idnits 2.17.1 draft-ietf-netconf-tls-client-server-28.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 439 has weird spacing: '...-format ide...' -- The document date (24 May 2022) is 703 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-34) exists of draft-ietf-netconf-crypto-types-22 == Outdated reference: A later version (-35) exists of draft-ietf-netconf-keystore-24 == Outdated reference: A later version (-28) exists of draft-ietf-netconf-trust-anchors-17 == Outdated reference: A later version (-20) exists of draft-ietf-netconf-http-client-server-09 == Outdated reference: A later version (-36) exists of draft-ietf-netconf-netconf-client-server-25 == Outdated reference: A later version (-36) exists of draft-ietf-netconf-restconf-client-server-25 == Outdated reference: A later version (-40) exists of draft-ietf-netconf-ssh-client-server-27 == Outdated reference: A later version (-26) exists of draft-ietf-netconf-tcp-client-server-12 == Outdated reference: A later version (-41) exists of draft-ietf-netconf-tls-client-server-27 -- Obsolete informational reference (is this intentional?): RFC 2246 (Obsoleted by RFC 4346) -- Obsolete informational reference (is this intentional?): RFC 2818 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 4346 (Obsoleted by RFC 5246) -- Obsolete informational reference (is this intentional?): RFC 5246 (Obsoleted by RFC 8446) Summary: 0 errors (**), 0 flaws (~~), 11 warnings (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 NETCONF Working Group K. Watsen 3 Internet-Draft Watsen Networks 4 Intended status: Standards Track 24 May 2022 5 Expires: 25 November 2022 7 YANG Groupings for TLS Clients and TLS Servers 8 draft-ietf-netconf-tls-client-server-28 10 Abstract 12 This document defines three YANG 1.1 modules: the first defines 13 features and groupings common to both TLS clients and TLS servers, 14 the second defines a grouping for a generic TLS client, and the third 15 defines a grouping for a generic TLS server. 17 Editorial Note (To be removed by RFC Editor) 19 This draft contains placeholder values that need to be replaced with 20 finalized values at the time of publication. This note summarizes 21 all of the substitutions that are needed. No other RFC Editor 22 instructions are specified elsewhere in this document. 24 Artwork in this document contains shorthand references to drafts in 25 progress. Please apply the following replacements: 27 * AAAA --> the assigned RFC value for draft-ietf-netconf-crypto- 28 types 30 * BBBB --> the assigned RFC value for draft-ietf-netconf-trust- 31 anchors 33 * CCCC --> the assigned RFC value for draft-ietf-netconf-keystore 35 * DDDD --> the assigned RFC value for draft-ietf-netconf-tcp-client- 36 server 38 * FFFF --> the assigned RFC value for this draft 40 Artwork in this document contains placeholder values for the date of 41 publication of this draft. Please apply the following replacement: 43 * 2022-05-24 --> the publication date of this draft 45 The following Appendix section is to be removed prior to publication: 47 * Appendix B. Change Log 49 Status of This Memo 51 This Internet-Draft is submitted in full conformance with the 52 provisions of BCP 78 and BCP 79. 54 Internet-Drafts are working documents of the Internet Engineering 55 Task Force (IETF). Note that other groups may also distribute 56 working documents as Internet-Drafts. The list of current Internet- 57 Drafts is at https://datatracker.ietf.org/drafts/current/. 59 Internet-Drafts are draft documents valid for a maximum of six months 60 and may be updated, replaced, or obsoleted by other documents at any 61 time. It is inappropriate to use Internet-Drafts as reference 62 material or to cite them other than as "work in progress." 64 This Internet-Draft will expire on 25 November 2022. 66 Copyright Notice 68 Copyright (c) 2022 IETF Trust and the persons identified as the 69 document authors. All rights reserved. 71 This document is subject to BCP 78 and the IETF Trust's Legal 72 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 73 license-info) in effect on the date of publication of this document. 74 Please review these documents carefully, as they describe your rights 75 and restrictions with respect to this document. Code Components 76 extracted from this document must include Revised BSD License text as 77 described in Section 4.e of the Trust Legal Provisions and are 78 provided without warranty as described in the Revised BSD License. 80 Table of Contents 82 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 83 1.1. Relation to other RFCs . . . . . . . . . . . . . . . . . 4 84 1.2. Specification Language . . . . . . . . . . . . . . . . . 6 85 1.3. Adherence to the NMDA . . . . . . . . . . . . . . . . . . 6 86 1.4. Conventions . . . . . . . . . . . . . . . . . . . . . . . 6 87 2. The "ietf-tls-common" Module . . . . . . . . . . . . . . . . 7 88 2.1. Data Model Overview . . . . . . . . . . . . . . . . . . . 7 89 2.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 11 90 2.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 12 91 3. The "ietf-tls-client" Module . . . . . . . . . . . . . . . . 19 92 3.1. Data Model Overview . . . . . . . . . . . . . . . . . . . 19 93 3.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 22 94 3.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 26 95 4. The "ietf-tls-server" Module . . . . . . . . . . . . . . . . 38 96 4.1. Data Model Overview . . . . . . . . . . . . . . . . . . . 38 97 4.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 40 98 4.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 44 99 5. Security Considerations . . . . . . . . . . . . . . . . . . . 56 100 5.1. The "iana-tls-cipher-suite-algs" Module . . . . . . . . . 56 101 5.2. The "ietf-tls-common" YANG Module . . . . . . . . . . . . 56 102 5.3. The "ietf-tls-client" YANG Module . . . . . . . . . . . . 57 103 5.4. The "ietf-tls-server" YANG Module . . . . . . . . . . . . 58 104 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 58 105 6.1. The "IETF XML" Registry . . . . . . . . . . . . . . . . . 58 106 6.2. The "YANG Module Names" Registry . . . . . . . . . . . . 59 107 6.3. The "iana-tls-cipher-suite-algs" Module . . . . . . . . . 59 108 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 60 109 7.1. Normative References . . . . . . . . . . . . . . . . . . 60 110 7.2. Informative References . . . . . . . . . . . . . . . . . 61 111 Appendix A. YANG Modules for IANA . . . . . . . . . . . . . . . 64 112 A.1. Initial Module for the "TLS Cipher Suites" Registry . . . 64 113 A.1.1. Data Model Overview . . . . . . . . . . . . . . . . . 64 114 A.1.2. Example Usage . . . . . . . . . . . . . . . . . . . . 65 115 A.1.3. YANG Module . . . . . . . . . . . . . . . . . . . . . 66 116 Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 144 117 B.1. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 144 118 B.2. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 144 119 B.3. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 144 120 B.4. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 145 121 B.5. 04 to 05 . . . . . . . . . . . . . . . . . . . . . . . . 145 122 B.6. 05 to 06 . . . . . . . . . . . . . . . . . . . . . . . . 145 123 B.7. 06 to 07 . . . . . . . . . . . . . . . . . . . . . . . . 145 124 B.8. 07 to 08 . . . . . . . . . . . . . . . . . . . . . . . . 145 125 B.9. 08 to 09 . . . . . . . . . . . . . . . . . . . . . . . . 146 126 B.10. 09 to 10 . . . . . . . . . . . . . . . . . . . . . . . . 146 127 B.11. 10 to 11 . . . . . . . . . . . . . . . . . . . . . . . . 146 128 B.12. 11 to 12 . . . . . . . . . . . . . . . . . . . . . . . . 146 129 B.13. 12 to 13 . . . . . . . . . . . . . . . . . . . . . . . . 147 130 B.14. 12 to 13 . . . . . . . . . . . . . . . . . . . . . . . . 147 131 B.15. 13 to 14 . . . . . . . . . . . . . . . . . . . . . . . . 147 132 B.16. 14 to 15 . . . . . . . . . . . . . . . . . . . . . . . . 147 133 B.17. 15 to 16 . . . . . . . . . . . . . . . . . . . . . . . . 147 134 B.18. 16 to 17 . . . . . . . . . . . . . . . . . . . . . . . . 148 135 B.19. 17 to 18 . . . . . . . . . . . . . . . . . . . . . . . . 148 136 B.20. 18 to 19 . . . . . . . . . . . . . . . . . . . . . . . . 148 137 B.21. 19 to 20 . . . . . . . . . . . . . . . . . . . . . . . . 149 138 B.22. 20 to 21 . . . . . . . . . . . . . . . . . . . . . . . . 149 139 B.23. 21 to 22 . . . . . . . . . . . . . . . . . . . . . . . . 149 140 B.24. 22 to 23 . . . . . . . . . . . . . . . . . . . . . . . . 150 141 B.25. 23 to 24 . . . . . . . . . . . . . . . . . . . . . . . . 150 142 B.26. 24 to 25 . . . . . . . . . . . . . . . . . . . . . . . . 150 143 B.27. 25 to 26 . . . . . . . . . . . . . . . . . . . . . . . . 150 144 B.28. 26 to 27 . . . . . . . . . . . . . . . . . . . . . . . . 150 145 B.29. 27 to 28 . . . . . . . . . . . . . . . . . . . . . . . . 151 146 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 151 147 Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 151 148 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 151 150 1. Introduction 152 This document defines three YANG 1.1 [RFC7950] modules: the first 153 defines features and groupings common to both TLS clients and TLS 154 servers, the second defines a grouping for a generic TLS client, and 155 the third defines a grouping for a generic TLS server. 157 Any version of TLS may be configured. TLS 1.0 [RFC2246] and TLS 1.1 158 [RFC4346] are historic and hence the YANG "feature" statements 159 enabling them are marked "status obsolete". TLS 1.2 [RFC5246] is 160 obsoleted by TLS 1.3 [RFC8446] but still in common use, and hence its 161 "feature" statement is marked "status deprecated". All the feature 162 statements for 1.0, 1.1, and 1.3 have "description" statements 163 stating that it is NOT RECOMMENDED to enable obsolete protocol 164 versions. 166 It is intended that the YANG groupings will be used by applications 167 needing to configure TLS client and server protocol stacks. For 168 instance, these groupings are used to help define the data model for 169 HTTPS [RFC2818] and NETCONF over TLS [RFC7589] based clients and 170 servers in [I-D.ietf-netconf-http-client-server] and 171 [I-D.ietf-netconf-netconf-client-server] respectively. 173 The client and server YANG modules in this document each define one 174 grouping, which is focused on just TLS-specific configuration, and 175 specifically avoids any transport-level configuration, such as what 176 ports to listen-on or connect-to. This affords applications the 177 opportunity to define their own strategy for how the underlying TCP 178 connection is established. For instance, applications supporting 179 NETCONF Call Home [RFC8071] could use the "tls-server-grouping" 180 grouping for the TLS parts it provides, while adding data nodes for 181 the TCP-level call-home configuration. 183 1.1. Relation to other RFCs 185 This document presents one or more YANG modules [RFC7950] that are 186 part of a collection of RFCs that work together to, ultimately, 187 enable the configuration of the clients and servers of both the 188 NETCONF [RFC6241] and RESTCONF [RFC8040] protocols. 190 The modules have been defined in a modular fashion to enable their 191 use by other efforts, some of which are known to be in progress at 192 the time of this writing, with many more expected to be defined in 193 time. 195 The normative dependency relationship between the various RFCs in the 196 collection is presented in the below diagram. The labels in the 197 diagram represent the primary purpose provided by each RFC. 198 Hyperlinks to each RFC are provided below the diagram. 200 crypto-types 201 ^ ^ 202 / \ 203 / \ 204 truststore keystore 205 ^ ^ ^ ^ 206 | +---------+ | | 207 | | | | 208 | +------------+ | 209 tcp-client-server | / | | 210 ^ ^ ssh-client-server | | 211 | | ^ tls-client-server 212 | | | ^ ^ http-client-server 213 | | | | | ^ 214 | | | +-----+ +---------+ | 215 | | | | | | 216 | +-----------|--------|--------------+ | | 217 | | | | | | 218 +-----------+ | | | | | 219 | | | | | | 220 | | | | | | 221 netconf-client-server restconf-client-server 223 +=======================+===========================================+ 224 |Label in Diagram | Originating RFC | 225 +=======================+===========================================+ 226 |crypto-types | [I-D.ietf-netconf-crypto-types] | 227 +-----------------------+-------------------------------------------+ 228 |truststore | [I-D.ietf-netconf-trust-anchors] | 229 +-----------------------+-------------------------------------------+ 230 |keystore | [I-D.ietf-netconf-keystore] | 231 +-----------------------+-------------------------------------------+ 232 |tcp-client-server | [I-D.ietf-netconf-tcp-client-server] | 233 +-----------------------+-------------------------------------------+ 234 |ssh-client-server | [I-D.ietf-netconf-ssh-client-server] | 235 +-----------------------+-------------------------------------------+ 236 |tls-client-server | [I-D.ietf-netconf-tls-client-server] | 237 +-----------------------+-------------------------------------------+ 238 |http-client-server | [I-D.ietf-netconf-http-client-server] | 239 +-----------------------+-------------------------------------------+ 240 |netconf-client-server | [I-D.ietf-netconf-netconf-client-server] | 241 +-----------------------+-------------------------------------------+ 242 |restconf-client-server | [I-D.ietf-netconf-restconf-client-server] | 243 +-----------------------+-------------------------------------------+ 245 Table 1: Label to RFC Mapping 247 1.2. Specification Language 249 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 250 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 251 "OPTIONAL" in this document are to be interpreted as described in BCP 252 14 [RFC2119] [RFC8174] when, and only when, they appear in all 253 capitals, as shown here. 255 1.3. Adherence to the NMDA 257 This document is compliant with the Network Management Datastore 258 Architecture (NMDA) [RFC8342]. For instance, as described in 259 [I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore], 260 trust anchors and keys installed during manufacturing are expected to 261 appear in . 263 1.4. Conventions 265 Various examples used in this document use a placeholder value for 266 binary data that has been base64 encoded (e.g., "BASE64VALUE="). 267 This placeholder value is used as real base64 encoded structures are 268 often many lines long and hence distracting to the example being 269 presented. 271 2. The "ietf-tls-common" Module 273 The TLS common model presented in this section contains features and 274 groupings common to both TLS clients and TLS servers. The "hello- 275 params-grouping" grouping can be used to configure the list of TLS 276 algorithms permitted by the TLS client or TLS server. The lists of 277 algorithms are ordered such that, if multiple algorithms are 278 permitted by the client, the algorithm that appears first in its list 279 that is also permitted by the server is used for the TLS transport 280 layer connection. The ability to restrict the algorithms allowed is 281 provided in this grouping for TLS clients and TLS servers that are 282 capable of doing so and may serve to make TLS clients and TLS servers 283 compliant with local security policies. This model supports both TLS 284 1.2 [RFC5246] and TLS 1.3 [RFC8446]. 286 Thus, in order to support both TLS1.2 and TLS1.3, the cipher-suites 287 part of the "hello-params-grouping" grouping should include three 288 parameters for configuring its permitted TLS algorithms, which are: 289 TLS Cipher Suites, TLS SignatureScheme, TLS Supported Groups. Note 290 that TLS1.2 only uses TLS Cipher Suites. 292 2.1. Data Model Overview 294 This section provides an overview of the "ietf-tls-common" module in 295 terms of its features, identities, and groupings. 297 2.1.1. Features 299 The following diagram lists all the "feature" statements defined in 300 the "ietf-tls-common" module: 302 Features: 303 +-- tls10 304 +-- tls11 305 +-- tls12 306 +-- tls13 307 +-- hello-params 308 +-- public-key-generation 310 | The diagram above uses syntax that is similar to but not 311 | defined in [RFC8340]. 313 2.1.2. Identities 315 The following diagram illustrates the relationship amongst the 316 "identity" statements defined in the "ietf-tls-common" module: 318 Identities: 319 +-- tls-version-base 320 +-- tls10 321 +-- tls11 322 +-- tls12 323 +-- tls13 325 | The diagram above uses syntax that is similar to but not 326 | defined in [RFC8340]. 328 Comments: 330 * The diagram shows that there are two base identities. 331 * One base identity is used to specific TLS versions, while the 332 other is used to specify cipher-suites. 333 * These base identities are "abstract", in the object oriented 334 programming sense, in that they only define a "class" of things, 335 rather than a specific thing. 337 2.1.3. Groupings 339 The "ietf-tls-common" module defines the following "grouping" 340 statement: 342 * hello-params-grouping 344 This grouping is presented in the following subsection. 346 2.1.3.1. The "hello-params-grouping" Grouping 348 The following tree diagram [RFC8340] illustrates the "hello-params- 349 grouping" grouping: 351 grouping hello-params-grouping: 352 +-- tls-versions 353 | +-- tls-version* identityref 354 +-- cipher-suites 355 +-- cipher-suite* identityref 357 Comments: 359 * This grouping is used by both the "tls-client-grouping" and the 360 "tls-server-grouping" groupings defined in Section 3.1.2.1 and 361 Section 4.1.2.1, respectively. 363 * This grouping enables client and server configurations to specify 364 the TLS versions and cipher suites that are to be used when 365 establishing TLS sessions. 367 * The "cipher-suites" list is "ordered-by user". 369 2.1.4. Protocol-accessible Nodes 371 The following tree diagram [RFC8340] lists all the protocol- 372 accessible nodes defined in the "ietf-tls-common" module, without 373 expanding the "grouping" statements: 375 module: ietf-tls-common 377 rpcs: 378 +---x generate-public-key {public-key-generation}? 379 +---w input 380 | +---w algorithm 381 | | tlscsa:cipher-suite-algorithm-ref 382 | +---w bits? uint16 383 | +---w (private-key-encoding)? 384 | +--:(cleartext) 385 | | +---w cleartext? empty 386 | +--:(encrypt) {ct:private-key-encryption}? 387 | | +---w encrypt-with 388 | | +---w ks:encrypted-by-choice-grouping 389 | +--:(hide) {ct:hidden-keys}? 390 | +---w hide? empty 391 +--ro output 392 +---u ct:asymmetric-key-pair-grouping 394 The following tree diagram [RFC8340] lists all the protocol- 395 accessible nodes defined in the "ietf-tls-common" module, with all 396 "grouping" statements expanded, enabling the module's full structure 397 to be seen: 399 =============== NOTE: '\' line wrapping per RFC 8792 ================ 401 module: ietf-tls-common 403 rpcs: 404 +---x generate-public-key {public-key-generation}? 405 +---w input 406 | +---w algorithm 407 | | tlscsa:cipher-suite-algorithm-ref 408 | +---w bits? uint16 409 | +---w (private-key-encoding)? 410 | +--:(cleartext) 411 | | +---w cleartext? empty 412 | +--:(encrypt) {ct:private-key-encryption}? 413 | | +---w encrypt-with 414 | | +---w (encrypted-by-choice) 415 | | +--:(symmetric-key-ref) 416 | | | {central-keystore-supported,symmetric\ 417 -keys}? 418 | | | +---w symmetric-key-ref? 419 | | | ks:symmetric-key-ref 420 | | +--:(asymmetric-key-ref) 421 | | {central-keystore-supported,asymmetri\ 422 c-keys}? 423 | | +---w asymmetric-key-ref? 424 | | ks:asymmetric-key-ref 425 | +--:(hide) {ct:hidden-keys}? 426 | +---w hide? empty 427 +--ro output 428 +--ro public-key-format identityref 429 +--ro public-key binary 430 +--ro private-key-format? identityref 431 +--ro (private-key-type) 432 +--:(cleartext-private-key) 433 | +--ro cleartext-private-key? binary 434 +--:(hidden-private-key) {hidden-keys}? 435 | +--ro hidden-private-key? empty 436 +--:(encrypted-private-key) {private-key-encryption}? 437 +--ro encrypted-private-key 438 +--ro encrypted-by 439 +--ro encrypted-value-format identityref 440 +--ro encrypted-value binary 442 Comments: 444 * Protocol-accessible nodes are those nodes that are accessible when 445 the module is "implemented", as described in Section 5.6.5 of 446 [RFC7950]. 448 * The protocol-accessible nodes for the "ietf-tls-common" module are 449 limited to the RPC "generate-public-key", which is additionally 450 constrained by the feature "public-key-generation". 452 * The "encrypted-by-choice-grouping" grouping is discussed in 453 Section 2.1.3.1 of [I-D.ietf-netconf-keystore]. 455 * The "asymmetric-key-pair-grouping" grouping is discussed in 456 Section 2.1.4.5 of [I-D.ietf-netconf-crypto-types]. 458 2.2. Example Usage 460 The following example illustrates the "hello-params-grouping' 461 grouping when populated with some data. 463 =============== NOTE: '\' line wrapping per RFC 8792 ================ 465 466 468 473 474 tlscmn:tls11 475 tlscmn:tls12 476 477 478 tlscsa:tls-ecdhe-ecdsa-with-aes-256-cbc-sha 480 tlscsa:tls-dhe-rsa-with-aes-128-cbc-sha256 482 tlscsa:tls-rsa-with-3des-ede-cbc-sha 483 484 486 The following example illustrates the "generate-public-key" RPC. 488 =============== NOTE: '\' line wrapping per RFC 8792 ================ 490 492 496 tlscsa:tls-ecdhe-psk-with-aes-128-gcm-sha256 498 521 499 500 hidden-asymmetric-key 501 502 503 505 2.3. YANG Module 507 This YANG module has a normative references to [RFC4346], [RFC5288], 508 [RFC5289], [RFC8422], and FIPS PUB 180-4. 510 This YANG module has a informative references to [RFC2246], 511 [RFC4346], [RFC5246], and [RFC8446]. 513 file "ietf-tls-common@2022-05-24.yang" 515 module ietf-tls-common { 516 yang-version 1.1; 517 namespace "urn:ietf:params:xml:ns:yang:ietf-tls-common"; 518 prefix tlscmn; 520 import iana-tls-cipher-suite-algs { 521 prefix tlscsa; 522 reference 523 "RFC FFFF: YANG Groupings for TLS Clients and SSH Servers"; 524 } 526 import ietf-crypto-types { 527 prefix ct; 528 reference 529 "RFC AAAA: YANG Data Types and Groupings for Cryptography"; 530 } 532 import ietf-keystore { 533 prefix ks; 534 reference 535 "RFC CCCC: A YANG Data Model for a Keystore"; 537 } 539 organization 540 "IETF NETCONF (Network Configuration) Working Group"; 542 contact 543 "WG List: NETCONF WG list 544 WG Web: https://datatracker.ietf.org/wg/netconf 545 Author: Kent Watsen 546 Author: Jeff Hartley 547 Author: Gary Wu "; 549 description 550 "This module defines a common features and groupings for 551 Transport Layer Security (TLS). 553 Copyright (c) 2022 IETF Trust and the persons identified 554 as authors of the code. All rights reserved. 556 Redistribution and use in source and binary forms, with 557 or without modification, is permitted pursuant to, and 558 subject to the license terms contained in, the Revised 559 BSD License set forth in Section 4.c of the IETF Trust's 560 Legal Provisions Relating to IETF Documents 561 (https://trustee.ietf.org/license-info). 563 This version of this YANG module is part of RFC FFFF 564 (https://www.rfc-editor.org/info/rfcFFFF); see the RFC 565 itself for full legal notices. 567 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 568 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 569 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document 570 are to be interpreted as described in BCP 14 (RFC 2119) 571 (RFC 8174) when, and only when, they appear in all 572 capitals, as shown here."; 574 revision 2022-05-24 { 575 description 576 "Initial version"; 577 reference 578 "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; 579 } 581 // Features 583 feature tls10 { 584 status "obsolete"; 585 description 586 "TLS Protocol Version 1.0 is supported. TLS 1.0 is obsolete 587 and thus it is NOT RECOMMENDED to enable this feature."; 588 reference 589 "RFC 2246: The TLS Protocol Version 1.0"; 590 } 592 feature tls11 { 593 status "obsolete"; 594 description 595 "TLS Protocol Version 1.1 is supported. TLS 1.1 is obsolete 596 and thus it is NOT RECOMMENDED to enable this feature."; 597 reference 598 "RFC 4346: The Transport Layer Security (TLS) Protocol 599 Version 1.1"; 600 } 602 feature tls12 { 603 status "deprecated"; 604 description 605 "TLS Protocol Version 1.2 is supported TLS 1.2 is obsolete 606 and thus it is NOT RECOMMENDED to enable this feature."; 607 reference 608 "RFC 5246: The Transport Layer Security (TLS) Protocol 609 Version 1.2"; 610 } 612 feature tls13 { 613 description 614 "TLS Protocol Version 1.3 is supported."; 615 reference 616 "RFC 8446: The Transport Layer Security (TLS) 617 Protocol Version 1.3"; 618 } 620 feature hello-params { 621 description 622 "TLS hello message parameters are configurable."; 623 } 625 feature public-key-generation { 626 description 627 "Indicates that the server implements the 628 'generate-public-key' RPC."; 629 } 631 // Identities 632 identity tls-version-base { 633 description 634 "Base identity used to identify TLS protocol versions."; 635 } 637 identity tls10 { 638 if-feature "tls10"; 639 base tls-version-base; 640 status "obsolete"; 641 description 642 "TLS Protocol Version 1.0."; 643 reference 644 "RFC 2246: The TLS Protocol Version 1.0"; 645 } 647 identity tls11 { 648 if-feature "tls11"; 649 base tls-version-base; 650 status "obsolete"; 651 description 652 "TLS Protocol Version 1.1."; 653 reference 654 "RFC 4346: The Transport Layer Security (TLS) Protocol 655 Version 1.1"; 656 } 658 identity tls12 { 659 if-feature "tls12"; 660 base tls-version-base; 661 status "deprecated"; 662 description 663 "TLS Protocol Version 1.2."; 664 reference 665 "RFC 5246: The Transport Layer Security (TLS) Protocol 666 Version 1.2"; 667 } 669 identity tls13 { 670 if-feature "tls13"; 671 base tls-version-base; 672 description 673 "TLS Protocol Version 1.3."; 674 reference 675 "RFC 8446: The Transport Layer Security (TLS) 676 Protocol Version 1.3"; 677 } 679 typedef epsk-supported-hash { 680 type enumeration { 681 enum sha-256 { 682 description 683 "The SHA-256 Hash."; 684 } 685 enum sha-384 { 686 description 687 "The SHA-384 Hash."; 688 } 689 } 690 description 691 "As per Section 4.2.11 of RFC 8446, the hash algorithm 692 supported by an instance of an External Pre-Shared 693 Key (EPSK)."; 694 reference 695 "RFC 8446: The Transport Layer Security (TLS) 696 Protocol Version 1.3 697 I-D.ietf-tls-external-psk-importer: Importing 698 External PSKs for TLS 699 I-D.ietf-tls-external-psk-guidance: Guidance 700 for External PSK Usage in TLS"; 701 } 703 // Groupings 705 grouping hello-params-grouping { 706 description 707 "A reusable grouping for TLS hello message parameters."; 708 reference 709 "RFC 5246: The Transport Layer Security (TLS) Protocol 710 Version 1.2 711 RFC 8446: The Transport Layer Security (TLS) Protocol 712 Version 1.3"; 713 container tls-versions { 714 description 715 "Parameters regarding TLS versions."; 716 leaf-list tls-version { 717 type identityref { 718 base tls-version-base; 719 } 720 description 721 "Acceptable TLS protocol versions. 723 If this leaf-list is not configured (has zero elements) 724 the acceptable TLS protocol versions are implementation- 725 defined."; 726 } 728 } 729 container cipher-suites { 730 description 731 "Parameters regarding cipher suites."; 732 leaf-list cipher-suite { 733 type identityref { 734 base tlscsa:cipher-suite-alg-base; 735 } 736 ordered-by user; 737 description 738 "Acceptable cipher suites in order of descending 739 preference. The configured host key algorithms should 740 be compatible with the algorithm used by the configured 741 private key. Please see Section 5 of RFC FFFF for 742 valid combinations. 744 If this leaf-list is not configured (has zero elements) 745 the acceptable cipher suites are implementation- 746 defined."; 747 reference 748 "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; 749 } 750 } 751 } // hello-params-grouping 753 rpc generate-public-key { 754 if-feature "public-key-generation"; 755 description 756 "Requests the device to generate an public key using 757 the specified key algorithm."; 758 input { 759 leaf algorithm { 760 type tlscsa:cipher-suite-algorithm-ref; 761 mandatory true; 762 description 763 "The cipher suite algorithm that the generated key is 764 to work with. Implementations derive the public key 765 algorithm from the cipher suite algorithm. Example: 766 cipher suite 'tls-rsa-with-aes-256-cbc-sha256' maps 767 to the RSA public key."; 768 } 769 leaf bits { 770 type uint16; 771 description 772 "Specifies the number of bits in the key to create. 773 For RSA keys, the minimum size is 1024 bits and 774 the default is 3072 bits. Generally, 3072 bits is 775 considered sufficient. DSA keys must be exactly 1024 776 bits as specified by FIPS 186-2. For elliptical 777 keys, the 'bits' value determines the key length 778 of the curve (e.g., 256, 384 or 521), where valid 779 values supported by the server are conveyed via an 780 unspecified mechanism. For some public algorithms, 781 the keys have a fixed length and the 'bits' value, 782 if specified, will be ignored."; 783 } 784 choice private-key-encoding { 785 default cleartext; 786 description 787 "A choice amongst optional private key handling."; 788 case cleartext { 789 leaf cleartext { 790 type empty; 791 description 792 "Indicates that the private key is to be returned 793 as a cleartext value."; 794 } 795 } 796 case encrypt { 797 if-feature "ct:private-key-encryption"; 798 container encrypt-with { 799 description 800 "Indicates that the key is to be encrypted using 801 the specified symmetric or asymmetric key."; 802 uses ks:encrypted-by-choice-grouping; 803 } 804 } 805 case hide { 806 if-feature "ct:hidden-keys"; 807 leaf hide { 808 type empty; 809 description 810 "Indicates that the private key is to be hidden. 812 Unlike the 'cleartext' and 'encrypt' options, the 813 key returned is a placeholder for an internally 814 stored key. See the 'Support for Built-in Keys' 815 section in RFC CCCC for information about hidden 816 keys."; 817 } 818 } 819 } 820 } 821 output { 822 uses ct:asymmetric-key-pair-grouping; 823 } 825 } // end generate-public-key 827 } 829 831 3. The "ietf-tls-client" Module 833 This section defines a YANG 1.1 [RFC7950] module called "ietf-tls- 834 client". A high-level overview of the module is provided in 835 Section 3.1. Examples illustrating the module's use are provided in 836 Examples (Section 3.2). The YANG module itself is defined in 837 Section 3.3. 839 3.1. Data Model Overview 841 This section provides an overview of the "ietf-tls-client" module in 842 terms of its features and groupings. 844 3.1.1. Features 846 The following diagram lists all the "feature" statements defined in 847 the "ietf-tls-client" module: 849 Features: 850 +-- tls-client-keepalives 851 +-- client-ident-x509-cert 852 +-- client-ident-raw-public-key 853 +-- client-ident-psk 854 +-- server-auth-x509-cert 855 +-- server-auth-raw-public-key 856 +-- server-auth-psk 858 | The diagram above uses syntax that is similar to but not 859 | defined in [RFC8340]. 861 3.1.2. Groupings 863 The "ietf-tls-client" module defines the following "grouping" 864 statement: 866 * tls-client-grouping 868 This grouping is presented in the following subsection. 870 3.1.2.1. The "tls-client-grouping" Grouping 872 The following tree diagram [RFC8340] illustrates the "tls-client- 873 grouping" grouping: 875 =============== NOTE: '\' line wrapping per RFC 8792 ================ 877 grouping tls-client-grouping: 878 +-- client-identity! 879 | +-- (auth-type) 880 | +--:(certificate) {client-ident-x509-cert}? 881 | | +-- certificate 882 | | +---u ks:local-or-keystore-end-entity-cert-with-key-\ 883 grouping 884 | +--:(raw-public-key) {client-ident-raw-public-key}? 885 | | +-- raw-private-key 886 | | +---u ks:local-or-keystore-asymmetric-key-grouping 887 | +--:(tls12-psk) {client-ident-tls12-psk}? 888 | | +-- tls12-psk 889 | | +---u ks:local-or-keystore-symmetric-key-grouping 890 | | +-- id? 891 | | string 892 | +--:(tls13-epsk) {client-ident-tls13-epsk}? 893 | +-- tls13-epsk 894 | +---u ks:local-or-keystore-symmetric-key-grouping 895 | +-- external-identity 896 | | string 897 | +-- hash 898 | | tlscmn:epsk-supported-hash 899 | +-- context? 900 | | string 901 | +-- target-protocol? 902 | | uint16 903 | +-- target-kdf? 904 | uint16 905 +-- server-authentication 906 | +-- ca-certs! {server-auth-x509-cert}? 907 | | +---u ts:local-or-truststore-certs-grouping 908 | +-- ee-certs! {server-auth-x509-cert}? 909 | | +---u ts:local-or-truststore-certs-grouping 910 | +-- raw-public-keys! {server-auth-raw-public-key}? 911 | | +---u ts:local-or-truststore-public-keys-grouping 912 | +-- tls12-psks? empty {server-auth-tls12-psk}? 913 | +-- tls13-epsks? empty {server-auth-tls13-epsk}? 914 +-- hello-params {tlscmn:hello-params}? 915 | +---u tlscmn:hello-params-grouping 916 +-- keepalives {tls-client-keepalives}? 917 +-- peer-allowed-to-send? empty 918 +-- test-peer-aliveness! 919 +-- max-wait? uint16 920 +-- max-attempts? uint8 922 Comments: 924 * The "client-identity" node, which is optionally configured (as 925 client authentication MAY occur at a higher protocol layer), 926 configures identity credentials, each enabled by a "feature" 927 statement defined in Section 3.1.1. 929 * The "server-authentication" node configures trust anchors for 930 authenticating the TLS server, with each option enabled by a 931 "feature" statement. 933 * The "hello-params" node, which must be enabled by a feature, 934 configures parameters for the TLS sessions established by this 935 configuration. 937 * The "keepalives" node, which must be enabled by a feature, 938 configures a "presence" container for testing the aliveness of the 939 TLS server. The aliveness-test occurs at the TLS protocol layer. 941 * For the referenced grouping statement(s): 943 - The "local-or-keystore-end-entity-cert-with-key-grouping" 944 grouping is discussed in Section 2.1.3.6 of 945 [I-D.ietf-netconf-keystore]. 946 - The "local-or-keystore-asymmetric-key-grouping" grouping is 947 discussed in Section 2.1.3.4 of [I-D.ietf-netconf-keystore]. 948 - The "local-or-keystore-symmetric-key-grouping" grouping is 949 discussed in Section 2.1.3.3 of [I-D.ietf-netconf-keystore]. 950 - The "local-or-truststore-certs-grouping" grouping is discussed 951 in Section 2.1.3.1 of [I-D.ietf-netconf-trust-anchors]. 952 - The "local-or-truststore-public-keys-grouping" grouping is 953 discussed in Section 2.1.3.2 of 954 [I-D.ietf-netconf-trust-anchors]. 955 - The "hello-params-grouping" grouping is discussed in 956 Section 2.1.3.1 in this document. 958 3.1.3. Protocol-accessible Nodes 960 The "ietf-tls-client" module defines only "grouping" statements that 961 are used by other modules to instantiate protocol-accessible nodes. 963 3.2. Example Usage 965 This section presents two examples showing the "tls-client-grouping" 966 grouping populated with some data. These examples are effectively 967 the same except the first configures the client identity using a 968 local key while the second uses a key configured in a keystore. Both 969 examples are consistent with the examples presented in Section 2 of 970 [I-D.ietf-netconf-trust-anchors] and Section 3.2 of 971 [I-D.ietf-netconf-keystore]. 973 The following configuration example uses local-definitions for the 974 client identity and server authentication: 976 =============== NOTE: '\' line wrapping per RFC 8792 ================ 978 979 981 984 985 986 987 988 ct:subject-public-key-info-format\ 989 990 BASE64VALUE= 991 ct:rsa-private-key-format 993 BASE64VALUE= 995 BASE64VALUE= 996 997 998 1012 1021 1035 1036 1037 1038 1039 1040 1041 Server Cert Issuer #1 1042 BASE64VALUE= 1043 1044 1045 Server Cert Issuer #2 1046 BASE64VALUE= 1047 1048 1049 1050 1051 1052 1053 My Application #1 1054 BASE64VALUE= 1055 1056 1057 My Application #2 1058 BASE64VALUE= 1059 1060 1061 1062 1063 1064 1065 corp-fw1 1066 ct:subject-public-key-info-fo\ 1067 rmat 1068 BASE64VALUE= 1070 1071 1072 corp-fw2 1073 ct:subject-public-key-info-fo\ 1074 rmat 1075 BASE64VALUE= 1076 1077 1078 1079 1080 1081 1082 1083 1084 30 1085 3 1086 1087 1088 1090 The following configuration example uses keystore-references for the 1091 client identity and truststore-references for server authentication: 1092 from the keystore: 1094 =============== NOTE: '\' line wrapping per RFC 8792 ================ 1096 1097 1099 1100 1101 1102 1103 1104 rsa-asymmetric-key 1105 ex-rsa-cert 1106 1107 1108 1114 1121 1133 1134 1135 1136 1137 trusted-server-ca-certs 1139 1140 1141 trusted-server-ee-certs 1143 1144 1145 Raw Public Keys for TLS Servers 1147 1148 1149 1150 1151 1152 1153 30 1154 3 1155 1156 1157 1159 3.3. YANG Module 1161 This YANG module has normative references to 1162 [I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore], and 1163 Informative references to [RFC5246], [RFC8446], 1164 [I-D.ietf-tls-external-psk-importer] and 1165 [I-D.ietf-tls-external-psk-guidance]. 1167 file "ietf-tls-client@2022-05-24.yang" 1169 module ietf-tls-client { 1170 yang-version 1.1; 1171 namespace "urn:ietf:params:xml:ns:yang:ietf-tls-client"; 1172 prefix tlsc; 1174 import ietf-netconf-acm { 1175 prefix nacm; 1176 reference 1177 "RFC 8341: Network Configuration Access Control Model"; 1178 } 1180 import ietf-crypto-types { 1181 prefix ct; 1182 reference 1183 "RFC AAAA: YANG Data Types and Groupings for Cryptography"; 1184 } 1186 import ietf-truststore { 1187 prefix ts; 1188 reference 1189 "RFC BBBB: A YANG Data Model for a Truststore"; 1190 } 1192 import ietf-keystore { 1193 prefix ks; 1194 reference 1195 "RFC CCCC: A YANG Data Model for a Keystore"; 1196 } 1198 import ietf-tls-common { 1199 prefix tlscmn; 1200 revision-date 2022-05-24; // stable grouping definitions 1201 reference 1202 "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; 1203 } 1205 organization 1206 "IETF NETCONF (Network Configuration) Working Group"; 1208 contact 1209 "WG List: NETCONF WG list 1210 WG Web: https://datatracker.ietf.org/wg/netconf 1211 Author: Kent Watsen 1212 Author: Jeff Hartley 1213 Author: Gary Wu "; 1215 description 1216 "This module defines reusable groupings for TLS clients that 1217 can be used as a basis for specific TLS client instances. 1219 Copyright (c) 2022 IETF Trust and the persons identified 1220 as authors of the code. All rights reserved. 1222 Redistribution and use in source and binary forms, with 1223 or without modification, is permitted pursuant to, and 1224 subject to the license terms contained in, the Revised 1225 BSD License set forth in Section 4.c of the IETF Trust's 1226 Legal Provisions Relating to IETF Documents 1227 (https://trustee.ietf.org/license-info). 1229 This version of this YANG module is part of RFC FFFF 1230 (https://www.rfc-editor.org/info/rfcFFFF); see the RFC 1231 itself for full legal notices. 1233 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 1234 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 1235 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document 1236 are to be interpreted as described in BCP 14 (RFC 2119) 1237 (RFC 8174) when, and only when, they appear in all 1238 capitals, as shown here."; 1240 revision 2022-05-24 { 1241 description 1242 "Initial version"; 1243 reference 1244 "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; 1245 } 1247 // Features 1249 feature tls-client-keepalives { 1250 description 1251 "Per socket TLS keepalive parameters are configurable for 1252 TLS clients on the server implementing this feature."; 1253 } 1255 feature client-ident-x509-cert { 1256 description 1257 "Indicates that the client supports identifying itself 1258 using X.509 certificates."; 1259 reference 1260 "RFC 5280: 1261 Internet X.509 Public Key Infrastructure Certificate 1262 and Certificate Revocation List (CRL) Profile"; 1264 } 1266 feature client-ident-raw-public-key { 1267 description 1268 "Indicates that the client supports identifying itself 1269 using raw public keys."; 1270 reference 1271 "RFC 7250: 1272 Using Raw Public Keys in Transport Layer Security (TLS) 1273 and Datagram Transport Layer Security (DTLS)"; 1274 } 1276 feature client-ident-tls12-psk { 1277 description 1278 "Indicates that the client supports identifying itself 1279 using TLS-1.2 PSKs (pre-shared or pairwise-symmetric keys)."; 1280 reference 1281 "RFC 4279: 1282 Pre-Shared Key Ciphersuites for Transport Layer Security 1283 (TLS)"; 1284 } 1286 feature client-ident-tls13-epsk { 1287 description 1288 "Indicates that the client supports identifying itself 1289 using TLS-1.3 External PSKs (pre-shared keys)."; 1290 reference 1291 "RFC 8446: 1292 The Transport Layer Security (TLS) Protocol Version 1.3"; 1293 } 1295 feature server-auth-x509-cert { 1296 description 1297 "Indicates that the client supports authenticating servers 1298 using X.509 certificates."; 1299 reference 1300 "RFC 5280: 1301 Internet X.509 Public Key Infrastructure Certificate 1302 and Certificate Revocation List (CRL) Profile"; 1303 } 1305 feature server-auth-raw-public-key { 1306 description 1307 "Indicates that the client supports authenticating servers 1308 using raw public keys."; 1309 reference 1310 "RFC 7250: 1311 Using Raw Public Keys in Transport Layer Security (TLS) 1312 and Datagram Transport Layer Security (DTLS)"; 1313 } 1315 feature server-auth-tls12-psk { 1316 description 1317 "Indicates that the client supports authenticating servers 1318 using PSKs (pre-shared or pairwise-symmetric keys)."; 1319 reference 1320 "RFC 4279: 1321 Pre-Shared Key Ciphersuites for Transport Layer Security 1322 (TLS)"; 1323 } 1325 feature server-auth-tls13-epsk { 1326 description 1327 "Indicates that the client supports authenticating servers 1328 using TLS-1.3 External PSKs (pre-shared keys)."; 1329 reference 1330 "RFC 8446: 1331 The Transport Layer Security (TLS) Protocol Version 1.3"; 1332 } 1334 // Groupings 1336 grouping tls-client-grouping { 1337 description 1338 "A reusable grouping for configuring a TLS client without 1339 any consideration for how an underlying TCP session is 1340 established. 1342 Note that this grouping uses fairly typical descendant 1343 node names such that a stack of 'uses' statements will 1344 have name conflicts. It is intended that the consuming 1345 data model will resolve the issue (e.g., by wrapping 1346 the 'uses' statement in a container called 1347 'tls-client-parameters'). This model purposely does 1348 not do this itself so as to provide maximum flexibility 1349 to consuming models."; 1351 container client-identity { 1352 nacm:default-deny-write; 1353 presence 1354 "Indicates that a TLS-level client identity has been 1355 configured. This statement is present so the mandatory 1356 descendant do not imply that this node must be configured."; 1357 description 1358 "Identity credentials the TLS client MAY present when 1359 establishing a connection to a TLS server. If not 1360 configured, then client authentication is presumed to 1361 occur a protocol layer above TLS. When configured, 1362 and requested by the TLS server when establishing a 1363 TLS session, these credentials are passed in the 1364 Certificate message defined in Section 7.4.2 of 1365 RFC 5246 and Section 4.4.2 in RFC 8446."; 1366 reference 1367 "RFC 5246: The Transport Layer Security (TLS) 1368 Protocol Version 1.2 1369 RFC 8446: The Transport Layer Security (TLS) 1370 Protocol Version 1.3 1371 RFC CCCC: A YANG Data Model for a Keystore"; 1372 choice auth-type { 1373 mandatory true; 1374 description 1375 "A choice amongst authentication types, of which one must 1376 be enabled (via its associated 'feature') and selected."; 1377 case certificate { 1378 if-feature "client-ident-x509-cert"; 1379 container certificate { 1380 description 1381 "Specifies the client identity using a certificate."; 1382 uses 1383 ks:local-or-keystore-end-entity-cert-with-key-grouping{ 1384 refine "local-or-keystore/local/local-definition" { 1385 must 'public-key-format' 1386 + ' = "ct:subject-public-key-info-format"'; 1387 } 1388 refine "local-or-keystore/keystore/keystore-reference" 1389 + "/asymmetric-key" { 1390 must 'deref(.)/../ks:public-key-format' 1391 + ' = "ct:subject-public-key-info-format"'; 1392 } 1393 } 1394 } 1395 } 1396 case raw-public-key { 1397 if-feature "client-ident-raw-public-key"; 1398 container raw-private-key { 1399 description 1400 "Specifies the client identity using a raw 1401 private key."; 1402 uses ks:local-or-keystore-asymmetric-key-grouping { 1403 refine "local-or-keystore/local/local-definition" { 1404 must 'public-key-format' 1405 + ' = "ct:subject-public-key-info-format"'; 1406 } 1407 refine "local-or-keystore/keystore" 1408 + "/keystore-reference" { 1409 must 'deref(.)/../ks:public-key-format' 1410 + ' = "ct:subject-public-key-info-format"'; 1411 } 1412 } 1413 } 1414 } 1415 case tls12-psk { 1416 if-feature "client-ident-tls12-psk"; 1417 container tls12-psk { 1418 description 1419 "Specifies the client identity using a PSK (pre-shared 1420 or pairwise-symmetric key)."; 1421 uses ks:local-or-keystore-symmetric-key-grouping; 1422 leaf id { 1423 type string; 1424 description 1425 "The key 'psk_identity' value used in the TLS 1426 'ClientKeyExchange' message."; 1427 reference 1428 "RFC 4279: Pre-Shared Key Ciphersuites for 1429 Transport Layer Security (TLS)"; 1430 } 1431 } 1432 } 1433 case tls13-epsk { 1434 if-feature "client-ident-tls13-epsk"; 1435 container tls13-epsk { 1436 description 1437 "An External Pre-Shared Key (EPSK) is established 1438 or provisioned out-of-band, i.e., not from a TLS 1439 connection. An EPSK is a tuple of (Base Key, 1440 External Identity, Hash). External PSKs MUST NOT 1441 be imported for (D)TLS 1.2 or prior versions. When 1442 PSKs are provisioned out of band, the PSK identity 1443 and the KDF hash algorithm to be used with the PSK 1444 MUST also be provisioned. 1446 The structure of this container is designed 1447 to satisfy the requirements of RFC 8446 1448 Section 4.2.11, the recommendations from I-D 1449 ietf-tls-external-psk-guidance Section 6, 1450 and the EPSK input fields detailed in I-D 1451 draft-ietf-tls-external-psk-importer 1452 Section 3.1. The base-key is based upon 1453 ks:local-or-keystore-symmetric-key-grouping 1454 in order to provide users with flexible and 1455 secure storage options."; 1457 reference 1458 "RFC 8446: The Transport Layer Security (TLS) 1459 Protocol Version 1.3 1460 I-D.ietf-tls-external-psk-importer: 1461 Importing External PSKs for TLS 1462 I-D.ietf-tls-external-psk-guidance: 1463 Guidance for External PSK Usage in TLS"; 1464 uses ks:local-or-keystore-symmetric-key-grouping; 1465 leaf external-identity { 1466 type string; 1467 mandatory true; 1468 description 1469 "As per Section 4.2.11 of RFC 8446, and Section 4.1 1470 of I-D. ietf-tls-external-psk-guidance: 1471 A sequence of bytes used to identify an EPSK. A 1472 label for a pre-shared key established externally."; 1473 reference 1474 "RFC 8446: The Transport Layer Security (TLS) 1475 Protocol Version 1.3 1476 I-D.ietf-tls-external-psk-guidance: 1477 Guidance for External PSK Usage in TLS"; 1478 } 1479 leaf hash { 1480 type tlscmn:epsk-supported-hash; 1481 mandatory true; 1482 description 1483 "As per Section 4.2.11 of RFC 8446, for externally 1484 established PSKs, the Hash algorithm MUST be set 1485 when the PSK is established or default to SHA-256 1486 if no such algorithm is defined. The server MUST 1487 ensure that it selects a compatible PSK (if any) 1488 and cipher suite. Each PSK MUST only be used with 1489 a single hash function."; 1490 reference 1491 "RFC 8446: The Transport Layer Security (TLS) 1492 Protocol Version 1.3"; 1493 } 1494 leaf context { 1495 type string; 1496 description 1497 "As per Section 4.1 of I-D. 1498 ietf-tls-external-psk-guidance: Context may include 1499 information about peer roles or identities to 1500 mitigate Selfie-style reflection attacks [Selfie]. 1501 If the EPSK is a key derived from some other 1502 protocol or sequence of protocols, context 1503 MUST include a channel binding for the deriving 1504 protocols [RFC5056]. The details of this binding 1505 are protocol specific."; 1506 reference 1507 "I-D.ietf-tls-external-psk-importer: 1508 Importing External PSKs for TLS 1509 I-D.ietf-tls-external-psk-guidance: 1510 Guidance for External PSK Usage in TLS"; 1511 } 1512 leaf target-protocol { 1513 type uint16; 1514 description 1515 "As per Section 3.1 of I-D. 1516 ietf-tls-external-psk-guidance: 1517 The protocol for which a PSK is imported for use."; 1518 reference 1519 "I-D.ietf-tls-external-psk-importer: 1520 Importing External PSKs for TLS"; 1521 } 1522 leaf target-kdf { 1523 type uint16; 1524 description 1525 "As per Section 3.1 of I-D. 1526 ietf-tls-external-psk-guidance: 1527 The specific Key Derivation Function (KDF) for which 1528 a PSK is imported for use."; 1529 reference 1530 "I-D.ietf-tls-external-psk-importer: 1531 Importing External PSKs for TLS"; 1532 } 1533 } 1534 } 1535 } 1536 } // container client-identity 1538 container server-authentication { 1539 nacm:default-deny-write; 1540 must 'ca-certs or ee-certs or raw-public-keys or tls12-psks 1541 or tls13-epsks'; 1542 description 1543 "Specifies how the TLS client can authenticate TLS servers. 1544 Any combination of credentials is additive and unordered. 1546 Note that no configuration is required for PSK (pre-shared 1547 or pairwise-symmetric key) based authentication as the key 1548 is necessarily the same as configured in the '../client- 1549 identity' node."; 1550 container ca-certs { 1551 if-feature "server-auth-x509-cert"; 1552 presence 1553 "Indicates that CA certificates have been configured. 1554 This statement is present so the mandatory descendant 1555 nodes do not imply that this node must be configured."; 1556 description 1557 "A set of certificate authority (CA) certificates used by 1558 the TLS client to authenticate TLS server certificates. 1559 A server certificate is authenticated if it has a valid 1560 chain of trust to a configured CA certificate."; 1561 reference 1562 "RFC BBBB: A YANG Data Model for a Truststore"; 1563 uses ts:local-or-truststore-certs-grouping; 1564 } 1565 container ee-certs { 1566 if-feature "server-auth-x509-cert"; 1567 presence 1568 "Indicates that EE certificates have been configured. 1569 This statement is present so the mandatory descendant 1570 nodes do not imply that this node must be configured."; 1571 description 1572 "A set of server certificates (i.e., end entity 1573 certificates) used by the TLS client to authenticate 1574 certificates presented by TLS servers. A server 1575 certificate is authenticated if it is an exact 1576 match to a configured server certificate."; 1577 reference 1578 "RFC BBBB: A YANG Data Model for a Truststore"; 1579 uses ts:local-or-truststore-certs-grouping; 1580 } 1581 container raw-public-keys { 1582 if-feature "server-auth-raw-public-key"; 1583 presence 1584 "Indicates that raw public keys have been configured. 1585 This statement is present so the mandatory descendant 1586 nodes do not imply that this node must be configured."; 1587 description 1588 "A set of raw public keys used by the TLS client to 1589 authenticate raw public keys presented by the TLS 1590 server. A raw public key is authenticated if it 1591 is an exact match to a configured raw public key."; 1592 reference 1593 "RFC BBBB: A YANG Data Model for a Truststore"; 1594 uses ts:local-or-truststore-public-keys-grouping { 1595 refine "local-or-truststore/local/local-definition" 1596 + "/public-key" { 1597 must 'public-key-format' 1598 + ' = "ct:subject-public-key-info-format"'; 1599 } 1600 refine "local-or-truststore/truststore" 1601 + "/truststore-reference" { 1602 must 'deref(.)/../*/ts:public-key-format' 1603 + ' = "ct:subject-public-key-info-format"'; 1604 } 1605 } 1606 } 1607 leaf tls12-psks { 1608 if-feature "server-auth-tls12-psk"; 1609 type empty; 1610 description 1611 "Indicates that the TLS client can authenticate TLS servers 1612 using configure PSKs (pre-shared or pairwise-symmetric 1613 keys). 1615 No configuration is required since the PSK value is the 1616 same as PSK value configured in the 'client-identity' 1617 node."; 1618 } 1619 leaf tls13-epsks { 1620 if-feature "server-auth-tls13-epsk"; 1621 type empty; 1622 description 1623 "Indicates that the TLS client can authenticate TLS servers 1624 using configured external PSKs (pre-shared keys). 1626 No configuration is required since the PSK value is the 1627 same as PSK value configured in the 'client-identity' 1628 node."; 1629 } 1630 } // container server-authentication 1632 container hello-params { 1633 nacm:default-deny-write; 1634 if-feature "tlscmn:hello-params"; 1635 uses tlscmn:hello-params-grouping; 1636 description 1637 "Configurable parameters for the TLS hello message."; 1638 } // container hello-params 1640 container keepalives { 1641 nacm:default-deny-write; 1642 if-feature "tls-client-keepalives"; 1643 description 1644 "Configures the keepalive policy for the TLS client."; 1645 leaf peer-allowed-to-send { 1646 type empty; 1647 description 1648 "Indicates that the remote TLS server is allowed to send 1649 HeartbeatRequest messages, as defined by RFC 6520 1650 to this TLS client."; 1651 reference 1652 "RFC 6520: Transport Layer Security (TLS) and Datagram 1653 Transport Layer Security (DTLS) Heartbeat Extension"; 1654 } 1655 container test-peer-aliveness { 1656 presence 1657 "Indicates that the TLS client proactively tests the 1658 aliveness of the remote TLS server."; 1659 description 1660 "Configures the keep-alive policy to proactively test 1661 the aliveness of the TLS server. An unresponsive 1662 TLS server is dropped after approximately max-wait 1663 * max-attempts seconds. The TLS client MUST send 1664 HeartbeatRequest messages, as defined by RFC 6520."; 1665 reference 1666 "RFC 6520: Transport Layer Security (TLS) and Datagram 1667 Transport Layer Security (DTLS) Heartbeat Extension"; 1668 leaf max-wait { 1669 type uint16 { 1670 range "1..max"; 1671 } 1672 units "seconds"; 1673 default "30"; 1674 description 1675 "Sets the amount of time in seconds after which if 1676 no data has been received from the TLS server, a 1677 TLS-level message will be sent to test the 1678 aliveness of the TLS server."; 1679 } 1680 leaf max-attempts { 1681 type uint8; 1682 default "3"; 1683 description 1684 "Sets the maximum number of sequential keep-alive 1685 messages that can fail to obtain a response from 1686 the TLS server before assuming the TLS server is 1687 no longer alive."; 1688 } 1689 } 1690 } 1691 } // grouping tls-client-grouping 1693 } 1695 1697 4. The "ietf-tls-server" Module 1699 This section defines a YANG 1.1 module called "ietf-tls-server". A 1700 high-level overview of the module is provided in Section 4.1. 1701 Examples illustrating the module's use are provided in Examples 1702 (Section 4.2). The YANG module itself is defined in Section 4.3. 1704 4.1. Data Model Overview 1706 This section provides an overview of the "ietf-tls-server" module in 1707 terms of its features and groupings. 1709 4.1.1. Features 1711 The following diagram lists all the "feature" statements defined in 1712 the "ietf-tls-server" module: 1714 Features: 1715 +-- tls-server-keepalives 1716 +-- server-ident-x509-cert 1717 +-- server-ident-raw-public-key 1718 +-- server-ident-psk 1719 +-- client-auth-supported 1720 +-- client-auth-x509-cert 1721 +-- client-auth-raw-public-key 1722 +-- client-auth-psk 1724 | The diagram above uses syntax that is similar to but not 1725 | defined in [RFC8340]. 1727 4.1.2. Groupings 1729 The "ietf-tls-server" module defines the following "grouping" 1730 statement: 1732 * tls-server-grouping 1734 This grouping is presented in the following subsection. 1736 4.1.2.1. The "tls-server-grouping" Grouping 1738 The following tree diagram [RFC8340] illustrates the "tls-server- 1739 grouping" grouping: 1741 =============== NOTE: '\' line wrapping per RFC 8792 ================ 1743 grouping tls-server-grouping: 1744 +-- server-identity 1745 | +-- (auth-type) 1746 | +--:(certificate) {server-ident-x509-cert}? 1747 | | +-- certificate 1748 | | +---u ks:local-or-keystore-end-entity-cert-with-key-\ 1749 grouping 1750 | +--:(raw-private-key) {server-ident-raw-public-key}? 1751 | | +-- raw-private-key 1752 | | +---u ks:local-or-keystore-asymmetric-key-grouping 1753 | +--:(tls12-psk) {server-ident-tls12-psk}? 1754 | | +-- tls12-psk 1755 | | +---u ks:local-or-keystore-symmetric-key-grouping 1756 | | +-- id_hint? 1757 | | string 1758 | +--:(tls13-epsk) {server-ident-tls13-epsk}? 1759 | +-- tls13-epsk 1760 | +---u ks:local-or-keystore-symmetric-key-grouping 1761 | +-- external-identity 1762 | | string 1763 | +-- hash 1764 | | tlscmn:epsk-supported-hash 1765 | +-- context? 1766 | | string 1767 | +-- target-protocol? 1768 | | uint16 1769 | +-- target-kdf? 1770 | uint16 1771 +-- client-authentication! {client-auth-supported}? 1772 | +-- ca-certs! {client-auth-x509-cert}? 1773 | | +---u ts:local-or-truststore-certs-grouping 1774 | +-- ee-certs! {client-auth-x509-cert}? 1775 | | +---u ts:local-or-truststore-certs-grouping 1776 | +-- raw-public-keys! {client-auth-raw-public-key}? 1777 | | +---u ts:local-or-truststore-public-keys-grouping 1778 | +-- tls12-psks? empty {client-auth-tls12-psk}? 1779 | +-- tls13-epsks? empty {client-auth-tls13-epsk}? 1780 +-- hello-params {tlscmn:hello-params}? 1781 | +---u tlscmn:hello-params-grouping 1782 +-- keepalives {tls-server-keepalives}? 1783 +-- peer-allowed-to-send? empty 1784 +-- test-peer-aliveness! 1785 +-- max-wait? uint16 1786 +-- max-attempts? uint8 1788 Comments: 1790 * The "server-identity" node configures identity credentials, each 1791 of which is enabled by a "feature". 1793 * The "client-authentication" node, which is optionally configured 1794 (as client authentication MAY occur at a higher protocol layer), 1795 configures trust anchors for authenticating the TLS client, with 1796 each option enabled by a "feature" statement. 1798 * The "hello-params" node, which must be enabled by a feature, 1799 configures parameters for the TLS sessions established by this 1800 configuration. 1802 * The "keepalives" node, which must be enabled by a feature, 1803 configures a flag enabling the TLS client to test the aliveness of 1804 the TLS server, as well as a "presence" container for testing the 1805 aliveness of the TLSi client. The aliveness-tests occurs at the 1806 TLS protocol layer. 1808 * For the referenced grouping statement(s): 1810 - The "local-or-keystore-end-entity-cert-with-key-grouping" 1811 grouping is discussed in Section 2.1.3.6 of 1812 [I-D.ietf-netconf-keystore]. 1813 - The "local-or-keystore-asymmetric-key-grouping" grouping is 1814 discussed in Section 2.1.3.4 of [I-D.ietf-netconf-keystore]. 1815 - The "local-or-keystore-symmetric-key-grouping" grouping is 1816 discussed in Section 2.1.3.3 of [I-D.ietf-netconf-keystore]. 1817 - The "local-or-truststore-public-keys-grouping" grouping is 1818 discussed in Section 2.1.3.2 of 1819 [I-D.ietf-netconf-trust-anchors]. 1820 - The "local-or-truststore-certs-grouping" grouping is discussed 1821 in Section 2.1.3.1 of [I-D.ietf-netconf-trust-anchors]. 1822 - The "hello-params-grouping" grouping is discussed in 1823 Section 2.1.3.1 in this document. 1825 4.1.3. Protocol-accessible Nodes 1827 The "ietf-tls-server" module defines only "grouping" statements that 1828 are used by other modules to instantiate protocol-accessible nodes. 1830 4.2. Example Usage 1832 This section presents two examples showing the "tls-server-grouping" 1833 grouping populated with some data. These examples are effectively 1834 the same except the first configures the server identity using a 1835 local key while the second uses a key configured in a keystore. Both 1836 examples are consistent with the examples presented in Section 2 of 1837 [I-D.ietf-netconf-trust-anchors] and Section 3.2 of 1839 [I-D.ietf-netconf-keystore]. 1841 The following configuration example uses local-definitions for the 1842 server identity and client authentication: 1844 =============== NOTE: '\' line wrapping per RFC 8792 ================ 1846 1847 1849 1852 1853 1854 1855 1856 ct:subject-public-key-info-format\ 1857 1858 BASE64VALUE= 1859 ct:rsa-private-key-format 1861 BASE64VALUE= 1863 BASE64VALUE= 1864 1865 1866 1880 1890 1904 1905 1906 1907 1908 1909 1910 Identity Cert Issuer #1 1911 BASE64VALUE= 1912 1913 1914 Identity Cert Issuer #2 1915 BASE64VALUE= 1916 1917 1918 1919 1920 1921 1922 Application #1 1923 BASE64VALUE= 1924 1925 1926 Application #2 1927 BASE64VALUE= 1928 1929 1930 1931 1932 1933 1934 User A 1935 ct:subject-public-key-info-fo\ 1937 rmat 1938 BASE64VALUE= 1939 1940 1941 User B 1942 ct:subject-public-key-info-fo\ 1943 rmat 1944 BASE64VALUE= 1945 1946 1947 1948 1949 1950 1951 1952 1953 1954 1956 The following configuration example uses keystore-references for the 1957 server identity and truststore-references for client authentication: 1958 from the keystore: 1960 =============== NOTE: '\' line wrapping per RFC 8792 ================ 1962 1963 1965 1966 1967 1968 1969 1970 rsa-asymmetric-key 1971 ex-rsa-cert 1972 1973 1974 1980 1988 2000 2001 2002 2003 2004 trusted-client-ca-certs 2006 2007 2008 trusted-client-ee-certs 2010 2011 2012 Raw Public Keys for TLS Clients 2014 2015 2016 2017 2018 2019 2020 2021 2023 4.3. YANG Module 2025 This YANG module has normative references to 2026 [I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore], and 2027 Informative references to [RFC5246], [RFC8446], 2028 [I-D.ietf-tls-external-psk-importer] and 2029 [I-D.ietf-tls-external-psk-guidance]. 2031 file "ietf-tls-server@2022-05-24.yang" 2032 module ietf-tls-server { 2033 yang-version 1.1; 2034 namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server"; 2035 prefix tlss; 2037 import ietf-netconf-acm { 2038 prefix nacm; 2039 reference 2040 "RFC 8341: Network Configuration Access Control Model"; 2041 } 2043 import ietf-crypto-types { 2044 prefix ct; 2045 reference 2046 "RFC AAAA: YANG Data Types and Groupings for Cryptography"; 2047 } 2049 import ietf-truststore { 2050 prefix ts; 2051 reference 2052 "RFC BBBB: A YANG Data Model for a Truststore"; 2053 } 2055 import ietf-keystore { 2056 prefix ks; 2057 reference 2058 "RFC CCCC: A YANG Data Model for a Keystore"; 2059 } 2061 import ietf-tls-common { 2062 prefix tlscmn; 2063 revision-date 2022-05-24; // stable grouping definitions 2064 reference 2065 "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; 2066 } 2068 organization 2069 "IETF NETCONF (Network Configuration) Working Group"; 2071 contact 2072 "WG List: NETCONF WG list 2073 WG Web: https://datatracker.ietf.org/wg/netconf 2074 Author: Kent Watsen 2075 Author: Jeff Hartley 2076 Author: Gary Wu "; 2078 description 2079 "This module defines reusable groupings for TLS servers that 2080 can be used as a basis for specific TLS server instances. 2082 Copyright (c) 2022 IETF Trust and the persons identified 2083 as authors of the code. All rights reserved. 2085 Redistribution and use in source and binary forms, with 2086 or without modification, is permitted pursuant to, and 2087 subject to the license terms contained in, the Revised 2088 BSD License set forth in Section 4.c of the IETF Trust's 2089 Legal Provisions Relating to IETF Documents 2090 (https://trustee.ietf.org/license-info). 2092 This version of this YANG module is part of RFC FFFF 2093 (https://www.rfc-editor.org/info/rfcFFFF); see the RFC 2094 itself for full legal notices. 2096 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 2097 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 2098 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document 2099 are to be interpreted as described in BCP 14 (RFC 2119) 2100 (RFC 8174) when, and only when, they appear in all 2101 capitals, as shown here."; 2103 revision 2022-05-24 { 2104 description 2105 "Initial version"; 2106 reference 2107 "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; 2108 } 2110 // Features 2112 feature tls-server-keepalives { 2113 description 2114 "Per socket TLS keepalive parameters are configurable for 2115 TLS servers on the server implementing this feature."; 2116 } 2118 feature server-ident-x509-cert { 2119 description 2120 "Indicates that the server supports identifying itself 2121 using X.509 certificates."; 2122 reference 2123 "RFC 5280: 2124 Internet X.509 Public Key Infrastructure Certificate 2125 and Certificate Revocation List (CRL) Profile"; 2126 } 2127 feature server-ident-raw-public-key { 2128 description 2129 "Indicates that the server supports identifying itself 2130 using raw public keys."; 2131 reference 2132 "RFC 7250: 2133 Using Raw Public Keys in Transport Layer Security (TLS) 2134 and Datagram Transport Layer Security (DTLS)"; 2135 } 2137 feature server-ident-tls12-psk { 2138 description 2139 "Indicates that the server supports identifying itself 2140 using TLS-1.2 PSKs (pre-shared or pairwise-symmetric keys)."; 2141 reference 2142 "RFC 4279: 2143 Pre-Shared Key Ciphersuites for Transport Layer Security 2144 (TLS)"; 2145 } 2147 feature server-ident-tls13-epsk { 2148 description 2149 "Indicates that the server supports identifying itself 2150 using TLS-1.3 External PSKs (pre-shared keys)."; 2151 reference 2152 "RFC 8446: 2153 The Transport Layer Security (TLS) Protocol Version 1.3"; 2154 } 2156 feature client-auth-supported { 2157 description 2158 "Indicates that the configuration for how to authenticate 2159 clients can be configured herein. TLS-level client 2160 authentication may not be needed when client authentication 2161 is expected to occur only at another protocol layer."; 2162 } 2164 feature client-auth-x509-cert { 2165 description 2166 "Indicates that the server supports authenticating clients 2167 using X.509 certificates."; 2168 reference 2169 "RFC 5280: 2170 Internet X.509 Public Key Infrastructure Certificate 2171 and Certificate Revocation List (CRL) Profile"; 2172 } 2174 feature client-auth-raw-public-key { 2175 description 2176 "Indicates that the server supports authenticating clients 2177 using raw public keys."; 2178 reference 2179 "RFC 7250: 2180 Using Raw Public Keys in Transport Layer Security (TLS) 2181 and Datagram Transport Layer Security (DTLS)"; 2182 } 2184 feature client-auth-tls12-psk { 2185 description 2186 "Indicates that the server supports authenticating clients 2187 using PSKs (pre-shared or pairwise-symmetric keys)."; 2188 reference 2189 "RFC 4279: 2190 Pre-Shared Key Ciphersuites for Transport Layer Security 2191 (TLS)"; 2192 } 2194 feature client-auth-tls13-epsk { 2195 description 2196 "Indicates that the server supports authenticating clients 2197 using TLS-1.3 External PSKs (pre-shared keys)."; 2198 reference 2199 "RFC 8446: 2200 The Transport Layer Security (TLS) Protocol Version 1.3"; 2201 } 2203 // Groupings 2205 grouping tls-server-grouping { 2206 description 2207 "A reusable grouping for configuring a TLS server without 2208 any consideration for how underlying TCP sessions are 2209 established. 2211 Note that this grouping uses fairly typical descendant 2212 node names such that a stack of 'uses' statements will 2213 have name conflicts. It is intended that the consuming 2214 data model will resolve the issue (e.g., by wrapping 2215 the 'uses' statement in a container called 2216 'tls-server-parameters'). This model purposely does 2217 not do this itself so as to provide maximum flexibility 2218 to consuming models."; 2220 container server-identity { 2221 nacm:default-deny-write; 2222 description 2223 "A locally-defined or referenced end-entity certificate, 2224 including any configured intermediate certificates, the 2225 TLS server will present when establishing a TLS connection 2226 in its Certificate message, as defined in Section 7.4.2 2227 in RFC 5246 and Section 4.4.2 in RFC 8446."; 2228 reference 2229 "RFC 5246: The Transport Layer Security (TLS) Protocol 2230 Version 1.2 2231 RFC 8446: The Transport Layer Security (TLS) Protocol 2232 Version 1.3 2233 RFC CCCC: A YANG Data Model for a Keystore"; 2234 choice auth-type { 2235 mandatory true; 2236 description 2237 "A choice amongst authentication types, of which one must 2238 be enabled (via its associated 'feature') and selected."; 2239 case certificate { 2240 if-feature "server-ident-x509-cert"; 2241 container certificate { 2242 description 2243 "Specifies the server identity using a certificate."; 2244 uses 2245 ks:local-or-keystore-end-entity-cert-with-key-grouping{ 2246 refine "local-or-keystore/local/local-definition" { 2247 must 'public-key-format' 2248 + ' = "ct:subject-public-key-info-format"'; 2249 } 2250 refine "local-or-keystore/keystore/keystore-reference" 2251 + "/asymmetric-key" { 2252 must 'deref(.)/../ks:public-key-format' 2253 + ' = "ct:subject-public-key-info-format"'; 2254 } 2255 } 2256 } 2257 } 2258 case raw-private-key { 2259 if-feature "server-ident-raw-public-key"; 2260 container raw-private-key { 2261 description 2262 "Specifies the server identity using a raw 2263 private key."; 2264 uses ks:local-or-keystore-asymmetric-key-grouping { 2265 refine "local-or-keystore/local/local-definition" { 2266 must 'public-key-format' 2267 + ' = "ct:subject-public-key-info-format"'; 2268 } 2269 refine "local-or-keystore/keystore/keystore-reference"{ 2270 must 'deref(.)/../ks:public-key-format' 2271 + ' = "ct:subject-public-key-info-format"'; 2272 } 2273 } 2274 } 2275 } 2276 case tls12-psk { 2277 if-feature "server-ident-tls12-psk"; 2278 container tls12-psk { 2279 description 2280 "Specifies the server identity using a PSK (pre-shared 2281 or pairwise-symmetric key)."; 2282 uses ks:local-or-keystore-symmetric-key-grouping; 2283 leaf id_hint { 2284 type string; 2285 description 2286 "The key 'psk_identity_hint' value used in the TLS 2287 'ServerKeyExchange' message."; 2288 reference 2289 "RFC 4279: Pre-Shared Key Ciphersuites for 2290 Transport Layer Security (TLS)"; 2291 } 2292 } 2293 } 2294 case tls13-epsk { 2295 if-feature "server-ident-tls13-epsk"; 2296 container tls13-epsk { 2297 description 2298 "An External Pre-Shared Key (EPSK) is established 2299 or provisioned out-of-band, i.e., not from a TLS 2300 connection. An EPSK is a tuple of (Base Key, 2301 External Identity, Hash). External PSKs MUST 2302 NOT be imported for (D)TLS 1.2 or prior versions. 2303 When PSKs are provisioned out of band, the PSK 2304 identity and the KDF hash algorithm to be used 2305 with the PSK MUST also be provisioned. 2307 The structure of this container is designed 2308 to satisfy the requirements of RFC 8446 2309 Section 4.2.11, the recommendations from 2310 I-D ietf-tls-external-psk-guidance Section 6, 2311 and the EPSK input fields detailed in 2312 I-D draft-ietf-tls-external-psk-importer 2313 Section 3.1. The base-key is based upon 2314 ks:local-or-keystore-symmetric-key-grouping 2315 in order to provide users with flexible and 2316 secure storage options."; 2317 reference 2318 "RFC 8446: The Transport Layer Security (TLS) 2319 Protocol Version 1.3 2320 I-D.ietf-tls-external-psk-importer: Importing 2321 External PSKs for TLS 2322 I-D.ietf-tls-external-psk-guidance: Guidance 2323 for External PSK Usage in TLS"; 2324 uses ks:local-or-keystore-symmetric-key-grouping; 2325 leaf external-identity { 2326 type string; 2327 mandatory true; 2328 description 2329 "As per Section 4.2.11 of RFC 8446, and Section 4.1 2330 of I-D. ietf-tls-external-psk-guidance: A sequence 2331 of bytes used to identify an EPSK. A label for a 2332 pre-shared key established externally."; 2333 reference 2334 "RFC 8446: The Transport Layer Security (TLS) 2335 Protocol Version 1.3 2336 I-D.ietf-tls-external-psk-guidance: 2337 Guidance for External PSK Usage in TLS"; 2338 } 2339 leaf hash { 2340 type tlscmn:epsk-supported-hash; 2341 mandatory true; 2342 description 2343 "As per Section 4.2.11 of RFC 8446, for externally 2344 established PSKs, the Hash algorithm MUST be set 2345 when the PSK is established or default to SHA-256 2346 if no such algorithm is defined. The server MUST 2347 ensure that it selects a compatible PSK (if any) 2348 and cipher suite. Each PSK MUST only be used 2349 with a single hash function."; 2350 reference 2351 "RFC 8446: The Transport Layer Security (TLS) 2352 Protocol Version 1.3"; 2353 } 2354 leaf context { 2355 type string; 2356 description 2357 "As per Section 4.1 of I-D. 2358 ietf-tls-external-psk-guidance: Context 2359 may include information about peer roles or 2360 identities to mitigate Selfie-style reflection 2361 attacks [Selfie]. If the EPSK is a key derived 2362 from some other protocol or sequence of protocols, 2363 context MUST include a channel binding for the 2364 deriving protocols [RFC5056]. The details of 2365 this binding are protocol specific."; 2366 reference 2367 "I-D.ietf-tls-external-psk-importer: 2368 Importing External PSKs for TLS 2369 I-D.ietf-tls-external-psk-guidance: 2370 Guidance for External PSK Usage in TLS"; 2371 } 2372 leaf target-protocol { 2373 type uint16; 2374 description 2375 "As per Section 3.1 of I-D. 2376 ietf-tls-external-psk-guidance: The protocol 2377 for which a PSK is imported for use."; 2378 reference 2379 "I-D.ietf-tls-external-psk-importer: 2380 Importing External PSKs for TLS"; 2381 } 2382 leaf target-kdf { 2383 type uint16; 2384 description 2385 "As per Section 3.1 of I-D. 2386 ietf-tls-external-psk-guidance: The specific Key 2387 Derivation Function (KDF) for which a PSK is 2388 imported for use."; 2389 reference 2390 "I-D.ietf-tls-external-psk-importer: 2391 Importing External PSKs for TLS"; 2392 } 2393 } 2394 } 2395 } 2396 } // container server-identity 2398 container client-authentication { 2399 if-feature "client-auth-supported"; 2400 nacm:default-deny-write; 2401 must 'ca-certs or ee-certs or raw-public-keys or tls12-psks 2402 or tls13-epsks'; 2403 presence 2404 "Indicates that client authentication is supported (i.e., 2405 that the server will request clients send certificates). 2406 If not configured, the TLS server SHOULD NOT request the 2407 TLS clients provide authentication credentials."; 2408 description 2409 "Specifies how the TLS server can authenticate TLS clients. 2410 Any combination of credentials is additive and unordered. 2412 Note that no configuration is required for PSK (pre-shared 2413 or pairwise-symmetric key) based authentication as the key 2414 is necessarily the same as configured in the '../server- 2415 identity' node."; 2416 container ca-certs { 2417 if-feature "client-auth-x509-cert"; 2418 presence 2419 "Indicates that CA certificates have been configured. 2420 This statement is present so the mandatory descendant 2421 nodes do not imply that this node must be configured."; 2422 description 2423 "A set of certificate authority (CA) certificates used by 2424 the TLS server to authenticate TLS client certificates. 2425 A client certificate is authenticated if it has a valid 2426 chain of trust to a configured CA certificate."; 2427 reference 2428 "RFC BBBB: A YANG Data Model for a Truststore"; 2429 uses ts:local-or-truststore-certs-grouping; 2430 } 2431 container ee-certs { 2432 if-feature "client-auth-x509-cert"; 2433 presence 2434 "Indicates that EE certificates have been configured. 2435 This statement is present so the mandatory descendant 2436 nodes do not imply that this node must be configured."; 2437 description 2438 "A set of client certificates (i.e., end entity 2439 certificates) used by the TLS server to authenticate 2440 certificates presented by TLS clients. A client 2441 certificate is authenticated if it is an exact 2442 match to a configured client certificate."; 2443 reference 2444 "RFC BBBB: A YANG Data Model for a Truststore"; 2445 uses ts:local-or-truststore-certs-grouping; 2446 } 2447 container raw-public-keys { 2448 if-feature "client-auth-raw-public-key"; 2449 presence 2450 "Indicates that raw public keys have been configured. 2451 This statement is present so the mandatory descendant 2452 nodes do not imply that this node must be configured."; 2453 description 2454 "A set of raw public keys used by the TLS server to 2455 authenticate raw public keys presented by the TLS 2456 client. A raw public key is authenticated if it 2457 is an exact match to a configured raw public key."; 2458 reference 2459 "RFC BBBB: A YANG Data Model for a Truststore"; 2460 uses ts:local-or-truststore-public-keys-grouping { 2461 refine "local-or-truststore/local/local-definition" 2462 + "/public-key" { 2464 must 'public-key-format' 2465 + ' = "ct:subject-public-key-info-format"'; 2466 } 2467 refine "local-or-truststore/truststore" 2468 + "/truststore-reference" { 2469 must 'deref(.)/../*/ts:public-key-format' 2470 + ' = "ct:subject-public-key-info-format"'; 2471 } 2472 } 2473 } 2474 leaf tls12-psks { 2475 if-feature "client-auth-tls12-psk"; 2476 type empty; 2477 description 2478 "Indicates that the TLS server can authenticate TLS clients 2479 using configured PSKs (pre-shared or pairwise-symmetric 2480 keys). 2482 No configuration is required since the PSK value is the 2483 same as PSK value configured in the 'server-identity' 2484 node."; 2485 } 2486 leaf tls13-epsks { 2487 if-feature "client-auth-tls13-epsk"; 2488 type empty; 2489 description 2490 "Indicates that the TLS 1.3 server can authenticate TLS 2491 clients using configured external PSKs (pre-shared keys). 2493 No configuration is required since the PSK value is the 2494 same as PSK value configured in the 'server-identity' 2495 node."; 2496 } 2497 } // container client-authentication 2499 container hello-params { 2500 nacm:default-deny-write; 2501 if-feature "tlscmn:hello-params"; 2502 uses tlscmn:hello-params-grouping; 2503 description 2504 "Configurable parameters for the TLS hello message."; 2505 } // container hello-params 2507 container keepalives { 2508 nacm:default-deny-write; 2509 if-feature "tls-server-keepalives"; 2510 description 2511 "Configures the keepalive policy for the TLS server."; 2513 leaf peer-allowed-to-send { 2514 type empty; 2515 description 2516 "Indicates that the remote TLS client is allowed to send 2517 HeartbeatRequest messages, as defined by RFC 6520 2518 to this TLS server."; 2519 reference 2520 "RFC 6520: Transport Layer Security (TLS) and Datagram 2521 Transport Layer Security (DTLS) Heartbeat Extension"; 2522 } 2523 container test-peer-aliveness { 2524 presence 2525 "Indicates that the TLS server proactively tests the 2526 aliveness of the remote TLS client."; 2527 description 2528 "Configures the keep-alive policy to proactively test 2529 the aliveness of the TLS client. An unresponsive 2530 TLS client is dropped after approximately max-wait 2531 * max-attempts seconds."; 2532 leaf max-wait { 2533 type uint16 { 2534 range "1..max"; 2535 } 2536 units "seconds"; 2537 default "30"; 2538 description 2539 "Sets the amount of time in seconds after which if 2540 no data has been received from the TLS client, a 2541 TLS-level message will be sent to test the 2542 aliveness of the TLS client."; 2543 } 2544 leaf max-attempts { 2545 type uint8; 2546 default "3"; 2547 description 2548 "Sets the maximum number of sequential keep-alive 2549 messages that can fail to obtain a response from 2550 the TLS client before assuming the TLS client is 2551 no longer alive."; 2552 } 2553 } 2554 } // container keepalives 2555 } // grouping tls-server-grouping 2557 } 2559 2561 5. Security Considerations 2563 5.1. The "iana-tls-cipher-suite-algs" Module 2565 The "iana-tls-cipher-suite-algs" YANG module defines a data model 2566 that is designed to be accessed via YANG based management protocols, 2567 such as NETCONF [RFC6241] and RESTCONF [RFC8040]. Both of these 2568 protocols have mandatory-to-implement secure transport layers (e.g., 2569 SSH, TLS) with mutual authentication. 2571 The NETCONF access control model (NACM) [RFC8341] provides the means 2572 to restrict access for particular users to a pre-configured subset of 2573 all available protocol operations and content. 2575 This YANG module defines YANG identities, for a public IANA- 2576 maintained registry, and a single protocol-accessible read-only node 2577 for the subset of those identities supported by a server. 2579 YANG identities are not security-sensitive, as they are statically 2580 defined in the publicly-accessible YANG module. 2582 The protocol-accessible read-only node for the algorithms supported 2583 by a server is mildly sensitive, but not to the extent that special 2584 NACM annotations are needed to prevent read-access to regular 2585 authenticated administrators. 2587 This module does not define any writable-nodes, RPCs, actions, or 2588 notifications, and thus the security consideration for such is not 2589 provided here. 2591 5.2. The "ietf-tls-common" YANG Module 2593 The "ietf-tls-common" YANG module defines "grouping" statements that 2594 are designed to be accessed via YANG based management protocols, such 2595 as NETCONF [RFC6241] and RESTCONF [RFC8040]. Both of these protocols 2596 have mandatory-to-implement secure transport layers (e.g., SSH, TLS) 2597 with mutual authentication. 2599 The NETCONF access control model (NACM) [RFC8341] provides the means 2600 to restrict access for particular users to a pre-configured subset of 2601 all available protocol operations and content. 2603 Since the module in this document only define groupings, these 2604 considerations are primarily for the designers of other modules that 2605 use these groupings. 2607 None of the readable data nodes defined in this YANG module are 2608 considered sensitive or vulnerable in network environments. The NACM 2609 "default-deny-all" extension has not been set for any data nodes 2610 defined in this module. 2612 None of the writable data nodes defined in this YANG module are 2613 considered sensitive or vulnerable in network environments. The NACM 2614 "default-deny-write" extension has not been set for any data nodes 2615 defined in this module. 2617 This module does not define any RPCs, actions, or notifications, and 2618 thus the security consideration for such is not provided here. 2620 5.3. The "ietf-tls-client" YANG Module 2622 The "ietf-tls-client" YANG module defines "grouping" statements that 2623 are designed to be accessed via YANG based management protocols, such 2624 as NETCONF [RFC6241] and RESTCONF [RFC8040]. Both of these protocols 2625 have mandatory-to-implement secure transport layers (e.g., SSH, TLS) 2626 with mutual authentication. 2628 The NETCONF access control model (NACM) [RFC8341] provides the means 2629 to restrict access for particular users to a pre-configured subset of 2630 all available protocol operations and content. 2632 Since the module in this document only define groupings, these 2633 considerations are primarily for the designers of other modules that 2634 use these groupings. 2636 None of the readable data nodes defined in this YANG module are 2637 considered sensitive or vulnerable in network environments. The NACM 2638 "default-deny-all" extension has not been set for any data nodes 2639 defined in this module. 2641 | Please be aware that this module uses the "key" and "private- 2642 | key" nodes from the "ietf-crypto-types" module 2643 | [I-D.ietf-netconf-crypto-types], where said nodes have the NACM 2644 | extension "default-deny-all" set, thus preventing unrestricted 2645 | read-access to the cleartext key values. 2647 All the writable data nodes defined by this module may be considered 2648 sensitive or vulnerable in some network environments. For instance, 2649 any modification to a key or reference to a key may dramatically 2650 alter the implemented security policy. For this reason, the NACM 2651 extension "default-deny-write" has been set for all data nodes 2652 defined in this module. 2654 This module does not define any RPCs, actions, or notifications, and 2655 thus the security consideration for such is not provided here. 2657 5.4. The "ietf-tls-server" YANG Module 2659 The "ietf-tls-server" YANG module defines "grouping" statements that 2660 are designed to be accessed via YANG based management protocols, such 2661 as NETCONF [RFC6241] and RESTCONF [RFC8040]. Both of these protocols 2662 have mandatory-to-implement secure transport layers (e.g., SSH, TLS) 2663 with mutual authentication. 2665 The NETCONF access control model (NACM) [RFC8341] provides the means 2666 to restrict access for particular users to a pre-configured subset of 2667 all available protocol operations and content. 2669 Since the module in this document only define groupings, these 2670 considerations are primarily for the designers of other modules that 2671 use these groupings. 2673 None of the readable data nodes defined in this YANG module are 2674 considered sensitive or vulnerable in network environments. The NACM 2675 "default-deny-all" extension has not been set for any data nodes 2676 defined in this module. 2678 | Please be aware that this module uses the "key" and "private- 2679 | key" nodes from the "ietf-crypto-types" module 2680 | [I-D.ietf-netconf-crypto-types], where said nodes have the NACM 2681 | extension "default-deny-all" set, thus preventing unrestricted 2682 | read-access to the cleartext key values. 2684 All the writable data nodes defined by this module may be considered 2685 sensitive or vulnerable in some network environments. For instance, 2686 any modification to a key or reference to a key may dramatically 2687 alter the implemented security policy. For this reason, the NACM 2688 extension "default-deny-write" has been set for all data nodes 2689 defined in this module. 2691 This module does not define any RPCs, actions, or notifications, and 2692 thus the security consideration for such is not provided here. 2694 6. IANA Considerations 2696 6.1. The "IETF XML" Registry 2698 This document registers four URIs in the "ns" subregistry of the IETF 2699 XML Registry [RFC3688]. Following the format in [RFC3688], the 2700 following registrations are requested: 2702 URI: urn:ietf:params:xml:ns:yang:iana-tls-cipher-suite-algs 2703 Registrant Contact: IANA 2704 XML: N/A, the requested URI is an XML namespace. 2706 URI: urn:ietf:params:xml:ns:yang:ietf-tls-common 2707 Registrant Contact: The IESG 2708 XML: N/A, the requested URI is an XML namespace. 2710 URI: urn:ietf:params:xml:ns:yang:ietf-tls-client 2711 Registrant Contact: The IESG 2712 XML: N/A, the requested URI is an XML namespace. 2714 URI: urn:ietf:params:xml:ns:yang:ietf-tls-server 2715 Registrant Contact: The IESG 2716 XML: N/A, the requested URI is an XML namespace. 2718 6.2. The "YANG Module Names" Registry 2720 This document registers four YANG modules in the YANG Module Names 2721 registry [RFC6020]. Following the format in [RFC6020], the following 2722 registrations are requested: 2724 name: iana-tls-cipher-suite-algs 2725 namespace: urn:ietf:params:xml:ns:yang:iana-tls-cipher-suite-algs 2726 prefix: tlscsa 2727 reference: RFC FFFF 2729 name: ietf-tls-common 2730 namespace: urn:ietf:params:xml:ns:yang:ietf-tls-common 2731 prefix: tlscmn 2732 reference: RFC FFFF 2734 name: ietf-tls-client 2735 namespace: urn:ietf:params:xml:ns:yang:ietf-tls-client 2736 prefix: tlsc 2737 reference: RFC FFFF 2739 name: ietf-tls-server 2740 namespace: urn:ietf:params:xml:ns:yang:ietf-tls-server 2741 prefix: tlss 2742 reference: RFC FFFF 2744 6.3. The "iana-tls-cipher-suite-algs" Module 2746 IANA is requested to maintain a YANG module called "iana-tls-cipher- 2747 suite-algs" that shadows the "TLS Cipher Suites" sub-registry of the 2748 "Transport Layer Security (TLS) Parameters" registry 2749 [IANA-CIPHER-ALGS]. 2751 This registry defines a YANG identity for each cipher suite 2752 algorithm, and a "base" identity from which all of the other 2753 identities are derived. 2755 An initial version of this module can be found in Appendix A.1. 2757 * Please note that this module was created on June 2st, 2021, and 2758 that additional entries may have been added in the interim before 2759 this document's publication. If this is that case, IANA may 2760 either publish just an updated module containing the new entries, 2761 or publish the initial module as is immediately followed by a 2762 "revision" containing the additional algorithm names. 2764 * Please also note that the "status" statement has been set to 2765 "deprecated", if the "RECOMMENDED" column in the registry had the 2766 value 'N', and to "obsolete", if the "References" column included 2767 Moving single-DES and IDEA TLS ciphersuites to Historic 2768 (https://datatracker.ietf.org/doc/status-change-tls-des-idea- 2769 ciphers-to-historic) reference. 2771 7. References 2773 7.1. Normative References 2775 [I-D.ietf-netconf-crypto-types] 2776 Watsen, K., "YANG Data Types and Groupings for 2777 Cryptography", Work in Progress, Internet-Draft, draft- 2778 ietf-netconf-crypto-types-22, 7 March 2022, 2779 . 2782 [I-D.ietf-netconf-keystore] 2783 Watsen, K., "A YANG Data Model for a Keystore", Work in 2784 Progress, Internet-Draft, draft-ietf-netconf-keystore-24, 2785 7 March 2022, . 2788 [I-D.ietf-netconf-trust-anchors] 2789 Watsen, K., "A YANG Data Model for a Truststore", Work in 2790 Progress, Internet-Draft, draft-ietf-netconf-trust- 2791 anchors-17, 7 March 2022, 2792 . 2795 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 2796 Requirement Levels", BCP 14, RFC 2119, 2797 DOI 10.17487/RFC2119, March 1997, 2798 . 2800 [RFC5288] Salowey, J., Choudhury, A., and D. McGrew, "AES Galois 2801 Counter Mode (GCM) Cipher Suites for TLS", RFC 5288, 2802 DOI 10.17487/RFC5288, August 2008, 2803 . 2805 [RFC5289] Rescorla, E., "TLS Elliptic Curve Cipher Suites with SHA- 2806 256/384 and AES Galois Counter Mode (GCM)", RFC 5289, 2807 DOI 10.17487/RFC5289, August 2008, 2808 . 2810 [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for 2811 the Network Configuration Protocol (NETCONF)", RFC 6020, 2812 DOI 10.17487/RFC6020, October 2010, 2813 . 2815 [RFC7589] Badra, M., Luchuk, A., and J. Schoenwaelder, "Using the 2816 NETCONF Protocol over Transport Layer Security (TLS) with 2817 Mutual X.509 Authentication", RFC 7589, 2818 DOI 10.17487/RFC7589, June 2015, 2819 . 2821 [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", 2822 RFC 7950, DOI 10.17487/RFC7950, August 2016, 2823 . 2825 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2826 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2827 May 2017, . 2829 [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration 2830 Access Control Model", STD 91, RFC 8341, 2831 DOI 10.17487/RFC8341, March 2018, 2832 . 2834 [RFC8422] Nir, Y., Josefsson, S., and M. Pegourie-Gonnard, "Elliptic 2835 Curve Cryptography (ECC) Cipher Suites for Transport Layer 2836 Security (TLS) Versions 1.2 and Earlier", RFC 8422, 2837 DOI 10.17487/RFC8422, August 2018, 2838 . 2840 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol 2841 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, 2842 . 2844 7.2. Informative References 2846 [I-D.ietf-netconf-http-client-server] 2847 Watsen, K., "YANG Groupings for HTTP Clients and HTTP 2848 Servers", Work in Progress, Internet-Draft, draft-ietf- 2849 netconf-http-client-server-09, 7 March 2022, 2850 . 2853 [I-D.ietf-netconf-netconf-client-server] 2854 Watsen, K., "NETCONF Client and Server Models", Work in 2855 Progress, Internet-Draft, draft-ietf-netconf-netconf- 2856 client-server-25, 7 March 2022, 2857 . 2860 [I-D.ietf-netconf-restconf-client-server] 2861 Watsen, K., "RESTCONF Client and Server Models", Work in 2862 Progress, Internet-Draft, draft-ietf-netconf-restconf- 2863 client-server-25, 7 March 2022, 2864 . 2867 [I-D.ietf-netconf-ssh-client-server] 2868 Watsen, K., "YANG Groupings for SSH Clients and SSH 2869 Servers", Work in Progress, Internet-Draft, draft-ietf- 2870 netconf-ssh-client-server-27, 7 March 2022, 2871 . 2874 [I-D.ietf-netconf-tcp-client-server] 2875 Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients 2876 and TCP Servers", Work in Progress, Internet-Draft, draft- 2877 ietf-netconf-tcp-client-server-12, 7 March 2022, 2878 . 2881 [I-D.ietf-netconf-tls-client-server] 2882 Watsen, K., "YANG Groupings for TLS Clients and TLS 2883 Servers", Work in Progress, Internet-Draft, draft-ietf- 2884 netconf-tls-client-server-27, 7 March 2022, 2885 . 2888 [I-D.ietf-tls-external-psk-guidance] 2889 Housley, R., Hoyland, J., Sethi, M., and C. A. Wood, 2890 "Guidance for External PSK Usage in TLS", Work in 2891 Progress, Internet-Draft, draft-ietf-tls-external-psk- 2892 guidance-06, 4 February 2022, 2893 . 2896 [I-D.ietf-tls-external-psk-importer] 2897 Benjamin, D. and C. A. Wood, "Importing External PSKs for 2898 TLS", Work in Progress, Internet-Draft, draft-ietf-tls- 2899 external-psk-importer-08, 22 April 2022, 2900 . 2903 [IANA-CIPHER-ALGS] 2904 (IANA), I. A. N. A., "IANA "TLS Cipher Suites" Sub- 2905 registry of the "Transport Layer Security (TLS) 2906 Parameters" Registry", . 2909 [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", 2910 RFC 2246, DOI 10.17487/RFC2246, January 1999, 2911 . 2913 [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, 2914 DOI 10.17487/RFC2818, May 2000, 2915 . 2917 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, 2918 DOI 10.17487/RFC3688, January 2004, 2919 . 2921 [RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security 2922 (TLS) Protocol Version 1.1", RFC 4346, 2923 DOI 10.17487/RFC4346, April 2006, 2924 . 2926 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 2927 (TLS) Protocol Version 1.2", RFC 5246, 2928 DOI 10.17487/RFC5246, August 2008, 2929 . 2931 [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., 2932 and A. Bierman, Ed., "Network Configuration Protocol 2933 (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, 2934 . 2936 [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF 2937 Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, 2938 . 2940 [RFC8071] Watsen, K., "NETCONF Call Home and RESTCONF Call Home", 2941 RFC 8071, DOI 10.17487/RFC8071, February 2017, 2942 . 2944 [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", 2945 BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, 2946 . 2948 [RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., 2949 and R. Wilton, "Network Management Datastore Architecture 2950 (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, 2951 . 2953 Appendix A. YANG Modules for IANA 2955 The module contained in this section was generated by scripts using 2956 the contents of the associated sub-registry as they existed on June 2957 2nd, 2021. 2959 A.1. Initial Module for the "TLS Cipher Suites" Registry 2961 A.1.1. Data Model Overview 2963 This section provides an overview of the "iana-tls-cipher-suite-algs" 2964 module in terms of its identities and protocol-accessible nodes. 2966 A.1.1.1. Identities 2968 The following diagram lists the base "identity" statements defined in 2969 the module, of which there is just one, and illustrates that all the 2970 derived identity statements are generated from the associated IANA- 2971 maintained registry [IANA-CIPHER-ALGS]. 2973 Identities: 2974 +-- cipher-suite-alg-base 2975 +-- 2977 | The diagram above uses syntax that is similar to but not 2978 | defined in [RFC8340]. 2980 A.1.1.2. Typedefs 2982 The following diagram illustrates the "typedef" statements defined in 2983 the "iana-tls-cipher-suite-algs" module: 2985 Typedefs: 2986 identityref 2987 +-- cipher-suite-algorithm-ref 2989 | The diagram above uses syntax that is similar to but not 2990 | defined in [RFC8340]. 2992 Comments: 2994 * The typedef defined in the "iana-tls-cipher-suite-algs" module 2995 extends the "identityref" type defined in [RFC7950]. 2997 A.1.1.3. Protocol-accessible Nodes 2999 The following tree diagram [RFC8340] lists all the protocol- 3000 accessible nodes defined in the "iana-tls-cipher-suite-alg" module: 3002 module: iana-tls-cipher-suite-algs 3003 +--ro supported-algorithms 3004 +--ro supported-algorithm* cipher-suite-algorithm-ref 3006 Comments: 3008 * Protocol-accessible nodes are those nodes that are accessible when 3009 the module is "implemented", as described in Section 5.6.5 of 3010 [RFC7950]. 3012 A.1.2. Example Usage 3014 The following example illustrates operational state data indicating 3015 the TLS cipher suite algorithms supported by the server: 3017 =============== NOTE: '\' line wrapping per RFC 8792 ================ 3019 3023 tlscsa:tls-ecdhe-ecdsa-with-aes-256-cbc-sha 3025 tlscsa:tls-dhe-rsa-with-aes-128-cbc-sha256 3027 tlscsa:tls-rsa-with-3des-ede-cbc-sha 3029 tlscsa:tls-ecdhe-psk-with-aes-256-gcm-sha384<\ 3030 /supported-algorithm> 3031 tlscsa:tls-dhe-psk-with-chacha20-poly1305-sha\ 3032 256 3033 tlscsa:tls-eccpwd-with-aes-256-gcm-sha384 3035 tlscsa:tls-psk-with-aes-256-ccm 3037 tlscsa:tls-dhe-psk-with-camellia-256-cbc-sha3\ 3038 84 3039 tlscsa:tls-ecdh-rsa-with-aes-256-cbc-sha384 3041 tlscsa:tls-ecdh-rsa-with-3des-ede-cbc-sha 3043 tlscsa:tls-dh-dss-with-aes-128-gcm-sha256 3045 3047 A.1.3. YANG Module 3049 Following are the complete contents to the initial IANA-maintained 3050 YANG module. Please note that the date "2021-06-02" reflects the day 3051 on which the extraction occurred. 3053 file "iana-tls-cipher-suite-algs@2021-06-02.yang" 3055 module iana-tls-cipher-suite-algs { 3056 yang-version 1.1; 3057 namespace "urn:ietf:params:xml:ns:yang:iana-tls-cipher-suite-algs"; 3058 prefix tlscsa; 3060 organization 3061 "Internet Assigned Numbers Authority (IANA)"; 3063 contact 3064 "Postal: ICANN 3065 12025 Waterfront Drive, Suite 300 3066 Los Angeles, CA 90094-2536 3067 United States of America 3068 Tel: +1 310 301 5800 3069 Email: iana@iana.org"; 3071 description 3072 "This module defines identities for the Cipher Suite 3073 algorithms defined in the 'TLS Cipher Suites' sub-registry 3074 of the 'Transport Layer Security (TLS) Parameters' registry 3075 maintained by IANA. 3077 Copyright (c) 2021 IETF Trust and the persons identified as 3078 authors of the code. All rights reserved. 3080 Redistribution and use in source and binary forms, with 3081 or without modification, is permitted pursuant to, and 3082 subject to the license terms contained in, the Revised 3083 BSD License set forth in Section 4.c of the IETF Trust's 3084 Legal Provisions Relating to IETF Documents 3085 (https://trustee.ietf.org/license-info). 3087 The initial version of this YANG module is part of RFC FFFF 3088 (https://www.rfc-editor.org/info/rfcFFFF); see the RFC 3089 itself for full legal notices."; 3091 revision 2021-06-02 { 3092 description 3093 "Initial version"; 3094 reference 3095 "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; 3096 } 3098 // Typedefs 3100 typedef cipher-suite-algorithm-ref { 3101 type identityref { 3102 base "cipher-suite-alg-base"; 3103 } 3104 description 3105 "A reference to a TLS cipher suite algorithm identifier."; 3106 } 3108 // Identities 3110 identity cipher-suite-alg-base { 3111 description 3112 "Base identity used to identify TLS cipher suites."; 3113 } 3115 identity tls-null-with-null-null { 3116 base cipher-suite-alg-base; 3117 status deprecated; 3118 description 3119 "TLS-NULL-WITH-NULL-NULL"; 3120 reference 3121 "RFC 5246: 3122 The Transport Layer Security (TLS) Protocol Version 1.2"; 3123 } 3125 identity tls-rsa-with-null-md5 { 3126 base cipher-suite-alg-base; 3127 status deprecated; 3128 description 3129 "TLS-RSA-WITH-NULL-MD5"; 3130 reference 3131 "RFC 5246: 3132 The Transport Layer Security (TLS) Protocol Version 1.2"; 3133 } 3135 identity tls-rsa-with-null-sha { 3136 base cipher-suite-alg-base; 3137 status deprecated; 3138 description 3139 "TLS-RSA-WITH-NULL-SHA"; 3140 reference 3141 "RFC 5246: 3142 The Transport Layer Security (TLS) Protocol Version 1.2"; 3143 } 3145 identity tls-rsa-export-with-rc4-40-md5 { 3146 base cipher-suite-alg-base; 3147 status deprecated; 3148 description 3149 "TLS-RSA-EXPORT-WITH-RC4-40-MD5"; 3150 reference 3151 "RFC 4346: 3152 The TLS Protocol Version 1.1 3153 RFC 6347: 3154 Datagram Transport Layer Security version 1.2"; 3155 } 3157 identity tls-rsa-with-rc4-128-md5 { 3158 base cipher-suite-alg-base; 3159 status deprecated; 3160 description 3161 "TLS-RSA-WITH-RC4-128-MD5"; 3162 reference 3163 "RFC 5246: 3164 The Transport Layer Security (TLS) Protocol Version 1.2 3165 RFC 6347: 3166 Datagram Transport Layer Security version 1.2"; 3167 } 3169 identity tls-rsa-with-rc4-128-sha { 3170 base cipher-suite-alg-base; 3171 status deprecated; 3172 description 3173 "TLS-RSA-WITH-RC4-128-SHA"; 3174 reference 3175 "RFC 5246: 3176 The Transport Layer Security (TLS) Protocol Version 1.2 3177 RFC 6347: 3178 Datagram Transport Layer Security version 1.2"; 3179 } 3181 identity tls-rsa-export-with-rc2-cbc-40-md5 { 3182 base cipher-suite-alg-base; 3183 status deprecated; 3184 description 3185 "TLS-RSA-EXPORT-WITH-RC2-CBC-40-MD5"; 3186 reference 3187 "RFC 4346: 3188 The TLS Protocol Version 1.1"; 3189 } 3191 identity tls-rsa-with-idea-cbc-sha { 3192 base cipher-suite-alg-base; 3193 status obsolete; 3194 description 3195 "TLS-RSA-WITH-IDEA-CBC-SHA"; 3196 reference 3197 "RFC 5469: 3198 DES and IDEA Cipher Suites for 3199 Transport Layer Security (TLS) 3200 RFC 5469: 3201 DES and IDEA Cipher Suites for 3202 Transport Layer Security (TLS)"; 3203 } 3205 identity tls-rsa-export-with-des40-cbc-sha { 3206 base cipher-suite-alg-base; 3207 status deprecated; 3208 description 3209 "TLS-RSA-EXPORT-WITH-DES40-CBC-SHA"; 3210 reference 3211 "RFC 4346: 3212 The TLS Protocol Version 1.1"; 3213 } 3215 identity tls-rsa-with-des-cbc-sha { 3216 base cipher-suite-alg-base; 3217 status obsolete; 3218 description 3219 "TLS-RSA-WITH-DES-CBC-SHA"; 3220 reference 3221 "RFC 5469: 3222 DES and IDEA Cipher Suites for 3223 Transport Layer Security (TLS) 3224 RFC 5469: 3225 DES and IDEA Cipher Suites for 3226 Transport Layer Security (TLS)"; 3227 } 3229 identity tls-rsa-with-3des-ede-cbc-sha { 3230 base cipher-suite-alg-base; 3231 status deprecated; 3232 description 3233 "TLS-RSA-WITH-3DES-EDE-CBC-SHA"; 3234 reference 3235 "RFC 5246: 3236 The Transport Layer Security (TLS) Protocol Version 1.2"; 3237 } 3239 identity tls-dh-dss-export-with-des40-cbc-sha { 3240 base cipher-suite-alg-base; 3241 status deprecated; 3242 description 3243 "TLS-DH-DSS-EXPORT-WITH-DES40-CBC-SHA"; 3244 reference 3245 "RFC 4346: 3246 The TLS Protocol Version 1.1"; 3247 } 3249 identity tls-dh-dss-with-des-cbc-sha { 3250 base cipher-suite-alg-base; 3251 status obsolete; 3252 description 3253 "TLS-DH-DSS-WITH-DES-CBC-SHA"; 3254 reference 3255 "RFC 5469: 3257 DES and IDEA Cipher Suites for 3258 Transport Layer Security (TLS) 3259 RFC 5469: 3260 DES and IDEA Cipher Suites for 3261 Transport Layer Security (TLS)"; 3262 } 3264 identity tls-dh-dss-with-3des-ede-cbc-sha { 3265 base cipher-suite-alg-base; 3266 status deprecated; 3267 description 3268 "TLS-DH-DSS-WITH-3DES-EDE-CBC-SHA"; 3269 reference 3270 "RFC 5246: 3271 The Transport Layer Security (TLS) Protocol Version 1.2"; 3272 } 3274 identity tls-dh-rsa-export-with-des40-cbc-sha { 3275 base cipher-suite-alg-base; 3276 status deprecated; 3277 description 3278 "TLS-DH-RSA-EXPORT-WITH-DES40-CBC-SHA"; 3279 reference 3280 "RFC 4346: 3281 The TLS Protocol Version 1.1"; 3282 } 3284 identity tls-dh-rsa-with-des-cbc-sha { 3285 base cipher-suite-alg-base; 3286 status obsolete; 3287 description 3288 "TLS-DH-RSA-WITH-DES-CBC-SHA"; 3289 reference 3290 "RFC 5469: 3291 DES and IDEA Cipher Suites for 3292 Transport Layer Security (TLS) 3293 RFC 5469: 3294 DES and IDEA Cipher Suites for 3295 Transport Layer Security (TLS)"; 3296 } 3298 identity tls-dh-rsa-with-3des-ede-cbc-sha { 3299 base cipher-suite-alg-base; 3300 status deprecated; 3301 description 3302 "TLS-DH-RSA-WITH-3DES-EDE-CBC-SHA"; 3303 reference 3304 "RFC 5246: 3306 The Transport Layer Security (TLS) Protocol Version 1.2"; 3307 } 3309 identity tls-dhe-dss-export-with-des40-cbc-sha { 3310 base cipher-suite-alg-base; 3311 status deprecated; 3312 description 3313 "TLS-DHE-DSS-EXPORT-WITH-DES40-CBC-SHA"; 3314 reference 3315 "RFC 4346: 3316 The TLS Protocol Version 1.1"; 3317 } 3319 identity tls-dhe-dss-with-des-cbc-sha { 3320 base cipher-suite-alg-base; 3321 status obsolete; 3322 description 3323 "TLS-DHE-DSS-WITH-DES-CBC-SHA"; 3324 reference 3325 "RFC 5469: 3326 DES and IDEA Cipher Suites for 3327 Transport Layer Security (TLS) 3328 RFC 5469: 3329 DES and IDEA Cipher Suites for 3330 Transport Layer Security (TLS)"; 3331 } 3333 identity tls-dhe-dss-with-3des-ede-cbc-sha { 3334 base cipher-suite-alg-base; 3335 status deprecated; 3336 description 3337 "TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA"; 3338 reference 3339 "RFC 5246: 3340 The Transport Layer Security (TLS) Protocol Version 1.2"; 3341 } 3343 identity tls-dhe-rsa-export-with-des40-cbc-sha { 3344 base cipher-suite-alg-base; 3345 status deprecated; 3346 description 3347 "TLS-DHE-RSA-EXPORT-WITH-DES40-CBC-SHA"; 3348 reference 3349 "RFC 4346: 3350 The TLS Protocol Version 1.1"; 3351 } 3353 identity tls-dhe-rsa-with-des-cbc-sha { 3354 base cipher-suite-alg-base; 3355 status obsolete; 3356 description 3357 "TLS-DHE-RSA-WITH-DES-CBC-SHA"; 3358 reference 3359 "RFC 5469: 3360 DES and IDEA Cipher Suites for 3361 Transport Layer Security (TLS) 3362 RFC 5469: 3363 DES and IDEA Cipher Suites for 3364 Transport Layer Security (TLS)"; 3365 } 3367 identity tls-dhe-rsa-with-3des-ede-cbc-sha { 3368 base cipher-suite-alg-base; 3369 status deprecated; 3370 description 3371 "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA"; 3372 reference 3373 "RFC 5246: 3374 The Transport Layer Security (TLS) Protocol Version 1.2"; 3375 } 3377 identity tls-dh-anon-export-with-rc4-40-md5 { 3378 base cipher-suite-alg-base; 3379 status deprecated; 3380 description 3381 "TLS-DH-ANON-EXPORT-WITH-RC4-40-MD5"; 3382 reference 3383 "RFC 4346: 3384 The TLS Protocol Version 1.1 3385 RFC 6347: 3386 Datagram Transport Layer Security version 1.2"; 3387 } 3389 identity tls-dh-anon-with-rc4-128-md5 { 3390 base cipher-suite-alg-base; 3391 status deprecated; 3392 description 3393 "TLS-DH-ANON-WITH-RC4-128-MD5"; 3394 reference 3395 "RFC 5246: 3396 The Transport Layer Security (TLS) Protocol Version 1.2 3397 RFC 6347: 3398 Datagram Transport Layer Security version 1.2"; 3399 } 3401 identity tls-dh-anon-export-with-des40-cbc-sha { 3402 base cipher-suite-alg-base; 3403 status deprecated; 3404 description 3405 "TLS-DH-ANON-EXPORT-WITH-DES40-CBC-SHA"; 3406 reference 3407 "RFC 4346: 3408 The TLS Protocol Version 1.1"; 3409 } 3411 identity tls-dh-anon-with-des-cbc-sha { 3412 base cipher-suite-alg-base; 3413 status obsolete; 3414 description 3415 "TLS-DH-ANON-WITH-DES-CBC-SHA"; 3416 reference 3417 "RFC 5469: 3418 DES and IDEA Cipher Suites for 3419 Transport Layer Security (TLS) 3420 RFC 5469: 3421 DES and IDEA Cipher Suites for 3422 Transport Layer Security (TLS)"; 3423 } 3425 identity tls-dh-anon-with-3des-ede-cbc-sha { 3426 base cipher-suite-alg-base; 3427 status deprecated; 3428 description 3429 "TLS-DH-ANON-WITH-3DES-EDE-CBC-SHA"; 3430 reference 3431 "RFC 5246: 3432 The Transport Layer Security (TLS) Protocol Version 1.2"; 3433 } 3435 identity tls-krb5-with-des-cbc-sha { 3436 base cipher-suite-alg-base; 3437 status deprecated; 3438 description 3439 "TLS-KRB5-WITH-DES-CBC-SHA"; 3440 reference 3441 "RFC 2712: 3442 Addition of Kerberos Cipher Suites to 3443 Transport Layer Security (TLS)"; 3444 } 3446 identity tls-krb5-with-3des-ede-cbc-sha { 3447 base cipher-suite-alg-base; 3448 status deprecated; 3449 description 3450 "TLS-KRB5-WITH-3DES-EDE-CBC-SHA"; 3451 reference 3452 "RFC 2712: 3453 Addition of Kerberos Cipher Suites to 3454 Transport Layer Security (TLS)"; 3455 } 3457 identity tls-krb5-with-rc4-128-sha { 3458 base cipher-suite-alg-base; 3459 status deprecated; 3460 description 3461 "TLS-KRB5-WITH-RC4-128-SHA"; 3462 reference 3463 "RFC 2712: 3464 Addition of Kerberos Cipher Suites to 3465 Transport Layer Security (TLS) 3466 RFC 6347: 3467 Datagram Transport Layer Security version 1.2"; 3468 } 3470 identity tls-krb5-with-idea-cbc-sha { 3471 base cipher-suite-alg-base; 3472 status deprecated; 3473 description 3474 "TLS-KRB5-WITH-IDEA-CBC-SHA"; 3475 reference 3476 "RFC 2712: 3477 Addition of Kerberos Cipher Suites to 3478 Transport Layer Security (TLS)"; 3479 } 3481 identity tls-krb5-with-des-cbc-md5 { 3482 base cipher-suite-alg-base; 3483 status deprecated; 3484 description 3485 "TLS-KRB5-WITH-DES-CBC-MD5"; 3486 reference 3487 "RFC 2712: 3488 Addition of Kerberos Cipher Suites to 3489 Transport Layer Security (TLS)"; 3490 } 3492 identity tls-krb5-with-3des-ede-cbc-md5 { 3493 base cipher-suite-alg-base; 3494 status deprecated; 3495 description 3496 "TLS-KRB5-WITH-3DES-EDE-CBC-MD5"; 3497 reference 3498 "RFC 2712: 3499 Addition of Kerberos Cipher Suites to 3500 Transport Layer Security (TLS)"; 3501 } 3503 identity tls-krb5-with-rc4-128-md5 { 3504 base cipher-suite-alg-base; 3505 status deprecated; 3506 description 3507 "TLS-KRB5-WITH-RC4-128-MD5"; 3508 reference 3509 "RFC 2712: 3510 Addition of Kerberos Cipher Suites to 3511 Transport Layer Security (TLS) 3512 RFC 6347: 3513 Datagram Transport Layer Security version 1.2"; 3514 } 3516 identity tls-krb5-with-idea-cbc-md5 { 3517 base cipher-suite-alg-base; 3518 status deprecated; 3519 description 3520 "TLS-KRB5-WITH-IDEA-CBC-MD5"; 3521 reference 3522 "RFC 2712: 3523 Addition of Kerberos Cipher Suites to 3524 Transport Layer Security (TLS)"; 3525 } 3527 identity tls-krb5-export-with-des-cbc-40-sha { 3528 base cipher-suite-alg-base; 3529 status deprecated; 3530 description 3531 "TLS-KRB5-EXPORT-WITH-DES-CBC-40-SHA"; 3532 reference 3533 "RFC 2712: 3534 Addition of Kerberos Cipher Suites to 3535 Transport Layer Security (TLS)"; 3536 } 3538 identity tls-krb5-export-with-rc2-cbc-40-sha { 3539 base cipher-suite-alg-base; 3540 status deprecated; 3541 description 3542 "TLS-KRB5-EXPORT-WITH-RC2-CBC-40-SHA"; 3543 reference 3544 "RFC 2712: 3545 Addition of Kerberos Cipher Suites to 3546 Transport Layer Security (TLS)"; 3547 } 3549 identity tls-krb5-export-with-rc4-40-sha { 3550 base cipher-suite-alg-base; 3551 status deprecated; 3552 description 3553 "TLS-KRB5-EXPORT-WITH-RC4-40-SHA"; 3554 reference 3555 "RFC 2712: 3556 Addition of Kerberos Cipher Suites to 3557 Transport Layer Security (TLS) 3558 RFC 6347: 3559 Datagram Transport Layer Security version 1.2"; 3560 } 3562 identity tls-krb5-export-with-des-cbc-40-md5 { 3563 base cipher-suite-alg-base; 3564 status deprecated; 3565 description 3566 "TLS-KRB5-EXPORT-WITH-DES-CBC-40-MD5"; 3567 reference 3568 "RFC 2712: 3569 Addition of Kerberos Cipher Suites to 3570 Transport Layer Security (TLS)"; 3571 } 3573 identity tls-krb5-export-with-rc2-cbc-40-md5 { 3574 base cipher-suite-alg-base; 3575 status deprecated; 3576 description 3577 "TLS-KRB5-EXPORT-WITH-RC2-CBC-40-MD5"; 3578 reference 3579 "RFC 2712: 3580 Addition of Kerberos Cipher Suites to 3581 Transport Layer Security (TLS)"; 3582 } 3584 identity tls-krb5-export-with-rc4-40-md5 { 3585 base cipher-suite-alg-base; 3586 status deprecated; 3587 description 3588 "TLS-KRB5-EXPORT-WITH-RC4-40-MD5"; 3589 reference 3590 "RFC 2712: 3591 Addition of Kerberos Cipher Suites to 3592 Transport Layer Security (TLS) 3593 RFC 6347: 3595 Datagram Transport Layer Security version 1.2"; 3596 } 3598 identity tls-psk-with-null-sha { 3599 base cipher-suite-alg-base; 3600 status deprecated; 3601 description 3602 "TLS-PSK-WITH-NULL-SHA"; 3603 reference 3604 "RFC 4785: 3605 Pre-Shared Key Cipher Suites with NULL Encryption for 3606 Transport Layer Security (TLS)"; 3607 } 3609 identity tls-dhe-psk-with-null-sha { 3610 base cipher-suite-alg-base; 3611 status deprecated; 3612 description 3613 "TLS-DHE-PSK-WITH-NULL-SHA"; 3614 reference 3615 "RFC 4785: 3616 Pre-Shared Key Cipher Suites with NULL Encryption for 3617 Transport Layer Security (TLS)"; 3618 } 3620 identity tls-rsa-psk-with-null-sha { 3621 base cipher-suite-alg-base; 3622 status deprecated; 3623 description 3624 "TLS-RSA-PSK-WITH-NULL-SHA"; 3625 reference 3626 "RFC 4785: 3627 Pre-Shared Key Cipher Suites with NULL Encryption for 3628 Transport Layer Security (TLS)"; 3629 } 3631 identity tls-rsa-with-aes-128-cbc-sha { 3632 base cipher-suite-alg-base; 3633 status deprecated; 3634 description 3635 "TLS-RSA-WITH-AES-128-CBC-SHA"; 3636 reference 3637 "RFC 5246: 3638 The Transport Layer Security (TLS) Protocol Version 1.2"; 3639 } 3641 identity tls-dh-dss-with-aes-128-cbc-sha { 3642 base cipher-suite-alg-base; 3643 status deprecated; 3644 description 3645 "TLS-DH-DSS-WITH-AES-128-CBC-SHA"; 3646 reference 3647 "RFC 5246: 3648 The Transport Layer Security (TLS) Protocol Version 1.2"; 3649 } 3651 identity tls-dh-rsa-with-aes-128-cbc-sha { 3652 base cipher-suite-alg-base; 3653 status deprecated; 3654 description 3655 "TLS-DH-RSA-WITH-AES-128-CBC-SHA"; 3656 reference 3657 "RFC 5246: 3658 The Transport Layer Security (TLS) Protocol Version 1.2"; 3659 } 3661 identity tls-dhe-dss-with-aes-128-cbc-sha { 3662 base cipher-suite-alg-base; 3663 status deprecated; 3664 description 3665 "TLS-DHE-DSS-WITH-AES-128-CBC-SHA"; 3666 reference 3667 "RFC 5246: 3668 The Transport Layer Security (TLS) Protocol Version 1.2"; 3669 } 3671 identity tls-dhe-rsa-with-aes-128-cbc-sha { 3672 base cipher-suite-alg-base; 3673 status deprecated; 3674 description 3675 "TLS-DHE-RSA-WITH-AES-128-CBC-SHA"; 3676 reference 3677 "RFC 5246: 3678 The Transport Layer Security (TLS) Protocol Version 1.2"; 3679 } 3681 identity tls-dh-anon-with-aes-128-cbc-sha { 3682 base cipher-suite-alg-base; 3683 status deprecated; 3684 description 3685 "TLS-DH-ANON-WITH-AES-128-CBC-SHA"; 3686 reference 3687 "RFC 5246: 3688 The Transport Layer Security (TLS) Protocol Version 1.2"; 3689 } 3690 identity tls-rsa-with-aes-256-cbc-sha { 3691 base cipher-suite-alg-base; 3692 status deprecated; 3693 description 3694 "TLS-RSA-WITH-AES-256-CBC-SHA"; 3695 reference 3696 "RFC 5246: 3697 The Transport Layer Security (TLS) Protocol Version 1.2"; 3698 } 3700 identity tls-dh-dss-with-aes-256-cbc-sha { 3701 base cipher-suite-alg-base; 3702 status deprecated; 3703 description 3704 "TLS-DH-DSS-WITH-AES-256-CBC-SHA"; 3705 reference 3706 "RFC 5246: 3707 The Transport Layer Security (TLS) Protocol Version 1.2"; 3708 } 3710 identity tls-dh-rsa-with-aes-256-cbc-sha { 3711 base cipher-suite-alg-base; 3712 status deprecated; 3713 description 3714 "TLS-DH-RSA-WITH-AES-256-CBC-SHA"; 3715 reference 3716 "RFC 5246: 3717 The Transport Layer Security (TLS) Protocol Version 1.2"; 3718 } 3720 identity tls-dhe-dss-with-aes-256-cbc-sha { 3721 base cipher-suite-alg-base; 3722 status deprecated; 3723 description 3724 "TLS-DHE-DSS-WITH-AES-256-CBC-SHA"; 3725 reference 3726 "RFC 5246: 3727 The Transport Layer Security (TLS) Protocol Version 1.2"; 3728 } 3730 identity tls-dhe-rsa-with-aes-256-cbc-sha { 3731 base cipher-suite-alg-base; 3732 status deprecated; 3733 description 3734 "TLS-DHE-RSA-WITH-AES-256-CBC-SHA"; 3735 reference 3736 "RFC 5246: 3737 The Transport Layer Security (TLS) Protocol Version 1.2"; 3739 } 3741 identity tls-dh-anon-with-aes-256-cbc-sha { 3742 base cipher-suite-alg-base; 3743 status deprecated; 3744 description 3745 "TLS-DH-ANON-WITH-AES-256-CBC-SHA"; 3746 reference 3747 "RFC 5246: 3748 The Transport Layer Security (TLS) Protocol Version 1.2"; 3749 } 3751 identity tls-rsa-with-null-sha256 { 3752 base cipher-suite-alg-base; 3753 status deprecated; 3754 description 3755 "TLS-RSA-WITH-NULL-SHA256"; 3756 reference 3757 "RFC 5246: 3758 The Transport Layer Security (TLS) Protocol Version 1.2"; 3759 } 3761 identity tls-rsa-with-aes-128-cbc-sha256 { 3762 base cipher-suite-alg-base; 3763 status deprecated; 3764 description 3765 "TLS-RSA-WITH-AES-128-CBC-SHA256"; 3766 reference 3767 "RFC 5246: 3768 The Transport Layer Security (TLS) Protocol Version 1.2"; 3769 } 3771 identity tls-rsa-with-aes-256-cbc-sha256 { 3772 base cipher-suite-alg-base; 3773 status deprecated; 3774 description 3775 "TLS-RSA-WITH-AES-256-CBC-SHA256"; 3776 reference 3777 "RFC 5246: 3778 The Transport Layer Security (TLS) Protocol Version 1.2"; 3779 } 3781 identity tls-dh-dss-with-aes-128-cbc-sha256 { 3782 base cipher-suite-alg-base; 3783 status deprecated; 3784 description 3785 "TLS-DH-DSS-WITH-AES-128-CBC-SHA256"; 3786 reference 3787 "RFC 5246: 3788 The Transport Layer Security (TLS) Protocol Version 1.2"; 3789 } 3791 identity tls-dh-rsa-with-aes-128-cbc-sha256 { 3792 base cipher-suite-alg-base; 3793 status deprecated; 3794 description 3795 "TLS-DH-RSA-WITH-AES-128-CBC-SHA256"; 3796 reference 3797 "RFC 5246: 3798 The Transport Layer Security (TLS) Protocol Version 1.2"; 3799 } 3801 identity tls-dhe-dss-with-aes-128-cbc-sha256 { 3802 base cipher-suite-alg-base; 3803 status deprecated; 3804 description 3805 "TLS-DHE-DSS-WITH-AES-128-CBC-SHA256"; 3806 reference 3807 "RFC 5246: 3808 The Transport Layer Security (TLS) Protocol Version 1.2"; 3809 } 3811 identity tls-rsa-with-camellia-128-cbc-sha { 3812 base cipher-suite-alg-base; 3813 status deprecated; 3814 description 3815 "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"; 3816 reference 3817 "RFC 5932: 3818 Camellia Cipher Suites for TLS"; 3819 } 3821 identity tls-dh-dss-with-camellia-128-cbc-sha { 3822 base cipher-suite-alg-base; 3823 status deprecated; 3824 description 3825 "TLS-DH-DSS-WITH-CAMELLIA-128-CBC-SHA"; 3826 reference 3827 "RFC 5932: 3828 Camellia Cipher Suites for TLS"; 3829 } 3831 identity tls-dh-rsa-with-camellia-128-cbc-sha { 3832 base cipher-suite-alg-base; 3833 status deprecated; 3834 description 3835 "TLS-DH-RSA-WITH-CAMELLIA-128-CBC-SHA"; 3836 reference 3837 "RFC 5932: 3838 Camellia Cipher Suites for TLS"; 3839 } 3841 identity tls-dhe-dss-with-camellia-128-cbc-sha { 3842 base cipher-suite-alg-base; 3843 status deprecated; 3844 description 3845 "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA"; 3846 reference 3847 "RFC 5932: 3848 Camellia Cipher Suites for TLS"; 3849 } 3851 identity tls-dhe-rsa-with-camellia-128-cbc-sha { 3852 base cipher-suite-alg-base; 3853 status deprecated; 3854 description 3855 "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA"; 3856 reference 3857 "RFC 5932: 3858 Camellia Cipher Suites for TLS"; 3859 } 3861 identity tls-dh-anon-with-camellia-128-cbc-sha { 3862 base cipher-suite-alg-base; 3863 status deprecated; 3864 description 3865 "TLS-DH-ANON-WITH-CAMELLIA-128-CBC-SHA"; 3866 reference 3867 "RFC 5932: 3868 Camellia Cipher Suites for TLS"; 3869 } 3871 identity tls-dhe-rsa-with-aes-128-cbc-sha256 { 3872 base cipher-suite-alg-base; 3873 status deprecated; 3874 description 3875 "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256"; 3876 reference 3877 "RFC 5246: 3878 The Transport Layer Security (TLS) Protocol Version 1.2"; 3879 } 3881 identity tls-dh-dss-with-aes-256-cbc-sha256 { 3882 base cipher-suite-alg-base; 3883 status deprecated; 3884 description 3885 "TLS-DH-DSS-WITH-AES-256-CBC-SHA256"; 3886 reference 3887 "RFC 5246: 3888 The Transport Layer Security (TLS) Protocol Version 1.2"; 3889 } 3891 identity tls-dh-rsa-with-aes-256-cbc-sha256 { 3892 base cipher-suite-alg-base; 3893 status deprecated; 3894 description 3895 "TLS-DH-RSA-WITH-AES-256-CBC-SHA256"; 3896 reference 3897 "RFC 5246: 3898 The Transport Layer Security (TLS) Protocol Version 1.2"; 3899 } 3901 identity tls-dhe-dss-with-aes-256-cbc-sha256 { 3902 base cipher-suite-alg-base; 3903 status deprecated; 3904 description 3905 "TLS-DHE-DSS-WITH-AES-256-CBC-SHA256"; 3906 reference 3907 "RFC 5246: 3908 The Transport Layer Security (TLS) Protocol Version 1.2"; 3909 } 3911 identity tls-dhe-rsa-with-aes-256-cbc-sha256 { 3912 base cipher-suite-alg-base; 3913 status deprecated; 3914 description 3915 "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"; 3916 reference 3917 "RFC 5246: 3918 The Transport Layer Security (TLS) Protocol Version 1.2"; 3919 } 3921 identity tls-dh-anon-with-aes-128-cbc-sha256 { 3922 base cipher-suite-alg-base; 3923 status deprecated; 3924 description 3925 "TLS-DH-ANON-WITH-AES-128-CBC-SHA256"; 3926 reference 3927 "RFC 5246: 3928 The Transport Layer Security (TLS) Protocol Version 1.2"; 3929 } 3930 identity tls-dh-anon-with-aes-256-cbc-sha256 { 3931 base cipher-suite-alg-base; 3932 status deprecated; 3933 description 3934 "TLS-DH-ANON-WITH-AES-256-CBC-SHA256"; 3935 reference 3936 "RFC 5246: 3937 The Transport Layer Security (TLS) Protocol Version 1.2"; 3938 } 3940 identity tls-rsa-with-camellia-256-cbc-sha { 3941 base cipher-suite-alg-base; 3942 status deprecated; 3943 description 3944 "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA"; 3945 reference 3946 "RFC 5932: 3947 Camellia Cipher Suites for TLS"; 3948 } 3950 identity tls-dh-dss-with-camellia-256-cbc-sha { 3951 base cipher-suite-alg-base; 3952 status deprecated; 3953 description 3954 "TLS-DH-DSS-WITH-CAMELLIA-256-CBC-SHA"; 3955 reference 3956 "RFC 5932: 3957 Camellia Cipher Suites for TLS"; 3958 } 3960 identity tls-dh-rsa-with-camellia-256-cbc-sha { 3961 base cipher-suite-alg-base; 3962 status deprecated; 3963 description 3964 "TLS-DH-RSA-WITH-CAMELLIA-256-CBC-SHA"; 3965 reference 3966 "RFC 5932: 3967 Camellia Cipher Suites for TLS"; 3968 } 3970 identity tls-dhe-dss-with-camellia-256-cbc-sha { 3971 base cipher-suite-alg-base; 3972 status deprecated; 3973 description 3974 "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA"; 3975 reference 3976 "RFC 5932: 3977 Camellia Cipher Suites for TLS"; 3979 } 3981 identity tls-dhe-rsa-with-camellia-256-cbc-sha { 3982 base cipher-suite-alg-base; 3983 status deprecated; 3984 description 3985 "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA"; 3986 reference 3987 "RFC 5932: 3988 Camellia Cipher Suites for TLS"; 3989 } 3991 identity tls-dh-anon-with-camellia-256-cbc-sha { 3992 base cipher-suite-alg-base; 3993 status deprecated; 3994 description 3995 "TLS-DH-ANON-WITH-CAMELLIA-256-CBC-SHA"; 3996 reference 3997 "RFC 5932: 3998 Camellia Cipher Suites for TLS"; 3999 } 4001 identity tls-psk-with-rc4-128-sha { 4002 base cipher-suite-alg-base; 4003 status deprecated; 4004 description 4005 "TLS-PSK-WITH-RC4-128-SHA"; 4006 reference 4007 "RFC 4279: 4008 Pre-Shared Key Ciphersuites for 4009 Transport Layer Security (TLS) 4010 RFC 6347: 4011 Datagram Transport Layer Security version 1.2"; 4012 } 4014 identity tls-psk-with-3des-ede-cbc-sha { 4015 base cipher-suite-alg-base; 4016 status deprecated; 4017 description 4018 "TLS-PSK-WITH-3DES-EDE-CBC-SHA"; 4019 reference 4020 "RFC 4279: 4021 Pre-Shared Key Ciphersuites for 4022 Transport Layer Security (TLS)"; 4023 } 4025 identity tls-psk-with-aes-128-cbc-sha { 4026 base cipher-suite-alg-base; 4027 status deprecated; 4028 description 4029 "TLS-PSK-WITH-AES-128-CBC-SHA"; 4030 reference 4031 "RFC 4279: 4032 Pre-Shared Key Ciphersuites for 4033 Transport Layer Security (TLS)"; 4034 } 4036 identity tls-psk-with-aes-256-cbc-sha { 4037 base cipher-suite-alg-base; 4038 status deprecated; 4039 description 4040 "TLS-PSK-WITH-AES-256-CBC-SHA"; 4041 reference 4042 "RFC 4279: 4043 Pre-Shared Key Ciphersuites for 4044 Transport Layer Security (TLS)"; 4045 } 4047 identity tls-dhe-psk-with-rc4-128-sha { 4048 base cipher-suite-alg-base; 4049 status deprecated; 4050 description 4051 "TLS-DHE-PSK-WITH-RC4-128-SHA"; 4052 reference 4053 "RFC 4279: 4054 Pre-Shared Key Ciphersuites for 4055 Transport Layer Security (TLS) 4056 RFC 6347: 4057 Datagram Transport Layer Security version 1.2"; 4058 } 4060 identity tls-dhe-psk-with-3des-ede-cbc-sha { 4061 base cipher-suite-alg-base; 4062 status deprecated; 4063 description 4064 "TLS-DHE-PSK-WITH-3DES-EDE-CBC-SHA"; 4065 reference 4066 "RFC 4279: 4067 Pre-Shared Key Ciphersuites for 4068 Transport Layer Security (TLS)"; 4069 } 4071 identity tls-dhe-psk-with-aes-128-cbc-sha { 4072 base cipher-suite-alg-base; 4073 status deprecated; 4074 description 4075 "TLS-DHE-PSK-WITH-AES-128-CBC-SHA"; 4076 reference 4077 "RFC 4279: 4078 Pre-Shared Key Ciphersuites for 4079 Transport Layer Security (TLS)"; 4080 } 4082 identity tls-dhe-psk-with-aes-256-cbc-sha { 4083 base cipher-suite-alg-base; 4084 status deprecated; 4085 description 4086 "TLS-DHE-PSK-WITH-AES-256-CBC-SHA"; 4087 reference 4088 "RFC 4279: 4089 Pre-Shared Key Ciphersuites for 4090 Transport Layer Security (TLS)"; 4091 } 4093 identity tls-rsa-psk-with-rc4-128-sha { 4094 base cipher-suite-alg-base; 4095 status deprecated; 4096 description 4097 "TLS-RSA-PSK-WITH-RC4-128-SHA"; 4098 reference 4099 "RFC 4279: 4100 Pre-Shared Key Ciphersuites for 4101 Transport Layer Security (TLS) 4102 RFC 6347: 4103 Datagram Transport Layer Security version 1.2"; 4104 } 4106 identity tls-rsa-psk-with-3des-ede-cbc-sha { 4107 base cipher-suite-alg-base; 4108 status deprecated; 4109 description 4110 "TLS-RSA-PSK-WITH-3DES-EDE-CBC-SHA"; 4111 reference 4112 "RFC 4279: 4113 Pre-Shared Key Ciphersuites for 4114 Transport Layer Security (TLS)"; 4115 } 4117 identity tls-rsa-psk-with-aes-128-cbc-sha { 4118 base cipher-suite-alg-base; 4119 status deprecated; 4120 description 4121 "TLS-RSA-PSK-WITH-AES-128-CBC-SHA"; 4122 reference 4123 "RFC 4279: 4124 Pre-Shared Key Ciphersuites for 4125 Transport Layer Security (TLS)"; 4126 } 4128 identity tls-rsa-psk-with-aes-256-cbc-sha { 4129 base cipher-suite-alg-base; 4130 status deprecated; 4131 description 4132 "TLS-RSA-PSK-WITH-AES-256-CBC-SHA"; 4133 reference 4134 "RFC 4279: 4135 Pre-Shared Key Ciphersuites for 4136 Transport Layer Security (TLS)"; 4137 } 4139 identity tls-rsa-with-seed-cbc-sha { 4140 base cipher-suite-alg-base; 4141 status deprecated; 4142 description 4143 "TLS-RSA-WITH-SEED-CBC-SHA"; 4144 reference 4145 "RFC 4162: 4146 Addition of SEED Ciphersuites to 4147 Transport Layer Security (TLS)"; 4148 } 4150 identity tls-dh-dss-with-seed-cbc-sha { 4151 base cipher-suite-alg-base; 4152 status deprecated; 4153 description 4154 "TLS-DH-DSS-WITH-SEED-CBC-SHA"; 4155 reference 4156 "RFC 4162: 4157 Addition of SEED Ciphersuites to 4158 Transport Layer Security (TLS)"; 4159 } 4161 identity tls-dh-rsa-with-seed-cbc-sha { 4162 base cipher-suite-alg-base; 4163 status deprecated; 4164 description 4165 "TLS-DH-RSA-WITH-SEED-CBC-SHA"; 4166 reference 4167 "RFC 4162: 4168 Addition of SEED Ciphersuites to 4169 Transport Layer Security (TLS)"; 4170 } 4171 identity tls-dhe-dss-with-seed-cbc-sha { 4172 base cipher-suite-alg-base; 4173 status deprecated; 4174 description 4175 "TLS-DHE-DSS-WITH-SEED-CBC-SHA"; 4176 reference 4177 "RFC 4162: 4178 Addition of SEED Ciphersuites to 4179 Transport Layer Security (TLS)"; 4180 } 4182 identity tls-dhe-rsa-with-seed-cbc-sha { 4183 base cipher-suite-alg-base; 4184 status deprecated; 4185 description 4186 "TLS-DHE-RSA-WITH-SEED-CBC-SHA"; 4187 reference 4188 "RFC 4162: 4189 Addition of SEED Ciphersuites to 4190 Transport Layer Security (TLS)"; 4191 } 4193 identity tls-dh-anon-with-seed-cbc-sha { 4194 base cipher-suite-alg-base; 4195 status deprecated; 4196 description 4197 "TLS-DH-ANON-WITH-SEED-CBC-SHA"; 4198 reference 4199 "RFC 4162: 4200 Addition of SEED Ciphersuites to 4201 Transport Layer Security (TLS)"; 4202 } 4204 identity tls-rsa-with-aes-128-gcm-sha256 { 4205 base cipher-suite-alg-base; 4206 status deprecated; 4207 description 4208 "TLS-RSA-WITH-AES-128-GCM-SHA256"; 4209 reference 4210 "RFC 5288: 4211 AES-GCM Cipher Suites for TLS"; 4212 } 4214 identity tls-rsa-with-aes-256-gcm-sha384 { 4215 base cipher-suite-alg-base; 4216 status deprecated; 4217 description 4218 "TLS-RSA-WITH-AES-256-GCM-SHA384"; 4220 reference 4221 "RFC 5288: 4222 AES-GCM Cipher Suites for TLS"; 4223 } 4225 identity tls-dhe-rsa-with-aes-128-gcm-sha256 { 4226 base cipher-suite-alg-base; 4227 description 4228 "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256"; 4229 reference 4230 "RFC 5288: 4231 AES-GCM Cipher Suites for TLS"; 4232 } 4234 identity tls-dhe-rsa-with-aes-256-gcm-sha384 { 4235 base cipher-suite-alg-base; 4236 description 4237 "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"; 4238 reference 4239 "RFC 5288: 4240 AES-GCM Cipher Suites for TLS"; 4241 } 4243 identity tls-dh-rsa-with-aes-128-gcm-sha256 { 4244 base cipher-suite-alg-base; 4245 status deprecated; 4246 description 4247 "TLS-DH-RSA-WITH-AES-128-GCM-SHA256"; 4248 reference 4249 "RFC 5288: 4250 AES-GCM Cipher Suites for TLS"; 4251 } 4253 identity tls-dh-rsa-with-aes-256-gcm-sha384 { 4254 base cipher-suite-alg-base; 4255 status deprecated; 4256 description 4257 "TLS-DH-RSA-WITH-AES-256-GCM-SHA384"; 4258 reference 4259 "RFC 5288: 4260 AES-GCM Cipher Suites for TLS"; 4261 } 4263 identity tls-dhe-dss-with-aes-128-gcm-sha256 { 4264 base cipher-suite-alg-base; 4265 status deprecated; 4266 description 4267 "TLS-DHE-DSS-WITH-AES-128-GCM-SHA256"; 4269 reference 4270 "RFC 5288: 4271 AES-GCM Cipher Suites for TLS"; 4272 } 4274 identity tls-dhe-dss-with-aes-256-gcm-sha384 { 4275 base cipher-suite-alg-base; 4276 status deprecated; 4277 description 4278 "TLS-DHE-DSS-WITH-AES-256-GCM-SHA384"; 4279 reference 4280 "RFC 5288: 4281 AES-GCM Cipher Suites for TLS"; 4282 } 4284 identity tls-dh-dss-with-aes-128-gcm-sha256 { 4285 base cipher-suite-alg-base; 4286 status deprecated; 4287 description 4288 "TLS-DH-DSS-WITH-AES-128-GCM-SHA256"; 4289 reference 4290 "RFC 5288: 4291 AES-GCM Cipher Suites for TLS"; 4292 } 4294 identity tls-dh-dss-with-aes-256-gcm-sha384 { 4295 base cipher-suite-alg-base; 4296 status deprecated; 4297 description 4298 "TLS-DH-DSS-WITH-AES-256-GCM-SHA384"; 4299 reference 4300 "RFC 5288: 4301 AES-GCM Cipher Suites for TLS"; 4302 } 4304 identity tls-dh-anon-with-aes-128-gcm-sha256 { 4305 base cipher-suite-alg-base; 4306 status deprecated; 4307 description 4308 "TLS-DH-ANON-WITH-AES-128-GCM-SHA256"; 4309 reference 4310 "RFC 5288: 4311 AES-GCM Cipher Suites for TLS"; 4312 } 4314 identity tls-dh-anon-with-aes-256-gcm-sha384 { 4315 base cipher-suite-alg-base; 4316 status deprecated; 4317 description 4318 "TLS-DH-ANON-WITH-AES-256-GCM-SHA384"; 4319 reference 4320 "RFC 5288: 4321 AES-GCM Cipher Suites for TLS"; 4322 } 4324 identity tls-psk-with-aes-128-gcm-sha256 { 4325 base cipher-suite-alg-base; 4326 status deprecated; 4327 description 4328 "TLS-PSK-WITH-AES-128-GCM-SHA256"; 4329 reference 4330 "RFC 5487: 4331 Pre-Shared Key Cipher Suites for Transport Layer Security 4332 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 4333 } 4335 identity tls-psk-with-aes-256-gcm-sha384 { 4336 base cipher-suite-alg-base; 4337 status deprecated; 4338 description 4339 "TLS-PSK-WITH-AES-256-GCM-SHA384"; 4340 reference 4341 "RFC 5487: 4342 Pre-Shared Key Cipher Suites for Transport Layer Security 4343 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 4344 } 4346 identity tls-dhe-psk-with-aes-128-gcm-sha256 { 4347 base cipher-suite-alg-base; 4348 description 4349 "TLS-DHE-PSK-WITH-AES-128-GCM-SHA256"; 4350 reference 4351 "RFC 5487: 4352 Pre-Shared Key Cipher Suites for Transport Layer Security 4353 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 4354 } 4356 identity tls-dhe-psk-with-aes-256-gcm-sha384 { 4357 base cipher-suite-alg-base; 4358 description 4359 "TLS-DHE-PSK-WITH-AES-256-GCM-SHA384"; 4360 reference 4361 "RFC 5487: 4362 Pre-Shared Key Cipher Suites for Transport Layer Security 4363 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 4364 } 4365 identity tls-rsa-psk-with-aes-128-gcm-sha256 { 4366 base cipher-suite-alg-base; 4367 status deprecated; 4368 description 4369 "TLS-RSA-PSK-WITH-AES-128-GCM-SHA256"; 4370 reference 4371 "RFC 5487: 4372 Pre-Shared Key Cipher Suites for Transport Layer Security 4373 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 4374 } 4376 identity tls-rsa-psk-with-aes-256-gcm-sha384 { 4377 base cipher-suite-alg-base; 4378 status deprecated; 4379 description 4380 "TLS-RSA-PSK-WITH-AES-256-GCM-SHA384"; 4381 reference 4382 "RFC 5487: 4383 Pre-Shared Key Cipher Suites for Transport Layer Security 4384 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 4385 } 4387 identity tls-psk-with-aes-128-cbc-sha256 { 4388 base cipher-suite-alg-base; 4389 status deprecated; 4390 description 4391 "TLS-PSK-WITH-AES-128-CBC-SHA256"; 4392 reference 4393 "RFC 5487: 4394 Pre-Shared Key Cipher Suites for Transport Layer Security 4395 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 4396 } 4398 identity tls-psk-with-aes-256-cbc-sha384 { 4399 base cipher-suite-alg-base; 4400 status deprecated; 4401 description 4402 "TLS-PSK-WITH-AES-256-CBC-SHA384"; 4403 reference 4404 "RFC 5487: 4405 Pre-Shared Key Cipher Suites for Transport Layer Security 4406 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 4407 } 4409 identity tls-psk-with-null-sha256 { 4410 base cipher-suite-alg-base; 4411 status deprecated; 4412 description 4413 "TLS-PSK-WITH-NULL-SHA256"; 4414 reference 4415 "RFC 5487: 4416 Pre-Shared Key Cipher Suites for Transport Layer Security 4417 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 4418 } 4420 identity tls-psk-with-null-sha384 { 4421 base cipher-suite-alg-base; 4422 status deprecated; 4423 description 4424 "TLS-PSK-WITH-NULL-SHA384"; 4425 reference 4426 "RFC 5487: 4427 Pre-Shared Key Cipher Suites for Transport Layer Security 4428 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 4429 } 4431 identity tls-dhe-psk-with-aes-128-cbc-sha256 { 4432 base cipher-suite-alg-base; 4433 status deprecated; 4434 description 4435 "TLS-DHE-PSK-WITH-AES-128-CBC-SHA256"; 4436 reference 4437 "RFC 5487: 4438 Pre-Shared Key Cipher Suites for Transport Layer Security 4439 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 4440 } 4442 identity tls-dhe-psk-with-aes-256-cbc-sha384 { 4443 base cipher-suite-alg-base; 4444 status deprecated; 4445 description 4446 "TLS-DHE-PSK-WITH-AES-256-CBC-SHA384"; 4447 reference 4448 "RFC 5487: 4449 Pre-Shared Key Cipher Suites for Transport Layer Security 4450 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 4451 } 4453 identity tls-dhe-psk-with-null-sha256 { 4454 base cipher-suite-alg-base; 4455 status deprecated; 4456 description 4457 "TLS-DHE-PSK-WITH-NULL-SHA256"; 4458 reference 4459 "RFC 5487: 4460 Pre-Shared Key Cipher Suites for Transport Layer Security 4461 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 4462 } 4464 identity tls-dhe-psk-with-null-sha384 { 4465 base cipher-suite-alg-base; 4466 status deprecated; 4467 description 4468 "TLS-DHE-PSK-WITH-NULL-SHA384"; 4469 reference 4470 "RFC 5487: 4471 Pre-Shared Key Cipher Suites for Transport Layer Security 4472 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 4473 } 4475 identity tls-rsa-psk-with-aes-128-cbc-sha256 { 4476 base cipher-suite-alg-base; 4477 status deprecated; 4478 description 4479 "TLS-RSA-PSK-WITH-AES-128-CBC-SHA256"; 4480 reference 4481 "RFC 5487: 4482 Pre-Shared Key Cipher Suites for Transport Layer Security 4483 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 4484 } 4486 identity tls-rsa-psk-with-aes-256-cbc-sha384 { 4487 base cipher-suite-alg-base; 4488 status deprecated; 4489 description 4490 "TLS-RSA-PSK-WITH-AES-256-CBC-SHA384"; 4491 reference 4492 "RFC 5487: 4493 Pre-Shared Key Cipher Suites for Transport Layer Security 4494 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 4495 } 4497 identity tls-rsa-psk-with-null-sha256 { 4498 base cipher-suite-alg-base; 4499 status deprecated; 4500 description 4501 "TLS-RSA-PSK-WITH-NULL-SHA256"; 4502 reference 4503 "RFC 5487: 4504 Pre-Shared Key Cipher Suites for Transport Layer Security 4505 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 4506 } 4508 identity tls-rsa-psk-with-null-sha384 { 4509 base cipher-suite-alg-base; 4510 status deprecated; 4511 description 4512 "TLS-RSA-PSK-WITH-NULL-SHA384"; 4513 reference 4514 "RFC 5487: 4515 Pre-Shared Key Cipher Suites for Transport Layer Security 4516 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 4517 } 4519 identity tls-rsa-with-camellia-128-cbc-sha256 { 4520 base cipher-suite-alg-base; 4521 status deprecated; 4522 description 4523 "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256"; 4524 reference 4525 "RFC 5932: 4526 Camellia Cipher Suites for TLS"; 4527 } 4529 identity tls-dh-dss-with-camellia-128-cbc-sha256 { 4530 base cipher-suite-alg-base; 4531 status deprecated; 4532 description 4533 "TLS-DH-DSS-WITH-CAMELLIA-128-CBC-SHA256"; 4534 reference 4535 "RFC 5932: 4536 Camellia Cipher Suites for TLS"; 4537 } 4539 identity tls-dh-rsa-with-camellia-128-cbc-sha256 { 4540 base cipher-suite-alg-base; 4541 status deprecated; 4542 description 4543 "TLS-DH-RSA-WITH-CAMELLIA-128-CBC-SHA256"; 4544 reference 4545 "RFC 5932: 4546 Camellia Cipher Suites for TLS"; 4547 } 4549 identity tls-dhe-dss-with-camellia-128-cbc-sha256 { 4550 base cipher-suite-alg-base; 4551 status deprecated; 4552 description 4553 "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256"; 4554 reference 4555 "RFC 5932: 4556 Camellia Cipher Suites for TLS"; 4558 } 4560 identity tls-dhe-rsa-with-camellia-128-cbc-sha256 { 4561 base cipher-suite-alg-base; 4562 status deprecated; 4563 description 4564 "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"; 4565 reference 4566 "RFC 5932: 4567 Camellia Cipher Suites for TLS"; 4568 } 4570 identity tls-dh-anon-with-camellia-128-cbc-sha256 { 4571 base cipher-suite-alg-base; 4572 status deprecated; 4573 description 4574 "TLS-DH-ANON-WITH-CAMELLIA-128-CBC-SHA256"; 4575 reference 4576 "RFC 5932: 4577 Camellia Cipher Suites for TLS"; 4578 } 4580 identity tls-rsa-with-camellia-256-cbc-sha256 { 4581 base cipher-suite-alg-base; 4582 status deprecated; 4583 description 4584 "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256"; 4585 reference 4586 "RFC 5932: 4587 Camellia Cipher Suites for TLS"; 4588 } 4590 identity tls-dh-dss-with-camellia-256-cbc-sha256 { 4591 base cipher-suite-alg-base; 4592 status deprecated; 4593 description 4594 "TLS-DH-DSS-WITH-CAMELLIA-256-CBC-SHA256"; 4595 reference 4596 "RFC 5932: 4597 Camellia Cipher Suites for TLS"; 4598 } 4600 identity tls-dh-rsa-with-camellia-256-cbc-sha256 { 4601 base cipher-suite-alg-base; 4602 status deprecated; 4603 description 4604 "TLS-DH-RSA-WITH-CAMELLIA-256-CBC-SHA256"; 4605 reference 4606 "RFC 5932: 4607 Camellia Cipher Suites for TLS"; 4608 } 4610 identity tls-dhe-dss-with-camellia-256-cbc-sha256 { 4611 base cipher-suite-alg-base; 4612 status deprecated; 4613 description 4614 "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256"; 4615 reference 4616 "RFC 5932: 4617 Camellia Cipher Suites for TLS"; 4618 } 4620 identity tls-dhe-rsa-with-camellia-256-cbc-sha256 { 4621 base cipher-suite-alg-base; 4622 status deprecated; 4623 description 4624 "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"; 4625 reference 4626 "RFC 5932: 4627 Camellia Cipher Suites for TLS"; 4628 } 4630 identity tls-dh-anon-with-camellia-256-cbc-sha256 { 4631 base cipher-suite-alg-base; 4632 status deprecated; 4633 description 4634 "TLS-DH-ANON-WITH-CAMELLIA-256-CBC-SHA256"; 4635 reference 4636 "RFC 5932: 4637 Camellia Cipher Suites for TLS"; 4638 } 4640 identity tls-sm4-gcm-sm3 { 4641 base cipher-suite-alg-base; 4642 status deprecated; 4643 description 4644 "TLS-SM4-GCM-SM3"; 4645 reference 4646 "RFC 8998: 4647 ShangMi (SM) Cipher Suites for Transport Layer Security 4648 (TLS) Protocol Version 1.3"; 4649 } 4651 identity tls-sm4-ccm-sm3 { 4652 base cipher-suite-alg-base; 4653 status deprecated; 4654 description 4655 "TLS-SM4-CCM-SM3"; 4656 reference 4657 "RFC 8998: 4658 ShangMi (SM) Cipher Suites for Transport Layer Security 4659 (TLS) Protocol Version 1.3"; 4660 } 4662 identity tls-empty-renegotiation-info-scsv { 4663 base cipher-suite-alg-base; 4664 status deprecated; 4665 description 4666 "TLS-EMPTY-RENEGOTIATION-INFO-SCSV"; 4667 reference 4668 "RFC 5746: 4669 Transport Layer Security (TLS) 4670 Renegotiation Indication Extension"; 4671 } 4673 identity tls-aes-128-gcm-sha256 { 4674 base cipher-suite-alg-base; 4675 description 4676 "TLS-AES-128-GCM-SHA256"; 4677 reference 4678 "RFC 8446: 4679 The Transport Layer Security (TLS) Protocol Version 1.3"; 4680 } 4682 identity tls-aes-256-gcm-sha384 { 4683 base cipher-suite-alg-base; 4684 description 4685 "TLS-AES-256-GCM-SHA384"; 4686 reference 4687 "RFC 8446: 4688 The Transport Layer Security (TLS) Protocol Version 1.3"; 4689 } 4691 identity tls-chacha20-poly1305-sha256 { 4692 base cipher-suite-alg-base; 4693 description 4694 "TLS-CHACHA20-POLY1305-SHA256"; 4695 reference 4696 "RFC 8446: 4697 The Transport Layer Security (TLS) Protocol Version 1.3"; 4698 } 4700 identity tls-aes-128-ccm-sha256 { 4701 base cipher-suite-alg-base; 4702 description 4703 "TLS-AES-128-CCM-SHA256"; 4704 reference 4705 "RFC 8446: 4706 The Transport Layer Security (TLS) Protocol Version 1.3"; 4707 } 4709 identity tls-aes-128-ccm-8-sha256 { 4710 base cipher-suite-alg-base; 4711 status deprecated; 4712 description 4713 "TLS-AES-128-CCM-8-SHA256"; 4714 reference 4715 "RFC 8446: 4716 The Transport Layer Security (TLS) Protocol Version 1.3"; 4717 } 4719 identity tls-fallback-scsv { 4720 base cipher-suite-alg-base; 4721 status deprecated; 4722 description 4723 "TLS-FALLBACK-SCSV"; 4724 reference 4725 "RFC 7507: 4726 TLS Fallback Signaling Cipher Suite Value (SCSV) 4727 for Preventing Protocol Downgrade Attacks"; 4728 } 4730 identity tls-ecdh-ecdsa-with-null-sha { 4731 base cipher-suite-alg-base; 4732 status deprecated; 4733 description 4734 "TLS-ECDH-ECDSA-WITH-NULL-SHA"; 4735 reference 4736 "RFC 8422: 4737 Elliptic Curve Cryptography (ECC) Cipher Suites for 4738 Transport Layer Security (TLS) Versions 1.2 and Earlier"; 4739 } 4741 identity tls-ecdh-ecdsa-with-rc4-128-sha { 4742 base cipher-suite-alg-base; 4743 status deprecated; 4744 description 4745 "TLS-ECDH-ECDSA-WITH-RC4-128-SHA"; 4746 reference 4747 "RFC 8422: 4748 Elliptic Curve Cryptography (ECC) Cipher Suites for 4749 Transport Layer Security (TLS) Versions 1.2 and Earlier 4751 RFC 6347: 4752 Datagram Transport Layer Security version 1.2"; 4753 } 4755 identity tls-ecdh-ecdsa-with-3des-ede-cbc-sha { 4756 base cipher-suite-alg-base; 4757 status deprecated; 4758 description 4759 "TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA"; 4760 reference 4761 "RFC 8422: 4762 Elliptic Curve Cryptography (ECC) Cipher Suites for 4763 Transport Layer Security (TLS) Versions 1.2 and Earlier"; 4764 } 4766 identity tls-ecdh-ecdsa-with-aes-128-cbc-sha { 4767 base cipher-suite-alg-base; 4768 status deprecated; 4769 description 4770 "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA"; 4771 reference 4772 "RFC 8422: 4773 Elliptic Curve Cryptography (ECC) Cipher Suites for 4774 Transport Layer Security (TLS) Versions 1.2 and Earlier"; 4775 } 4777 identity tls-ecdh-ecdsa-with-aes-256-cbc-sha { 4778 base cipher-suite-alg-base; 4779 status deprecated; 4780 description 4781 "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA"; 4782 reference 4783 "RFC 8422: 4784 Elliptic Curve Cryptography (ECC) Cipher Suites for 4785 Transport Layer Security (TLS) Versions 1.2 and Earlier"; 4786 } 4788 identity tls-ecdhe-ecdsa-with-null-sha { 4789 base cipher-suite-alg-base; 4790 status deprecated; 4791 description 4792 "TLS-ECDHE-ECDSA-WITH-NULL-SHA"; 4793 reference 4794 "RFC 8422: 4795 Elliptic Curve Cryptography (ECC) Cipher Suites for 4796 Transport Layer Security (TLS) Versions 1.2 and Earlier"; 4797 } 4798 identity tls-ecdhe-ecdsa-with-rc4-128-sha { 4799 base cipher-suite-alg-base; 4800 status deprecated; 4801 description 4802 "TLS-ECDHE-ECDSA-WITH-RC4-128-SHA"; 4803 reference 4804 "RFC 8422: 4805 Elliptic Curve Cryptography (ECC) Cipher Suites for 4806 Transport Layer Security (TLS) Versions 1.2 and Earlier 4807 RFC 6347: 4808 Datagram Transport Layer Security version 1.2"; 4809 } 4811 identity tls-ecdhe-ecdsa-with-3des-ede-cbc-sha { 4812 base cipher-suite-alg-base; 4813 status deprecated; 4814 description 4815 "TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA"; 4816 reference 4817 "RFC 8422: 4818 Elliptic Curve Cryptography (ECC) Cipher Suites for 4819 Transport Layer Security (TLS) Versions 1.2 and Earlier"; 4820 } 4822 identity tls-ecdhe-ecdsa-with-aes-128-cbc-sha { 4823 base cipher-suite-alg-base; 4824 status deprecated; 4825 description 4826 "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA"; 4827 reference 4828 "RFC 8422: 4829 Elliptic Curve Cryptography (ECC) Cipher Suites for 4830 Transport Layer Security (TLS) Versions 1.2 and Earlier"; 4831 } 4833 identity tls-ecdhe-ecdsa-with-aes-256-cbc-sha { 4834 base cipher-suite-alg-base; 4835 status deprecated; 4836 description 4837 "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA"; 4838 reference 4839 "RFC 8422: 4840 Elliptic Curve Cryptography (ECC) Cipher Suites for 4841 Transport Layer Security (TLS) Versions 1.2 and Earlier"; 4842 } 4844 identity tls-ecdh-rsa-with-null-sha { 4845 base cipher-suite-alg-base; 4846 status deprecated; 4847 description 4848 "TLS-ECDH-RSA-WITH-NULL-SHA"; 4849 reference 4850 "RFC 8422: 4851 Elliptic Curve Cryptography (ECC) Cipher Suites for 4852 Transport Layer Security (TLS) Versions 1.2 and Earlier"; 4853 } 4855 identity tls-ecdh-rsa-with-rc4-128-sha { 4856 base cipher-suite-alg-base; 4857 status deprecated; 4858 description 4859 "TLS-ECDH-RSA-WITH-RC4-128-SHA"; 4860 reference 4861 "RFC 8422: 4862 Elliptic Curve Cryptography (ECC) Cipher Suites for 4863 Transport Layer Security (TLS) Versions 1.2 and Earlier 4864 RFC 6347: 4865 Datagram Transport Layer Security version 1.2"; 4866 } 4868 identity tls-ecdh-rsa-with-3des-ede-cbc-sha { 4869 base cipher-suite-alg-base; 4870 status deprecated; 4871 description 4872 "TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA"; 4873 reference 4874 "RFC 8422: 4875 Elliptic Curve Cryptography (ECC) Cipher Suites for 4876 Transport Layer Security (TLS) Versions 1.2 and Earlier"; 4877 } 4879 identity tls-ecdh-rsa-with-aes-128-cbc-sha { 4880 base cipher-suite-alg-base; 4881 status deprecated; 4882 description 4883 "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA"; 4884 reference 4885 "RFC 8422: 4886 Elliptic Curve Cryptography (ECC) Cipher Suites for 4887 Transport Layer Security (TLS) Versions 1.2 and Earlier"; 4888 } 4890 identity tls-ecdh-rsa-with-aes-256-cbc-sha { 4891 base cipher-suite-alg-base; 4892 status deprecated; 4893 description 4894 "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA"; 4895 reference 4896 "RFC 8422: 4897 Elliptic Curve Cryptography (ECC) Cipher Suites for 4898 Transport Layer Security (TLS) Versions 1.2 and Earlier"; 4899 } 4901 identity tls-ecdhe-rsa-with-null-sha { 4902 base cipher-suite-alg-base; 4903 status deprecated; 4904 description 4905 "TLS-ECDHE-RSA-WITH-NULL-SHA"; 4906 reference 4907 "RFC 8422: 4908 Elliptic Curve Cryptography (ECC) Cipher Suites for 4909 Transport Layer Security (TLS) Versions 1.2 and Earlier"; 4910 } 4912 identity tls-ecdhe-rsa-with-rc4-128-sha { 4913 base cipher-suite-alg-base; 4914 status deprecated; 4915 description 4916 "TLS-ECDHE-RSA-WITH-RC4-128-SHA"; 4917 reference 4918 "RFC 8422: 4919 Elliptic Curve Cryptography (ECC) Cipher Suites for 4920 Transport Layer Security (TLS) Versions 1.2 and Earlier 4921 RFC 6347: 4922 Datagram Transport Layer Security version 1.2"; 4923 } 4925 identity tls-ecdhe-rsa-with-3des-ede-cbc-sha { 4926 base cipher-suite-alg-base; 4927 status deprecated; 4928 description 4929 "TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA"; 4930 reference 4931 "RFC 8422: 4932 Elliptic Curve Cryptography (ECC) Cipher Suites for 4933 Transport Layer Security (TLS) Versions 1.2 and Earlier"; 4934 } 4936 identity tls-ecdhe-rsa-with-aes-128-cbc-sha { 4937 base cipher-suite-alg-base; 4938 status deprecated; 4939 description 4940 "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA"; 4941 reference 4942 "RFC 8422: 4943 Elliptic Curve Cryptography (ECC) Cipher Suites for 4944 Transport Layer Security (TLS) Versions 1.2 and Earlier"; 4945 } 4947 identity tls-ecdhe-rsa-with-aes-256-cbc-sha { 4948 base cipher-suite-alg-base; 4949 status deprecated; 4950 description 4951 "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA"; 4952 reference 4953 "RFC 8422: 4954 Elliptic Curve Cryptography (ECC) Cipher Suites for 4955 Transport Layer Security (TLS) Versions 1.2 and Earlier"; 4956 } 4958 identity tls-ecdh-anon-with-null-sha { 4959 base cipher-suite-alg-base; 4960 status deprecated; 4961 description 4962 "TLS-ECDH-ANON-WITH-NULL-SHA"; 4963 reference 4964 "RFC 8422: 4965 Elliptic Curve Cryptography (ECC) Cipher Suites for 4966 Transport Layer Security (TLS) Versions 1.2 and Earlier"; 4967 } 4969 identity tls-ecdh-anon-with-rc4-128-sha { 4970 base cipher-suite-alg-base; 4971 status deprecated; 4972 description 4973 "TLS-ECDH-ANON-WITH-RC4-128-SHA"; 4974 reference 4975 "RFC 8422: 4976 Elliptic Curve Cryptography (ECC) Cipher Suites for 4977 Transport Layer Security (TLS) Versions 1.2 and Earlier 4978 RFC 6347: 4979 Datagram Transport Layer Security version 1.2"; 4980 } 4982 identity tls-ecdh-anon-with-3des-ede-cbc-sha { 4983 base cipher-suite-alg-base; 4984 status deprecated; 4985 description 4986 "TLS-ECDH-ANON-WITH-3DES-EDE-CBC-SHA"; 4987 reference 4988 "RFC 8422: 4989 Elliptic Curve Cryptography (ECC) Cipher Suites for 4990 Transport Layer Security (TLS) Versions 1.2 and Earlier"; 4991 } 4993 identity tls-ecdh-anon-with-aes-128-cbc-sha { 4994 base cipher-suite-alg-base; 4995 status deprecated; 4996 description 4997 "TLS-ECDH-ANON-WITH-AES-128-CBC-SHA"; 4998 reference 4999 "RFC 8422: 5000 Elliptic Curve Cryptography (ECC) Cipher Suites for 5001 Transport Layer Security (TLS) Versions 1.2 and Earlier"; 5002 } 5004 identity tls-ecdh-anon-with-aes-256-cbc-sha { 5005 base cipher-suite-alg-base; 5006 status deprecated; 5007 description 5008 "TLS-ECDH-ANON-WITH-AES-256-CBC-SHA"; 5009 reference 5010 "RFC 8422: 5011 Elliptic Curve Cryptography (ECC) Cipher Suites for 5012 Transport Layer Security (TLS) Versions 1.2 and Earlier"; 5013 } 5015 identity tls-srp-sha-with-3des-ede-cbc-sha { 5016 base cipher-suite-alg-base; 5017 status deprecated; 5018 description 5019 "TLS-SRP-SHA-WITH-3DES-EDE-CBC-SHA"; 5020 reference 5021 "RFC 5054: 5022 Using SRP for TLS Authentication"; 5023 } 5025 identity tls-srp-sha-rsa-with-3des-ede-cbc-sha { 5026 base cipher-suite-alg-base; 5027 status deprecated; 5028 description 5029 "TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA"; 5030 reference 5031 "RFC 5054: 5032 Using SRP for TLS Authentication"; 5033 } 5035 identity tls-srp-sha-dss-with-3des-ede-cbc-sha { 5036 base cipher-suite-alg-base; 5037 status deprecated; 5038 description 5039 "TLS-SRP-SHA-DSS-WITH-3DES-EDE-CBC-SHA"; 5040 reference 5041 "RFC 5054: 5042 Using SRP for TLS Authentication"; 5043 } 5045 identity tls-srp-sha-with-aes-128-cbc-sha { 5046 base cipher-suite-alg-base; 5047 status deprecated; 5048 description 5049 "TLS-SRP-SHA-WITH-AES-128-CBC-SHA"; 5050 reference 5051 "RFC 5054: 5052 Using SRP for TLS Authentication"; 5053 } 5055 identity tls-srp-sha-rsa-with-aes-128-cbc-sha { 5056 base cipher-suite-alg-base; 5057 status deprecated; 5058 description 5059 "TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA"; 5060 reference 5061 "RFC 5054: 5062 Using SRP for TLS Authentication"; 5063 } 5065 identity tls-srp-sha-dss-with-aes-128-cbc-sha { 5066 base cipher-suite-alg-base; 5067 status deprecated; 5068 description 5069 "TLS-SRP-SHA-DSS-WITH-AES-128-CBC-SHA"; 5070 reference 5071 "RFC 5054: 5072 Using SRP for TLS Authentication"; 5073 } 5075 identity tls-srp-sha-with-aes-256-cbc-sha { 5076 base cipher-suite-alg-base; 5077 status deprecated; 5078 description 5079 "TLS-SRP-SHA-WITH-AES-256-CBC-SHA"; 5080 reference 5081 "RFC 5054: 5082 Using SRP for TLS Authentication"; 5083 } 5085 identity tls-srp-sha-rsa-with-aes-256-cbc-sha { 5086 base cipher-suite-alg-base; 5087 status deprecated; 5088 description 5089 "TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA"; 5090 reference 5091 "RFC 5054: 5092 Using SRP for TLS Authentication"; 5093 } 5095 identity tls-srp-sha-dss-with-aes-256-cbc-sha { 5096 base cipher-suite-alg-base; 5097 status deprecated; 5098 description 5099 "TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA"; 5100 reference 5101 "RFC 5054: 5102 Using SRP for TLS Authentication"; 5103 } 5105 identity tls-ecdhe-ecdsa-with-aes-128-cbc-sha256 { 5106 base cipher-suite-alg-base; 5107 status deprecated; 5108 description 5109 "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256"; 5110 reference 5111 "RFC 5289: 5112 TLS Elliptic Curve Cipher Suites with SHA-256/384 5113 and AES Galois Counter Mode"; 5114 } 5116 identity tls-ecdhe-ecdsa-with-aes-256-cbc-sha384 { 5117 base cipher-suite-alg-base; 5118 status deprecated; 5119 description 5120 "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384"; 5121 reference 5122 "RFC 5289: 5123 TLS Elliptic Curve Cipher Suites with SHA-256/384 5124 and AES Galois Counter Mode"; 5125 } 5127 identity tls-ecdh-ecdsa-with-aes-128-cbc-sha256 { 5128 base cipher-suite-alg-base; 5129 status deprecated; 5130 description 5131 "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256"; 5132 reference 5133 "RFC 5289: 5135 TLS Elliptic Curve Cipher Suites with SHA-256/384 5136 and AES Galois Counter Mode"; 5137 } 5139 identity tls-ecdh-ecdsa-with-aes-256-cbc-sha384 { 5140 base cipher-suite-alg-base; 5141 status deprecated; 5142 description 5143 "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384"; 5144 reference 5145 "RFC 5289: 5146 TLS Elliptic Curve Cipher Suites with SHA-256/384 5147 and AES Galois Counter Mode"; 5148 } 5150 identity tls-ecdhe-rsa-with-aes-128-cbc-sha256 { 5151 base cipher-suite-alg-base; 5152 status deprecated; 5153 description 5154 "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256"; 5155 reference 5156 "RFC 5289: 5157 TLS Elliptic Curve Cipher Suites with SHA-256/384 5158 and AES Galois Counter Mode"; 5159 } 5161 identity tls-ecdhe-rsa-with-aes-256-cbc-sha384 { 5162 base cipher-suite-alg-base; 5163 status deprecated; 5164 description 5165 "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384"; 5166 reference 5167 "RFC 5289: 5168 TLS Elliptic Curve Cipher Suites with SHA-256/384 5169 and AES Galois Counter Mode"; 5170 } 5172 identity tls-ecdh-rsa-with-aes-128-cbc-sha256 { 5173 base cipher-suite-alg-base; 5174 status deprecated; 5175 description 5176 "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256"; 5177 reference 5178 "RFC 5289: 5179 TLS Elliptic Curve Cipher Suites with SHA-256/384 5180 and AES Galois Counter Mode"; 5181 } 5182 identity tls-ecdh-rsa-with-aes-256-cbc-sha384 { 5183 base cipher-suite-alg-base; 5184 status deprecated; 5185 description 5186 "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384"; 5187 reference 5188 "RFC 5289: 5189 TLS Elliptic Curve Cipher Suites with SHA-256/384 5190 and AES Galois Counter Mode"; 5191 } 5193 identity tls-ecdhe-ecdsa-with-aes-128-gcm-sha256 { 5194 base cipher-suite-alg-base; 5195 description 5196 "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"; 5197 reference 5198 "RFC 5289: 5199 TLS Elliptic Curve Cipher Suites with SHA-256/384 5200 and AES Galois Counter Mode"; 5201 } 5203 identity tls-ecdhe-ecdsa-with-aes-256-gcm-sha384 { 5204 base cipher-suite-alg-base; 5205 description 5206 "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"; 5207 reference 5208 "RFC 5289: 5209 TLS Elliptic Curve Cipher Suites with SHA-256/384 5210 and AES Galois Counter Mode"; 5211 } 5213 identity tls-ecdh-ecdsa-with-aes-128-gcm-sha256 { 5214 base cipher-suite-alg-base; 5215 status deprecated; 5216 description 5217 "TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256"; 5218 reference 5219 "RFC 5289: 5220 TLS Elliptic Curve Cipher Suites with SHA-256/384 5221 and AES Galois Counter Mode"; 5222 } 5224 identity tls-ecdh-ecdsa-with-aes-256-gcm-sha384 { 5225 base cipher-suite-alg-base; 5226 status deprecated; 5227 description 5228 "TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384"; 5229 reference 5230 "RFC 5289: 5231 TLS Elliptic Curve Cipher Suites with SHA-256/384 5232 and AES Galois Counter Mode"; 5233 } 5235 identity tls-ecdhe-rsa-with-aes-128-gcm-sha256 { 5236 base cipher-suite-alg-base; 5237 description 5238 "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"; 5239 reference 5240 "RFC 5289: 5241 TLS Elliptic Curve Cipher Suites with SHA-256/384 5242 and AES Galois Counter Mode"; 5243 } 5245 identity tls-ecdhe-rsa-with-aes-256-gcm-sha384 { 5246 base cipher-suite-alg-base; 5247 description 5248 "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"; 5249 reference 5250 "RFC 5289: 5251 TLS Elliptic Curve Cipher Suites with SHA-256/384 5252 and AES Galois Counter Mode"; 5253 } 5255 identity tls-ecdh-rsa-with-aes-128-gcm-sha256 { 5256 base cipher-suite-alg-base; 5257 status deprecated; 5258 description 5259 "TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256"; 5260 reference 5261 "RFC 5289: 5262 TLS Elliptic Curve Cipher Suites with SHA-256/384 5263 and AES Galois Counter Mode"; 5264 } 5266 identity tls-ecdh-rsa-with-aes-256-gcm-sha384 { 5267 base cipher-suite-alg-base; 5268 status deprecated; 5269 description 5270 "TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384"; 5271 reference 5272 "RFC 5289: 5273 TLS Elliptic Curve Cipher Suites with SHA-256/384 5274 and AES Galois Counter Mode"; 5275 } 5277 identity tls-ecdhe-psk-with-rc4-128-sha { 5278 base cipher-suite-alg-base; 5279 status deprecated; 5280 description 5281 "TLS-ECDHE-PSK-WITH-RC4-128-SHA"; 5282 reference 5283 "RFC 5489: 5284 ECDHE_PSK Ciphersuites for Transport Layer Security (TLS) 5285 RFC 6347: 5286 Datagram Transport Layer Security version 1.2"; 5287 } 5289 identity tls-ecdhe-psk-with-3des-ede-cbc-sha { 5290 base cipher-suite-alg-base; 5291 status deprecated; 5292 description 5293 "TLS-ECDHE-PSK-WITH-3DES-EDE-CBC-SHA"; 5294 reference 5295 "RFC 5489: 5296 ECDHE_PSK Ciphersuites for Transport Layer Security (TLS)"; 5297 } 5299 identity tls-ecdhe-psk-with-aes-128-cbc-sha { 5300 base cipher-suite-alg-base; 5301 status deprecated; 5302 description 5303 "TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA"; 5304 reference 5305 "RFC 5489: 5306 ECDHE_PSK Ciphersuites for Transport Layer Security (TLS)"; 5307 } 5309 identity tls-ecdhe-psk-with-aes-256-cbc-sha { 5310 base cipher-suite-alg-base; 5311 status deprecated; 5312 description 5313 "TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA"; 5314 reference 5315 "RFC 5489: 5316 ECDHE_PSK Ciphersuites for Transport Layer Security (TLS)"; 5317 } 5319 identity tls-ecdhe-psk-with-aes-128-cbc-sha256 { 5320 base cipher-suite-alg-base; 5321 status deprecated; 5322 description 5323 "TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256"; 5324 reference 5325 "RFC 5489: 5327 ECDHE_PSK Ciphersuites for Transport Layer Security (TLS)"; 5328 } 5330 identity tls-ecdhe-psk-with-aes-256-cbc-sha384 { 5331 base cipher-suite-alg-base; 5332 status deprecated; 5333 description 5334 "TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384"; 5335 reference 5336 "RFC 5489: 5337 ECDHE_PSK Ciphersuites for Transport Layer Security (TLS)"; 5338 } 5340 identity tls-ecdhe-psk-with-null-sha { 5341 base cipher-suite-alg-base; 5342 status deprecated; 5343 description 5344 "TLS-ECDHE-PSK-WITH-NULL-SHA"; 5345 reference 5346 "RFC 5489: 5347 ECDHE_PSK Ciphersuites for Transport Layer Security (TLS)"; 5348 } 5350 identity tls-ecdhe-psk-with-null-sha256 { 5351 base cipher-suite-alg-base; 5352 status deprecated; 5353 description 5354 "TLS-ECDHE-PSK-WITH-NULL-SHA256"; 5355 reference 5356 "RFC 5489: 5357 ECDHE_PSK Ciphersuites for Transport Layer Security (TLS)"; 5358 } 5360 identity tls-ecdhe-psk-with-null-sha384 { 5361 base cipher-suite-alg-base; 5362 status deprecated; 5363 description 5364 "TLS-ECDHE-PSK-WITH-NULL-SHA384"; 5365 reference 5366 "RFC 5489: 5367 ECDHE_PSK Ciphersuites for Transport Layer Security (TLS)"; 5368 } 5370 identity tls-rsa-with-aria-128-cbc-sha256 { 5371 base cipher-suite-alg-base; 5372 status deprecated; 5373 description 5374 "TLS-RSA-WITH-ARIA-128-CBC-SHA256"; 5376 reference 5377 "RFC 6209: 5378 Addition of the ARIA Cipher Suites to 5379 Transport Layer Security (TLS)"; 5380 } 5382 identity tls-rsa-with-aria-256-cbc-sha384 { 5383 base cipher-suite-alg-base; 5384 status deprecated; 5385 description 5386 "TLS-RSA-WITH-ARIA-256-CBC-SHA384"; 5387 reference 5388 "RFC 6209: 5389 Addition of the ARIA Cipher Suites to 5390 Transport Layer Security (TLS)"; 5391 } 5393 identity tls-dh-dss-with-aria-128-cbc-sha256 { 5394 base cipher-suite-alg-base; 5395 status deprecated; 5396 description 5397 "TLS-DH-DSS-WITH-ARIA-128-CBC-SHA256"; 5398 reference 5399 "RFC 6209: 5400 Addition of the ARIA Cipher Suites to 5401 Transport Layer Security (TLS)"; 5402 } 5404 identity tls-dh-dss-with-aria-256-cbc-sha384 { 5405 base cipher-suite-alg-base; 5406 status deprecated; 5407 description 5408 "TLS-DH-DSS-WITH-ARIA-256-CBC-SHA384"; 5409 reference 5410 "RFC 6209: 5411 Addition of the ARIA Cipher Suites to 5412 Transport Layer Security (TLS)"; 5413 } 5415 identity tls-dh-rsa-with-aria-128-cbc-sha256 { 5416 base cipher-suite-alg-base; 5417 status deprecated; 5418 description 5419 "TLS-DH-RSA-WITH-ARIA-128-CBC-SHA256"; 5420 reference 5421 "RFC 6209: 5422 Addition of the ARIA Cipher Suites to 5423 Transport Layer Security (TLS)"; 5425 } 5427 identity tls-dh-rsa-with-aria-256-cbc-sha384 { 5428 base cipher-suite-alg-base; 5429 status deprecated; 5430 description 5431 "TLS-DH-RSA-WITH-ARIA-256-CBC-SHA384"; 5432 reference 5433 "RFC 6209: 5434 Addition of the ARIA Cipher Suites to 5435 Transport Layer Security (TLS)"; 5436 } 5438 identity tls-dhe-dss-with-aria-128-cbc-sha256 { 5439 base cipher-suite-alg-base; 5440 status deprecated; 5441 description 5442 "TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256"; 5443 reference 5444 "RFC 6209: 5445 Addition of the ARIA Cipher Suites to 5446 Transport Layer Security (TLS)"; 5447 } 5449 identity tls-dhe-dss-with-aria-256-cbc-sha384 { 5450 base cipher-suite-alg-base; 5451 status deprecated; 5452 description 5453 "TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384"; 5454 reference 5455 "RFC 6209: 5456 Addition of the ARIA Cipher Suites to 5457 Transport Layer Security (TLS)"; 5458 } 5460 identity tls-dhe-rsa-with-aria-128-cbc-sha256 { 5461 base cipher-suite-alg-base; 5462 status deprecated; 5463 description 5464 "TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256"; 5465 reference 5466 "RFC 6209: 5467 Addition of the ARIA Cipher Suites to 5468 Transport Layer Security (TLS)"; 5469 } 5471 identity tls-dhe-rsa-with-aria-256-cbc-sha384 { 5472 base cipher-suite-alg-base; 5473 status deprecated; 5474 description 5475 "TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384"; 5476 reference 5477 "RFC 6209: 5478 Addition of the ARIA Cipher Suites to 5479 Transport Layer Security (TLS)"; 5480 } 5482 identity tls-dh-anon-with-aria-128-cbc-sha256 { 5483 base cipher-suite-alg-base; 5484 status deprecated; 5485 description 5486 "TLS-DH-ANON-WITH-ARIA-128-CBC-SHA256"; 5487 reference 5488 "RFC 6209: 5489 Addition of the ARIA Cipher Suites to 5490 Transport Layer Security (TLS)"; 5491 } 5493 identity tls-dh-anon-with-aria-256-cbc-sha384 { 5494 base cipher-suite-alg-base; 5495 status deprecated; 5496 description 5497 "TLS-DH-ANON-WITH-ARIA-256-CBC-SHA384"; 5498 reference 5499 "RFC 6209: 5500 Addition of the ARIA Cipher Suites to 5501 Transport Layer Security (TLS)"; 5502 } 5504 identity tls-ecdhe-ecdsa-with-aria-128-cbc-sha256 { 5505 base cipher-suite-alg-base; 5506 status deprecated; 5507 description 5508 "TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256"; 5509 reference 5510 "RFC 6209: 5511 Addition of the ARIA Cipher Suites to 5512 Transport Layer Security (TLS)"; 5513 } 5515 identity tls-ecdhe-ecdsa-with-aria-256-cbc-sha384 { 5516 base cipher-suite-alg-base; 5517 status deprecated; 5518 description 5519 "TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384"; 5520 reference 5521 "RFC 6209: 5522 Addition of the ARIA Cipher Suites to 5523 Transport Layer Security (TLS)"; 5524 } 5526 identity tls-ecdh-ecdsa-with-aria-128-cbc-sha256 { 5527 base cipher-suite-alg-base; 5528 status deprecated; 5529 description 5530 "TLS-ECDH-ECDSA-WITH-ARIA-128-CBC-SHA256"; 5531 reference 5532 "RFC 6209: 5533 Addition of the ARIA Cipher Suites to 5534 Transport Layer Security (TLS)"; 5535 } 5537 identity tls-ecdh-ecdsa-with-aria-256-cbc-sha384 { 5538 base cipher-suite-alg-base; 5539 status deprecated; 5540 description 5541 "TLS-ECDH-ECDSA-WITH-ARIA-256-CBC-SHA384"; 5542 reference 5543 "RFC 6209: 5544 Addition of the ARIA Cipher Suites to 5545 Transport Layer Security (TLS)"; 5546 } 5548 identity tls-ecdhe-rsa-with-aria-128-cbc-sha256 { 5549 base cipher-suite-alg-base; 5550 status deprecated; 5551 description 5552 "TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256"; 5553 reference 5554 "RFC 6209: 5555 Addition of the ARIA Cipher Suites to 5556 Transport Layer Security (TLS)"; 5557 } 5559 identity tls-ecdhe-rsa-with-aria-256-cbc-sha384 { 5560 base cipher-suite-alg-base; 5561 status deprecated; 5562 description 5563 "TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384"; 5564 reference 5565 "RFC 6209: 5566 Addition of the ARIA Cipher Suites to 5567 Transport Layer Security (TLS)"; 5568 } 5569 identity tls-ecdh-rsa-with-aria-128-cbc-sha256 { 5570 base cipher-suite-alg-base; 5571 status deprecated; 5572 description 5573 "TLS-ECDH-RSA-WITH-ARIA-128-CBC-SHA256"; 5574 reference 5575 "RFC 6209: 5576 Addition of the ARIA Cipher Suites to 5577 Transport Layer Security (TLS)"; 5578 } 5580 identity tls-ecdh-rsa-with-aria-256-cbc-sha384 { 5581 base cipher-suite-alg-base; 5582 status deprecated; 5583 description 5584 "TLS-ECDH-RSA-WITH-ARIA-256-CBC-SHA384"; 5585 reference 5586 "RFC 6209: 5587 Addition of the ARIA Cipher Suites to 5588 Transport Layer Security (TLS)"; 5589 } 5591 identity tls-rsa-with-aria-128-gcm-sha256 { 5592 base cipher-suite-alg-base; 5593 status deprecated; 5594 description 5595 "TLS-RSA-WITH-ARIA-128-GCM-SHA256"; 5596 reference 5597 "RFC 6209: 5598 Addition of the ARIA Cipher Suites to 5599 Transport Layer Security (TLS)"; 5600 } 5602 identity tls-rsa-with-aria-256-gcm-sha384 { 5603 base cipher-suite-alg-base; 5604 status deprecated; 5605 description 5606 "TLS-RSA-WITH-ARIA-256-GCM-SHA384"; 5607 reference 5608 "RFC 6209: 5609 Addition of the ARIA Cipher Suites to 5610 Transport Layer Security (TLS)"; 5611 } 5613 identity tls-dhe-rsa-with-aria-128-gcm-sha256 { 5614 base cipher-suite-alg-base; 5615 status deprecated; 5616 description 5617 "TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256"; 5618 reference 5619 "RFC 6209: 5620 Addition of the ARIA Cipher Suites to 5621 Transport Layer Security (TLS)"; 5622 } 5624 identity tls-dhe-rsa-with-aria-256-gcm-sha384 { 5625 base cipher-suite-alg-base; 5626 status deprecated; 5627 description 5628 "TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384"; 5629 reference 5630 "RFC 6209: 5631 Addition of the ARIA Cipher Suites to 5632 Transport Layer Security (TLS)"; 5633 } 5635 identity tls-dh-rsa-with-aria-128-gcm-sha256 { 5636 base cipher-suite-alg-base; 5637 status deprecated; 5638 description 5639 "TLS-DH-RSA-WITH-ARIA-128-GCM-SHA256"; 5640 reference 5641 "RFC 6209: 5642 Addition of the ARIA Cipher Suites to 5643 Transport Layer Security (TLS)"; 5644 } 5646 identity tls-dh-rsa-with-aria-256-gcm-sha384 { 5647 base cipher-suite-alg-base; 5648 status deprecated; 5649 description 5650 "TLS-DH-RSA-WITH-ARIA-256-GCM-SHA384"; 5651 reference 5652 "RFC 6209: 5653 Addition of the ARIA Cipher Suites to 5654 Transport Layer Security (TLS)"; 5655 } 5657 identity tls-dhe-dss-with-aria-128-gcm-sha256 { 5658 base cipher-suite-alg-base; 5659 status deprecated; 5660 description 5661 "TLS-DHE-DSS-WITH-ARIA-128-GCM-SHA256"; 5662 reference 5663 "RFC 6209: 5664 Addition of the ARIA Cipher Suites to 5665 Transport Layer Security (TLS)"; 5666 } 5668 identity tls-dhe-dss-with-aria-256-gcm-sha384 { 5669 base cipher-suite-alg-base; 5670 status deprecated; 5671 description 5672 "TLS-DHE-DSS-WITH-ARIA-256-GCM-SHA384"; 5673 reference 5674 "RFC 6209: 5675 Addition of the ARIA Cipher Suites to 5676 Transport Layer Security (TLS)"; 5677 } 5679 identity tls-dh-dss-with-aria-128-gcm-sha256 { 5680 base cipher-suite-alg-base; 5681 status deprecated; 5682 description 5683 "TLS-DH-DSS-WITH-ARIA-128-GCM-SHA256"; 5684 reference 5685 "RFC 6209: 5686 Addition of the ARIA Cipher Suites to 5687 Transport Layer Security (TLS)"; 5688 } 5690 identity tls-dh-dss-with-aria-256-gcm-sha384 { 5691 base cipher-suite-alg-base; 5692 status deprecated; 5693 description 5694 "TLS-DH-DSS-WITH-ARIA-256-GCM-SHA384"; 5695 reference 5696 "RFC 6209: 5697 Addition of the ARIA Cipher Suites to 5698 Transport Layer Security (TLS)"; 5699 } 5701 identity tls-dh-anon-with-aria-128-gcm-sha256 { 5702 base cipher-suite-alg-base; 5703 status deprecated; 5704 description 5705 "TLS-DH-ANON-WITH-ARIA-128-GCM-SHA256"; 5706 reference 5707 "RFC 6209: 5708 Addition of the ARIA Cipher Suites to 5709 Transport Layer Security (TLS)"; 5710 } 5712 identity tls-dh-anon-with-aria-256-gcm-sha384 { 5713 base cipher-suite-alg-base; 5714 status deprecated; 5715 description 5716 "TLS-DH-ANON-WITH-ARIA-256-GCM-SHA384"; 5717 reference 5718 "RFC 6209: 5719 Addition of the ARIA Cipher Suites to 5720 Transport Layer Security (TLS)"; 5721 } 5723 identity tls-ecdhe-ecdsa-with-aria-128-gcm-sha256 { 5724 base cipher-suite-alg-base; 5725 status deprecated; 5726 description 5727 "TLS-ECDHE-ECDSA-WITH-ARIA-128-GCM-SHA256"; 5728 reference 5729 "RFC 6209: 5730 Addition of the ARIA Cipher Suites to 5731 Transport Layer Security (TLS)"; 5732 } 5734 identity tls-ecdhe-ecdsa-with-aria-256-gcm-sha384 { 5735 base cipher-suite-alg-base; 5736 status deprecated; 5737 description 5738 "TLS-ECDHE-ECDSA-WITH-ARIA-256-GCM-SHA384"; 5739 reference 5740 "RFC 6209: 5741 Addition of the ARIA Cipher Suites to 5742 Transport Layer Security (TLS)"; 5743 } 5745 identity tls-ecdh-ecdsa-with-aria-128-gcm-sha256 { 5746 base cipher-suite-alg-base; 5747 status deprecated; 5748 description 5749 "TLS-ECDH-ECDSA-WITH-ARIA-128-GCM-SHA256"; 5750 reference 5751 "RFC 6209: 5752 Addition of the ARIA Cipher Suites to 5753 Transport Layer Security (TLS)"; 5754 } 5756 identity tls-ecdh-ecdsa-with-aria-256-gcm-sha384 { 5757 base cipher-suite-alg-base; 5758 status deprecated; 5759 description 5760 "TLS-ECDH-ECDSA-WITH-ARIA-256-GCM-SHA384"; 5762 reference 5763 "RFC 6209: 5764 Addition of the ARIA Cipher Suites to 5765 Transport Layer Security (TLS)"; 5766 } 5768 identity tls-ecdhe-rsa-with-aria-128-gcm-sha256 { 5769 base cipher-suite-alg-base; 5770 status deprecated; 5771 description 5772 "TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256"; 5773 reference 5774 "RFC 6209: 5775 Addition of the ARIA Cipher Suites to 5776 Transport Layer Security (TLS)"; 5777 } 5779 identity tls-ecdhe-rsa-with-aria-256-gcm-sha384 { 5780 base cipher-suite-alg-base; 5781 status deprecated; 5782 description 5783 "TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384"; 5784 reference 5785 "RFC 6209: 5786 Addition of the ARIA Cipher Suites to 5787 Transport Layer Security (TLS)"; 5788 } 5790 identity tls-ecdh-rsa-with-aria-128-gcm-sha256 { 5791 base cipher-suite-alg-base; 5792 status deprecated; 5793 description 5794 "TLS-ECDH-RSA-WITH-ARIA-128-GCM-SHA256"; 5795 reference 5796 "RFC 6209: 5797 Addition of the ARIA Cipher Suites to 5798 Transport Layer Security (TLS)"; 5799 } 5801 identity tls-ecdh-rsa-with-aria-256-gcm-sha384 { 5802 base cipher-suite-alg-base; 5803 status deprecated; 5804 description 5805 "TLS-ECDH-RSA-WITH-ARIA-256-GCM-SHA384"; 5806 reference 5807 "RFC 6209: 5808 Addition of the ARIA Cipher Suites to 5809 Transport Layer Security (TLS)"; 5811 } 5813 identity tls-psk-with-aria-128-cbc-sha256 { 5814 base cipher-suite-alg-base; 5815 status deprecated; 5816 description 5817 "TLS-PSK-WITH-ARIA-128-CBC-SHA256"; 5818 reference 5819 "RFC 6209: 5820 Addition of the ARIA Cipher Suites to 5821 Transport Layer Security (TLS)"; 5822 } 5824 identity tls-psk-with-aria-256-cbc-sha384 { 5825 base cipher-suite-alg-base; 5826 status deprecated; 5827 description 5828 "TLS-PSK-WITH-ARIA-256-CBC-SHA384"; 5829 reference 5830 "RFC 6209: 5831 Addition of the ARIA Cipher Suites to 5832 Transport Layer Security (TLS)"; 5833 } 5835 identity tls-dhe-psk-with-aria-128-cbc-sha256 { 5836 base cipher-suite-alg-base; 5837 status deprecated; 5838 description 5839 "TLS-DHE-PSK-WITH-ARIA-128-CBC-SHA256"; 5840 reference 5841 "RFC 6209: 5842 Addition of the ARIA Cipher Suites to 5843 Transport Layer Security (TLS)"; 5844 } 5846 identity tls-dhe-psk-with-aria-256-cbc-sha384 { 5847 base cipher-suite-alg-base; 5848 status deprecated; 5849 description 5850 "TLS-DHE-PSK-WITH-ARIA-256-CBC-SHA384"; 5851 reference 5852 "RFC 6209: 5853 Addition of the ARIA Cipher Suites to 5854 Transport Layer Security (TLS)"; 5855 } 5857 identity tls-rsa-psk-with-aria-128-cbc-sha256 { 5858 base cipher-suite-alg-base; 5859 status deprecated; 5860 description 5861 "TLS-RSA-PSK-WITH-ARIA-128-CBC-SHA256"; 5862 reference 5863 "RFC 6209: 5864 Addition of the ARIA Cipher Suites to 5865 Transport Layer Security (TLS)"; 5866 } 5868 identity tls-rsa-psk-with-aria-256-cbc-sha384 { 5869 base cipher-suite-alg-base; 5870 status deprecated; 5871 description 5872 "TLS-RSA-PSK-WITH-ARIA-256-CBC-SHA384"; 5873 reference 5874 "RFC 6209: 5875 Addition of the ARIA Cipher Suites to 5876 Transport Layer Security (TLS)"; 5877 } 5879 identity tls-psk-with-aria-128-gcm-sha256 { 5880 base cipher-suite-alg-base; 5881 status deprecated; 5882 description 5883 "TLS-PSK-WITH-ARIA-128-GCM-SHA256"; 5884 reference 5885 "RFC 6209: 5886 Addition of the ARIA Cipher Suites to 5887 Transport Layer Security (TLS)"; 5888 } 5890 identity tls-psk-with-aria-256-gcm-sha384 { 5891 base cipher-suite-alg-base; 5892 status deprecated; 5893 description 5894 "TLS-PSK-WITH-ARIA-256-GCM-SHA384"; 5895 reference 5896 "RFC 6209: 5897 Addition of the ARIA Cipher Suites to 5898 Transport Layer Security (TLS)"; 5899 } 5901 identity tls-dhe-psk-with-aria-128-gcm-sha256 { 5902 base cipher-suite-alg-base; 5903 status deprecated; 5904 description 5905 "TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256"; 5906 reference 5907 "RFC 6209: 5908 Addition of the ARIA Cipher Suites to 5909 Transport Layer Security (TLS)"; 5910 } 5912 identity tls-dhe-psk-with-aria-256-gcm-sha384 { 5913 base cipher-suite-alg-base; 5914 status deprecated; 5915 description 5916 "TLS-DHE-PSK-WITH-ARIA-256-GCM-SHA384"; 5917 reference 5918 "RFC 6209: 5919 Addition of the ARIA Cipher Suites to 5920 Transport Layer Security (TLS)"; 5921 } 5923 identity tls-rsa-psk-with-aria-128-gcm-sha256 { 5924 base cipher-suite-alg-base; 5925 status deprecated; 5926 description 5927 "TLS-RSA-PSK-WITH-ARIA-128-GCM-SHA256"; 5928 reference 5929 "RFC 6209: 5930 Addition of the ARIA Cipher Suites to 5931 Transport Layer Security (TLS)"; 5932 } 5934 identity tls-rsa-psk-with-aria-256-gcm-sha384 { 5935 base cipher-suite-alg-base; 5936 status deprecated; 5937 description 5938 "TLS-RSA-PSK-WITH-ARIA-256-GCM-SHA384"; 5939 reference 5940 "RFC 6209: 5941 Addition of the ARIA Cipher Suites to 5942 Transport Layer Security (TLS)"; 5943 } 5945 identity tls-ecdhe-psk-with-aria-128-cbc-sha256 { 5946 base cipher-suite-alg-base; 5947 status deprecated; 5948 description 5949 "TLS-ECDHE-PSK-WITH-ARIA-128-CBC-SHA256"; 5950 reference 5951 "RFC 6209: 5952 Addition of the ARIA Cipher Suites to 5953 Transport Layer Security (TLS)"; 5954 } 5955 identity tls-ecdhe-psk-with-aria-256-cbc-sha384 { 5956 base cipher-suite-alg-base; 5957 status deprecated; 5958 description 5959 "TLS-ECDHE-PSK-WITH-ARIA-256-CBC-SHA384"; 5960 reference 5961 "RFC 6209: 5962 Addition of the ARIA Cipher Suites to 5963 Transport Layer Security (TLS)"; 5964 } 5966 identity tls-ecdhe-ecdsa-with-camellia-128-cbc-sha256 { 5967 base cipher-suite-alg-base; 5968 status deprecated; 5969 description 5970 "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256"; 5971 reference 5972 "RFC 6367: 5973 Addition of the Camellia Cipher Suites to 5974 Transport Layer Security (TLS)"; 5975 } 5977 identity tls-ecdhe-ecdsa-with-camellia-256-cbc-sha384 { 5978 base cipher-suite-alg-base; 5979 status deprecated; 5980 description 5981 "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA384"; 5982 reference 5983 "RFC 6367: 5984 Addition of the Camellia Cipher Suites to 5985 Transport Layer Security (TLS)"; 5986 } 5988 identity tls-ecdh-ecdsa-with-camellia-128-cbc-sha256 { 5989 base cipher-suite-alg-base; 5990 status deprecated; 5991 description 5992 "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256"; 5993 reference 5994 "RFC 6367: 5995 Addition of the Camellia Cipher Suites to 5996 Transport Layer Security (TLS)"; 5997 } 5999 identity tls-ecdh-ecdsa-with-camellia-256-cbc-sha384 { 6000 base cipher-suite-alg-base; 6001 status deprecated; 6002 description 6003 "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384"; 6004 reference 6005 "RFC 6367: 6006 Addition of the Camellia Cipher Suites to 6007 Transport Layer Security (TLS)"; 6008 } 6010 identity tls-ecdhe-rsa-with-camellia-128-cbc-sha256 { 6011 base cipher-suite-alg-base; 6012 status deprecated; 6013 description 6014 "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"; 6015 reference 6016 "RFC 6367: 6017 Addition of the Camellia Cipher Suites to 6018 Transport Layer Security (TLS)"; 6019 } 6021 identity tls-ecdhe-rsa-with-camellia-256-cbc-sha384 { 6022 base cipher-suite-alg-base; 6023 status deprecated; 6024 description 6025 "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA384"; 6026 reference 6027 "RFC 6367: 6028 Addition of the Camellia Cipher Suites to 6029 Transport Layer Security (TLS)"; 6030 } 6032 identity tls-ecdh-rsa-with-camellia-128-cbc-sha256 { 6033 base cipher-suite-alg-base; 6034 status deprecated; 6035 description 6036 "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256"; 6037 reference 6038 "RFC 6367: 6039 Addition of the Camellia Cipher Suites to 6040 Transport Layer Security (TLS)"; 6041 } 6043 identity tls-ecdh-rsa-with-camellia-256-cbc-sha384 { 6044 base cipher-suite-alg-base; 6045 status deprecated; 6046 description 6047 "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA384"; 6048 reference 6049 "RFC 6367: 6050 Addition of the Camellia Cipher Suites to 6051 Transport Layer Security (TLS)"; 6052 } 6054 identity tls-rsa-with-camellia-128-gcm-sha256 { 6055 base cipher-suite-alg-base; 6056 status deprecated; 6057 description 6058 "TLS-RSA-WITH-CAMELLIA-128-GCM-SHA256"; 6059 reference 6060 "RFC 6367: 6061 Addition of the Camellia Cipher Suites to 6062 Transport Layer Security (TLS)"; 6063 } 6065 identity tls-rsa-with-camellia-256-gcm-sha384 { 6066 base cipher-suite-alg-base; 6067 status deprecated; 6068 description 6069 "TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384"; 6070 reference 6071 "RFC 6367: 6072 Addition of the Camellia Cipher Suites to 6073 Transport Layer Security (TLS)"; 6074 } 6076 identity tls-dhe-rsa-with-camellia-128-gcm-sha256 { 6077 base cipher-suite-alg-base; 6078 status deprecated; 6079 description 6080 "TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256"; 6081 reference 6082 "RFC 6367: 6083 Addition of the Camellia Cipher Suites to 6084 Transport Layer Security (TLS)"; 6085 } 6087 identity tls-dhe-rsa-with-camellia-256-gcm-sha384 { 6088 base cipher-suite-alg-base; 6089 status deprecated; 6090 description 6091 "TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384"; 6092 reference 6093 "RFC 6367: 6094 Addition of the Camellia Cipher Suites to 6095 Transport Layer Security (TLS)"; 6096 } 6098 identity tls-dh-rsa-with-camellia-128-gcm-sha256 { 6099 base cipher-suite-alg-base; 6100 status deprecated; 6101 description 6102 "TLS-DH-RSA-WITH-CAMELLIA-128-GCM-SHA256"; 6103 reference 6104 "RFC 6367: 6105 Addition of the Camellia Cipher Suites to 6106 Transport Layer Security (TLS)"; 6107 } 6109 identity tls-dh-rsa-with-camellia-256-gcm-sha384 { 6110 base cipher-suite-alg-base; 6111 status deprecated; 6112 description 6113 "TLS-DH-RSA-WITH-CAMELLIA-256-GCM-SHA384"; 6114 reference 6115 "RFC 6367: 6116 Addition of the Camellia Cipher Suites to 6117 Transport Layer Security (TLS)"; 6118 } 6120 identity tls-dhe-dss-with-camellia-128-gcm-sha256 { 6121 base cipher-suite-alg-base; 6122 status deprecated; 6123 description 6124 "TLS-DHE-DSS-WITH-CAMELLIA-128-GCM-SHA256"; 6125 reference 6126 "RFC 6367: 6127 Addition of the Camellia Cipher Suites to 6128 Transport Layer Security (TLS)"; 6129 } 6131 identity tls-dhe-dss-with-camellia-256-gcm-sha384 { 6132 base cipher-suite-alg-base; 6133 status deprecated; 6134 description 6135 "TLS-DHE-DSS-WITH-CAMELLIA-256-GCM-SHA384"; 6136 reference 6137 "RFC 6367: 6138 Addition of the Camellia Cipher Suites to 6139 Transport Layer Security (TLS)"; 6140 } 6142 identity tls-dh-dss-with-camellia-128-gcm-sha256 { 6143 base cipher-suite-alg-base; 6144 status deprecated; 6145 description 6146 "TLS-DH-DSS-WITH-CAMELLIA-128-GCM-SHA256"; 6148 reference 6149 "RFC 6367: 6150 Addition of the Camellia Cipher Suites to 6151 Transport Layer Security (TLS)"; 6152 } 6154 identity tls-dh-dss-with-camellia-256-gcm-sha384 { 6155 base cipher-suite-alg-base; 6156 status deprecated; 6157 description 6158 "TLS-DH-DSS-WITH-CAMELLIA-256-GCM-SHA384"; 6159 reference 6160 "RFC 6367: 6161 Addition of the Camellia Cipher Suites to 6162 Transport Layer Security (TLS)"; 6163 } 6165 identity tls-dh-anon-with-camellia-128-gcm-sha256 { 6166 base cipher-suite-alg-base; 6167 status deprecated; 6168 description 6169 "TLS-DH-ANON-WITH-CAMELLIA-128-GCM-SHA256"; 6170 reference 6171 "RFC 6367: 6172 Addition of the Camellia Cipher Suites to 6173 Transport Layer Security (TLS)"; 6174 } 6176 identity tls-dh-anon-with-camellia-256-gcm-sha384 { 6177 base cipher-suite-alg-base; 6178 status deprecated; 6179 description 6180 "TLS-DH-ANON-WITH-CAMELLIA-256-GCM-SHA384"; 6181 reference 6182 "RFC 6367: 6183 Addition of the Camellia Cipher Suites to 6184 Transport Layer Security (TLS)"; 6185 } 6187 identity tls-ecdhe-ecdsa-with-camellia-128-gcm-sha256 { 6188 base cipher-suite-alg-base; 6189 status deprecated; 6190 description 6191 "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256"; 6192 reference 6193 "RFC 6367: 6194 Addition of the Camellia Cipher Suites to 6195 Transport Layer Security (TLS)"; 6197 } 6199 identity tls-ecdhe-ecdsa-with-camellia-256-gcm-sha384 { 6200 base cipher-suite-alg-base; 6201 status deprecated; 6202 description 6203 "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384"; 6204 reference 6205 "RFC 6367: 6206 Addition of the Camellia Cipher Suites to 6207 Transport Layer Security (TLS)"; 6208 } 6210 identity tls-ecdh-ecdsa-with-camellia-128-gcm-sha256 { 6211 base cipher-suite-alg-base; 6212 status deprecated; 6213 description 6214 "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256"; 6215 reference 6216 "RFC 6367: 6217 Addition of the Camellia Cipher Suites to 6218 Transport Layer Security (TLS)"; 6219 } 6221 identity tls-ecdh-ecdsa-with-camellia-256-gcm-sha384 { 6222 base cipher-suite-alg-base; 6223 status deprecated; 6224 description 6225 "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384"; 6226 reference 6227 "RFC 6367: 6228 Addition of the Camellia Cipher Suites to 6229 Transport Layer Security (TLS)"; 6230 } 6232 identity tls-ecdhe-rsa-with-camellia-128-gcm-sha256 { 6233 base cipher-suite-alg-base; 6234 status deprecated; 6235 description 6236 "TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256"; 6237 reference 6238 "RFC 6367: 6239 Addition of the Camellia Cipher Suites to 6240 Transport Layer Security (TLS)"; 6241 } 6243 identity tls-ecdhe-rsa-with-camellia-256-gcm-sha384 { 6244 base cipher-suite-alg-base; 6245 status deprecated; 6246 description 6247 "TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384"; 6248 reference 6249 "RFC 6367: 6250 Addition of the Camellia Cipher Suites to 6251 Transport Layer Security (TLS)"; 6252 } 6254 identity tls-ecdh-rsa-with-camellia-128-gcm-sha256 { 6255 base cipher-suite-alg-base; 6256 status deprecated; 6257 description 6258 "TLS-ECDH-RSA-WITH-CAMELLIA-128-GCM-SHA256"; 6259 reference 6260 "RFC 6367: 6261 Addition of the Camellia Cipher Suites to 6262 Transport Layer Security (TLS)"; 6263 } 6265 identity tls-ecdh-rsa-with-camellia-256-gcm-sha384 { 6266 base cipher-suite-alg-base; 6267 status deprecated; 6268 description 6269 "TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384"; 6270 reference 6271 "RFC 6367: 6272 Addition of the Camellia Cipher Suites to 6273 Transport Layer Security (TLS)"; 6274 } 6276 identity tls-psk-with-camellia-128-gcm-sha256 { 6277 base cipher-suite-alg-base; 6278 status deprecated; 6279 description 6280 "TLS-PSK-WITH-CAMELLIA-128-GCM-SHA256"; 6281 reference 6282 "RFC 6367: 6283 Addition of the Camellia Cipher Suites to 6284 Transport Layer Security (TLS)"; 6285 } 6287 identity tls-psk-with-camellia-256-gcm-sha384 { 6288 base cipher-suite-alg-base; 6289 status deprecated; 6290 description 6291 "TLS-PSK-WITH-CAMELLIA-256-GCM-SHA384"; 6292 reference 6293 "RFC 6367: 6294 Addition of the Camellia Cipher Suites to 6295 Transport Layer Security (TLS)"; 6296 } 6298 identity tls-dhe-psk-with-camellia-128-gcm-sha256 { 6299 base cipher-suite-alg-base; 6300 status deprecated; 6301 description 6302 "TLS-DHE-PSK-WITH-CAMELLIA-128-GCM-SHA256"; 6303 reference 6304 "RFC 6367: 6305 Addition of the Camellia Cipher Suites to 6306 Transport Layer Security (TLS)"; 6307 } 6309 identity tls-dhe-psk-with-camellia-256-gcm-sha384 { 6310 base cipher-suite-alg-base; 6311 status deprecated; 6312 description 6313 "TLS-DHE-PSK-WITH-CAMELLIA-256-GCM-SHA384"; 6314 reference 6315 "RFC 6367: 6316 Addition of the Camellia Cipher Suites to 6317 Transport Layer Security (TLS)"; 6318 } 6320 identity tls-rsa-psk-with-camellia-128-gcm-sha256 { 6321 base cipher-suite-alg-base; 6322 status deprecated; 6323 description 6324 "TLS-RSA-PSK-WITH-CAMELLIA-128-GCM-SHA256"; 6325 reference 6326 "RFC 6367: 6327 Addition of the Camellia Cipher Suites to 6328 Transport Layer Security (TLS)"; 6329 } 6331 identity tls-rsa-psk-with-camellia-256-gcm-sha384 { 6332 base cipher-suite-alg-base; 6333 status deprecated; 6334 description 6335 "TLS-RSA-PSK-WITH-CAMELLIA-256-GCM-SHA384"; 6336 reference 6337 "RFC 6367: 6338 Addition of the Camellia Cipher Suites to 6339 Transport Layer Security (TLS)"; 6340 } 6341 identity tls-psk-with-camellia-128-cbc-sha256 { 6342 base cipher-suite-alg-base; 6343 status deprecated; 6344 description 6345 "TLS-PSK-WITH-CAMELLIA-128-CBC-SHA256"; 6346 reference 6347 "RFC 6367: 6348 Addition of the Camellia Cipher Suites to 6349 Transport Layer Security (TLS)"; 6350 } 6352 identity tls-psk-with-camellia-256-cbc-sha384 { 6353 base cipher-suite-alg-base; 6354 status deprecated; 6355 description 6356 "TLS-PSK-WITH-CAMELLIA-256-CBC-SHA384"; 6357 reference 6358 "RFC 6367: 6359 Addition of the Camellia Cipher Suites to 6360 Transport Layer Security (TLS)"; 6361 } 6363 identity tls-dhe-psk-with-camellia-128-cbc-sha256 { 6364 base cipher-suite-alg-base; 6365 status deprecated; 6366 description 6367 "TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256"; 6368 reference 6369 "RFC 6367: 6370 Addition of the Camellia Cipher Suites to 6371 Transport Layer Security (TLS)"; 6372 } 6374 identity tls-dhe-psk-with-camellia-256-cbc-sha384 { 6375 base cipher-suite-alg-base; 6376 status deprecated; 6377 description 6378 "TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384"; 6379 reference 6380 "RFC 6367: 6381 Addition of the Camellia Cipher Suites to 6382 Transport Layer Security (TLS)"; 6383 } 6385 identity tls-rsa-psk-with-camellia-128-cbc-sha256 { 6386 base cipher-suite-alg-base; 6387 status deprecated; 6388 description 6389 "TLS-RSA-PSK-WITH-CAMELLIA-128-CBC-SHA256"; 6390 reference 6391 "RFC 6367: 6392 Addition of the Camellia Cipher Suites to 6393 Transport Layer Security (TLS)"; 6394 } 6396 identity tls-rsa-psk-with-camellia-256-cbc-sha384 { 6397 base cipher-suite-alg-base; 6398 status deprecated; 6399 description 6400 "TLS-RSA-PSK-WITH-CAMELLIA-256-CBC-SHA384"; 6401 reference 6402 "RFC 6367: 6403 Addition of the Camellia Cipher Suites to 6404 Transport Layer Security (TLS)"; 6405 } 6407 identity tls-ecdhe-psk-with-camellia-128-cbc-sha256 { 6408 base cipher-suite-alg-base; 6409 status deprecated; 6410 description 6411 "TLS-ECDHE-PSK-WITH-CAMELLIA-128-CBC-SHA256"; 6412 reference 6413 "RFC 6367: 6414 Addition of the Camellia Cipher Suites to 6415 Transport Layer Security (TLS)"; 6416 } 6418 identity tls-ecdhe-psk-with-camellia-256-cbc-sha384 { 6419 base cipher-suite-alg-base; 6420 status deprecated; 6421 description 6422 "TLS-ECDHE-PSK-WITH-CAMELLIA-256-CBC-SHA384"; 6423 reference 6424 "RFC 6367: 6425 Addition of the Camellia Cipher Suites to 6426 Transport Layer Security (TLS)"; 6427 } 6429 identity tls-rsa-with-aes-128-ccm { 6430 base cipher-suite-alg-base; 6431 status deprecated; 6432 description 6433 "TLS-RSA-WITH-AES-128-CCM"; 6434 reference 6435 "RFC 6655: 6436 AES-CCM Cipher Suites for TLS"; 6438 } 6440 identity tls-rsa-with-aes-256-ccm { 6441 base cipher-suite-alg-base; 6442 status deprecated; 6443 description 6444 "TLS-RSA-WITH-AES-256-CCM"; 6445 reference 6446 "RFC 6655: 6447 AES-CCM Cipher Suites for TLS"; 6448 } 6450 identity tls-dhe-rsa-with-aes-128-ccm { 6451 base cipher-suite-alg-base; 6452 description 6453 "TLS-DHE-RSA-WITH-AES-128-CCM"; 6454 reference 6455 "RFC 6655: 6456 AES-CCM Cipher Suites for TLS"; 6457 } 6459 identity tls-dhe-rsa-with-aes-256-ccm { 6460 base cipher-suite-alg-base; 6461 description 6462 "TLS-DHE-RSA-WITH-AES-256-CCM"; 6463 reference 6464 "RFC 6655: 6465 AES-CCM Cipher Suites for TLS"; 6466 } 6468 identity tls-rsa-with-aes-128-ccm-8 { 6469 base cipher-suite-alg-base; 6470 status deprecated; 6471 description 6472 "TLS-RSA-WITH-AES-128-CCM-8"; 6473 reference 6474 "RFC 6655: 6475 AES-CCM Cipher Suites for TLS"; 6476 } 6478 identity tls-rsa-with-aes-256-ccm-8 { 6479 base cipher-suite-alg-base; 6480 status deprecated; 6481 description 6482 "TLS-RSA-WITH-AES-256-CCM-8"; 6483 reference 6484 "RFC 6655: 6485 AES-CCM Cipher Suites for TLS"; 6487 } 6489 identity tls-dhe-rsa-with-aes-128-ccm-8 { 6490 base cipher-suite-alg-base; 6491 status deprecated; 6492 description 6493 "TLS-DHE-RSA-WITH-AES-128-CCM-8"; 6494 reference 6495 "RFC 6655: 6496 AES-CCM Cipher Suites for TLS"; 6497 } 6499 identity tls-dhe-rsa-with-aes-256-ccm-8 { 6500 base cipher-suite-alg-base; 6501 status deprecated; 6502 description 6503 "TLS-DHE-RSA-WITH-AES-256-CCM-8"; 6504 reference 6505 "RFC 6655: 6506 AES-CCM Cipher Suites for TLS"; 6507 } 6509 identity tls-psk-with-aes-128-ccm { 6510 base cipher-suite-alg-base; 6511 status deprecated; 6512 description 6513 "TLS-PSK-WITH-AES-128-CCM"; 6514 reference 6515 "RFC 6655: 6516 AES-CCM Cipher Suites for TLS"; 6517 } 6519 identity tls-psk-with-aes-256-ccm { 6520 base cipher-suite-alg-base; 6521 status deprecated; 6522 description 6523 "TLS-PSK-WITH-AES-256-CCM"; 6524 reference 6525 "RFC 6655: 6526 AES-CCM Cipher Suites for TLS"; 6527 } 6529 identity tls-dhe-psk-with-aes-128-ccm { 6530 base cipher-suite-alg-base; 6531 description 6532 "TLS-DHE-PSK-WITH-AES-128-CCM"; 6533 reference 6534 "RFC 6655: 6536 AES-CCM Cipher Suites for TLS"; 6537 } 6539 identity tls-dhe-psk-with-aes-256-ccm { 6540 base cipher-suite-alg-base; 6541 description 6542 "TLS-DHE-PSK-WITH-AES-256-CCM"; 6543 reference 6544 "RFC 6655: 6545 AES-CCM Cipher Suites for TLS"; 6546 } 6548 identity tls-psk-with-aes-128-ccm-8 { 6549 base cipher-suite-alg-base; 6550 status deprecated; 6551 description 6552 "TLS-PSK-WITH-AES-128-CCM-8"; 6553 reference 6554 "RFC 6655: 6555 AES-CCM Cipher Suites for TLS"; 6556 } 6558 identity tls-psk-with-aes-256-ccm-8 { 6559 base cipher-suite-alg-base; 6560 status deprecated; 6561 description 6562 "TLS-PSK-WITH-AES-256-CCM-8"; 6563 reference 6564 "RFC 6655: 6565 AES-CCM Cipher Suites for TLS"; 6566 } 6568 identity tls-psk-dhe-with-aes-128-ccm-8 { 6569 base cipher-suite-alg-base; 6570 status deprecated; 6571 description 6572 "TLS-PSK-DHE-WITH-AES-128-CCM-8"; 6573 reference 6574 "RFC 6655: 6575 AES-CCM Cipher Suites for TLS"; 6576 } 6578 identity tls-psk-dhe-with-aes-256-ccm-8 { 6579 base cipher-suite-alg-base; 6580 status deprecated; 6581 description 6582 "TLS-PSK-DHE-WITH-AES-256-CCM-8"; 6583 reference 6584 "RFC 6655: 6585 AES-CCM Cipher Suites for TLS"; 6586 } 6588 identity tls-ecdhe-ecdsa-with-aes-128-ccm { 6589 base cipher-suite-alg-base; 6590 status deprecated; 6591 description 6592 "TLS-ECDHE-ECDSA-WITH-AES-128-CCM"; 6593 reference 6594 "RFC 7251: 6595 AES-CCM ECC Cipher Suites for TLS"; 6596 } 6598 identity tls-ecdhe-ecdsa-with-aes-256-ccm { 6599 base cipher-suite-alg-base; 6600 status deprecated; 6601 description 6602 "TLS-ECDHE-ECDSA-WITH-AES-256-CCM"; 6603 reference 6604 "RFC 7251: 6605 AES-CCM ECC Cipher Suites for TLS"; 6606 } 6608 identity tls-ecdhe-ecdsa-with-aes-128-ccm-8 { 6609 base cipher-suite-alg-base; 6610 status deprecated; 6611 description 6612 "TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8"; 6613 reference 6614 "RFC 7251: 6615 AES-CCM ECC Cipher Suites for TLS"; 6616 } 6618 identity tls-ecdhe-ecdsa-with-aes-256-ccm-8 { 6619 base cipher-suite-alg-base; 6620 status deprecated; 6621 description 6622 "TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8"; 6623 reference 6624 "RFC 7251: 6625 AES-CCM ECC Cipher Suites for TLS"; 6626 } 6628 identity tls-eccpwd-with-aes-128-gcm-sha256 { 6629 base cipher-suite-alg-base; 6630 status deprecated; 6631 description 6632 "TLS-ECCPWD-WITH-AES-128-GCM-SHA256"; 6633 reference 6634 "RFC 8492: 6635 Secure Password Ciphersuites for 6636 Transport Layer Security (TLS)"; 6637 } 6639 identity tls-eccpwd-with-aes-256-gcm-sha384 { 6640 base cipher-suite-alg-base; 6641 status deprecated; 6642 description 6643 "TLS-ECCPWD-WITH-AES-256-GCM-SHA384"; 6644 reference 6645 "RFC 8492: 6646 Secure Password Ciphersuites for 6647 Transport Layer Security (TLS)"; 6648 } 6650 identity tls-eccpwd-with-aes-128-ccm-sha256 { 6651 base cipher-suite-alg-base; 6652 status deprecated; 6653 description 6654 "TLS-ECCPWD-WITH-AES-128-CCM-SHA256"; 6655 reference 6656 "RFC 8492: 6657 Secure Password Ciphersuites for 6658 Transport Layer Security (TLS)"; 6659 } 6661 identity tls-eccpwd-with-aes-256-ccm-sha384 { 6662 base cipher-suite-alg-base; 6663 status deprecated; 6664 description 6665 "TLS-ECCPWD-WITH-AES-256-CCM-SHA384"; 6666 reference 6667 "RFC 8492: 6668 Secure Password Ciphersuites for 6669 Transport Layer Security (TLS)"; 6670 } 6672 identity tls-ecdhe-rsa-with-chacha20-poly1305-sha256 { 6673 base cipher-suite-alg-base; 6674 description 6675 "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"; 6676 reference 6677 "RFC 7905: 6678 ChaCha20-Poly1305 Cipher Suites for 6679 Transport Layer Security (TLS)"; 6681 } 6683 identity tls-ecdhe-ecdsa-with-chacha20-poly1305-sha256 { 6684 base cipher-suite-alg-base; 6685 description 6686 "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256"; 6687 reference 6688 "RFC 7905: 6689 ChaCha20-Poly1305 Cipher Suites for 6690 Transport Layer Security (TLS)"; 6691 } 6693 identity tls-dhe-rsa-with-chacha20-poly1305-sha256 { 6694 base cipher-suite-alg-base; 6695 description 6696 "TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256"; 6697 reference 6698 "RFC 7905: 6699 ChaCha20-Poly1305 Cipher Suites for 6700 Transport Layer Security (TLS)"; 6701 } 6703 identity tls-psk-with-chacha20-poly1305-sha256 { 6704 base cipher-suite-alg-base; 6705 status deprecated; 6706 description 6707 "TLS-PSK-WITH-CHACHA20-POLY1305-SHA256"; 6708 reference 6709 "RFC 7905: 6710 ChaCha20-Poly1305 Cipher Suites for 6711 Transport Layer Security (TLS)"; 6712 } 6714 identity tls-ecdhe-psk-with-chacha20-poly1305-sha256 { 6715 base cipher-suite-alg-base; 6716 description 6717 "TLS-ECDHE-PSK-WITH-CHACHA20-POLY1305-SHA256"; 6718 reference 6719 "RFC 7905: 6720 ChaCha20-Poly1305 Cipher Suites for 6721 Transport Layer Security (TLS)"; 6722 } 6724 identity tls-dhe-psk-with-chacha20-poly1305-sha256 { 6725 base cipher-suite-alg-base; 6726 description 6727 "TLS-DHE-PSK-WITH-CHACHA20-POLY1305-SHA256"; 6728 reference 6729 "RFC 7905: 6730 ChaCha20-Poly1305 Cipher Suites for 6731 Transport Layer Security (TLS)"; 6732 } 6734 identity tls-rsa-psk-with-chacha20-poly1305-sha256 { 6735 base cipher-suite-alg-base; 6736 status deprecated; 6737 description 6738 "TLS-RSA-PSK-WITH-CHACHA20-POLY1305-SHA256"; 6739 reference 6740 "RFC 7905: 6741 ChaCha20-Poly1305 Cipher Suites for 6742 Transport Layer Security (TLS)"; 6743 } 6745 identity tls-ecdhe-psk-with-aes-128-gcm-sha256 { 6746 base cipher-suite-alg-base; 6747 description 6748 "TLS-ECDHE-PSK-WITH-AES-128-GCM-SHA256"; 6749 reference 6750 "RFC 8442: 6751 ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites"; 6752 } 6754 identity tls-ecdhe-psk-with-aes-256-gcm-sha384 { 6755 base cipher-suite-alg-base; 6756 description 6757 "TLS-ECDHE-PSK-WITH-AES-256-GCM-SHA384"; 6758 reference 6759 "RFC 8442: 6760 ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites"; 6761 } 6763 identity tls-ecdhe-psk-with-aes-128-ccm-8-sha256 { 6764 base cipher-suite-alg-base; 6765 status deprecated; 6766 description 6767 "TLS-ECDHE-PSK-WITH-AES-128-CCM-8-SHA256"; 6768 reference 6769 "RFC 8442: 6770 ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites"; 6771 } 6773 identity tls-ecdhe-psk-with-aes-128-ccm-sha256 { 6774 base cipher-suite-alg-base; 6775 description 6776 "TLS-ECDHE-PSK-WITH-AES-128-CCM-SHA256"; 6778 reference 6779 "RFC 8442: 6780 ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites"; 6781 } 6783 // Protocol-accessible Nodes 6785 container supported-algorithms { 6786 config false; 6787 description 6788 "A container for a list of cipher suite algorithms supported 6789 by the server."; 6790 leaf-list supported-algorithm { 6791 type cipher-suite-algorithm-ref; 6792 description 6793 "A cipher suite algorithm supported by the server."; 6794 } 6795 } 6797 } 6799 6801 Appendix B. Change Log 6803 This section is to be removed before publishing as an RFC. 6805 B.1. 00 to 01 6807 * Noted that '0.0.0.0' and '::' might have special meanings. 6809 * Renamed "keychain" to "keystore". 6811 B.2. 01 to 02 6813 * Removed the groupings containing transport-level configuration. 6814 Now modules contain only the transport-independent groupings. 6816 * Filled in previously incomplete 'ietf-tls-client' module. 6818 * Added cipher suites for various algorithms into new 'ietf-tls- 6819 common' module. 6821 B.3. 02 to 03 6823 * Added a 'must' statement to container 'server-auth' asserting that 6824 at least one of the various auth mechanisms must be specified. 6826 * Fixed description statement for leaf 'trusted-ca-certs'. 6828 B.4. 03 to 04 6830 * Updated title to "YANG Groupings for TLS Clients and TLS Servers" 6832 * Updated leafref paths to point to new keystore path 6834 * Changed the YANG prefix for ietf-tls-common from 'tlscom' to 6835 'tlscmn'. 6837 * Added TLS protocol verions 1.0 and 1.1. 6839 * Made author lists consistent 6841 * Now tree diagrams reference ietf-netmod-yang-tree-diagrams 6843 * Updated YANG to use typedefs around leafrefs to common keystore 6844 paths 6846 * Now inlines key and certificates (no longer a leafref to keystore) 6848 B.5. 04 to 05 6850 * Merged changes from co-author. 6852 B.6. 05 to 06 6854 * Updated to use trust anchors from trust-anchors draft (was 6855 keystore draft) 6857 * Now Uses new keystore grouping enabling asymmetric key to be 6858 either locally defined or a reference to the keystore. 6860 B.7. 06 to 07 6862 * factored the tls-[client|server]-groupings into more reusable 6863 groupings. 6865 * added if-feature statements for the new "x509-certificates" 6866 feature defined in draft-ietf-netconf-trust-anchors. 6868 B.8. 07 to 08 6870 * Added a number of compatibility matrices to Section 5 (thanks 6871 Frank!) 6873 * Clarified that any configured "cipher-suite" values need to be 6874 compatible with the configured private key. 6876 B.9. 08 to 09 6878 * Updated examples to reflect update to groupings defined in the 6879 keystore draft. 6881 * Add TLS keepalives features and groupings. 6883 * Prefixed top-level TLS grouping nodes with 'tls-' and support 6884 mashups. 6886 * Updated copyright date, boilerplate template, affiliation, and 6887 folding algorithm. 6889 B.10. 09 to 10 6891 * Reformatted the YANG modules. 6893 B.11. 10 to 11 6895 * Collapsed all the inner groupings into the top-level grouping. 6897 * Added a top-level "demux container" inside the top-level grouping. 6899 * Added NACM statements and updated the Security Considerations 6900 section. 6902 * Added "presence" statements on the "keepalive" containers, as was 6903 needed to address a validation error that appeared after adding 6904 the "must" statements into the NETCONF/RESTCONF client/server 6905 modules. 6907 * Updated the boilerplate text in module-level "description" 6908 statement to match copyeditor convention. 6910 B.12. 11 to 12 6912 * In server model, made 'client-authentication' a 'presence' node 6913 indicating that the server supports client authentication. 6915 * In the server model, added a 'required-or-optional' choice to 6916 'client-authentication' to better support protocols such as 6917 RESTCONF. 6919 * In the server model, added a 'local-or-external' choice to 6920 'client-authentication' to better support consuming data models 6921 that prefer to keep client auth with client definitions than in a 6922 model principally concerned with the "transport". 6924 * In both models, removed the "demux containers", floating the 6925 nacm:default-deny-write to each descendant node, and adding a note 6926 to model designers regarding the potential need to add their own 6927 demux containers. 6929 * Fixed a couple references (section 2 --> section 3) 6931 B.13. 12 to 13 6933 * Updated to reflect changes in trust-anchors drafts (e.g., s/trust- 6934 anchors/truststore/g + s/pinned.//) 6936 B.14. 12 to 13 6938 * Removed 'container' under 'client-identity' to match server model. 6940 * Updated examples to reflect change grouping in keystore module. 6942 B.15. 13 to 14 6944 * Removed the "certificate" container from "client-identity" in the 6945 ietf-tls-client module. 6947 * Updated examples to reflect ietf-crypto-types change (e.g., 6948 identities --> enumerations) 6950 B.16. 14 to 15 6952 * Updated "server-authentication" and "client-authentication" nodes 6953 from being a leaf of type "ts:certificates-ref" to a container 6954 that uses "ts:local-or-truststore-certs-grouping". 6956 B.17. 15 to 16 6958 * Removed unnecessary if-feature statements in the -client and 6959 -server modules. 6961 * Cleaned up some description statements in the -client and -server 6962 modules. 6964 * Fixed a canonical ordering issue in ietf-tls-common detected by 6965 new pyang. 6967 B.18. 16 to 17 6969 * Removed choice local-or-external by removing the 'external' case 6970 and flattening the 'local' case and adding a "client-auth- 6971 supported" feature. 6973 * Removed choice required-or-optional. 6975 * Updated examples to include the "*-key-format" nodes. 6977 * Augmented-in "must" expressions ensuring that locally-defined 6978 public-key-format are "ct:tls-public-key-format" (must expr for 6979 ref'ed keys are TBD). 6981 B.19. 17 to 18 6983 * Removed the unused "external-client-auth-supported" feature. 6985 * Made client-indentity optional, as there may be over-the-top auth 6986 instead. 6988 * Added augment to uses of local-or-keystore-symmetric-key-grouping 6989 for a psk "id" node. 6991 * Added missing presence container "psks" to ietf-tls-server's 6992 "client-authentication" container. 6994 * Updated examples to reflect new "bag" addition to truststore. 6996 * Removed feature-limited caseless 'case' statements to improve tree 6997 diagram rendering. 6999 * Refined truststore/keystore groupings to ensure the key formats 7000 "must" be particular values. 7002 * Switched to using truststore's new "public-key" bag (instead of 7003 separate "ssh-public-key" and "raw-public-key" bags). 7005 * Updated client/server examples to cover ALL cases (local/ref x 7006 cert/raw-key/psk). 7008 B.20. 18 to 19 7010 * Updated the "keepalives" containers in part to address Michal 7011 Vasko's request to align with RFC 8071, and in part to better 7012 align to RFC 6520. 7014 * Removed algorithm-mapping tables from the "TLS Common Model" 7015 section 7017 * Removed the 'algorithm' node from the examples. 7019 * Renamed both "client-certs" and "server-certs" to "ee-certs" 7021 * Added a "Note to Reviewers" note to first page. 7023 B.21. 19 to 20 7025 * Modified the 'must' expression in the "ietf-tls-client:server- 7026 authention" node to cover the "raw-public-keys" and "psks" nodes 7027 also. 7029 * Added a "must 'ca-certs or ee-certs or raw-public-keys or psks'" 7030 statement to the ietf-tls-server:client-authentication" node. 7032 * Added "mandatory true" to "choice auth-type" and a "presence" 7033 statement to its ancestor. 7035 * Expanded "Data Model Overview section(s) [remove "wall" of tree 7036 diagrams]. 7038 * Moved the "ietf-tls-common" module section to proceed the other 7039 two module sections. 7041 * Updated the Security Considerations section. 7043 B.22. 20 to 21 7045 * Updated examples to reflect new "cleartext-" prefix in the crypto- 7046 types draft. 7048 B.23. 21 to 22 7050 * In both the "client-authentication" and "server-authentication" 7051 subtrees, replaced the "psks" node from being a P-container to a 7052 leaf of type "empty". 7054 * Cleaned up examples (e.g., removed FIXMEs) 7056 * Fixed issues found by the SecDir review of the "keystore" draft. 7058 * Updated the "psk" sections in the "ietf-tls-client" and "ietf-tls- 7059 server" modules to more correctly reflect RFC 4279. 7061 B.24. 22 to 23 7063 * Addressed comments raised by YANG Doctor in the ct/ts/ks drafts. 7065 B.25. 23 to 24 7067 * Added missing reference to "FIPS PUB 180-4". 7069 * Added identity "tls-1.3" and updated description statement in 7070 other identities indicating that the protocol version is obsolete 7071 and enabling the feature is NOT RECOMMENDED. 7073 * Added XML-comment above examples explaining the reason for the 7074 unexpected top-most element's presence. 7076 * Added missing "client-ident-raw-public-key" and "client-ident-psk" 7077 featutes. 7079 * Aligned modules with `pyang -f` formatting. 7081 * Fixed nits found by YANG Doctor reviews. 7083 * Added a 'Contributors' section. 7085 B.26. 24 to 25 7087 * Added TLS 1.3 references. 7089 * Clarified support for various TLS protocol versions. 7091 * Moved algorithms in ietf-tls-common (plus more) to IANA-maintained 7092 modules 7094 * Added "config false" lists for algorithms supported by the server. 7096 * Fixed issues found during YANG Doctor review. 7098 B.27. 25 to 26 7100 * Replaced "base64encodedvalue==" with "BASE64VALUE=" in examples. 7102 * Minor editorial nits 7104 B.28. 26 to 27 7106 * Fixed up the 'WG Web' and 'WG List' lines in YANG module(s) 7108 * Fixed up copyright (i.e., s/Simplified/Revised/) in YANG module(s) 7109 * Created identityref-based typedef for the IANA alg identity base. 7111 * Major update to support TLS 1.3. 7113 B.29. 27 to 28 7115 * Fixed draft text to refer to new "identity" values (e.g., s/tls- 7116 1.3/tls13). 7118 * Added ietf-tls-common:generate-public-key() RPC. 7120 Acknowledgements 7122 The authors would like to thank for following for lively discussions 7123 on list and in the halls (ordered by first name): Alan Luchuk, Andy 7124 Bierman, Balazs Kovacs, Benoit Claise, Bert Wijnen, David Lamparter, 7125 Dhruv Dhody, Gary Wu, Henk Birkholz, Juergen Schoenwaelder, Ladislav 7126 Lhotka, Liang Xia, Martin Bjoerklund, Mehmet Ersue, Michal Vasko, 7127 Phil Shafer, Radek Krejci, Sean Turner, and Tom Petch. 7129 Contributors 7131 Special acknowledgement goes to Gary Wu who contributed the "ietf- 7132 tls-common" module, and Tom Petch who carefully ensured that 7133 references were set correctly throughout. 7135 Author's Address 7137 Kent Watsen 7138 Watsen Networks 7139 Email: kent+ietf@watsen.net