ECDHE_PSK Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384' algorithm."; | ||||
reference | ||||
"RFC 5489: | ||||
ECDHE_PSK Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_NULL_SHA { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_PSK_WITH_NULL_SHA' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5489: | ||||
ECDHE_PSK Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_NULL_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_PSK_WITH_NULL_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5489: | ||||
ECDHE_PSK Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_NULL_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_PSK_WITH_NULL_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5489: | ||||
ECDHE_PSK Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_RSA_WITH_ARIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_ARIA_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_WITH_ARIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_ARIA_256_CBC_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DH_anon_WITH_ARIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_anon_WITH_ARIA_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DH_anon_WITH_ARIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_anon_WITH_ARIA_256_CBC_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_WITH_ARIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_ARIA_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_WITH_ARIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_ARIA_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DH_anon_WITH_ARIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_anon_WITH_ARIA_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DH_anon_WITH_ARIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DH_anon_WITH_ARIA_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_PSK_WITH_ARIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_ARIA_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_PSK_WITH_ARIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_ARIA_256_CBC_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_PSK_WITH_ARIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_ARIA_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_PSK_WITH_ARIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_ARIA_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6209: | ||||
Addition of the ARIA Cipher Suites to Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384' algorithm."; | ||||
reference | ||||
"RFC 6367: | ||||
Addition of the Camellia Cipher Suites to Transport | ||||
Layer Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_WITH_AES_128_CCM { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_AES_128_CCM' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6655: | ||||
AES-CCM Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_RSA_WITH_AES_256_CCM { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_AES_256_CCM' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6655: | ||||
AES-CCM Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_AES_128_CCM { | ||||
description | ||||
"Enumeration for the 'TLS_DHE_RSA_WITH_AES_128_CCM' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6655: | ||||
AES-CCM Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_AES_256_CCM { | ||||
description | ||||
"Enumeration for the 'TLS_DHE_RSA_WITH_AES_256_CCM' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6655: | ||||
AES-CCM Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_RSA_WITH_AES_128_CCM_8 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_AES_128_CCM_8' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6655: | ||||
AES-CCM Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_RSA_WITH_AES_256_CCM_8 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_RSA_WITH_AES_256_CCM_8' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6655: | ||||
AES-CCM Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_AES_128_CCM_8 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_RSA_WITH_AES_128_CCM_8' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6655: | ||||
AES-CCM Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_AES_256_CCM_8 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_DHE_RSA_WITH_AES_256_CCM_8' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6655: | ||||
AES-CCM Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_PSK_WITH_AES_128_CCM { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_AES_128_CCM' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6655: | ||||
AES-CCM Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_PSK_WITH_AES_256_CCM { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_AES_256_CCM' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6655: | ||||
AES-CCM Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_AES_128_CCM { | ||||
description | ||||
"Enumeration for the 'TLS_DHE_PSK_WITH_AES_128_CCM' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6655: | ||||
AES-CCM Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_AES_256_CCM { | ||||
description | ||||
"Enumeration for the 'TLS_DHE_PSK_WITH_AES_256_CCM' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6655: | ||||
AES-CCM Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_PSK_WITH_AES_128_CCM_8 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_AES_128_CCM_8' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6655: | ||||
AES-CCM Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_PSK_WITH_AES_256_CCM_8 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_WITH_AES_256_CCM_8' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6655: | ||||
AES-CCM Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_PSK_DHE_WITH_AES_128_CCM_8 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_DHE_WITH_AES_128_CCM_8' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6655: | ||||
AES-CCM Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_PSK_DHE_WITH_AES_256_CCM_8 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_PSK_DHE_WITH_AES_256_CCM_8' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6655: | ||||
AES-CCM Cipher Suites for Transport Layer Security | ||||
(TLS)"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_AES_128_CCM { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_ECDSA_WITH_AES_128_CCM' | ||||
algorithm."; | ||||
reference | ||||
"RFC 7251: | ||||
AES-CCM Elliptic Curve Cryptography (ECC) Cipher Suites | ||||
for TLS"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_AES_256_CCM { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_ECDSA_WITH_AES_256_CCM' | ||||
algorithm."; | ||||
reference | ||||
"RFC 7251: | ||||
AES-CCM Elliptic Curve Cryptography (ECC) Cipher Suites | ||||
for TLS"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8' | ||||
algorithm."; | ||||
reference | ||||
"RFC 7251: | ||||
AES-CCM Elliptic Curve Cryptography (ECC) Cipher Suites | ||||
for TLS"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8' | ||||
algorithm."; | ||||
reference | ||||
"RFC 7251: | ||||
AES-CCM Elliptic Curve Cryptography (ECC) Cipher Suites | ||||
for TLS"; | ||||
} | ||||
enum TLS_ECCPWD_WITH_AES_128_GCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECCPWD_WITH_AES_128_GCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8492: | ||||
Secure Password Ciphersuites for Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECCPWD_WITH_AES_256_GCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECCPWD_WITH_AES_256_GCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8492: | ||||
Secure Password Ciphersuites for Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECCPWD_WITH_AES_128_CCM_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECCPWD_WITH_AES_128_CCM_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8492: | ||||
Secure Password Ciphersuites for Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECCPWD_WITH_AES_256_CCM_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_ECCPWD_WITH_AES_256_CCM_SHA384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8492: | ||||
Secure Password Ciphersuites for Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_SHA256_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_SHA256_SHA256' algorithm."; | ||||
reference | ||||
"RFC 9150: | ||||
TLS 1.3 Authentication and Integrity-Only Cipher | ||||
Suites"; | ||||
} | ||||
enum TLS_SHA384_SHA384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_SHA384_SHA384' algorithm."; | ||||
reference | ||||
"RFC 9150: | ||||
TLS 1.3 Authentication and Integrity-Only Cipher | ||||
Suites"; | ||||
} | ||||
enum TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC' | ||||
algorithm."; | ||||
reference | ||||
"RFC 9189: | ||||
GOST Cipher Suites for Transport Layer Security (TLS) | ||||
Protocol Version 1.2"; | ||||
} | ||||
enum TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC' algorithm."; | ||||
reference | ||||
"RFC 9189: | ||||
GOST Cipher Suites for Transport Layer Security (TLS) | ||||
Protocol Version 1.2"; | ||||
} | ||||
enum TLS_GOSTR341112_256_WITH_28147_CNT_IMIT { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_GOSTR341112_256_WITH_28147_CNT_IMIT' algorithm."; | ||||
reference | ||||
"RFC 9189: | ||||
GOST Cipher Suites for Transport Layer Security (TLS) | ||||
Protocol Version 1.2"; | ||||
} | ||||
enum TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L' algorithm."; | ||||
reference | ||||
"RFC 9367: | ||||
GOST Cipher Suites for Transport Layer Security (TLS) | ||||
Protocol Version 1.3"; | ||||
} | ||||
enum TLS_GOSTR341112_256_WITH_MAGMA_MGM_L { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_GOSTR341112_256_WITH_MAGMA_MGM_L' | ||||
algorithm."; | ||||
reference | ||||
"RFC 9367: | ||||
GOST Cipher Suites for Transport Layer Security (TLS) | ||||
Protocol Version 1.3"; | ||||
} | ||||
enum TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S' algorithm."; | ||||
reference | ||||
"RFC 9367: | ||||
GOST Cipher Suites for Transport Layer Security (TLS) | ||||
Protocol Version 1.3"; | ||||
} | ||||
enum TLS_GOSTR341112_256_WITH_MAGMA_MGM_S { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'TLS_GOSTR341112_256_WITH_MAGMA_MGM_S' | ||||
algorithm."; | ||||
reference | ||||
"RFC 9367: | ||||
GOST Cipher Suites for Transport Layer Security (TLS) | ||||
Protocol Version 1.3"; | ||||
} | ||||
enum TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 { | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256' algorithm."; | ||||
reference | ||||
"RFC 7905: | ||||
ChaCha20-Poly1305 Cipher Suites for Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 { | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 7905: | ||||
ChaCha20-Poly1305 Cipher Suites for Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 { | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256' algorithm."; | ||||
reference | ||||
"RFC 7905: | ||||
ChaCha20-Poly1305 Cipher Suites for Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_PSK_WITH_CHACHA20_POLY1305_SHA256' algorithm."; | ||||
reference | ||||
"RFC 7905: | ||||
ChaCha20-Poly1305 Cipher Suites for Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 { | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256' algorithm."; | ||||
reference | ||||
"RFC 7905: | ||||
ChaCha20-Poly1305 Cipher Suites for Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 { | ||||
description | ||||
"Enumeration for the | ||||
'TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256' algorithm."; | ||||
reference | ||||
"RFC 7905: | ||||
ChaCha20-Poly1305 Cipher Suites for Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256' algorithm."; | ||||
reference | ||||
"RFC 7905: | ||||
ChaCha20-Poly1305 Cipher Suites for Transport Layer | ||||
Security (TLS)"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 { | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 8442: | ||||
ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites for TLS | ||||
1.2 and DTLS 1.2"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 { | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384' algorithm."; | ||||
reference | ||||
"RFC 8442: | ||||
ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites for TLS | ||||
1.2 and DTLS 1.2"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256' algorithm."; | ||||
reference | ||||
"RFC 8442: | ||||
ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites for TLS | ||||
1.2 and DTLS 1.2"; | ||||
} | ||||
enum TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 { | ||||
description | ||||
"Enumeration for the | ||||
'TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256' algorithm."; | ||||
reference | ||||
"RFC 8442: | ||||
ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites for TLS | ||||
1.2 and DTLS 1.2"; | ||||
} | ||||
} | ||||
description | ||||
"An enumeration for TLS cipher-suite algorithms."; | ||||
} | ||||
} | ||||
]]></artwork> | ||||
<t keepWithPrevious="true"><CODE ENDS></t> | ||||
</section> | ||||
</section> | ||||
<section anchor="change-log"> | ||||
<name>Change Log</name> | ||||
<section> | ||||
<name>00 to 01</name> | ||||
<ul spacing="normal"> | ||||
<li>Noted that '0.0.0.0' and '::' might have special meanings.</li> | ||||
<li>Renamed "keychain" to "keystore".</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>01 to 02</name> | ||||
<ul spacing="normal"> | ||||
<li>Removed the groupings containing transport-level configuration. | ||||
Now modules contain only the transport-independent groupings.</li> | ||||
<li>Filled in previously incomplete 'ietf-tls-client' module.</li> | ||||
<li>Added cipher suites for various algorithms into new | ||||
'ietf-tls-common' module.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>02 to 03</name> | ||||
<ul spacing="normal"> | ||||
<li>Added a 'must' statement to container 'server-auth' asserting | ||||
that at least one of the various auth mechanisms must be | ||||
specified.</li> | ||||
<li>Fixed description statement for leaf 'trusted-ca-certs'.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>03 to 04</name> | ||||
<ul spacing="normal"> | ||||
<li>Updated title to "YANG Groupings for TLS Clients and TLS | ||||
Servers"</li> | ||||
<li>Updated leafref paths to point to new keystore path</li> | ||||
<li>Changed the YANG prefix for ietf-tls-common from 'tlscom' to | ||||
'tlscmn'.</li> | ||||
<li>Added TLS protocol verions 1.0 and 1.1.</li> | ||||
<li>Made author lists consistent</li> | ||||
<li>Now tree diagrams reference ietf-netmod-yang-tree-diagrams</li> | ||||
<li>Updated YANG to use typedefs around leafrefs to common keystore | ||||
paths</li> | ||||
<li>Now inlines key and certificates (no longer a leafref to | ||||
keystore)</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>04 to 05</name> | ||||
<ul spacing="normal"> | ||||
<li>Merged changes from co-author.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>05 to 06</name> | ||||
<ul spacing="normal"> | ||||
<li>Updated to use trust anchors from trust-anchors draft (was | ||||
keystore draft)</li> | ||||
<li>Now Uses new keystore grouping enabling asymmetric key to be | ||||
either locally defined or a reference to the keystore.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>06 to 07</name> | ||||
<ul spacing="normal"> | ||||
<li>factored the tls-[client|server]-groupings into more reusable | ||||
groupings.</li> | ||||
<li>added if-feature statements for the new "x509-certificates" | ||||
feature defined in draft-ietf-netconf-trust-anchors.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>07 to 08</name> | ||||
<ul spacing="normal"> | ||||
<li>Added a number of compatibility matrices to Section 5 (thanks Fran | ||||
k!)</li> | ||||
<li>Clarified that any configured "cipher-suite" values need to be | ||||
compatible with the configured private key.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>08 to 09</name> | ||||
<ul spacing="normal"> | ||||
<li>Updated examples to reflect update to groupings defined in the key | ||||
store draft.</li> | ||||
<li>Add TLS keepalives features and groupings.</li> | ||||
<li>Prefixed top-level TLS grouping nodes with 'tls-' and support mash | ||||
ups.</li> | ||||
<li>Updated copyright date, boilerplate template, affiliation, and fol | ||||
ding algorithm.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>09 to 10</name> | ||||
<ul spacing="normal"> | ||||
<li>Reformatted the YANG modules.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>10 to 11</name> | ||||
<ul spacing="normal"> | ||||
<li>Collapsed all the inner groupings into the top-level grouping.</li | ||||
> | ||||
<li>Added a top-level "demux container" inside the top-level grouping. | ||||
</li> | ||||
<li>Added NACM statements and updated the Security Considerations sect | ||||
ion.</li> | ||||
<li>Added "presence" statements on the "keepalive" containers, as was | ||||
needed to address a validation error that appeared after adding th | ||||
e | ||||
"must" statements into the NETCONF/RESTCONF client/server modules. | ||||
</li> | ||||
<li>Updated the boilerplate text in module-level "description" stateme | ||||
nt | ||||
to match copyeditor convention.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>11 to 12</name> | ||||
<ul spacing="normal"> | ||||
<li>In server model, made 'client-authentication' a 'presence' node | ||||
indicating that the server supports client authentication.</li> | ||||
<li>In the server model, added a 'required-or-optional' choice to | ||||
'client-authentication' to better support protocols such as | ||||
RESTCONF.</li> | ||||
<li>In the server model, added a 'inline-or-external' choice to | ||||
'client-authentication' to better support consuming data models | ||||
that prefer to keep client auth with client definitions than in | ||||
a model principally concerned with the "transport".</li> | ||||
<li>In both models, removed the "demux containers", floating the | ||||
nacm:default-deny-write to each descendant node, and | ||||
adding a note to model designers regarding the potential | ||||
need to add their own demux containers.</li> | ||||
<li>Fixed a couple references (section 2 --> section 3)</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>12 to 13</name> | ||||
<ul spacing="normal"> | ||||
<li>Updated to reflect changes in trust-anchors drafts | ||||
(e.g., s/trust-anchors/truststore/g + s/pinned.//)</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>12 to 13</name> | ||||
<ul spacing="normal"> | ||||
<li>Removed 'container' under 'client-identity' to match server model. | ||||
</li> | ||||
<li>Updated examples to reflect change grouping in keystore module.</l | ||||
i> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>13 to 14</name> | ||||
<ul spacing="normal"> | ||||
<li>Removed the "certificate" container from "client-identity" in the | ||||
ietf-tls-client module.</li> | ||||
<li>Updated examples to reflect ietf-crypto-types change | ||||
(e.g., identities --> enumerations)</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>14 to 15</name> | ||||
<ul spacing="normal"> | ||||
<li>Updated "server-authentication" and "client-authentication" nodes | ||||
from | ||||
being a leaf of type "ts:certificates-ref" to a container that use | ||||
s | ||||
"ts:inline-or-truststore-certs-grouping".</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>15 to 16</name> | ||||
<ul spacing="normal"> | ||||
<li>Removed unnecessary if-feature statements in the -client and -serv | ||||
er modules.</li> | ||||
<li>Cleaned up some description statements in the -client and -server | ||||
modules.</li> | ||||
<li>Fixed a canonical ordering issue in ietf-tls-common detected by ne | ||||
w pyang.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>16 to 17</name> | ||||
<ul spacing="normal"> | ||||
<li>Removed choice inline-or-external by removing the 'external' case | ||||
and flattening | ||||
the 'local' case and adding a "client-auth-supported" feature.</li | ||||
> | ||||
<li>Removed choice required-or-optional.</li> | ||||
<li>Updated examples to include the "*-key-format" nodes.</li> | ||||
<li>Augmented-in "must" expressions ensuring that locally-defined publ | ||||
ic-key-format | ||||
are "ct:tls-public-key-format" (must expr for ref'ed keys are TBD) | ||||
.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>17 to 18</name> | ||||
<ul spacing="normal"> | ||||
<li>Removed the unused "external-client-auth-supported" feature.</li> | ||||
<li>Made client-indentity optional, as there may be over-the-top auth | ||||
instead.</li> | ||||
<li>Added augment to uses of inline-or-keystore-symmetric-key-grouping | ||||
for a psk "id" node.</li> | ||||
<li>Added missing presence container "psks" to ietf-tls-server's "clie | ||||
nt-authentication" container.</li> | ||||
<li>Updated examples to reflect new "bag" addition to truststore.</li> | ||||
<li>Removed feature-limited caseless 'case' statements to improve tree | ||||
diagram rendering.</li> | ||||
<li>Refined truststore/keystore groupings to ensure the key formats "m | ||||
ust" be particular values.</li> | ||||
<li>Switched to using truststore's new "public-key" bag (instead of se | ||||
parate "ssh-public-key" | ||||
and "raw-public-key" bags).</li> | ||||
<li>Updated client/server examples to cover ALL cases (local/ref x cer | ||||
t/raw-key/psk).</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>18 to 19</name> | ||||
<ul spacing="normal"> | ||||
<li>Updated the "keepalives" containers in part to address Michal Vask | ||||
o's request to | ||||
align with RFC 8071, and in part to better align to RFC 6520.</li> | ||||
<li>Removed algorithm-mapping tables from the "TLS Common Model" secti | ||||
on</li> | ||||
<li>Removed the 'algorithm' node from the examples.</li> | ||||
<li>Renamed both "client-certs" and "server-certs" to "ee-certs"</li> | ||||
<li>Added a "Note to Reviewers" note to first page.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>19 to 20</name> | ||||
<ul spacing="normal"> | ||||
<li>Modified the 'must' expression in the "ietf-tls-client:server-auth | ||||
ention" node to | ||||
cover the "raw-public-keys" and "psks" nodes also.</li> | ||||
<li>Added a "must 'ca-certs or ee-certs or raw-public-keys or psks'" s | ||||
tatement to the | ||||
ietf-tls-server:client-authentication" node.</li> | ||||
<li>Added "mandatory true" to "choice auth-type" and a "presence" stat | ||||
ement to its ancestor.</li> | ||||
<li>Expanded "Data Model Overview section(s) [remove "wall" of tree di | ||||
agrams].</li> | ||||
<li>Moved the "ietf-tls-common" module section to proceed the other tw | ||||
o module sections.</li> | ||||
<li>Updated the Security Considerations section.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>20 to 21</name> | ||||
<ul spacing="normal"> | ||||
<li>Updated examples to reflect new "cleartext-" prefix in the crypto- | ||||
types draft.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>21 to 22</name> | ||||
<ul spacing="normal"> | ||||
<li>In both the "client-authentication" and "server-authentication" su | ||||
btrees, | ||||
replaced the "psks" node from being a P-container to a leaf of typ | ||||
e "empty".</li> | ||||
<li>Cleaned up examples (e.g., removed FIXMEs)</li> | ||||
<li>Fixed issues found by the SecDir review of the "keystore" draft.</ | ||||
li> | ||||
<li>Updated the "psk" sections in the "ietf-tls-client" and "ietf-tls- | ||||
server" | ||||
modules to more correctly reflect RFC 4279.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>22 to 23</name> | ||||
<ul spacing="normal"> | ||||
<li>Addressed comments raised by YANG Doctor in the ct/ts/ks drafts.</ | ||||
li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>23 to 24</name> | ||||
<ul spacing="normal"> | ||||
<li>Added missing reference to "FIPS PUB 180-4".</li> | ||||
<li>Added identity "tls-1.3" and updated description statement in othe | ||||
r identities indicating that the protocol version is obsolete and enabling the f | ||||
eature is NOT RECOMMENDED.</li> | ||||
<li>Added XML-comment above examples explaining the reason for the une | ||||
xpected top-most element's presence.</li> | ||||
<li>Added missing "client-ident-raw-public-key" and "client-ident-psk" | ||||
featutes.</li> | ||||
<li>Aligned modules with `pyang -f` formatting.</li> | ||||
<li>Fixed nits found by YANG Doctor reviews.</li> | ||||
<li>Added a 'Contributors' section.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>24 to 25</name> | ||||
<ul spacing="normal"> | ||||
<li>Added TLS 1.3 references.</li> | ||||
<li>Clarified support for various TLS protocol versions.</li> | ||||
<li>Moved algorithms in ietf-tls-common (plus more) to IANA-maintained | ||||
modules</li> | ||||
<li>Added "config false" lists for algorithms supported by the server. | ||||
</li> | ||||
<li>Fixed issues found during YANG Doctor review.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>25 to 26</name> | ||||
<ul spacing="normal"> | ||||
<li>Replaced "base64encodedvalue==" with "BASE64VALUE=" in examples.</ | ||||
li> | ||||
<li>Minor editorial nits</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>26 to 27</name> | ||||
<ul spacing="normal"> | ||||
<li>Fixed up the 'WG Web' and 'WG List' lines in YANG module(s)</li> | ||||
<li>Fixed up copyright (i.e., s/Simplified/Revised/) in YANG module(s) | ||||
.</li> | ||||
<li>Created identityref-based typedef for the IANA alg identity base.< | ||||
/li> | ||||
<li>Major update to support TLS 1.3.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>27 to 28</name> | ||||
<ul spacing="normal"> | ||||
<li>Fixed draft text to refer to new "identity" values (e.g., s/tls-1. | ||||
3/tls13).</li> | ||||
<li>Added ietf-tls-common:generate-public-key() RPC.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>28 to 29</name> | ||||
<ul spacing="normal"> | ||||
<li>Updated modules to IANA-maintained module in Appendix A to 2022-06 | ||||
-16.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>29 to 30</name> | ||||
<ul spacing="normal"> | ||||
<li>Fixed 'must' expressions.</li> | ||||
<li>Added missing 'revision' statement.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>30 to 31</name> | ||||
<ul spacing="normal"> | ||||
<li>Updated per Shepherd reviews impacting the suite of drafts.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>31 to 32</name> | ||||
<ul spacing="normal"> | ||||
<li>Updated per Shepherd reviews impacting the suite of drafts.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>32 to 33</name> | ||||
<ul spacing="normal"> | ||||
<li>Updated per Tom Petch review.</li> | ||||
<li>Added RPC-reply to 'generate-public-key" RPC example.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>33 to 34</name> | ||||
<ul spacing="normal"> | ||||
<li>Addresses AD review comments.</li> | ||||
<li>Added note to Editor to fix line foldings.</li> | ||||
<li>Introduction now more clearly identifies the "ietf-" and "iana-" m | ||||
odules defined.</li> | ||||
<li>Clarified that the modules, when implemented, do not define any pr | ||||
otocol-accessible nodes.</li> | ||||
<li>Clarified that IANA may deprecate and/or obsolete identities over | ||||
time.</li> | ||||
<li>Added Security Consideration for the "generate-public-key" RPC.</l | ||||
i> | ||||
<li>Added Security Considerations text to also look a SC-section from | ||||
imported modules.</li> | ||||
<li>Added missing if-feature statements.</li> | ||||
<li>Fixed private-key "must" expressions to not require public-key nod | ||||
es to be present.</li> | ||||
<li>Fixed ident-tls12-psk and ident-tls13-psk YANG and references.</li | ||||
> | ||||
<li>Renamed leaf from "bits" to "num-bits".</li> | ||||
<li>Added missing "ordered-by user" statement.</li> | ||||
<li>Added container "private-key-encoding" to wrap existing choice.</l | ||||
i> | ||||
<li>Renamed container "encrypt-with" to "encrypted".</li> | ||||
<li>Renamed leaf from "hide" to "hidden".</li> | ||||
<li>Removed "public-key-format" and "public-key" nodes from examples.< | ||||
/li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>34 to 35</name> | ||||
<ul spacing="normal"> | ||||
<li>Addresses AD review by Rob Wilton.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>35 to 36</name> | ||||
<ul spacing="normal"> | ||||
<li>Complete tls10/tls11 removal and update Jeff's email.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>36 to 37</name> | ||||
<ul spacing="normal"> | ||||
<li>Addresses 1st-round of IESG reviews.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>37 to 39</name> | ||||
<ul spacing="normal"> | ||||
<li>Addresses issues found in OpsDir review of the ssh-client-server d | ||||
raft.</li> | ||||
<li>Replaced identities with enums in the IANA module.</li> | ||||
<li>Add refs to where the 'operational' and 'system' datastores are de | ||||
fined.</li> | ||||
<li>Updated Introduction to read more like the Abstract</li> | ||||
<li>Updated Editor-notes to NOT remove the script (just remove the ini | ||||
tial IANA module)</li> | ||||
<li>Renamed Security Considerations section s/Template for/Considerati | ||||
ons for/</li> | ||||
<li>s/defines/presents/ in a few places.</li> | ||||
<li>Renamed script from 'gen-identities.py' to 'gen-yang-module.py'</l | ||||
i> | ||||
<li>Removed the removeInRFC="true" attribute in Appendix sections</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>39 to 40</name> | ||||
<ul spacing="normal"> | ||||
<li>Address IESG review comments.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>40 to 41</name> | ||||
<ul spacing="normal"> | ||||
<li>Updated to reflect comments from Paul Wouters.</li> | ||||
<li>Fixed the "generate-asymmetric-key-pair" RPC to return the | ||||
location to where hidden keys are created.</li> | ||||
</ul> | ||||
</section> | ||||
</section> | ||||
<section numbered="false"> | <section numbered="false"> | |||
<name>Acknowledgements</name> | <name>Acknowledgements</name> | |||
<t>The authors would like to thank the following for lively discussions | <t>The authors would like to thank the following for lively discussions | |||
on list and in the halls (ordered by first name): | on list and in the halls (ordered by first name): | |||
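Review bot: the enum entries in the block removed on the left carry `status deprecated` with no stated reason, and the description text has the same form for deprecated and non-deprecated suites (compare TLS_PSK_WITH_AES_128_CCM, deprecated, with TLS_DHE_PSK_WITH_AES_128_CCM, which is not). Since none of this text appears on the right-hand side, confirm that the module readers are now expected to consult records the same status for each suite, and consider having each description say why a suite is deprecated so that someone auditing a cipher-suite configuration can tell which values are discouraged. The Change Log removed in the same block has two subsections named "12 to 13" and jumps from "36 to 37" to "37 to 39"; this is harmless once the section is gone, but should be corrected if the log is kept anywhere else.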
Alan Luchuk, | <contact fullname="Alan Luchuk"/>, | |||
Andy Bierman, | <contact fullname="Andy Bierman"/>, | |||
Balázs Kovács, | <contact fullname="Balázs Kovács"/>, | |||
Benoit Claise, | <contact fullname="Benoit Claise"/>, | |||
Bert Wijnen, | <contact fullname="Bert Wijnen"/>, | |||
David Lamparter, | <contact fullname="David Lamparter"/>, | |||
Dhruv Dhody, | <contact fullname="Dhruv Dhody"/>, | |||
Éric Vyncke, | <contact fullname="Éric Vyncke"/>, | |||
Gary Wu, | <contact fullname="Gary Wu"/>, | |||
Henk Birkholz, | <contact fullname="Henk Birkholz"/>, | |||
Jeff Hartley, | <contact fullname="Jeff Hartley"/>, | |||
Jürgen Schönwälder, | <contact fullname="Jürgen Schönwälder"/>, | |||
Ladislav Lhotka, | <contact fullname="Ladislav Lhotka"/>, | |||
Liang Xia, | <contact fullname="Liang Xia"/>, | |||
Martin Björklund, | <contact fullname="Martin Björklund"/>, | |||
Martin Thomson, | <contact fullname="Martin Thomson"/>, | |||
Mehmet Ersue, | <contact fullname="Mehmet Ersue"/>, | |||
Michal Vaško, | <contact fullname="Michal Vaško"/>, | |||
Murray Kucherawy, | <contact fullname="Murray Kucherawy"/>, | |||
Paul Wouters, | <contact fullname="Paul Wouters"/>, | |||
Phil Shafer, | <contact fullname="Phil Shafer"/>, | |||
Qin Wu, | <contact fullname="Qin Wu"/>, | |||
Radek Krejci, | <contact fullname="Radek Krejci"/>, | |||
Rob Wilton, | <contact fullname="Rob Wilton"/>, | |||
Roman Danyliw, | <contact fullname="Roman Danyliw"/>, | |||
Russ Housley, | <contact fullname="Russ Housley"/>, | |||
Sean Turner, | <contact fullname="Sean Turner"/>, | |||
Tom Petch, | <contact fullname="Thomas Martin"/>, and | |||
and Thomas Martin.</t> | <contact fullname="Tom Petch"/>.</t> | |||
</section> | </section> | |||
<section numbered="false"> | <section numbered="false"> | |||
<name>Contributors</name> | <name>Contributors</name> | |||
<t>Special acknowledgement goes to Gary Wu who contributed the | <t>Special acknowledgement goes to <contact fullname="Gary Wu"/> who contr | |||
"ietf-tls-common" module, and Tom Petch who carefully ensured | ibuted the | |||
"ietf-tls-common" module and <contact fullname="Tom Petch"/> who careful | ||||
ly ensured | ||||
that references were set correctly throughout.</t> | that references were set correctly throughout.</t> | |||
</section> | </section> | |||
</back> | </back> | |||
</rfc> | </rfc> | |||
End of changes. 312 change blocks. | ||||
5726 lines changed or deleted | 950 lines changed or added | |||