Copyright 2015-2019 Ericsson AB, All Rights Reserved

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

The Initial Developer of the Original Code is Ericsson AB.

Standards Compliance
Prepared by: OTP team
Date: 2019-03-20
Rev: A
File: standards_compliance.xml
Purpose
This section describes the current state of standards compliance of the ssl application.
Common (pre TLS 1.3)
- For security reasons RSA key exchange cipher suites are no longer supported by default, but can be configured. (OTP 21)
- For security reasons DES cipher suites are no longer supported by default, but can be configured. (OTP 20)
- For security reasons 3DES cipher suites are no longer supported by default, but can be configured. (OTP 21)
- The Renegotiation Indication Extension (RFC 5746) is supported.
- Ephemeral Diffie-Hellman cipher suites are supported, but not Diffie-Hellman certificate cipher suites.
- Elliptic Curve cipher suites are supported if the Crypto application supports them and named curves are used.
- Export cipher suites are not supported, as the U.S. lifted its export restrictions in early 2000.
- IDEA cipher suites are not supported, as they were deprecated by the TLS 1.2 specification, so there is no motivation to implement them.
- Compression is not supported.
Common
- CRL validation is supported.
- Policy certificate extensions are not supported.
- The 'Server Name Indication' extension (RFC 6066) is supported.
- Application Layer Protocol Negotiation (ALPN) and its successor Next Protocol Negotiation (NPN) are supported.
- It is possible to use Pre-Shared Key (PSK) and Secure Remote Password (SRP) cipher suites, but they are not enabled by default.
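The cipher-suite defaults described in the two lists above can be checked, and where a legacy peer requires it selectively widened, from the ssl API. The module below is an added example and is not code from the OTP ssl documentation; it uses ssl:cipher_suites/2, ssl:filter_cipher_suites/2 and ssl:append_cipher_suites/2 as they exist since OTP 20.3, and the module name, the function names and the CertFile/KeyFile paths are this example's own choices.

```erlang
%% Added example (not part of the OTP ssl documentation): auditing the
%% pre-TLS 1.3 cipher-suite defaults and building an explicit suite list
%% for a TLS 1.2 server that must still accept legacy peers.
-module(suite_audit).
-export([defaults_by_kex/1, legacy_suites/0, drop_ciphers/2, listen_opts/2]).

%% Count the default suites per key-exchange algorithm for Version
%% (e.g. 'tlsv1.2'). On OTP 21 or later the result has no rsa key,
%% which confirms that plain RSA key exchange really is off by default.
defaults_by_kex(Version) ->
    lists:foldl(fun(#{key_exchange := Kex}, Acc) ->
                        maps:update_with(Kex, fun(N) -> N + 1 end, 1, Acc)
                end, #{}, ssl:cipher_suites(default, Version)).

%% Opt back in to RSA key exchange (no forward secrecy) for TLS 1.2,
%% restricted to AES-GCM and placed after the default suites so it is
%% chosen only when a client offers nothing forward-secret.
legacy_suites() ->
    Default = ssl:cipher_suites(default, 'tlsv1.2'),
    RsaKex = ssl:filter_cipher_suites(
               ssl:cipher_suites(all, 'tlsv1.2'),
               [{key_exchange, fun(rsa) -> true; (_) -> false end},
                {cipher, fun(aes_128_gcm) -> true;
                            (aes_256_gcm) -> true;
                            (_) -> false end}]),
    ssl:append_cipher_suites(RsaKex, Default).

%% Remove every suite whose bulk cipher is in Drop, e.g.
%% [des_cbc, '3des_ede_cbc']. A cheap guard for lists built from 'all'.
drop_ciphers(Suites, Drop) ->
    ssl:filter_cipher_suites(
      Suites, [{cipher, fun(C) -> not lists:member(C, Drop) end}]).

%% Listen options for the legacy-tolerant server. CertFile and KeyFile
%% are placeholder paths. honor_cipher_order makes the server's order
%% win, so the RSA-kex suites stay the last resort for every client.
listen_opts(CertFile, KeyFile) ->
    [{versions, ['tlsv1.2']},
     {certfile, CertFile},
     {keyfile, KeyFile},
     {ciphers, drop_ciphers(legacy_suites(), [des_cbc, '3des_ede_cbc'])},
     {honor_cipher_order, true}].
```

Calling suite_audit:defaults_by_kex('tlsv1.2') on OTP 21 or later returns a map keyed by atoms such as ecdhe_rsa and ecdhe_ecdsa with no rsa entry, which is the quickest way to verify the default described above; legacy_suites/0 re-adds RSA key exchange only at the tail of the list, and drop_ciphers/2 shows the matching check for the DES and 3DES defaults, since both are still present in the 'all' list that the opt-in draws from.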
SSL 2.0
For security reasons SSL-2.0 is not supported. Interoperability with SSL-2.0-enabled clients has been dropped. (OTP 21)
SSL 3.0
For security reasons SSL-3.0 is no longer supported by default, but can be configured. (OTP 19)
TLS 1.0
For security reasons TLS-1.0 is no longer supported by default, but can be configured. (OTP 22)
TLS 1.1
For security reasons TLS-1.1 is no longer supported by default, but can be configured. (OTP 22)
DTLS 1.0
For security reasons DTLS-1.0 (based on TLS 1.1) is no longer supported by default, but can be configured. (OTP 22)
DTLS 1.2
Supported (based on TLS 1.2).
DTLS 1.3
Not yet supported.
TLS 1.3
OTP-22 introduces basic support for TLS 1.3 on the server side. Basic functionality covers a simple TLS 1.3 handshake with support for the mandatory extensions (supported_groups, signature_algorithms, key_share, supported_versions and signature_algorithms_cert). The server supports a limited set of cryptographic algorithms:
- Key Exchange: ECDHE
- Groups: all standard groups supported for the Diffie-Hellman key exchange
- Ciphers: TLS_AES_128_GCM_SHA256 and TLS_AES_256_GCM_SHA384
- Signature Algorithms: RSA and RSA-PSS
- Certificates: currently only certificates with RSA keys are supported
Other notable features:
- The server supports the HelloRetryRequest mechanism
- PSK and session resumption are not supported
- Early data and 0-RTT are not supported
- Key and Initialization Vector Update is not supported
For more detailed information see the Standards Compliance table below.
Note that the client side is not yet functional. It is planned to be released later in OTP-22.
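A server that stays inside the OTP 22 feature set just listed can be configured directly through ssl options. The module below is an added example and is not the project's own code; it assumes the versions, ciphers and supported_groups options as they exist in OTP 22, an RSA certificate and key at the placeholder paths CertFile and KeyFile, and the module and function names are chosen for this example.

```erlang
%% Added example, not code from the OTP documentation: a minimal TLS 1.3
%% server kept inside what OTP 22 implements (ECDHE only, the two AES-GCM
%% suites, standard named groups, an RSA certificate).
-module(tls13_server).
-export([listen_opts/2, serve/3, accept_loop/1]).

%% Only TLS 1.3 is offered. Adding 'tlsv1.2' to versions would let older
%% clients in (D.2 "Negotiating with an Older Client" is compliant);
%% leaving it out is the strict choice for an internal service.
listen_opts(CertFile, KeyFile) ->
    %% The default TLS 1.3 list already holds exactly the two supported
    %% suites; filtering by bulk cipher keeps that explicit and stable
    %% if a later release widens the default.
    Suites = ssl:filter_cipher_suites(
               ssl:cipher_suites(default, 'tlsv1.3'),
               [{cipher, fun(aes_128_gcm) -> true;
                            (aes_256_gcm) -> true;
                            (_) -> false end}]),
    [{versions, ['tlsv1.3']},
     {certfile, CertFile},      % RSA key: the only key type OTP 22 supports here
     {keyfile, KeyFile},
     {ciphers, Suites},
     {supported_groups, [x25519, secp256r1, secp384r1]}, % preference order
     {reuseaddr, true}].

%% Listen and handle connections one at a time (enough for a smoke test).
serve(Port, CertFile, KeyFile) ->
    {ok, _} = application:ensure_all_started(ssl),
    {ok, Listen} = ssl:listen(Port, listen_opts(CertFile, KeyFile)),
    accept_loop(Listen).

accept_loop(Listen) ->
    {ok, Transport} = ssl:transport_accept(Listen),
    case ssl:handshake(Transport, 5000) of
        {ok, Socket} ->
            %% Record what was actually negotiated. A client whose
            %% key_share did not cover one of our supported_groups has
            %% been sent through HelloRetryRequest before reaching here.
            {ok, Info} = ssl:connection_information(
                           Socket, [protocol, selected_cipher_suite]),
            io:format("negotiated ~p~n", [Info]),
            ssl:send(Socket, <<"hello\n">>),
            ssl:close(Socket);
        {error, Reason} ->
            %% PSK-only, 0-RTT or cookie-dependent clients end up here,
            %% since none of those modes is implemented in OTP 22.
            io:format("handshake failed: ~p~n", [Reason])
    end,
    accept_loop(Listen).
```

tls13_server:serve(8443, "/path/to/server.pem", "/path/to/server.key") starts the loop; the printed connection_information is the quickest way to confirm from the server side that {protocol, 'tlsv1.3'} and one of the two listed suites were negotiated rather than a fallback.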
The following table describes the current state of standards compliance for TLS 1.3 (C = Compliant, NC = Non-Compliant, PC = Partially-Compliant, NA = Not Applicable).
| Section | Feature | State | Since |
| 1.3. Updates Affecting TLS 1.2 | | C | 22 |
| | Version downgrade protection mechanism | C | 22 |
| | RSASSA-PSS signature schemes | PC | 22 |
| | supported_versions (ClientHello) extension | C | 22 |
| | signature_algorithms_cert extension | C | 22 |
| 2. Protocol Overview | | PC | 22 |
| | (EC)DHE | C | 22 |
| | PSK-only | NC | |
| | PSK with (EC)DHE | NC | |
| 2.1. Incorrect DHE share | HelloRetryRequest | C | 22 |
| 2.2. Resumption and Pre-Shared Key (PSK) | | NC | |
| 2.3. 0-RTT Data | | NC | |
| 4.1.1. Cryptographic Negotiation | | PC | 22 |
| | supported_groups extension | C | |
| | signature_algorithms extension | C | |
| | pre_shared_key extension | NC | |
| 4.1.2. Client Hello | Client | NC | |
| | server_name (RFC6066) | NC | |
| | max_fragment_length (RFC6066) | NC | |
| | status_request (RFC6066) | NC | |
| | supported_groups (RFC7919) | NC | |
| | signature_algorithms (RFC8446) | NC | |
| | use_srtp (RFC5764) | NC | |
| | heartbeat (RFC6520) | NC | |
| | application_layer_protocol_negotiation (RFC7301) | NC | |
| | signed_certificate_timestamp (RFC6962) | NC | |
| | client_certificate_type (RFC7250) | NC | |
| | server_certificate_type (RFC7250) | NC | |
| | padding (RFC7685) | NC | |
| | key_share (RFC8446) | NC | |
| | pre_shared_key (RFC8446) | NC | |
| | psk_key_exchange_modes (RFC8446) | NC | |
| | early_data (RFC8446) | NC | |
| | cookie (RFC8446) | NC | |
| | supported_versions (RFC8446) | NC | |
| | certificate_authorities (RFC8446) | NC | |
| | oid_filters (RFC8446) | NC | |
| | post_handshake_auth (RFC8446) | NC | |
| | signature_algorithms_cert (RFC8446) | NC | |
| | Server | PC | 22 |
| | server_name (RFC6066) | NC | |
| | max_fragment_length (RFC6066) | NC | |
| | status_request (RFC6066) | NC | |
| | supported_groups (RFC7919) | C | 22 |
| | signature_algorithms (RFC8446) | C | 22 |
| | use_srtp (RFC5764) | NC | |
| | heartbeat (RFC6520) | NC | |
| | application_layer_protocol_negotiation (RFC7301) | NC | |
| | signed_certificate_timestamp (RFC6962) | NC | |
| | client_certificate_type (RFC7250) | NC | |
| | server_certificate_type (RFC7250) | NC | |
| | padding (RFC7685) | NC | |
| | key_share (RFC8446) | C | 22 |
| | pre_shared_key (RFC8446) | NC | |
| | psk_key_exchange_modes (RFC8446) | NC | |
| | early_data (RFC8446) | NC | |
| | cookie (RFC8446) | NC | |
| | supported_versions (RFC8446) | C | 22 |
| | certificate_authorities (RFC8446) | NC | |
| | oid_filters (RFC8446) | NC | |
| | post_handshake_auth (RFC8446) | NC | |
| | signature_algorithms_cert (RFC8446) | C | 22 |
| 4.1.3. Server Hello | Client | NC | |
| | Version downgrade protection | NC | |
| | key_share (RFC8446) | NC | |
| | pre_shared_key (RFC8446) | NC | |
| | supported_versions (RFC8446) | NC | |
| | Server | PC | 22 |
| | Version downgrade protection | C | 22 |
| | key_share (RFC8446) | C | 22 |
| | pre_shared_key (RFC8446) | NC | |
| | supported_versions (RFC8446) | C | 22 |
| 4.1.4. Hello Retry Request | Server | PC | 22 |
| | key_share (RFC8446) | C | 22 |
| | cookie (RFC8446) | NC | |
| | supported_versions (RFC8446) | C | 22 |
| 4.2.1. Supported Versions | Client | NC | |
| | Server | C | 22 |
| 4.2.2. Cookie | Client | NC | |
| | Server | NC | |
| 4.2.3. Signature Algorithms | Client | NC | |
| | rsa_pkcs1_sha256 | NC | |
| | rsa_pkcs1_sha384 | NC | |
| | rsa_pkcs1_sha512 | NC | |
| | ecdsa_secp256r1_sha256 | NC | |
| | ecdsa_secp384r1_sha384 | NC | |
| | ecdsa_secp521r1_sha512 | NC | |
| | rsa_pss_rsae_sha256 | NC | |
| | rsa_pss_rsae_sha384 | NC | |
| | rsa_pss_rsae_sha512 | NC | |
| | ed25519 | NC | |
| | ed448 | NC | |
| | rsa_pss_pss_sha256 | NC | |
| | rsa_pss_pss_sha384 | NC | |
| | rsa_pss_pss_sha512 | NC | |
| | rsa_pkcs1_sha1 | NC | |
| | ecdsa_sha1 | NC | |
| | Server | PC | 22 |
| | rsa_pkcs1_sha256 | C | 22 |
| | rsa_pkcs1_sha384 | C | 22 |
| | rsa_pkcs1_sha512 | C | 22 |
| | ecdsa_secp256r1_sha256 | NC | |
| | ecdsa_secp384r1_sha384 | NC | |
| | ecdsa_secp521r1_sha512 | NC | |
| | rsa_pss_rsae_sha256 | C | 22 |
| | rsa_pss_rsae_sha384 | C | 22 |
| | rsa_pss_rsae_sha512 | C | 22 |
| | ed25519 | NC | |
| | ed448 | NC | |
| | rsa_pss_pss_sha256 | NC | |
| | rsa_pss_pss_sha384 | NC | |
| | rsa_pss_pss_sha512 | NC | |
| | rsa_pkcs1_sha1 | C | 22 |
| | ecdsa_sha1 | C | 22 |
| 4.2.4. Certificate Authorities | Client | NC | |
| | Server | NC | |
| 4.2.5. OID Filters | Client | NC | |
| | Server | NC | |
| 4.2.6. Post-Handshake Client Authentication | Client | NC | |
| | Server | NC | |
| 4.2.7. Supported Groups | Client | NC | |
| | secp256r1 | NC | |
| | secp384r1 | NC | |
| | secp521r1 | NC | |
| | x25519 | NC | |
| | x448 | NC | |
| | ffdhe2048 | NC | |
| | ffdhe3072 | NC | |
| | ffdhe4096 | NC | |
| | ffdhe6144 | NC | |
| | ffdhe8192 | NC | |
| | Server | C | 22 |
| | secp256r1 | C | 22 |
| | secp384r1 | C | 22 |
| | secp521r1 | C | 22 |
| | x25519 | C | 22 |
| | x448 | C | 22 |
| | ffdhe2048 | C | 22 |
| | ffdhe3072 | C | 22 |
| | ffdhe4096 | C | 22 |
| | ffdhe6144 | C | 22 |
| | ffdhe8192 | C | 22 |
| 4.2.8. Key Share | Client | NC | |
| | Server | C | 22 |
| 4.2.9. Pre-Shared Key Exchange Modes | Client | NC | |
| | Server | NC | |
| 4.2.10. Early Data Indication | Client | NC | |
| | Server | NC | |
| 4.2.11. Pre-Shared Key Extension | Client | NC | |
| | Server | NC | |
| 4.2.11.1. Ticket Age | Client | NC | |
| | Server | NC | |
| 4.2.11.2. PSK Binder | Client | NC | |
| | Server | NC | |
| 4.2.11.3. Processing Order | Client | NC | |
| | Server | NC | |
| 4.3.1. Encrypted Extensions | Client | NC | |
| | server_name (RFC6066) | NC | |
| | max_fragment_length (RFC6066) | NC | |
| | supported_groups (RFC7919) | NC | |
| | use_srtp (RFC5764) | NC | |
| | heartbeat (RFC6520) | NC | |
| | application_layer_protocol_negotiation (RFC7301) | NC | |
| | client_certificate_type (RFC7250) | NC | |
| | server_certificate_type (RFC7250) | NC | |
| | early_data (RFC8446) | NC | |
| | supported_versions (RFC8446) | NC | |
| | Server | PC | 22 |
| | server_name (RFC6066) | NC | |
| | max_fragment_length (RFC6066) | NC | |
| | supported_groups (RFC7919) | NC | |
| | use_srtp (RFC5764) | NC | |
| | heartbeat (RFC6520) | NC | |
| | application_layer_protocol_negotiation (RFC7301) | NC | |
| | client_certificate_type (RFC7250) | NC | |
| | server_certificate_type (RFC7250) | NC | |
| | early_data (RFC8446) | NC | |
| | supported_versions (RFC8446) | NC | |
| 4.3.2. Certificate Request | Client | NC | |
| | status_request (RFC6066) | NC | |
| | signature_algorithms (RFC8446) | NC | |
| | signed_certificate_timestamp (RFC6962) | NC | |
| | certificate_authorities (RFC8446) | NC | |
| | oid_filters (RFC8446) | NC | |
| | signature_algorithms_cert (RFC8446) | NC | |
| | Server | PC | 22 |
| | status_request (RFC6066) | NC | |
| | signature_algorithms (RFC8446) | NC | |
| | signed_certificate_timestamp (RFC6962) | NC | |
| | certificate_authorities (RFC8446) | NC | |
| | oid_filters (RFC8446) | NC | |
| | signature_algorithms_cert (RFC8446) | NC | |
| 4.4.1. The Transcript Hash | | C | 22 |
| 4.4.2. Certificate | Client | NC | |
| | status_request (RFC6066) | NC | |
| | signed_certificate_timestamp (RFC6962) | NC | |
| | Server | PC | 22 |
| | status_request (RFC6066) | NC | |
| | signed_certificate_timestamp (RFC6962) | NC | |
| 4.4.2.1. OCSP Status and SCT Extensions | Client | NC | |
| | Server | NC | |
| 4.4.2.2. Server Certificate Selection | Client | NC | |
| | certificate type MUST be X.509v3 | NC | |
| | certificate's public key is compatible | NC | |
| | The certificate MUST allow the key to be used for signing | NC | |
| | server_name and certificate_authorities are used | NC | |
| | Server | PC | |
| | certificate type MUST be X.509v3 | C | 22 |
| | certificate's public key is compatible | C | 22 |
| | The certificate MUST allow the key to be used for signing | C | 22 |
| | server_name and certificate_authorities are used | NC | |
| 4.4.2.3. Client Certificate Selection | | NC | |
| 4.4.2.4. Receiving a Certificate Message | Client | NC | |
| | Server | C | 22 |
| 4.4.3. Certificate Verify | Client | NC | |
| | Server | C | 22 |
| 4.4.4. Finished | Client | NC | |
| | Server | C | 22 |
| 4.5. End of Early Data | Client | NC | |
| | Server | NC | |
| 4.6.1. New Session Ticket Message | Client | NC | |
| | early_data (RFC8446) | NC | |
| | Server | NC | |
| | early_data (RFC8446) | NC | |
| 4.6.2. Post-Handshake Authentication | Client | NC | |
| | Server | NC | |
| 4.6.3. Key and Initialization Vector Update | Client | NC | |
| | Server | NC | |
| 5.1. Record Layer | | C | 22 |
| | MUST NOT be interleaved with other record types | C | 22 |
| | MUST NOT span key changes | C | 22 |
| | MUST NOT send zero-length fragments | C | 22 |
| | Alert messages MUST NOT be fragmented | C | 22 |
| 5.2. Record Payload Protection | | C | 22 |
| 5.3. Per-Record Nonce | | C | 22 |
| 5.4. Record Padding | | PC | 22 |
| | MAY choose to pad | NC | |
| | MUST NOT send Handshake and Alert records that have a zero-length TLSInnerPlaintext.content | NC | |
| | The padding sent is automatically verified | C | 22 |
| 5.5. Limits on Key Usage | | NC | |
| 6.1. Closure Alerts | | NC | |
| | close_notify | NC | |
| | user_cancelled | NC | |
| 6.2. Error Alerts | | PC | 22 |
| 7.1. Key Schedule | | C | 22 |
| 7.2. Updating Traffic Secrets | | C | 22 |
| 7.3. Traffic Key Calculation | | C | 22 |
| 7.5. Exporters | | NC | |
| 8. 0-RTT and Anti-Replay | | NC | |
| 8.1. Single-Use Tickets | | NC | |
| 8.2. Client Hello Recording | | NC | |
| 8.3. Freshness Checks | | NC | |
| 9.1. Mandatory-to-Implement Cipher Suites | | PC | 22 |
| | MUST implement the TLS_AES_128_GCM_SHA256 | C | 22 |
| | SHOULD implement the TLS_AES_256_GCM_SHA384 | C | 22 |
| | SHOULD implement the TLS_CHACHA20_POLY1305_SHA256 | NC | |
| | Digital signatures | PC | 22 |
| | MUST support rsa_pkcs1_sha256 (for certificates) | C | 22 |
| | MUST support rsa_pss_rsae_sha256 (for CertificateVerify and certificates) | C | 22 |
| | MUST support ecdsa_secp256r1_sha256 | NC | |
| | Key Exchange | C | 22 |
| | MUST support key exchange with secp256r1 | C | 22 |
| | SHOULD support key exchange with X25519 | C | 22 |
| 9.2. Mandatory-to-Implement Extensions | | PC | 22 |
| | Supported Versions | C | 22 |
| | Cookie | NC | |
| | Signature Algorithms | C | 22 |
| | Signature Algorithms Certificate | C | 22 |
| | Negotiated Groups | C | 22 |
| | Key Share | C | 22 |
| | Server Name Indication | NC | |
| | MUST send and use these extensions | C | 22 |
| | "supported_versions" is REQUIRED for ClientHello, ServerHello and HelloRetryRequest | PC | 22 |
| | "signature_algorithms" is REQUIRED for certificate authentication | C | 22 |
| | "supported_groups" is REQUIRED for ClientHello messages using (EC)DHE key exchange | C | 22 |
| | "key_share" is REQUIRED for (EC)DHE key exchange | C | 22 |
| | "pre_shared_key" is REQUIRED for PSK key agreement | NC | |
| | "psk_key_exchange_modes" is REQUIRED for PSK key agreement | NC | |
| | TLS 1.3 ClientHello | NC | |
| | If not containing a "pre_shared_key" extension, it MUST contain both a "signature_algorithms" extension and a "supported_groups" extension. | NC | |
| | If containing a "supported_groups" extension, it MUST also contain a "key_share" extension, and vice versa. An empty KeyShare.client_shares vector is permitted. | NC | |
| | TLS 1.3 ServerHello | PC | 22 |
| | MUST support the use of the "server_name" extension | NC | |
| 9.3. Protocol Invariants | | NC | |
| | MUST correctly handle extensible fields | NC | |
| | A client sending a ClientHello MUST support all parameters advertised in it. | NC | |
| | A middlebox which terminates a TLS connection MUST behave as a compliant TLS server | NA | |
| | A middlebox which forwards ClientHello parameters it does not understand MUST NOT process any messages beyond that ClientHello. | NA | |
| B.4. Cipher Suites | | PC | 22 |
| | TLS_AES_128_GCM_SHA256 | C | 22 |
| | TLS_AES_256_GCM_SHA384 | C | 22 |
| | TLS_CHACHA20_POLY1305_SHA256 | NC | |
| | TLS_AES_128_CCM_SHA256 | NC | |
| | TLS_AES_128_CCM_8_SHA256 | NC | |
| C.1. Random Number Generation and Seeding | | C | 22 |
| C.2. Certificates and Authentication | | C | 22 |
| C.3. Implementation Pitfalls | | PC | 22 |
| C.4. Client Tracking Prevention | | NC | |
| C.5. Unauthenticated Operation | | C | 22 |
| D.1. Negotiating with an Older Server | | NC | |
| D.2. Negotiating with an Older Client | | C | 22 |
| D.3. 0-RTT Backward Compatibility | | NC | |
| D.4. Middlebox Compatibility Mode | | PC | 22 |
| D.5. Security Restrictions Related to Backward Compatibility | | C | 22 |