SFR or Section of cPP/SD in question:
FCS_TLSS_EXT.1.3 test 1ii for TLS 1.3 use case (paragraph 496 in the current SD PDF).
I think this test case might also be referred to as FCS_TLSS_EXT.1.3 test 1b in the ASCII doc.
"The evaluator shall attempt a connection using a supported ECDHE ciphersuite (TLS 1.2) or group (TLS 1.3) and a single unsupported elliptic curve (e.g. secp192r1 (0x13)) specified in RFC4492, chap. 5.1.1. The evaluator shall verify that the TOE does not send a Server Hello message and the connection is not successfully established."
Issue:
When using TLS 1.3, it is unclear what it means to use "...a supported ECDHE ... group (TLS 1.3) and a single unsupported elliptic curve..." In TLS 1.3 there are two portions to the Client Hello which use group information: the key_share extension and the supported_groups extension. If we set both to a supported group/curve (eg. P-256) (i.e. test 1i), then the connection works as expected. If we try to set both to an unsupported group/curve, then the client will send a Client Hello, and the TOE server will NOT return a Server Hello (which is the desired response). If we try to manipulate the Client Hello to set (for example) the key_share to a supported value and the supported_groups extension to another, then it isn't clear this is actually testing the intent of the test case (test for unsupported TLS 1.3 groups).
Proposed Resolution:
I believe that the test should be modified lightly for the purposes of TLS 1.3 to get the desired outcome.
"For TLS 1.2, the evaluator shall attempt a connection using a supported ECDHE ciphersuite and a single unsupported elliptic curve (e.g. secp192r1 (0x13)) specified in RFC4492, chap. 5.1.1. The evaluator shall verify that the TOE does not send a Server Hello message and the connection is not successfully established.
For TLS 1.3, the evaluator shall attempt a connection using a supported ciphersuite and a single unsupported group. Both the key_share and supported_groups extensions must be set to the same unsupported group. The evaluator shall verify that the TOE does not send a Server Hello message and the connection is not successfully established."
Rationale:
The proposed resolution covers several main things:
1) Fixes the ambiguity between a "supported group" and an "unsupported elliptic curve".
2) Decouples the idea of ciphersuites and curves/groups from the protocol versions.
3) Realizes that groups in TLS 1.3 can be FFC or EC and permits the use of either for this negative test case.
Requesting Organization: Lightship Security
Status: [ ] On-going certification [X] Preparatory/Other
Certification Deadline Dates: N/A
SFR or Section of cPP/SD in question: FCS_TLSS_EXT.1.3 test 1ii for TLS 1.3 use case (paragraph 496 in the current SD PDF). I think this test case might also be referred to as FCS_TLSS_EXT.1.3 test 1b in the ASCII doc.
"The evaluator shall attempt a connection using a supported ECDHE ciphersuite (TLS 1.2) or group (TLS 1.3) and a single unsupported elliptic curve (e.g. secp192r1 (0x13)) specified in RFC4492, chap. 5.1.1. The evaluator shall verify that the TOE does not send a Server Hello message and the connection is not successfully established."
Issue: When using TLS 1.3, it is unclear what it means to use "...a supported ECDHE ... group (TLS 1.3) and a single unsupported elliptic curve..." In TLS 1.3 there are two portions to the Client Hello which use group information: the
key_share
extension and thesupported_groups
extension. If we set both to a supported group/curve (eg. P-256) (i.e. test 1i), then the connection works as expected. If we try to set both to an unsupported group/curve, then the client will send a Client Hello, and the TOE server will NOT return a Server Hello (which is the desired response). If we try to manipulate the Client Hello to set (for example) thekey_share
to a supported value and thesupported_groups
extension to another, then it isn't clear this is actually testing the intent of the test case (test for unsupported TLS 1.3 groups).Proposed Resolution: I believe that the test should be modified lightly for the purposes of TLS 1.3 to get the desired outcome.
"For TLS 1.2, the evaluator shall attempt a connection using a supported ECDHE ciphersuite and a single unsupported elliptic curve (e.g. secp192r1 (0x13)) specified in RFC4492, chap. 5.1.1. The evaluator shall verify that the TOE does not send a Server Hello message and the connection is not successfully established.
For TLS 1.3, the evaluator shall attempt a connection using a supported ciphersuite and a single unsupported group. Both the key_share and supported_groups extensions must be set to the same unsupported group. The evaluator shall verify that the TOE does not send a Server Hello message and the connection is not successfully established."
Rationale: The proposed resolution covers several main things: 1) Fixes the ambiguity between a "supported group" and an "unsupported elliptic curve". 2) Decouples the idea of ciphersuites and curves/groups from the protocol versions. 3) Realizes that groups in TLS 1.3 can be FFC or EC and permits the use of either for this negative test case.