rfc9645.original.xml   rfc9645.xml 
<?xml version='1.0' encoding='utf-8'?> <?xml version='1.0' encoding='UTF-8'?>
<!-- draft submitted in xml v3 -->
<!DOCTYPE rfc [ <!DOCTYPE rfc [
<!ENTITY nbsp "&#160;"> <!ENTITY nbsp "&#160;">
<!ENTITY zwsp "&#8203;"> <!ENTITY zwsp "&#8203;">
<!ENTITY nbhy "&#8209;"> <!ENTITY nbhy "&#8209;">
<!ENTITY wj "&#8288;"> <!ENTITY wj "&#8288;">
]> ]>
<?rfc toc="yes"?>
<?rfc symrefs="yes"?> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="std" consensus="true"
<?rfc sortrefs="yes" ?> submissionType="IETF" docName="draft-ietf-netconf-tls-client-server-41" number="
<?rfc compact="yes"?> 9645" ipr="trust200902" tocInclude="true" symRefs="true" sortRefs="true" updates
<?rfc subcompact="no"?> ="" obsoletes="" xml:lang="en" version="3">
<?rfc linkmailto="no" ?>
<?rfc editing="no" ?>
<?rfc comments="yes" ?>
<?rfc inline="yes"?>
<?rfc rfcedstyle="yes"?>
<?rfc-ext allow-markup-in-artwork="yes" ?>
<?rfc-ext include-index="no" ?>
<!--<?rfc strict="no"?> -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="std" consensus="true"
submissionType="IETF" docName="draft-ietf-netconf-tls-client-server-41" ipr="tru
st200902" tocInclude="true" symRefs="true" sortRefs="true" version="3">
<!-- xml2rfc v2v3 conversion 3.17.4 -->
<front> <front>
<title abbrev="Groupings for TLS Clients and Servers">YANG Groupings for <title abbrev="Groupings for TLS Clients and Servers">YANG Groupings for
TLS Clients and TLS Servers</title> TLS Clients and TLS Servers</title>
<seriesInfo name="Internet-Draft" value="draft-ietf-netconf-tls-client-serve <seriesInfo name="RFC" value="9645"/>
r-41"/>
<author fullname="Kent Watsen" initials="K." surname="Watsen"> <author fullname="Kent Watsen" initials="K." surname="Watsen">
<organization>Watsen Networks</organization> <organization>Watsen Networks</organization>
<address> <address>
<email>kent+ietf@watsen.net</email> <email>kent+ietf@watsen.net</email>
</address> </address>
</author> </author>
<date/> <date year="2024" month="August"/>
<area>Operations</area> <area>OPS</area>
<workgroup>NETCONF Working Group</workgroup> <workgroup>netconf</workgroup>
<!-- [rfced] Please insert any keywords (beyond those that appear in
the title) for use on https://www.rfc-editor.org/search. -->
<abstract> <abstract>
<t>This document presents four YANG 1.1 modules. Three IETF modules, <t>This document presents four YANG 1.1 modules -- three IETF modules
and one supporting IANA module.</t> and one supporting IANA module.</t>
<t>The three IETF modules are: ietf-tls-common, ietf-tls-client, and <t>The three IETF modules are "ietf-tls-common", "ietf-tls-client", and
ietf-tls-server. The "ietf-tls-client" and "ietf-tls-server" modules "ietf-tls-server". The "ietf-tls-client" and "ietf-tls-server" modules
are the primary productions of this work, supporting the configuration are the primary productions of this work, supporting the configuration
and monitoring of TLS clients and servers.</t> and monitoring of TLS clients and servers.</t>
<t>The IANA module is: iana-tls-cipher-suite-algs. This module <t>The IANA module is "iana-tls-cipher-suite-algs". This module
defines YANG enumerations providing support for an IANA-maintained defines YANG enumerations that provide support for an IANA-maintained
algorithm registry.</t> algorithm registry.</t>
</abstract> </abstract>
<note>
<name>Editorial Note (To be removed by RFC Editor)</name>
<t>This draft contains placeholder values that need to be replaced
with finalized values at the time of publication. This note summarizes
all of the substitutions that are needed. No other RFC Editor
instructions are specified elsewhere in this document.</t>
<t>Artwork in this document contains shorthand references to drafts in
progress. Please apply the following replacements:
</t>
<ul spacing="normal">
<li>
<tt>AAAA</tt> --&gt; the assigned RFC value for draft-ietf-netconf-cry
pto-types</li>
<li>
<tt>BBBB</tt> --&gt; the assigned RFC value for draft-ietf-netconf-tru
st-anchors</li>
<li>
<tt>CCCC</tt> --&gt; the assigned RFC value for draft-ietf-netconf-key
store</li>
<li>
<tt>DDDD</tt> --&gt; the assigned RFC value for draft-ietf-netconf-tcp
-client-server</li>
<li>
<tt>FFFF</tt> --&gt; the assigned RFC value for this draft</li>
</ul>
<t>Artwork in this document contains placeholder values for the date of
publication of this draft. Please apply the following replacement:
</t>
<ul spacing="normal">
<li>
<tt>2024-03-16</tt> --&gt; the publication date of this draft</li>
</ul>
<t>The "Relation to other RFCs" section <xref target="collective-effort"/>
contains
the text "one or more YANG modules" and, later, "modules". This text is
sourced
from a file in a context where it is unknown how many modules a draft de
fines.
The text is not wrong as is, but it may be improved by stating more dire
ctly how
many modules are defined.</t>
<t>The "Relation to other RFCs" section <xref target="collective-effort"/>
contains
a self-reference to this draft, along with a corresponding reference i
n
the Appendix. Please replace the self-reference in this section with
"This RFC"
(or similar) and remove the self-reference in the "Normative/Informati
ve References"
section, whichever it is in.</t>
<t>Tree-diagrams in this draft may use the '\' line-folding mode defined i
n RFC 8792.
However, nicer-to-the-eye is when the '\\' line-folding mode is used.
The AD suggested
suggested putting a request here for the RFC Editor to help convert "u
gly" '\' folded
examples to use the '\\' folding mode. "Help convert" may be interpre
ted as, identify
what looks ugly and ask the authors to make the adjustment.</t>
<t>The following Appendix sections are to be removed prior to publication:
</t>
<ul spacing="normal">
<li>
<xref target="tls-cipher-algs-model"/>. Initial Module for the "TLS C
ipher Suites" Registry</li>
<li>
<xref target="change-log"/>. Change Log</li>
</ul>
</note>
</front> </front>
<middle> <middle>
<section> <section>
<name>Introduction</name> <name>Introduction</name>
<t>This document presents four YANG 1.1 <xref target="RFC7950"/> <t>This document presents four YANG 1.1 <xref target="RFC7950"/>
modules. Three "IETF" modules and one "IANA" module.</t> modules -- three IETF modules and one IANA module.</t>
<t>The three IETF modules are ietf-tls-common (<xref target="tls-common-mo <t>The three IETF modules are "ietf-tls-common" (<xref target="tls-common-
del"/>), model"/>),
ietf-tls-client (<xref target="tls-client-model"/>), and ietf-tls-server "ietf-tls-client" (<xref target="tls-client-model"/>), and "ietf-tls-ser
ver"
(<xref target="tls-server-model"/>). The "ietf-tls-client" and (<xref target="tls-server-model"/>). The "ietf-tls-client" and
"ietf-tls-server" modules are the primary productions of this work, "ietf-tls-server" modules are the primary productions of this work,
supporting the configuration and monitoring of TLS clients and servers.< /t> supporting the configuration and monitoring of TLS clients and servers.< /t>
<t>The groupings defined in this document are expected to be used in <t>The groupings defined in this document are expected to be used in
conjunction with the groupings defined in an underlying transport-level conjunction with the groupings defined in an underlying transport-level
module, such as the groupings defined in <xref target="I-D.ietf-net conf-tcp-client-server"/>. module, such as the groupings defined in <xref target="RFC9643"/>.
The transport-level data model enables the configuration of transport-le vel The transport-level data model enables the configuration of transport-le vel
values such as a remote address, a remote port, a local address, and a values such as a remote address, a remote port, a local address, and a
local port.</t> local port.</t>
<t>The IANA module is iana-tls-cipher-suite-algs (<xref target="tls-cipher <t>The IANA module is "iana-tls-cipher-suite-algs".
-algs-model"/>). This module defines YANG enumerations that provide support for an IANA-m
This module defines YANG enumerations providing support for an IANA-main aintained
tained
algorithm registry.</t> algorithm registry.</t>
<t>This document assumes that the IANA module exists, <!-- [rfced] With the understanding that the IANA modules will exist at/around t
he time of RFC publication, are any updates needed to this text? Note that we w
ould update RFC 9644 similarly.
Original:
This document assumes that the IANA module exists, and presents a
script in Appendix A that IANA may use to generate the YANG module.
This document does not publish initial version of this module. IANA
publishes this module.
Perhaps:
IANA used the script in Appendix A to generate the
"iana-tls-cipher-suite-algs" YANG module. This
document does not publish the inital version of the
module; it is published and maintained by IANA.
-->
<t>This document assumes that the IANA module exists
and presents a script in <xref target="iana-script"/> that IANA and presents a script in <xref target="iana-script"/> that IANA
may use to generate the YANG module. This document does not may use to generate the YANG module. This document does not
publish initial version of this module. IANA publishes publish an initial version of this module. IANA publishes
this module.</t> this module.</t>
<section> <section>
<!--[rfced] Should the title of Section 1.1 be "IETF YANG Modules" or
"Features and Groupings of the IETF YANG Modules" instead of
"Regarding the IETF Modules" for clarity?
Original:
1.1. Regarding the IETF Modules
Perhaps:
1.1. Features and Groupings of the IETF YANG Modules
Note: if any changes are made, we will udpate RFC-to-be 9644 similarly.
-->
<name>Regarding the IETF Modules</name> <name>Regarding the IETF Modules</name>
<t>The three IETF modules define features and groupings to model "generi c" TLS <t>The three IETF modules define features and groupings to model "generi c" TLS
clients and TLS servers, where "generic" should be interpreted as "lea st clients and TLS servers, where "generic" should be interpreted as "lea st
common denominator" rather than "complete." Basic TLS protocol suppor t common denominator" rather than "complete." Basic TLS protocol suppor t
is afforded by these modules, leaving configuration of advance feature s is afforded by these modules, leaving configuration of advance feature s
to augmentations made by consuming modules.</t> to augmentations made by consuming modules.</t>
<!-- [rfced] RFC 2818 has been obsoleted by RFC 9110. May we replace
RFC 2818 with RFC 9110?
Also, we rephrased "NETCONF over TLS [RFC7589] based clients and
servers" as shown below in order to avoid ugly hyphenation. Please
let us know of any concerns.
Current:
For instance, these groupings are used to help define the data model
for HTTPS [RFC2818] and NETCONF over TLS [RFC7589] based clients and
servers in [I-D.ietf-netconf-http-client-server] and
[I-D.ietf-netconf-netconf-client-server] respectively.
Perhaps:
For instance, these groupings are used to help define the data model
for HTTPS [RFC9110] and clients and servers based on the Network
Configuration Protocol (NETCONF) over TLS [RFC7589] in [HTTP-CLIENT-SERVER]
and [NETCONF-CLIENT-SERVER], respectively.
-->
<t>It is intended that the YANG groupings will be used by applications n eeding <t>It is intended that the YANG groupings will be used by applications n eeding
to configure TLS client and server protocol stacks. For instance, the se to configure TLS client and server protocol stacks. For instance, the se
groupings are used to help define the data model for HTTPS <xref targe t="RFC2818"/> groupings are used to help define the data model for HTTPS <xref targe t="RFC2818"/>
and NETCONF over TLS <xref target="RFC7589"/> based clients and server and clients and servers based on the Network Configuration Protocol (N
s in ETCONF) over TLS <xref target="RFC7589"/> in <xref target="I-D.ietf-netconf-http
<xref target="I-D.ietf-netconf-http-client-server"/> and -client-server"/> and <xref target="I-D.ietf-netconf-netconf-client-server"/>, r
<xref target="I-D.ietf-netconf-netconf-client-server"/> respectively.< espectively.</t>
/t> <t>The "ietf-tls-client" and "ietf-tls-server" YANG modules each define
<t>The ietf-tls-client and ietf-tls-server YANG modules each define one one
grouping, which is focused on just TLS-specific configuration, and grouping, which is focused on just TLS-specific configuration, and
specifically avoids any transport-level configuration, such as what specifically avoid any transport-level configuration, such as what
ports to listen-on or connect-to. This affords applications the ports to listen on or connect to. This affords applications the
opportunity to define their own strategy for how the underlying TCP opportunity to define their own strategy for how the underlying TCP
connection is established. For instance, applications supporting NETCO NF connection is established. For instance, applications supporting NETCO NF
Call Home <xref target="RFC8071"/> could use the "tls-server-grouping" Call Home <xref target="RFC8071"/> could use the "tls-server-grouping"
grouping for the TLS parts it provides, while adding data nodes for th e grouping for the TLS parts it provides, while adding data nodes for th e
TCP-level call-home configuration.</t> TCP-level call-home configuration.</t>
<t>Both TLS 1.2 and TLS 1.3 may be configured. TLS 1.2 <t>Both TLS 1.2 and TLS 1.3 may be configured. TLS 1.2
<xref target="RFC5246"/> is obsoleted by TLS 1.3 <xref target="RFC8446 "/> <xref target="RFC5246"/> is obsoleted by TLS 1.3 <xref target="RFC8446 "/>
but still in common use, and hence its "feature" statement is marked but is still in common use, and hence its "feature" statement is marke d
"status deprecated".</t> "status deprecated".</t>
</section> </section>
<section anchor="collective-effort"> <section anchor="collective-effort">
<name>Relation to other RFCs</name> <name>Relation to Other RFCs</name>
<t>This document presents one or more YANG modules <xref target="RFC7950 <t>This document presents four YANG modules <xref target="RFC7950"/>
"/>
that are part of a collection of RFCs that work together that are part of a collection of RFCs that work together
to, ultimately, support the configuration of both the clients to ultimately support the configuration of both the clients
and servers of both the NETCONF <xref target="RFC6241"/> and and servers of the NETCONF <xref target="RFC6241"/> and
RESTCONF <xref target="RFC8040"/> protocols.</t> RESTCONF <xref target="RFC8040"/> protocols.</t>
<t> The dependency relationship between the primary YANG groupings <t> The dependency relationship between the primary YANG groupings
defined in the various RFCs is presented in the below diagram. defined in the various RFCs is presented in the diagram below.
In some cases, a draft may define secondary groupings that In some cases, a document may define secondary groupings that
introduce dependencies not illustrated in the diagram. introduce dependencies not illustrated in the diagram.
The labels in the diagram are a shorthand name for the defining The labels in the diagram are shorthand names for the defining
RFC. The citation reference for shorthand name is provided below RFCs. The citation references for the shorthand names are provided
below
the diagram.</t> the diagram.</t>
<t>Please note that the arrows in the diagram point from referencer <t>Please note that the arrows in the diagram point from referencer
to referenced. For example, the "crypto-types" RFC does not to referenced. For example, the "crypto-types" RFC does not
have any dependencies, whilst the "keystore" RFC depends on the have any dependencies, whilst the "keystore" RFC depends on the
"crypto-types" RFC.</t> "crypto-types" RFC.</t>
<artwork><![CDATA[ <artwork><![CDATA[
crypto-types crypto-types
^ ^ ^ ^
/ \ / \
/ \ / \
skipping to change at line 192 skipping to change at line 183
| | | ^ ^ http-client-server | | | ^ ^ http-client-server
| | | | | ^ | | | | | ^
| | | +-----+ +---------+ | | | | +-----+ +---------+ |
| | | | | | | | | | | |
| +-----------|--------|--------------+ | | | +-----------|--------|--------------+ | |
| | | | | | | | | | | |
+-----------+ | | | | | +-----------+ | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
netconf-client-server restconf-client-server netconf-client-server restconf-client-server
]]></artwork> ]]></artwork>
<!-- RFC Editor: is there anyway to flush-left the table in PDF/HTML vie <!-- RFC Editor: is there anyway to flush-left the table in PDF/HTML views? -->
ws? --> <table align="left">
<table> <name>Labels in Diagram to RFC Mapping</name>
<name>Label in Diagram to RFC Mapping</name>
<tbody> <tbody>
<tr> <tr>
<th>Label in Diagram</th> <th>Label in Diagram</th>
<th>Originating RFC</th> <th>Originating RFC</th>
</tr> </tr>
<tr> <tr>
<td>crypto-types</td> <td>crypto-types</td>
<td> <td>
<xref target="I-D.ietf-netconf-crypto-types"/></td> <xref target="RFC9640"/></td>
</tr> </tr>
<tr> <tr>
<td>truststore</td> <td>truststore</td>
<td> <td>
<xref target="I-D.ietf-netconf-trust-anchors"/></td> <xref target="RFC9641"/></td>
</tr> </tr>
<tr> <tr>
<td>keystore</td> <td>keystore</td>
<td> <td>
<xref target="I-D.ietf-netconf-keystore"/></td> <xref target="RFC9642"/></td>
</tr> </tr>
<tr> <tr>
<td>tcp-client-server</td> <td>tcp-client-server</td>
<td> <td>
<xref target="I-D.ietf-netconf-tcp-client-server"/></td> <xref target="RFC9643"/></td>
</tr> </tr>
<tr> <tr>
<td>ssh-client-server</td> <td>ssh-client-server</td>
<td> <td>
<xref target="I-D.ietf-netconf-ssh-client-server"/></td> <xref target="RFC9644"/></td>
</tr> </tr>
<tr> <tr>
<td>tls-client-server</td> <td>tls-client-server</td>
<td> <td>
<xref target="I-D.ietf-netconf-tls-client-server"/></td> RFC XXXX</td>
</tr> </tr>
<tr> <tr>
<td>http-client-server</td> <td>http-client-server</td>
<td> <td>
<xref target="I-D.ietf-netconf-http-client-server"/></td> <xref target="I-D.ietf-netconf-http-client-server"/></td>
</tr> </tr>
<tr> <tr>
<td>netconf-client-server</td> <td>netconf-client-server</td>
<td> <td>
<xref target="I-D.ietf-netconf-netconf-client-server"/></td> <xref target="I-D.ietf-netconf-netconf-client-server"/></td>
skipping to change at line 252 skipping to change at line 242
<tr> <tr>
<td>restconf-client-server</td> <td>restconf-client-server</td>
<td> <td>
<xref target="I-D.ietf-netconf-restconf-client-server"/></td> <xref target="I-D.ietf-netconf-restconf-client-server"/></td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</section> </section>
<section> <section>
<name>Specification Language</name> <name>Specification Language</name>
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL <t>
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
"MAY", and "OPTIONAL" in this document are to be interpreted as "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/ ",
> "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>",
when, and only when, they appear in all capitals, as shown here.</t> "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to
be
interpreted as described in BCP&nbsp;14 <xref target="RFC2119"/> <xref
target="RFC8174"/> when, and only when, they appear in all capitals, as
shown here.
</t>
</section> </section>
<section> <section>
<name>Adherence to the NMDA</name> <name>Adherence to the NMDA</name>
<t>This document is compliant with the Network Management Datastore <t>This document is compliant with the Network Management Datastore
Architecture (NMDA) <xref target="RFC8342"/>. For instance, as Architecture (NMDA) <xref target="RFC8342"/>. For instance, as
described in <xref target="I-D.ietf-netconf-trust-anchors"/> and described in <xref target="RFC9641"/> and
<xref target="I-D.ietf-netconf-keystore"/>, trust anchors and keys <xref target="RFC9642"/>, trust anchors and keys
installed during manufacturing are expected to appear installed during manufacturing are expected to appear
in &lt;operational&gt; (<xref section="5.3" target="RFC8342"/>), and & in &lt;operational&gt; (<xref section="5.3" target="RFC8342"/>) and &l
lt;system&gt; t;system&gt;
<xref target="I-D.ietf-netmod-system-config"/>, if implemented.</t> <xref target="I-D.ietf-netmod-system-config"/> if implemented.</t>
</section> </section>
<section> <section>
<name>Conventions</name> <name>Conventions</name>
<t>Various examples in this document use "BASE64VALUE=" as a <t>Various examples in this document use "BASE64VALUE=" as a
placeholder value for binary data that has been base64 placeholder value for binary data that has been base64 encoded
encoded (per <xref section="9.8" target="RFC7950"/>). This (per <xref section="9.8" target="RFC7950"/>). This
placeholder value is used because real base64 encoded structures placeholder value is used because real base64-encoded structures
are often many lines long and hence distracting to the example are often many lines long and hence distracting to the example
being presented.</t> being presented.</t>
</section> </section>
</section> </section>
<section anchor="tls-common-model"> <section anchor="tls-common-model">
<name>The "ietf-tls-common" Module</name> <name>The "ietf-tls-common" Module</name>
<t>The TLS common model presented in this section contains features <t>The TLS common model presented in this section contains features
and groupings common to both TLS clients and TLS servers. The and groupings common to both TLS clients and TLS servers. The
"hello-params-grouping" grouping can be used to configure the list of TLS "hello-params-grouping" grouping can be used to configure the list of TLS
algorithms permitted by the TLS client or TLS server. The lists of algorithms permitted by the TLS client or TLS server. The lists of
algorithms are ordered such that, if multiple algorithms are permitted algorithms are ordered such that, if multiple algorithms are permitted
by the client, the algorithm that appears first in its list that is also by the client, the algorithm that appears first in its list and that is al so
permitted by the server is used for the TLS transport layer connection. permitted by the server is used for the TLS transport layer connection.
The ability to restrict the algorithms allowed is provided in this The ability to restrict the algorithms allowed is provided in this
grouping for TLS clients and TLS servers that are capable of doing so grouping for TLS clients and TLS servers that are capable of doing so
and may serve to make TLS clients and TLS servers compliant with local and that may serve to make TLS clients and TLS servers compliant with loca l
security policies. This model supports both TLS 1.2 <xref target="RFC5246" /> and TLS 1.3 <xref target="RFC8446"/>.</t> security policies. This model supports both TLS 1.2 <xref target="RFC5246" /> and TLS 1.3 <xref target="RFC8446"/>.</t>
<!-- [rfced] Some author comments are present in the XML. Please
confirm that no updates related to these comments are
outstanding. Note that the comments will be deleted prior to
publication.
-->
<!-- <!--
<t>TLS 1.2 and TLS 1.3 have different ways defining their own supported <t>TLS 1.2 and TLS 1.3 have different ways defining their own supported
cryptographic algorithms, see TLS and DTLS IANA registries page cryptographic algorithms, see TLS and DTLS IANA registries page
(https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml):</t > (https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml):</t >
<t><list style="symbols"> <t><list style="symbols">
<t>TLS 1.2 defines four categories of registries for cryptographic <t>TLS 1.2 defines four categories of registries for cryptographic
algorithms: TLS Cipher Suites, TLS SignatureAlgorithm, TLS algorithms: TLS Cipher Suites, TLS SignatureAlgorithm, TLS
HashAlgorithm, TLS Supported Groups. TLS Cipher Suites plays the HashAlgorithm, TLS Supported Groups. TLS Cipher Suites plays the
role of combining all of them into one set, as each value of the set role of combining all of them into one set, as each value of the set
skipping to change at line 325 skipping to change at line 327
Secondly, all three of these categories are useful, since they Secondly, all three of these categories are useful, since they
represent different parts of all the supported algorithms represent different parts of all the supported algorithms
respectively. Thus, all of these registries categories are respectively. Thus, all of these registries categories are
considered here. In this draft, the TLS common model chooses only considered here. In this draft, the TLS common model chooses only
those TLS1.3 algorithms specified in B.4, 4.2.3, 4.2.7 of <xref those TLS1.3 algorithms specified in B.4, 4.2.3, 4.2.7 of <xref
target="RFC8446"/>.</t> target="RFC8446"/>.</t>
</list></t> </list></t>
--> -->
<!-- FIXME - is there an open item below? --> <!-- FIXME - is there an open item below? -->
<t>Thus, in order to support both TLS1.2 and TLS1.3, the cipher-suites <t>Thus, in order to support both TLS 1.2 and TLS 1.3, the cipher suites
part of the "hello-params-grouping" grouping should include three paramete part of the "hello-params-grouping" grouping should include the following
rs for three parameters for
configuring its permitted TLS algorithms, which are: TLS Cipher Suites, configuring its permitted TLS algorithms: TLS Cipher Suites,
TLS SignatureScheme, TLS Supported Groups.</t> TLS SignatureScheme, and TLS Supported Groups.</t>
<!-- <!--
<t>Features are defined for algorithms that are OPTIONAL or are not <t>Features are defined for algorithms that are OPTIONAL or are not
widely supported by popular implementations. Note that the list of widely supported by popular implementations. Note that the list of
algorithms is not exhaustive.</t> algorithms is not exhaustive.</t>
--> -->
<section> <section>
<name>Data Model Overview</name> <name>Data Model Overview</name>
<t>This section provides an overview of the "ietf-tls-common" module <t>This section provides an overview of the "ietf-tls-common" module
in terms of its features, identities, and groupings.</t> in terms of its features, identities, and groupings.</t>
<section anchor="common-features" toc="exclude"> <section anchor="common-features" toc="exclude">
<name>Features</name> <name>Features</name>
<t>The following diagram lists all the "feature" statements <t>The following diagram lists all the "feature" statements
defined in the "ietf-tls-common" module:</t> defined in the "ietf-tls-common" module:</t>
<artwork><![CDATA[
<!-- [rfced] We updated several <artwork> elements to <sourcecode>.
Please review and confirm if this is correct or if further
updates are needed.
In addition, please consider whether the "type" attribute of the
sourcecode elements has been set correctly or if updates are needed.
The current list of preferred values for "type" is available at
https://www.rfc-editor.org/materials/sourcecode-types.txt. If the current
list does not contain an applicable type, feel free to suggest additions
for consideration. Note that it is also acceptable to leave the "type"
attribute not set.
-->
<sourcecode type="yangtree"><![CDATA[
Features: Features:
+-- tls12 +-- tls12
+-- tls13 +-- tls13
+-- hello-params +-- hello-params
+-- asymmetric-key-pair-generation +-- asymmetric-key-pair-generation
+-- supported-algorithms +-- supported-algorithms
]]></artwork> ]]></sourcecode>
<t>The diagram above uses syntax that is similar to but not <t>The diagram above uses syntax that is similar to but not
defined in <xref target="RFC8340"/>.</t> defined in <xref target="RFC8340"/>.</t>
<t>Please refer to the YANG module for a description of each feature.< /t> <t>Please refer to the YANG module for a description of each feature.< /t>
</section> </section>
<section anchor="identities" toc="exclude"> <section anchor="identities" toc="exclude">
<name>Identities</name> <name>Identities</name>
<t>The following diagram illustrates the relationship amongst the <t>The following diagram illustrates the relationship amongst the
"identity" statements defined in the "ietf-tls-common" module:</t> "identity" statements defined in the "ietf-tls-common" module:</t>
<artwork><![CDATA[ <sourcecode type="yangtree"><![CDATA[
Identities: Identities:
+-- tls-version-base +-- tls-version-base
+-- tls12 +-- tls12
+-- tls13 +-- tls13
]]></artwork> ]]></sourcecode>
<!--<aside>--> <!--<aside>-->
<t>The diagram above uses syntax that is similar to but not <t>The diagram above uses syntax that is similar to but not
defined in <xref target="RFC8340"/>.</t> defined in <xref target="RFC8340"/>.</t>
<!--</aside>--> <!--</aside>-->
<t>Comments:</t> <t>Comments:</t>
<ul spacing="compact"> <ul spacing="compact">
<li>The diagram shows that there are two base identities.</li> <li>The diagram shows that there are two base identities.</li>
<li>One base identity is used to specific TLS versions, while <li>One base identity is used to specific TLS versions, while
the other is used to specify cipher-suites.</li> the other is used to specify cipher suites.</li>
<li>These base identities are "abstract", in the object oriented <li>These base identities are "abstract" in the object-oriented
programming sense, in that they only define a "class" of things, programming sense because they only define a "class" of things
rather than a specific thing.</li> rather than a specific thing.</li>
</ul> </ul>
</section> </section>
<section toc="exclude"> <section toc="exclude">
<name>Groupings</name> <name>Groupings</name>
<t>The "ietf-tls-common" module defines the following "grouping" state ment:</t> <t>The "ietf-tls-common" module defines the following "grouping" state ment:</t>
<ul spacing="compact"> <ul spacing="compact">
<li>hello-params-grouping</li> <li>hello-params-grouping</li>
</ul> </ul>
<t>This grouping is presented in the following subsection.</t> <t>This grouping is presented in the following subsection.</t>
<section anchor="hello-params-grouping"> <section anchor="hello-params-grouping">
<name>The "hello-params-grouping" Grouping</name> <name>The "hello-params-grouping" Grouping</name>
<t>The following tree diagram <xref target="RFC8340"/> illustrates t he <t>The following tree diagram <xref target="RFC8340"/> illustrates t he
"hello-params-grouping" grouping:</t> "hello-params-grouping" grouping:</t>
<artwork><![CDATA[ <sourcecode type="yangtree"><![CDATA[
grouping hello-params-grouping: grouping hello-params-grouping:
+-- tls-versions +-- tls-versions
| +-- min? identityref | +-- min? identityref
| +-- max? identityref | +-- max? identityref
+-- cipher-suites +-- cipher-suites
+-- cipher-suite* tlscsa:tls-cipher-suite-algorithm +-- cipher-suite* tlscsa:tls-cipher-suite-algorithm
]]></artwork> ]]></sourcecode>
<t>Comments:</t> <t>Comments:</t>
<ul> <ul>
<li>This grouping is used by both the "tls-client-grouping" and th e <li>This grouping is used by both the "tls-client-grouping" and th e
"tls-server-grouping" groupings defined in <xref target="tls-cli "tls-server-grouping" groupings defined in Sections <xref target
ent-grouping"/> ="tls-client-grouping" format="counter"/>
and <xref target="tls-server-grouping"/>, respectively.</li> and <xref target="tls-server-grouping" format="counter"/>, respe
ctively.</li>
<li>This grouping enables client and server configurations to <li>This grouping enables client and server configurations to
specify the TLS versions and cipher suites that are to be used specify the TLS versions and cipher suites that are to be used
when establishing TLS sessions.</li> when establishing TLS sessions.</li>
<li>The "cipher-suites" list is "ordered-by user".</li> <li>The "cipher-suites" list is "ordered-by user".</li>
</ul> </ul>
</section> </section>
</section> </section>
<section toc="exclude"> <section toc="exclude">
<name>Protocol-accessible Nodes</name> <name>Protocol-Accessible Nodes</name>
<t>The following tree diagram <xref target="RFC8340"/> lists all the <t>The following tree diagram <xref target="RFC8340"/> lists all the
protocol-accessible nodes defined in the "ietf-tls-common" module, protocol-accessible nodes defined in the "ietf-tls-common" module,
without expanding the "grouping" statements:</t> without expanding the "grouping" statements:</t>
<artwork><![CDATA[ <sourcecode type="yangtree"><![CDATA[
module: ietf-tls-common module: ietf-tls-common
+--ro supported-algorithms {algorithm-discovery}? +--ro supported-algorithms {algorithm-discovery}?
+--ro supported-algorithm* tlscsa:tls-cipher-suite-algorithm +--ro supported-algorithm* tlscsa:tls-cipher-suite-algorithm
rpcs: rpcs:
+---x generate-asymmetric-key-pair +---x generate-asymmetric-key-pair
{asymmetric-key-pair-generation}? {asymmetric-key-pair-generation}?
+---w input +---w input
| +---w algorithm | +---w algorithm
| | tlscsa:tls-cipher-suite-algorithm | | tlscsa:tls-cipher-suite-algorithm
skipping to change at line 443 skipping to change at line 460
| | +---w ks:encrypted-by-grouping | | +---w ks:encrypted-by-grouping
| +--:(hidden) {ct:hidden-private-keys}? | +--:(hidden) {ct:hidden-private-keys}?
| +---w hidden? empty | +---w hidden? empty
+--ro output +--ro output
+--ro (key-or-hidden)? +--ro (key-or-hidden)?
+--:(key) +--:(key)
| +---u ct:asymmetric-key-pair-grouping | +---u ct:asymmetric-key-pair-grouping
+--:(hidden) +--:(hidden)
+--ro location? +--ro location?
instance-identifier instance-identifier
]]></artwork> ]]></sourcecode>
<t>Comments:</t> <t>Comments:</t>
<ul> <ul>
<li>Protocol-accessible nodes are those nodes that are accessible <li>Protocol-accessible nodes are nodes that are accessible
when the module is "implemented", as described in <xref section="5 .6.5" target="RFC7950"/>.</li> when the module is "implemented", as described in <xref section="5 .6.5" target="RFC7950"/>.</li>
<li>The protocol-accessible nodes for the "ietf-tls-common" module <li>The protocol-accessible nodes for the "ietf-tls-common" module
are limited to the "supported-algorithms" container, which is cons trained are limited to the "supported-algorithms" container, which is cons trained
by the "algorithm-discovery" feature, and the RPC "generate-asymme tric-key-pair", by the "algorithm-discovery" feature, and the "generate-asymmetric -key-pair" RPC,
which is constrained by the "asymmetric-key-pair-generation" featu re.</li> which is constrained by the "asymmetric-key-pair-generation" featu re.</li>
<li>The "encrypted-by-grouping" grouping is discussed in <li>The "encrypted-by-grouping" grouping is discussed in
<xref section="2.1.3.1" target="I-D.ietf-netconf-keystore"/>.</li> <xref section="2.1.3.1" target="RFC9642"/>.</li>
<li>The "asymmetric-key-pair-grouping" grouping is discussed in <li>The "asymmetric-key-pair-grouping" grouping is discussed in
<xref section="2.1.4.6" target="I-D.ietf-netconf-crypto-types"/>.< /li> <xref section="2.1.4.6" target="RFC9640"/>.</li>
</ul> </ul>
</section> </section>
</section> </section>
<section> <section>
<name>Example Usage</name> <name>Example Usage</name>
<t>The following example illustrates the "hello-params-grouping' <t>The following example illustrates the "hello-params-grouping"
grouping when populated with some data.</t> grouping when populated with some data.</t>
<artwork><![CDATA[
<sourcecode type="xml"><![CDATA[
<!-- The outermost element below doesn't exist in the data model. --> <!-- The outermost element below doesn't exist in the data model. -->
<!-- It simulates if the "grouping" were a "container" instead. --> <!-- It simulates if the "grouping" were a "container" instead. -->
<hello-params <hello-params
xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-common" xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-common"
xmlns:tlscmn="urn:ietf:params:xml:ns:yang:ietf-tls-common"> xmlns:tlscmn="urn:ietf:params:xml:ns:yang:ietf-tls-common">
<tls-versions> <tls-versions>
<min>tlscmn:tls12</min> <min>tlscmn:tls12</min>
<max>tlscmn:tls13</max> <max>tlscmn:tls13</max>
</tls-versions> </tls-versions>
<cipher-suites> <cipher-suites>
<cipher-suite>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</cipher-suite> <cipher-suite>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</cipher-suite>
<cipher-suite>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</cipher-suite> <cipher-suite>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</cipher-suite>
<cipher-suite>TLS_RSA_WITH_3DES_EDE_CBC_SHA</cipher-suite> <cipher-suite>TLS_RSA_WITH_3DES_EDE_CBC_SHA</cipher-suite>
</cipher-suites> </cipher-suites>
</hello-params> </hello-params>
]]></artwork> ]]></sourcecode>
<t>The following example illustrates operational state data indicating <t>The following example illustrates operational state data indicating
the TLS algorithms supported by the server.</t> the TLS algorithms supported by the server.</t>
<artwork><![CDATA[
<sourcecode type="xml"><![CDATA[
=============== NOTE: '\' line wrapping per RFC 8792 ================ =============== NOTE: '\' line wrapping per RFC 8792 ================
<supported-algorithms <supported-algorithms
xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-common"> xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-common">
<supported-algorithm>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</support\ <supported-algorithm>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</support\
ed-algorithm> ed-algorithm>
<supported-algorithm>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384</supp\ <supported-algorithm>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384</supp\
orted-algorithm> orted-algorithm>
<supported-algorithm>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</supporte\ <supported-algorithm>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</supporte\
d-algorithm> d-algorithm>
skipping to change at line 514 skipping to change at line 534
hm> hm>
<supported-algorithm>TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384</sup\ <supported-algorithm>TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384</sup\
ported-algorithm> ported-algorithm>
<supported-algorithm>TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384</support\ <supported-algorithm>TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384</support\
ed-algorithm> ed-algorithm>
<supported-algorithm>TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</supported\ <supported-algorithm>TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</supported\
-algorithm> -algorithm>
<supported-algorithm>TLS_DH_DSS_WITH_AES_128_GCM_SHA256</supported\ <supported-algorithm>TLS_DH_DSS_WITH_AES_128_GCM_SHA256</supported\
-algorithm> -algorithm>
</supported-algorithms> </supported-algorithms>
]]></artwork> ]]></sourcecode>
<t>The following example illustrates the "generate-asymmetric-key-pair" RPC.</t> <t>The following example illustrates the "generate-asymmetric-key-pair" RPC.</t>
<t keepWithNext="true">REQUEST</t> <t keepWithNext="true">REQUEST</t>
<artwork><![CDATA[ <sourcecode type="xml"><![CDATA[
=============== NOTE: '\' line wrapping per RFC 8792 ================ =============== NOTE: '\' line wrapping per RFC 8792 ================
<rpc message-id="101" <rpc message-id="101"
xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<generate-asymmetric-key-pair <generate-asymmetric-key-pair
xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-common"> xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-common">
<algorithm>TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256</algorithm> <algorithm>TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256</algorithm>
<num-bits>521</num-bits> <num-bits>521</num-bits>
<private-key-encoding> <private-key-encoding>
<encrypted> <encrypted>
<asymmetric-key-ref>hidden-asymmetric-key</asymmetric-key-re\ <asymmetric-key-ref>hidden-asymmetric-key</asymmetric-key-re\
f> f>
</encrypted> </encrypted>
</private-key-encoding> </private-key-encoding>
</generate-asymmetric-key-pair> </generate-asymmetric-key-pair>
</rpc> </rpc>
]]></artwork> ]]></sourcecode>
<t keepWithNext="true">RESPONSE</t> <t keepWithNext="true">RESPONSE</t>
<artwork><![CDATA[ <sourcecode type="xml"><![CDATA[
=============== NOTE: '\' line wrapping per RFC 8792 ================ =============== NOTE: '\' line wrapping per RFC 8792 ================
<rpc-reply message-id="101" <rpc-reply message-id="101"
xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"
xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types" xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"
xmlns:tlscmn="urn:ietf:params:xml:ns:yang:ietf-tls-common"> xmlns:tlscmn="urn:ietf:params:xml:ns:yang:ietf-tls-common">
<tlscmn:public-key-format>ct:subject-public-key-info-format</tlscm\ <tlscmn:public-key-format>ct:subject-public-key-info-format</tlscm\
n:public-key-format> n:public-key-format>
<tlscmn:public-key>BASE64VALUE=</tlscmn:public-key> <tlscmn:public-key>BASE64VALUE=</tlscmn:public-key>
<tlscmn:private-key-format>ct:ec-private-key-format</tlscmn:privat\ <tlscmn:private-key-format>ct:ec-private-key-format</tlscmn:privat\
e-key-format> e-key-format>
<tlscmn:cleartext-private-key>BASE64VALUE=</tlscmn:cleartext-priva\ <tlscmn:cleartext-private-key>BASE64VALUE=</tlscmn:cleartext-priva\
te-key> te-key>
</rpc-reply> </rpc-reply>
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="tls-common-yang-module"> <section anchor="tls-common-yang-module">
<name>YANG Module</name> <name>YANG Module</name>
<t>This YANG module has a normative references to
<!-- [rfced] Section 2.3. May we add citations for "FIPS 180-4" and
"FIPS 186-2" in the sentence below since these documents are
referenced in the "ietf-tls-common" YANG module? We would also
like to add reference entries to the Normative References section
as shown below. FIPS 180-4 can be accessed at
<https://csrc.nist.gov/pubs/fips/180-4/upd1/final>. Note that
FIPS 186-2 has been superseded by FIPS 186-5 and can be accessed
at <https://csrc.nist.gov/pubs/fips/186-5/final>.
We would also like to add the following companion documents that are
referenced in the module to the sentence below. Please let us know if
this is agreeable or if you prefer otherwise.
Current:
This YANG module has a normative references to [RFC5288],
[RFC5289], [RFC8422], and FIPS PUB 180-4.
Perhaps:
This YANG module has normative references to [RFC5288],
[RFC5289], [RFC8422], [RFC9640], [RFC9642], [FIPS180-4],
and [FIPS186-5].
Normative Reference Entries
Perhaps:
[FIPS180-4]
National Institute of Standards and Technology (NIST),
"Secure Hash Standard (SHS)", FIPS PUB 180-4,
DOI 10.6028/NIST.FIPS.180-4, August 2015,
<https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf>.
[FIPS186-5]
National Institute of Standards and Technology (NIST),
"Digital Signature Standard (DSS)", FIPS 186-5,
February 2023, <https://nvlpubs.nist.gov/nistpubs/FIPS/
NIST.FIPS.186-5.pdf>.
-->
<t>This YANG module has normative references to
<xref target="RFC5288"/>, <xref target="RFC5289"/>, <xref target="RFC8 422"/>, <xref target="RFC5288"/>, <xref target="RFC5289"/>, <xref target="RFC8 422"/>,
and FIPS PUB 180-4.</t> and FIPS PUB 180-4.</t>
<t>This YANG module has a informative references to <t>This YANG module has informative references to
<xref target="RFC5246"/>, and <xref target="RFC8446"/>.</t> <xref target="RFC5246"/> and <xref target="RFC8446"/>.</t>
<t keepWithNext="true">&lt;CODE BEGINS&gt; file "ietf-tls-common@2024-03
-16.yang"</t> <!--[rfced] Section 2.3. In the "ietf-tls-common" YANG module, we
<artwork><![CDATA[ assume that the following reference is to this document, so we
updated the title as shown below. If that is not correct, please
let us know. (Note that if further changes are made to the title,
we will update this entry accordingly.)
Original:
import iana-tls-cipher-suite-algs {
prefix tlscsa;
reference
"RFC FFFF: YANG Groupings for TLS Clients and SSH Servers";
Current:
import iana-tls-cipher-suite-algs {
prefix tlscsa;
reference
"RFC 9645: YANG Groupings for TLS Clients and TLS Servers";
-->
<!--Section 2.3 YANG Module-->
<sourcecode name="ietf-tls-common@2024-03-16.yang" type="yang" markers="
true"><![CDATA[
module ietf-tls-common { module ietf-tls-common {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-common"; namespace "urn:ietf:params:xml:ns:yang:ietf-tls-common";
prefix tlscmn; prefix tlscmn;
import iana-tls-cipher-suite-algs { import iana-tls-cipher-suite-algs {
prefix tlscsa; prefix tlscsa;
reference reference
"RFC FFFF: YANG Groupings for TLS Clients and SSH Servers"; "RFC 9645: YANG Groupings for TLS Clients and TLS Servers";
} }
import ietf-crypto-types { import ietf-crypto-types {
prefix ct; prefix ct;
reference reference
"RFC AAAA: YANG Data Types and Groupings for Cryptography"; "RFC 9640: YANG Data Types and Groupings for Cryptography";
} }
import ietf-keystore { import ietf-keystore {
prefix ks; prefix ks;
reference reference
"RFC CCCC: A YANG Data Model for a Keystore"; "RFC 9642: A YANG Data Model for a Keystore and Keystore
Operations";
} }
organization organization
"IETF NETCONF (Network Configuration) Working Group"; "IETF NETCONF (Network Configuration) Working Group";
contact contact
"WG List: NETCONF WG list <mailto:netconf@ietf.org> "WG List: NETCONF WG list <mailto:netconf@ietf.org>
WG Web: https://datatracker.ietf.org/wg/netconf WG Web: https://datatracker.ietf.org/wg/netconf
Author: Kent Watsen <mailto:kent+ietf@watsen.net> Author: Kent Watsen <mailto:kent+ietf@watsen.net>
Author: Jeff Hartley <mailto:intensifysecurity@gmail.com> Author: Jeff Hartley <mailto:intensifysecurity@gmail.com>
Author: Gary Wu <mailto:garywu@cisco.com>"; Author: Gary Wu <mailto:garywu@cisco.com>";
description description
"This module defines a common features and groupings for "This module defines common features and groupings for
Transport Layer Security (TLS). Transport Layer Security (TLS).
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all
capitals, as shown here.
Copyright (c) 2024 IETF Trust and the persons identified Copyright (c) 2024 IETF Trust and the persons identified
as authors of the code. All rights reserved. as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Revised subject to the license terms contained in, the Revised
BSD License set forth in Section 4.c of the IETF Trust's BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info). (https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC FFFF This version of this YANG module is part of RFC 9645
(https://www.rfc-editor.org/info/rfcFFFF); see the RFC (https://www.rfc-editor.org/info/rfc9645); see the RFC
itself for full legal notices. itself for full legal notices.";
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all
capitals, as shown here.";
revision 2024-03-16 { revision 2024-03-16 {
description description
"Initial version"; "Initial version.";
reference reference
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; "RFC 9645: YANG Groupings for TLS Clients and TLS Servers";
} }
// Features // Features
feature tls12 { feature tls12 {
description description
"TLS Protocol Version 1.2 is supported. TLS 1.2 is obsolete "TLS Protocol Version 1.2 is supported. TLS 1.2 is obsolete,
and thus it is NOT RECOMMENDED to enable this feature."; and thus it is NOT RECOMMENDED to enable this feature.";
reference reference
"RFC 5246: The Transport Layer Security (TLS) Protocol "RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2"; Version 1.2";
} }
feature tls13 { feature tls13 {
description description
"TLS Protocol Version 1.3 is supported."; "TLS Protocol Version 1.3 is supported.";
reference reference
skipping to change at line 696 skipping to change at line 776
"RFC 8446: The Transport Layer Security (TLS) "RFC 8446: The Transport Layer Security (TLS)
Protocol Version 1.3"; Protocol Version 1.3";
} }
// Typedefs // Typedefs
typedef epsk-supported-hash { typedef epsk-supported-hash {
type enumeration { type enumeration {
enum sha-256 { enum sha-256 {
description description
"The SHA-256 Hash."; "The SHA-256 hash.";
} }
enum sha-384 { enum sha-384 {
description description
"The SHA-384 Hash."; "The SHA-384 hash.";
} }
} }
description description
"As per Section 4.2.11 of RFC 8446, the hash algorithm "As per Section 4.2.11 of RFC 8446, the hash algorithm
supported by an instance of an External Pre-Shared supported by an instance of an External Pre-Shared
Key (EPSK)."; Key (EPSK).";
reference reference
"RFC 8446: The Transport Layer Security (TLS) "RFC 8446: The Transport Layer Security (TLS)
Protocol Version 1.3"; Protocol Version 1.3";
} }
skipping to change at line 754 skipping to change at line 834
container cipher-suites { container cipher-suites {
description description
"Parameters regarding cipher suites."; "Parameters regarding cipher suites.";
leaf-list cipher-suite { leaf-list cipher-suite {
type tlscsa:tls-cipher-suite-algorithm; type tlscsa:tls-cipher-suite-algorithm;
ordered-by user; ordered-by user;
description description
"Acceptable cipher suites in order of descending "Acceptable cipher suites in order of descending
preference. The configured host key algorithms should preference. The configured host key algorithms should
be compatible with the algorithm used by the configured be compatible with the algorithm used by the configured
private key. Please see Section 5 of RFC FFFF for private key. Please see Section 5 of RFC 9645 for
valid combinations. valid combinations.
If this leaf-list is not configured (has zero elements) If this leaf-list is not configured (has zero elements),
the acceptable cipher suites are implementation- the acceptable cipher suites are implementation-
defined."; defined.";
reference reference
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; "RFC 9645: YANG Groupings for TLS Clients and TLS Servers";
} }
} }
} // hello-params-grouping } // hello-params-grouping
// Protocol-accessible Nodes // Protocol-accessible Nodes
container supported-algorithms { container supported-algorithms {
if-feature "algorithm-discovery"; if-feature "algorithm-discovery";
config false; config false;
description description
skipping to change at line 784 skipping to change at line 864
leaf-list supported-algorithm { leaf-list supported-algorithm {
type tlscsa:tls-cipher-suite-algorithm; type tlscsa:tls-cipher-suite-algorithm;
description description
"A cipher suite algorithm supported by the server."; "A cipher suite algorithm supported by the server.";
} }
} }
rpc generate-asymmetric-key-pair { rpc generate-asymmetric-key-pair {
if-feature "asymmetric-key-pair-generation"; if-feature "asymmetric-key-pair-generation";
description description
"Requests the device to generate an asymmetric-key-pair "Requests the device to generate an 'asymmetric-key-pair'
key using the specified key algorithm."; key using the specified key algorithm.";
input { input {
leaf algorithm { leaf algorithm {
type tlscsa:tls-cipher-suite-algorithm; type tlscsa:tls-cipher-suite-algorithm;
mandatory true; mandatory true;
description description
"The cipher suite algorithm that the generated key is "The cipher suite algorithm that the generated key
to work with. Implementations derive the public key works with. Implementations derive the public key
algorithm from the cipher suite algorithm. Example: algorithm from the cipher suite algorithm. For
cipher suite 'tls-rsa-with-aes-256-cbc-sha256' maps example, cipher suite
to the RSA public key."; 'tls-rsa-with-aes-256-cbc-sha256' maps to the RSA
public key.";
} }
leaf num-bits { leaf num-bits {
type uint16; type uint16;
description description
"Specifies the number of bits in the key to create. "Specifies the number of bits to create in the key.
For RSA keys, the minimum size is 1024 bits and For RSA keys, the minimum size is 1024 bits, and
the default is 3072 bits. Generally, 3072 bits is the default is 3072 bits. Generally, 3072 bits is
considered sufficient. DSA keys must be exactly 1024 considered sufficient. DSA keys must be exactly
bits as specified by FIPS 186-2. For elliptical 1024 bits as specified by FIPS 186-2. For
keys, the 'num-bits' value determines the key length elliptical keys, the 'num-bits' value determines
of the curve (e.g., 256, 384 or 521), where valid the key length of the curve (e.g., 256, 384, or 521),
values supported by the server are conveyed via an where valid values supported by the server are
unspecified mechanism. For some public algorithms, conveyed via an unspecified mechanism. For some
the keys have a fixed length and thus the 'num-bits' public algorithms, the keys have a fixed length, and
value is not specified."; thus the 'num-bits' value is not specified.";
} }
container private-key-encoding { container private-key-encoding {
description description
"Indicates how the private key is to be encoded."; "Indicates how the private key is to be encoded.";
choice private-key-encoding { choice private-key-encoding {
mandatory true; mandatory true;
description description
"A choice amongst optional private key handling."; "A choice amongst optional private key handling.";
case cleartext { case cleartext {
if-feature "ct:cleartext-private-keys"; if-feature "ct:cleartext-private-keys";
skipping to change at line 832 skipping to change at line 913
type empty; type empty;
description description
"Indicates that the private key is to be returned "Indicates that the private key is to be returned
as a cleartext value."; as a cleartext value.";
} }
} }
case encrypted { case encrypted {
if-feature "ct:encrypted-private-keys"; if-feature "ct:encrypted-private-keys";
container encrypted { container encrypted {
description description
"Indicates that the key is to be encrypted using "Indicates that the key is to be encrypted using
the specified symmetric or asymmetric key."; the specified symmetric or asymmetric key.";
uses ks:encrypted-by-grouping; uses ks:encrypted-by-grouping;
} }
} }
case hidden { case hidden {
if-feature "ct:hidden-private-keys"; if-feature "ct:hidden-private-keys";
leaf hidden { leaf hidden {
type empty; type empty;
description description
"Indicates that the private key is to be hidden. "Indicates that the private key is to be hidden.
Unlike the 'cleartext' and 'encrypt' options, the Unlike the 'cleartext' and 'encrypt' options, the
key returned is a placeholder for an internally key returned is a placeholder for an internally
stored key. See the 'Support for Built-in Keys' stored key. See Section 3 of RFC 9642 ('Support
section in RFC CCCC for information about hidden for Built-In Keys') for information about hidden
keys."; keys.";
} }
} }
} }
} }
} }
output { output {
choice key-or-hidden { choice key-or-hidden {
case key { case key {
uses ct:asymmetric-key-pair-grouping; uses ct:asymmetric-key-pair-grouping;
skipping to change at line 875 skipping to change at line 956
} }
description description
"The output can be either a key (for cleartext and "The output can be either a key (for cleartext and
encrypted keys) or the location to where the key encrypted keys) or the location to where the key
was created (for hidden keys)."; was created (for hidden keys).";
} }
} }
} // end generate-asymmetric-key-pair } // end generate-asymmetric-key-pair
} }
]]></artwork> ]]></sourcecode>
<t keepWithPrevious="true">&lt;CODE ENDS&gt;</t>
</section> </section>
</section> </section>
<section anchor="tls-client-model"> <section anchor="tls-client-model">
<name>The "ietf-tls-client" Module</name> <name>The "ietf-tls-client" Module</name>
<t>This section defines a YANG 1.1 <xref target="RFC7950"/> module called <t>This section defines a YANG 1.1 <xref target="RFC7950"/> module called
"ietf-tls-client". A high-level overview of the module is provided in "ietf-tls-client". A high-level overview of the module is provided in
<xref target="client-overview"/>. Examples illustrating the module's use <xref target="client-overview"/>. Examples illustrating the module's use
are provided in <xref target="client-examples">Examples</xref>. The YANG are provided in <xref target="client-examples"/> ("Example Usage"). The YANG
module itself is defined in <xref target="client-yang-module"/>.</t> module itself is defined in <xref target="client-yang-module"/>.</t>
<section anchor="client-overview"> <section anchor="client-overview">
<name>Data Model Overview</name> <name>Data Model Overview</name>
<t>This section provides an overview of the "ietf-tls-client" module <t>This section provides an overview of the "ietf-tls-client" module
in terms of its features and groupings.</t> in terms of its features and groupings.</t>
<section anchor="client-features" toc="exclude"> <section anchor="client-features" toc="exclude">
<name>Features</name> <name>Features</name>
<t>The following diagram lists all the "feature" statements <t>The following diagram lists all the "feature" statements
defined in the "ietf-tls-client" module:</t> defined in the "ietf-tls-client" module:</t>
<artwork><![CDATA[ <sourcecode type="yangtree"><![CDATA[
Features: Features:
+-- tls-client-keepalives +-- tls-client-keepalives
+-- client-ident-x509-cert +-- client-ident-x509-cert
+-- client-ident-raw-public-key +-- client-ident-raw-public-key
+-- client-ident-psk +-- client-ident-psk
+-- server-auth-x509-cert +-- server-auth-x509-cert
+-- server-auth-raw-public-key +-- server-auth-raw-public-key
+-- server-auth-psk +-- server-auth-psk
]]></artwork> ]]></sourcecode>
<t>The diagram above uses syntax that is similar to but not <t>The diagram above uses syntax that is similar to but not
defined in <xref target="RFC8340"/>.</t> defined in <xref target="RFC8340"/>.</t>
<t>Please refer to the YANG module for a description of each feature.< /t> <t>Please refer to the YANG module for a description of each feature.< /t>
</section> </section>
<section toc="exclude"> <section toc="exclude">
<name>Groupings</name> <name>Groupings</name>
<t>The "ietf-tls-client" module defines the following "grouping" state ment:</t> <t>The "ietf-tls-client" module defines the following "grouping" state ment:</t>
<ul spacing="compact"> <ul spacing="compact">
<li>tls-client-grouping</li> <li>tls-client-grouping</li>
</ul> </ul>
<t>This grouping is presented in the following subsection.</t> <t>This grouping is presented in the following subsection.</t>
<section anchor="tls-client-grouping"> <section anchor="tls-client-grouping">
<name>The "tls-client-grouping" Grouping</name> <name>The "tls-client-grouping" Grouping</name>
<t>The following tree diagram <xref target="RFC8340"/> illustrates t he <t>The following tree diagram <xref target="RFC8340"/> illustrates t he
"tls-client-grouping" grouping:</t> "tls-client-grouping" grouping:</t>
<artwork><![CDATA[ <sourcecode type="yangtree"><![CDATA[
=============== NOTE: '\' line wrapping per RFC 8792 ================ =============== NOTE: '\' line wrapping per RFC 8792 ================
grouping tls-client-grouping: grouping tls-client-grouping:
+-- client-identity! +-- client-identity!
| +-- (auth-type) | +-- (auth-type)
| +--:(certificate) {client-ident-x509-cert}? | +--:(certificate) {client-ident-x509-cert}?
| | +-- certificate | | +-- certificate
| | +---u ks:inline-or-keystore-end-entity-cert-with-key\ | | +---u ks:inline-or-keystore-end-entity-cert-with-key\
-grouping -grouping
| +--:(raw-public-key) {client-ident-raw-public-key}? | +--:(raw-public-key) {client-ident-raw-public-key}?
skipping to change at line 966 skipping to change at line 1048
| | +---u ts:inline-or-truststore-public-keys-grouping | | +---u ts:inline-or-truststore-public-keys-grouping
| +-- tls12-psks? empty {server-auth-tls12-psk}? | +-- tls12-psks? empty {server-auth-tls12-psk}?
| +-- tls13-epsks? empty {server-auth-tls13-epsk}? | +-- tls13-epsks? empty {server-auth-tls13-epsk}?
+-- hello-params {tlscmn:hello-params}? +-- hello-params {tlscmn:hello-params}?
| +---u tlscmn:hello-params-grouping | +---u tlscmn:hello-params-grouping
+-- keepalives {tls-client-keepalives}? +-- keepalives {tls-client-keepalives}?
+-- peer-allowed-to-send? empty +-- peer-allowed-to-send? empty
+-- test-peer-aliveness! +-- test-peer-aliveness!
+-- max-wait? uint16 +-- max-wait? uint16
+-- max-attempts? uint8 +-- max-attempts? uint8
]]></artwork> ]]></sourcecode>
<t>Comments:</t> <t>Comments:</t>
<ul> <ul>
<li>The "client-identity" node, which is optionally configured (as client <li>The "client-identity" node, which is optionally configured (as client
authentication MAY occur at a higher protocol layer), configures authentication <bcp14>MAY</bcp14> occur at a higher protocol lay er), configures
identity credentials, each enabled by a "feature" statement defi ned in identity credentials, each enabled by a "feature" statement defi ned in
<xref target="client-features"/>.</li> <xref target="client-features"/>.</li>
<li>The "server-authentication" node configures trust anchors for <li>The "server-authentication" node configures trust anchors for
authenticating the TLS server, with each option enabled by a "fe ature" statement.</li> authenticating the TLS server, with each option enabled by a "fe ature" statement.</li>
<li>The "hello-params" node, which must be enabled by a feature, c onfigures <li>The "hello-params" node, which must be enabled by a feature, c onfigures
parameters for the TLS sessions established by this configuratio n.</li> parameters for the TLS sessions established by this configuratio n.</li>
<li>The "keepalives" node, which must be enabled by a feature, con figures <li>The "keepalives" node, which must be enabled by a feature, con figures
a "presence" container for testing the aliveness of the TLS serv er. The a "presence" container to test the aliveness of the TLS server. Th e
aliveness-test occurs at the TLS protocol layer.</li> aliveness-test occurs at the TLS protocol layer.</li>
<li> <li>
<t>For the referenced grouping statement(s): <t>For the referenced grouping statement(s):
</t> </t>
<ul spacing="compact"> <ul spacing="compact">
<li>The "inline-or-keystore-end-entity-cert-with-key-grouping" grouping is <li>The "inline-or-keystore-end-entity-cert-with-key-grouping" grouping is
discussed in <xref section="2.1.3.6" target="I-D.ietf-netcon f-keystore"/>.</li> discussed in <xref section="2.1.3.6" target="RFC9642"/>.</li >
<li>The "inline-or-keystore-asymmetric-key-grouping" grouping is <li>The "inline-or-keystore-asymmetric-key-grouping" grouping is
discussed in <xref section="2.1.3.4" target="I-D.ietf-netcon f-keystore"/>.</li> discussed in <xref section="2.1.3.4" target="RFC9642"/>.</li >
<li>The "inline-or-keystore-symmetric-key-grouping" grouping i s <li>The "inline-or-keystore-symmetric-key-grouping" grouping i s
discussed in <xref section="2.1.3.3" target="I-D.ietf-netcon f-keystore"/>.</li> discussed in <xref section="2.1.3.3" target="RFC9642"/>.</li >
<li>The "inline-or-truststore-certs-grouping" grouping is <li>The "inline-or-truststore-certs-grouping" grouping is
discussed in <xref section="2.1.3.3" target="I-D.ietf-netcon f-trust-anchors"/>.</li> discussed in <xref section="2.1.3.3" target="RFC9641"/>.</li >
<li>The "inline-or-truststore-public-keys-grouping" grouping i s <li>The "inline-or-truststore-public-keys-grouping" grouping i s
discussed in <xref section="2.1.3.4" target="I-D.ietf-netcon f-trust-anchors"/>.</li> discussed in <xref section="2.1.3.4" target="RFC9641"/>.</li >
<li>The "hello-params-grouping" grouping is discussed in <li>The "hello-params-grouping" grouping is discussed in
<xref target="hello-params-grouping"/> in this document.</li> <xref target="hello-params-grouping"/> in this document.</li>
</ul> </ul>
</li> </li>
</ul> </ul>
</section> </section>
</section> </section>
<section toc="exclude"> <section toc="exclude">
<name>Protocol-accessible Nodes</name> <name>Protocol-Accessible Nodes</name>
<t>The "ietf-tls-client" module defines only "grouping" statements tha t are <t>The "ietf-tls-client" module defines only "grouping" statements tha t are
used by other modules to instantiate protocol-accessible nodes. Thus used by other modules to instantiate protocol-accessible nodes. Thus,
this this module does not itself define any protocol-accessible nodes when implement
module, when implemented, does not itself define any protocol-accessib ed.</t>
le nodes.</t>
</section> </section>
</section> </section>
<section anchor="client-examples"> <section anchor="client-examples">
<name>Example Usage</name> <name>Example Usage</name>
<t>This section presents two examples showing the "tls-client-grouping" <t>This section presents two examples showing the "tls-client-grouping"
grouping populated with some data. These examples are effectively the sa me grouping populated with some data. These examples are effectively the sa me
except the first configures the client identity using a local key except the first configures the client identity using a local key
while the second uses a key configured in a keystore. Both examples while the second uses a key configured in a keystore. Both examples
are consistent with the examples presented in are consistent with the examples presented in
<xref section="2.2.1" target="I-D.ietf-netconf-trust-anchors"/> and <xref section="2.2.1" target="RFC9641"/> and
<xref section="2.2.1" target="I-D.ietf-netconf-keystore"/>.</t> <xref section="2.2.1" target="RFC9642"/>.</t>
<t>The following configuration example uses inline-definitions for the <t>The following configuration example uses inline-definitions for the
client identity and server authentication: client identity and server authentication:
</t> </t>
<artwork><![CDATA[ <sourcecode type="xml"><![CDATA[
=============== NOTE: '\' line wrapping per RFC 8792 ================ =============== NOTE: '\' line wrapping per RFC 8792 ================
<!-- The outermost element below doesn't exist in the data model. --> <!-- The outermost element below doesn't exist in the data model. -->
<!-- It simulates if the "grouping" were a "container" instead. --> <!-- It simulates if the "grouping" were a "container" instead. -->
<tls-client <tls-client
xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-client" xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-client"
xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types">
<!-- how this client will authenticate itself to the server --> <!-- how this client will authenticate itself to the server -->
<client-identity> <client-identity>
<certificate> <certificate>
<inline-definition> <inline-definition>
<private-key-format>ct:rsa-private-key-format</priva\ <private-key-format>ct:rsa-private-key-format</priva\
te-key-format> te-key-format>
<cleartext-private-key>BASE64VALUE=</cleartext-priva\ <cleartext-private-key>BASE64VALUE=</cleartext-priva\
te-key> te-key>
<cert-data>BASE64VALUE=</cert-data> <cert-data>BASE64VALUE=</cert-data>
</inline-definition> </inline-definition>
</certificate> </certificate>
skipping to change at line 1097 skipping to change at line 1178
</server-authentication> </server-authentication>
<keepalives> <keepalives>
<test-peer-aliveness> <test-peer-aliveness>
<max-wait>30</max-wait> <max-wait>30</max-wait>
<max-attempts>3</max-attempts> <max-attempts>3</max-attempts>
</test-peer-aliveness> </test-peer-aliveness>
</keepalives> </keepalives>
</tls-client> </tls-client>
]]></artwork> ]]></sourcecode>
<t>The following configuration example uses central-keystore-references for the <t>The following configuration example uses central-keystore-references for the
client identity and central-truststore-references for server authentic ation: client identity and central-truststore-references for server authentic ation
from the keystore: from the keystore:
</t> </t>
<artwork><![CDATA[ <sourcecode type="xml"><![CDATA[
=============== NOTE: '\' line wrapping per RFC 8792 ================ =============== NOTE: '\' line wrapping per RFC 8792 ================
<!-- The outermost element below doesn't exist in the data model. --> <!-- The outermost element below doesn't exist in the data model. -->
<!-- It simulates if the "grouping" were a "container" instead. --> <!-- It simulates if the "grouping" were a "container" instead. -->
<tls-client xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-client"> <tls-client xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-client">
<!-- how this client will authenticate itself to the server --> <!-- how this client will authenticate itself to the server -->
<client-identity> <client-identity>
<certificate> <certificate>
skipping to change at line 1146 skipping to change at line 1227
</server-authentication> </server-authentication>
<keepalives> <keepalives>
<test-peer-aliveness> <test-peer-aliveness>
<max-wait>30</max-wait> <max-wait>30</max-wait>
<max-attempts>3</max-attempts> <max-attempts>3</max-attempts>
</test-peer-aliveness> </test-peer-aliveness>
</keepalives> </keepalives>
</tls-client> </tls-client>
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="client-yang-module"> <section anchor="client-yang-module">
<name>YANG Module</name>
<t>This YANG module has normative references to <xref target="I-D.ietf-n <!--[rfced] Questions re: Sections 3.3 and 4.3.
etconf-trust-anchors"/>
and <xref target="I-D.ietf-netconf-keystore"/>, and Informative refere a) We notice that the two YANG modules ("ietf-tls-client" and
nces to "ietf-tls-server") contain references that are not listed in the
<xref target="RFC5246"/>, <xref target="RFC8446"/>, <xref target="RFC9 references section. Please let us know whether RFCs 5056, 5280, 6520,
258"/> and and 7250 should be listed as normative or informative, and we will add
them accordingly. We would also like to include RFCs 4279 and 9640 as
normative in the list below.
Original:
This YANG module has normative references to
[I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore],
and Informative references to [RFC5246], [RFC8446], [RFC9258] and
[RFC9257].
b) Regarding "for externally established PSKs" (in both modules), should
this be rephrased as "for EPSKs" for consistency as shown below?
Original:
"As per Section 4.2.11 of RFC 8446, for externally
established PSKs, the Hash algorithm MUST be set
when the PSK is established or default to SHA-256
if no such algorithm is defined.
Perhaps:
"As per Section 4.2.11 of RFC 8446, for EPSKs,
the hash algorithm MUST be set when the PSK
is established; otherwise, default to SHA-256
if no such algorithm is defined.
-->
<!--Section 3.3 YANG Module-->
<name>YANG Module</name>
<t>This YANG module has normative references to <xref target="RFC9641"/>
and <xref target="RFC9642"/> and informative references to
<xref target="RFC5246"/>, <xref target="RFC8446"/>, <xref target="RFC9
258"/>, and
<xref target="RFC9257"/>.</t> <xref target="RFC9257"/>.</t>
<t keepWithNext="true">&lt;CODE BEGINS&gt; file "ietf-tls-client@2024-03 <!--[rfced] Please note that we have made some minor updates to the format of ie
-16.yang"</t> tf-tls-client@2024-03-16.yang and ietf-tls-server@2024-03-16.yang to match the f
<artwork><![CDATA[ ormatted output of pyang.
module ietf-tls-client { -->
<sourcecode name="ietf-tls-client@2024-03-16.yang" type="yang" markers="
true"><![CDATA[module ietf-tls-client {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-client"; namespace "urn:ietf:params:xml:ns:yang:ietf-tls-client";
prefix tlsc; prefix tlsc;
import ietf-netconf-acm { import ietf-netconf-acm {
prefix nacm; prefix nacm;
reference reference
"RFC 8341: Network Configuration Access Control Model"; "RFC 8341: Network Configuration Access Control Model";
} }
import ietf-crypto-types { import ietf-crypto-types {
prefix ct; prefix ct;
reference reference
"RFC AAAA: YANG Data Types and Groupings for Cryptography"; "RFC 9640: YANG Data Types and Groupings for Cryptography";
} }
import ietf-truststore { import ietf-truststore {
prefix ts; prefix ts;
reference reference
"RFC BBBB: A YANG Data Model for a Truststore"; "RFC 9641: A YANG Data Model for a Truststore";
} }
import ietf-keystore { import ietf-keystore {
prefix ks; prefix ks;
reference reference
"RFC CCCC: A YANG Data Model for a Keystore"; "RFC 9642: A YANG Data Model for a Keystore and Keystore
Operations";
} }
import ietf-tls-common { import ietf-tls-common {
prefix tlscmn; prefix tlscmn;
reference reference
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; "RFC 9645: YANG Groupings for TLS Clients and TLS Servers";
} }
organization organization
"IETF NETCONF (Network Configuration) Working Group"; "IETF NETCONF (Network Configuration) Working Group";
contact contact
"WG List: NETCONF WG list <mailto:netconf@ietf.org> "WG List: NETCONF WG list <mailto:netconf@ietf.org>
WG Web: https://datatracker.ietf.org/wg/netconf WG Web: https://datatracker.ietf.org/wg/netconf
Author: Kent Watsen <mailto:kent+ietf@watsen.net> Author: Kent Watsen <mailto:kent+ietf@watsen.net>
Author: Jeff Hartley <mailto:intensifysecurity@gmail.com>"; Author: Jeff Hartley <mailto:intensifysecurity@gmail.com>";
description description
"This module defines reusable groupings for TLS clients that "This module defines reusable groupings for TLS clients that
can be used as a basis for specific TLS client instances. can be used as a basis for specific TLS client instances.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all
capitals, as shown here.
Copyright (c) 2024 IETF Trust and the persons identified Copyright (c) 2024 IETF Trust and the persons identified
as authors of the code. All rights reserved. as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Revised subject to the license terms contained in, the Revised
BSD License set forth in Section 4.c of the IETF Trust's BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info). (https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC FFFF This version of this YANG module is part of RFC 9645
(https://www.rfc-editor.org/info/rfcFFFF); see the RFC (https://www.rfc-editor.org/info/rfc9645); see the RFC
itself for full legal notices. itself for full legal notices.";
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all
capitals, as shown here.";
revision 2024-03-16 { revision 2024-03-16 {
description description
"Initial version"; "Initial version";
reference reference
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; "RFC 9645: YANG Groupings for TLS Clients and TLS Servers";
} }
// Features // Features
feature tls-client-keepalives { feature tls-client-keepalives {
description description
"Per socket TLS keepalive parameters are configurable for "Per-socket TLS keepalive parameters are configurable for
TLS clients on the server implementing this feature."; TLS clients on the server implementing this feature.";
} }
feature client-ident-x509-cert { feature client-ident-x509-cert {
description description
"Indicates that the client supports identifying itself "Indicates that the client supports identifying itself
using X.509 certificates."; using X.509 certificates.";
reference reference
"RFC 5280: "RFC 5280:
Internet X.509 Public Key Infrastructure Certificate Internet X.509 Public Key Infrastructure Certificate
skipping to change at line 1264 skipping to change at line 1373
reference reference
"RFC 7250: "RFC 7250:
Using Raw Public Keys in Transport Layer Security (TLS) Using Raw Public Keys in Transport Layer Security (TLS)
and Datagram Transport Layer Security (DTLS)"; and Datagram Transport Layer Security (DTLS)";
} }
feature client-ident-tls12-psk { feature client-ident-tls12-psk {
if-feature "tlscmn:tls12"; if-feature "tlscmn:tls12";
description description
"Indicates that the client supports identifying itself "Indicates that the client supports identifying itself
using TLS-1.2 PSKs (pre-shared or pairwise-symmetric keys)."; using TLS 1.2 PSKs (pre-shared or pairwise symmetric keys).";
reference reference
"RFC 4279: "RFC 4279:
Pre-Shared Key Ciphersuites for Transport Layer Security Pre-Shared Key Ciphersuites for Transport Layer Security
(TLS)"; (TLS)";
} }
feature client-ident-tls13-epsk { feature client-ident-tls13-epsk {
if-feature "tlscmn:tls13"; if-feature "tlscmn:tls13";
description description
"Indicates that the client supports identifying itself "Indicates that the client supports identifying itself
using TLS-1.3 External PSKs (pre-shared keys)."; using TLS 1.3 External PSKs (pre-shared keys).";
reference reference
"RFC 8446: "RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
feature server-auth-x509-cert { feature server-auth-x509-cert {
description description
"Indicates that the client supports authenticating servers "Indicates that the client supports authenticating servers
using X.509 certificates."; using X.509 certificates.";
reference reference
skipping to change at line 1304 skipping to change at line 1413
using raw public keys."; using raw public keys.";
reference reference
"RFC 7250: "RFC 7250:
Using Raw Public Keys in Transport Layer Security (TLS) Using Raw Public Keys in Transport Layer Security (TLS)
and Datagram Transport Layer Security (DTLS)"; and Datagram Transport Layer Security (DTLS)";
} }
feature server-auth-tls12-psk { feature server-auth-tls12-psk {
description description
"Indicates that the client supports authenticating servers "Indicates that the client supports authenticating servers
using PSKs (pre-shared or pairwise-symmetric keys)."; using PSKs (pre-shared or pairwise symmetric keys).";
reference reference
"RFC 4279: "RFC 4279:
Pre-Shared Key Ciphersuites for Transport Layer Security Pre-Shared Key Ciphersuites for Transport Layer Security
(TLS)"; (TLS)";
} }
feature server-auth-tls13-epsk { feature server-auth-tls13-epsk {
description description
"Indicates that the client supports authenticating servers "Indicates that the client supports authenticating servers
using TLS-1.3 External PSKs (pre-shared keys)."; using TLS 1.3 External PSKs (pre-shared keys).";
reference reference
"RFC 8446: "RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
// Groupings // Groupings
grouping tls-client-grouping { grouping tls-client-grouping {
description description
"A reusable grouping for configuring a TLS client without "A reusable grouping for configuring a TLS client without
skipping to change at line 1336 skipping to change at line 1445
established. established.
Note that this grouping uses fairly typical descendant Note that this grouping uses fairly typical descendant
node names such that a stack of 'uses' statements will node names such that a stack of 'uses' statements will
have name conflicts. It is intended that the consuming have name conflicts. It is intended that the consuming
data model will resolve the issue (e.g., by wrapping data model will resolve the issue (e.g., by wrapping
the 'uses' statement in a container called the 'uses' statement in a container called
'tls-client-parameters'). This model purposely does 'tls-client-parameters'). This model purposely does
not do this itself so as to provide maximum flexibility not do this itself so as to provide maximum flexibility
to consuming models."; to consuming models.";
container client-identity { container client-identity {
nacm:default-deny-write; nacm:default-deny-write;
presence presence "Indicates that a TLS-level client identity has been
"Indicates that a TLS-level client identity has been configured. This statement is present so the
configured. This statement is present so the mandatory mandatory descendant nodes do not imply that this
descendant do not imply that this node must be configured."; node must be configured.";
description description
"Identity credentials the TLS client MAY present when "Identity credentials the TLS client MAY present when
establishing a connection to a TLS server. If not establishing a connection to a TLS server. If not
configured, then client authentication is presumed to configured, then client authentication is presumed to
occur in a protocol layer above TLS. When configured, occur in a protocol layer above TLS. When configured,
and requested by the TLS server when establishing a and requested by the TLS server when establishing a
TLS session, these credentials are passed in the TLS session, these credentials are passed in the
Certificate message defined in Section 7.4.2 of Certificate message defined in Section 7.4.2 of
RFC 5246 and Section 4.4.2 in RFC 8446."; RFC 5246 and Section 4.4.2 of RFC 8446.";
reference reference
"RFC 5246: The Transport Layer Security (TLS) "RFC 5246: The Transport Layer Security (TLS)
Protocol Version 1.2 Protocol Version 1.2
RFC 8446: The Transport Layer Security (TLS) RFC 8446: The Transport Layer Security (TLS)
Protocol Version 1.3 Protocol Version 1.3
RFC CCCC: A YANG Data Model for a Keystore"; RFC 9642: A YANG Data Model for a Keystore and Keystore
Operations";
choice auth-type { choice auth-type {
mandatory true; mandatory true;
description description
"A choice amongst authentication types, of which one must "A choice amongst authentication types, of which one must
be enabled (via its associated 'feature') and selected."; be enabled (via its associated 'feature') and selected.";
case certificate { case certificate {
if-feature "client-ident-x509-cert"; if-feature "client-ident-x509-cert";
container certificate { container certificate {
description description
"Specifies the client identity using a certificate."; "Specifies the client identity using a certificate.";
uses uses "ks:inline-or-keystore-end-entity-cert-with-key-"
"ks:inline-or-keystore-end-entity-cert-with-key-" + "grouping" {
+ "grouping" {
refine "inline-or-keystore/inline/inline-definition" { refine "inline-or-keystore/inline/inline-definition" {
must 'not(public-key-format) or derived-from-or-self' must 'not(public-key-format) or derived-from-or-self'
+ '(public-key-format, "ct:subject-public-key-' + '(public-key-format, "ct:subject-public-key-'
+ 'info-format")'; + 'info-format")';
} }
refine "inline-or-keystore/central-keystore/" refine "inline-or-keystore/central-keystore/"
+ "central-keystore-reference/asymmetric-key" { + "central-keystore-reference/asymmetric-key" {
must 'not(deref(.)/../ks:public-key-format) or ' must 'not(deref(.)/../ks:public-key-format) or '
+ 'derived-from-or-self(deref(.)/../ks:public-' + 'derived-from-or-self(deref(.)/../ks:public-'
+ 'key-format, "ct:subject-public-key-info-' + 'key-format, "ct:subject-public-key-info-'
skipping to change at line 1413 skipping to change at line 1521
+ 'format")'; + 'format")';
} }
} }
} }
} }
case tls12-psk { case tls12-psk {
if-feature "client-ident-tls12-psk"; if-feature "client-ident-tls12-psk";
container tls12-psk { container tls12-psk {
description description
"Specifies the client identity using a PSK (pre-shared "Specifies the client identity using a PSK (pre-shared
or pairwise-symmetric key)."; or pairwise symmetric key).";
uses ks:inline-or-keystore-symmetric-key-grouping; uses ks:inline-or-keystore-symmetric-key-grouping;
leaf id { leaf id {
type string; type string;
description description
"The key 'psk_identity' value used in the TLS "The key 'psk_identity' value used in the TLS
'ClientKeyExchange' message."; 'ClientKeyExchange' message.";
reference reference
"RFC 4279: Pre-Shared Key Ciphersuites for "RFC 4279: Pre-Shared Key Ciphersuites for
Transport Layer Security (TLS)"; Transport Layer Security (TLS)";
} }
} }
} }
case tls13-epsk { case tls13-epsk {
if-feature "client-ident-tls13-epsk"; if-feature "client-ident-tls13-epsk";
container tls13-epsk { container tls13-epsk {
description description
"An External Pre-Shared Key (EPSK) is established "An External Pre-Shared Key (EPSK) is established
or provisioned out-of-band, i.e., not from a TLS or provisioned out of band, i.e., not from a TLS
connection. An EPSK is a tuple of (Base Key, connection. An EPSK is a tuple of (Base Key,
External Identity, Hash). External PSKs MUST NOT External Identity, Hash). EPSKs MUST NOT be
be imported for (D)TLS 1.2 or prior versions. When imported for (D)TLS 1.2 or prior versions. When
PSKs are provisioned out of band, the PSK identity PSKs are provisioned out of band, the PSK identity
and the KDF hash algorithm to be used with the PSK and the Key Derivation Function (KDF) hash algorithm
MUST also be provisioned. to be used with the PSK MUST also be provisioned.
The structure of this container is designed to The structure of this container is designed to satisfy
satisfy the requirements of RFC 8446 Section the requirements in Section 4.2.11 of RFC 8446, the
4.2.11, the recommendations from Section 6 in recommendations from Section 6 of RFC 9257, and the
RFC 9257, and the EPSK input fields detailed in EPSK input fields detailed in Section 5.1 of RFC 9258.
Section 5.1 in RFC 9258. The base-key is based The base-key is based upon
upon ks:inline-or-keystore-symmetric-key-grouping 'ks:inline-or-keystore-symmetric-key-grouping' in
in order to provide users with flexible and order to provide users with flexible and secure
secure storage options."; storage options.";
reference reference
"RFC 8446: The Transport Layer Security (TLS) "RFC 8446: The Transport Layer Security (TLS)
Protocol Version 1.3 Protocol Version 1.3
RFC 9257: Guidance for External Pre-Shared Key RFC 9257: Guidance for External Pre-Shared Key
(PSK) Usage in TLS (PSK) Usage in TLS
RFC 9258: Importing External Pre-Shared Keys RFC 9258: Importing External Pre-Shared Keys
(PSKs) for TLS 1.3"; (PSKs) for TLS 1.3";
uses ks:inline-or-keystore-symmetric-key-grouping; uses ks:inline-or-keystore-symmetric-key-grouping;
leaf external-identity { leaf external-identity {
type string; type string;
mandatory true; mandatory true;
description description
"As per Section 4.2.11 of RFC 8446, and Section 4.1 "As per Section 4.2.11 of RFC 8446 and Section 4.1
of RFC 9257, a sequence of bytes used to identify of RFC 9257, a sequence of bytes used to identify
an EPSK. A label for a pre-shared key established an EPSK. A label for a pre-shared key established
externally."; externally.";
reference reference
"RFC 8446: The Transport Layer Security (TLS) "RFC 8446: The Transport Layer Security (TLS)
Protocol Version 1.3 Protocol Version 1.3
RFC 9257: Guidance for External Pre-Shared Key RFC 9257: Guidance for External Pre-Shared Key
(PSK) Usage in TLS"; (PSK) Usage in TLS";
} }
leaf hash { leaf hash {
type tlscmn:epsk-supported-hash; type tlscmn:epsk-supported-hash;
default sha-256; default "sha-256";
description description
"As per Section 4.2.11 of RFC 8446, for externally "As per Section 4.2.11 of RFC 8446, for externally
established PSKs, the Hash algorithm MUST be set established PSKs, the hash algorithm MUST be set
when the PSK is established or default to SHA-256 when the PSK is established; otherwise, default to
if no such algorithm is defined. The server MUST SHA-256 if no such algorithm is defined. The server
ensure that it selects a compatible PSK (if any) MUST ensure that it selects a compatible PSK (if
and cipher suite. Each PSK MUST only be used with any) and cipher suite. Each PSK MUST only be used
a single hash function."; with a single hash function.";
reference reference
"RFC 8446: The Transport Layer Security (TLS) "RFC 8446: The Transport Layer Security (TLS)
Protocol Version 1.3"; Protocol Version 1.3";
} }
leaf context { leaf context {
type string; type string;
description description
"Per Section 5.1 of RFC 9258, context MUST include "As per Section 5.1 of RFC 9258, context MUST
the context used to determine the EPSK, if include the context used to determine the EPSK,
any exists. For example, context may include if any exists. For example, context may include
information about peer roles or identities information about peer roles or identities
to mitigate Selfie-style reflection attacks. to mitigate Selfie-style reflection attacks.
Since the EPSK is a key derived from an external Since the EPSK is a key derived from an external
protocol or sequence of protocols, context MUST protocol or a sequence of protocols, context MUST
include a channel binding for the deriving include a channel binding for the deriving
protocols [RFC5056]. The details of this protocols (see RFC 5056). The details of this
binding are protocol specfic and out of scope binding are protocol specific and out of scope
for this document."; for this document.";
reference reference
"RFC 9258: Importing External Pre-Shared Keys "RFC 9258: Importing External Pre-Shared Keys
(PSKs) for TLS 1.3"; (PSKs) for TLS 1.3";
} }
leaf target-protocol { leaf target-protocol {
type uint16; type uint16;
description description
"As per Section 3 of RFC 9258, the protocol "As per Section 3 of RFC 9258, the protocol
for which a PSK is imported for use."; for which a PSK is imported for use.";
reference reference
"RFC 9258: Importing External Pre-Shared Keys "RFC 9258: Importing External Pre-Shared Keys
(PSKs) for TLS 1.3"; (PSKs) for TLS 1.3";
} }
leaf target-kdf { leaf target-kdf {
type uint16; type uint16;
description description
"As per Section 3 of RFC 9258, the KDF for "As per Section 3 of RFC 9258, the Key Derivation
which a PSK is imported for use."; Function (KDF) for which a PSK is imported for
use.";
reference reference
"RFC 9258: Importing External Pre-Shared Keys "RFC 9258: Importing External Pre-Shared Keys
(PSKs) for TLS 1.3"; (PSKs) for TLS 1.3";
} }
} }
} }
} }
} // container client-identity } // container client-identity
container server-authentication { container server-authentication {
nacm:default-deny-write; nacm:default-deny-write;
must 'ca-certs or ee-certs or raw-public-keys or tls12-psks must "ca-certs or ee-certs or raw-public-keys or tls12-psks
or tls13-epsks'; or tls13-epsks";
description description
"Specifies how the TLS client can authenticate TLS servers. "Specifies how the TLS client can authenticate TLS servers.
Any combination of credentials is additive and unordered. Any combination of credentials is additive and unordered.
Note that no configuration is required for PSK (pre-shared Note that no configuration is required for authentication
or pairwise-symmetric key) based authentication as the key based on PSK (pre-shared or pairwise symmetric key) as
is necessarily the same as configured in the '../client- the key is necessarily the same as configured in the
identity' node."; '../client-identity' node.";
container ca-certs { container ca-certs {
if-feature "server-auth-x509-cert"; if-feature "server-auth-x509-cert";
presence presence "Indicates that certificate authority (CA)
"Indicates that CA certificates have been configured. certificates have been configured. This
This statement is present so the mandatory descendant statement is present so the mandatory
nodes do not imply that this node must be configured."; descendant nodes do not imply that this
node must be configured.";
description description
"A set of certificate authority (CA) certificates used by "A set of CA certificates used by the TLS client to
the TLS client to authenticate TLS server certificates. authenticate TLS server certificates. A server
A server certificate is authenticated if it has a valid certificate is authenticated if it has a valid chain of
chain of trust to a configured CA certificate."; trust to a configured CA certificate.";
reference reference
"RFC BBBB: A YANG Data Model for a Truststore"; "RFC 9641: A YANG Data Model for a Truststore";
uses ts:inline-or-truststore-certs-grouping; uses ts:inline-or-truststore-certs-grouping;
} }
container ee-certs { container ee-certs {
if-feature "server-auth-x509-cert"; if-feature "server-auth-x509-cert";
presence presence "Indicates that End-Entity (EE) certificates have
"Indicates that EE certificates have been configured. been configured. This statement is present so
This statement is present so the mandatory descendant the mandatory descendant nodes do not imply
nodes do not imply that this node must be configured."; that this node must be configured.";
description description
"A set of server certificates (i.e., end entity "A set of server certificates (i.e., EE certificates) used
certificates) used by the TLS client to authenticate by the TLS client to authenticate certificates presented
certificates presented by TLS servers. A server by TLS servers. A server certificate is authenticated if
certificate is authenticated if it is an exact it is an exact match to a configured server certificate.";
match to a configured server certificate.";
reference reference
"RFC BBBB: A YANG Data Model for a Truststore"; "RFC 9641: A YANG Data Model for a Truststore";
uses ts:inline-or-truststore-certs-grouping; uses ts:inline-or-truststore-certs-grouping;
} }
container raw-public-keys { container raw-public-keys {
if-feature "server-auth-raw-public-key"; if-feature "server-auth-raw-public-key";
presence presence "Indicates that raw public keys have been
"Indicates that raw public keys have been configured. configured. This statement is present so
This statement is present so the mandatory descendant the mandatory descendant nodes do not imply
nodes do not imply that this node must be configured."; that this node must be configured.";
description description
"A set of raw public keys used by the TLS client to "A set of raw public keys used by the TLS client to
authenticate raw public keys presented by the TLS authenticate raw public keys presented by the TLS
server. A raw public key is authenticated if it server. A raw public key is authenticated if it
is an exact match to a configured raw public key."; is an exact match to a configured raw public key.";
reference reference
"RFC BBBB: A YANG Data Model for a Truststore"; "RFC 9641: A YANG Data Model for a Truststore";
uses ts:inline-or-truststore-public-keys-grouping { uses ts:inline-or-truststore-public-keys-grouping {
refine "inline-or-truststore/inline/inline-definition/" refine "inline-or-truststore/inline/inline-definition/"
+ "public-key" { + "public-key" {
must 'derived-from-or-self(public-key-format,' must 'derived-from-or-self(public-key-format,'
+ ' "ct:subject-public-key-info-format")'; + ' "ct:subject-public-key-info-format")';
} }
refine "inline-or-truststore/central-truststore/" refine "inline-or-truststore/central-truststore/"
+ "central-truststore-reference" { + "central-truststore-reference" {
must 'not(deref(.)/../ts:public-key/ts:public-key-' must 'not(deref(.)/../ts:public-key/ts:public-key-'
+ 'format[not(derived-from-or-self(., "ct:subject-' + 'format[not(derived-from-or-self(., "ct:subject-'
+ 'public-key-info-format"))])'; + 'public-key-info-format"))])';
} }
} }
} }
leaf tls12-psks { leaf tls12-psks {
if-feature "server-auth-tls12-psk"; if-feature "server-auth-tls12-psk";
type empty; type empty;
description description
"Indicates that the TLS client can authenticate TLS servers "Indicates that the TLS client can authenticate TLS servers
using configured PSKs (pre-shared or pairwise-symmetric using configured PSKs (pre-shared or pairwise symmetric
keys). keys).
No configuration is required since the PSK value is the No configuration is required since the PSK value is the
same as PSK value configured in the 'client-identity' same as the PSK value configured in the 'client-identity'
node."; node.";
} }
leaf tls13-epsks { leaf tls13-epsks {
if-feature "server-auth-tls13-epsk"; if-feature "server-auth-tls13-epsk";
type empty; type empty;
description description
"Indicates that the TLS client can authenticate TLS servers "Indicates that the TLS client can authenticate TLS servers
using configured external PSKs (pre-shared keys). using configured external PSKs (pre-shared keys).
No configuration is required since the PSK value is the No configuration is required since the PSK value is the
same as PSK value configured in the 'client-identity' same as the PSK value configured in the 'client-identity'
node."; node.";
} }
} // container server-authentication } // container server-authentication
container hello-params { container hello-params {
nacm:default-deny-write; nacm:default-deny-write;
if-feature "tlscmn:hello-params"; if-feature "tlscmn:hello-params";
uses tlscmn:hello-params-grouping; uses tlscmn:hello-params-grouping;
description description
"Configurable parameters for the TLS hello message."; "Configurable parameters for the TLS hello message.";
} // container hello-params } // container hello-params
container keepalives { container keepalives {
nacm:default-deny-write; nacm:default-deny-write;
if-feature "tls-client-keepalives"; if-feature "tls-client-keepalives";
description description
"Configures the keepalive policy for the TLS client."; "Configures the keepalive policy for the TLS client.";
leaf peer-allowed-to-send { leaf peer-allowed-to-send {
type empty; type empty;
description description
"Indicates that the remote TLS server is allowed to send "Indicates that the remote TLS server is allowed to send
HeartbeatRequest messages, as defined by RFC 6520 HeartbeatRequest messages, as defined by RFC 6520,
to this TLS client."; to this TLS client.";
reference reference
"RFC 6520: Transport Layer Security (TLS) and Datagram "RFC 6520: Transport Layer Security (TLS) and Datagram
Transport Layer Security (DTLS) Heartbeat Extension"; Transport Layer Security (DTLS) Heartbeat Extension";
} }
container test-peer-aliveness { container test-peer-aliveness {
presence presence "Indicates that the TLS client proactively tests the
"Indicates that the TLS client proactively tests the aliveness of the remote TLS server.";
aliveness of the remote TLS server.";
description description
"Configures the keep-alive policy to proactively test "Configures the keep-alive policy to proactively test
the aliveness of the TLS server. An unresponsive the aliveness of the TLS server. An unresponsive
TLS server is dropped after approximately max-wait TLS server is dropped after approximately max-wait
* max-attempts seconds. The TLS client MUST send * max-attempts seconds. The TLS client MUST send
HeartbeatRequest messages, as defined by RFC 6520."; HeartbeatRequest messages, as defined in RFC 6520.";
reference reference
"RFC 6520: Transport Layer Security (TLS) and Datagram "RFC 6520: Transport Layer Security (TLS) and Datagram
Transport Layer Security (DTLS) Heartbeat Extension"; Transport Layer Security (DTLS) Heartbeat Extension";
leaf max-wait { leaf max-wait {
type uint16 { type uint16 {
range "1..max"; range "1..max";
} }
units "seconds"; units "seconds";
default "30"; default "30";
description description
"Sets the amount of time in seconds after which if "Sets the amount of time in seconds, after which a
no data has been received from the TLS server, a
TLS-level message will be sent to test the TLS-level message will be sent to test the
aliveness of the TLS server."; aliveness of the TLS server if no data has been
received from the TLS server.";
} }
leaf max-attempts { leaf max-attempts {
type uint8; type uint8;
default "3"; default "3";
description description
"Sets the maximum number of sequential keep-alive "Sets the maximum number of sequential keep-alive
messages that can fail to obtain a response from messages that can fail to obtain a response from
the TLS server before assuming the TLS server is the TLS server before assuming the TLS server is
no longer alive."; no longer alive.";
} }
} }
} }
} // grouping tls-client-grouping } // grouping tls-client-grouping
} }
]]></artwork> ]]>
<t keepWithPrevious="true">&lt;CODE ENDS&gt;</t> </sourcecode>
</section> </section>
</section> </section>
<section anchor="tls-server-model"> <section anchor="tls-server-model">
<name>The "ietf-tls-server" Module</name> <name>The "ietf-tls-server" Module</name>
<t>This section defines a YANG 1.1 module called <t>This section defines a YANG 1.1 module called
"ietf-tls-server". A high-level overview of the module is provided in "ietf-tls-server". A high-level overview of the module is provided in
<xref target="server-overview"/>. Examples illustrating the module's use <xref target="server-overview"/>. Examples illustrating the module's use
are provided in <xref target="server-examples">Examples</xref>. The YANG are provided in <xref target="server-examples"/> ("Example Usage"). The YANG
module itself is defined in <xref target="server-yang-module"/>.</t> module itself is defined in <xref target="server-yang-module"/>.</t>
<section anchor="server-overview"> <section anchor="server-overview">
<name>Data Model Overview</name> <name>Data Model Overview</name>
<t>This section provides an overview of the "ietf-tls-server" module <t>This section provides an overview of the "ietf-tls-server" module
in terms of its features and groupings.</t> in terms of its features and groupings.</t>
<section anchor="server-features" toc="exclude"> <section anchor="server-features" toc="exclude">
<name>Features</name> <name>Features</name>
<t>The following diagram lists all the "feature" statements <t>The following diagram lists all the "feature" statements
defined in the "ietf-tls-server" module:</t> defined in the "ietf-tls-server" module:</t>
<artwork><![CDATA[ <sourcecode type="yangtree"><![CDATA[
Features: Features:
+-- tls-server-keepalives +-- tls-server-keepalives
+-- server-ident-x509-cert +-- server-ident-x509-cert
+-- server-ident-raw-public-key +-- server-ident-raw-public-key
+-- server-ident-psk +-- server-ident-psk
+-- client-auth-supported +-- client-auth-supported
+-- client-auth-x509-cert +-- client-auth-x509-cert
+-- client-auth-raw-public-key +-- client-auth-raw-public-key
+-- client-auth-psk +-- client-auth-psk
]]></artwork> ]]></sourcecode>
<t>The diagram above uses syntax that is similar to but not <t>The diagram above uses syntax that is similar to but not
defined in <xref target="RFC8340"/>.</t> defined in <xref target="RFC8340"/>.</t>
<t>Please refer to the YANG module for a description of each feature.< /t> <t>Please refer to the YANG module for a description of each feature.< /t>
</section> </section>
<section toc="exclude"> <section toc="exclude">
<name>Groupings</name> <name>Groupings</name>
<t>The "ietf-tls-server" module defines the following "grouping" state ment:</t> <t>The "ietf-tls-server" module defines the following "grouping" state ment:</t>
<ul spacing="compact"> <ul spacing="compact">
<li>tls-server-grouping</li> <li>tls-server-grouping</li>
</ul> </ul>
<t>This grouping is presented in the following subsection.</t> <t>This grouping is presented in the following subsection.</t>
<section anchor="tls-server-grouping"> <section anchor="tls-server-grouping">
<name>The "tls-server-grouping" Grouping</name> <name>The "tls-server-grouping" Grouping</name>
<t>The following tree diagram <xref target="RFC8340"/> illustrates t he <t>The following tree diagram <xref target="RFC8340"/> illustrates t he
"tls-server-grouping" grouping:</t> "tls-server-grouping" grouping:</t>
<artwork><![CDATA[ <sourcecode type="yangtree"><![CDATA[
=============== NOTE: '\' line wrapping per RFC 8792 ================ =============== NOTE: '\' line wrapping per RFC 8792 ================
grouping tls-server-grouping: grouping tls-server-grouping:
+-- server-identity +-- server-identity
| +-- (auth-type) | +-- (auth-type)
| +--:(certificate) {server-ident-x509-cert}? | +--:(certificate) {server-ident-x509-cert}?
| | +-- certificate | | +-- certificate
| | +---u ks:inline-or-keystore-end-entity-cert-with-key\ | | +---u ks:inline-or-keystore-end-entity-cert-with-key\
-grouping -grouping
| +--:(raw-private-key) {server-ident-raw-public-key}? | +--:(raw-private-key) {server-ident-raw-public-key}?
skipping to change at line 1774 skipping to change at line 1880
| | +---u ts:inline-or-truststore-public-keys-grouping | | +---u ts:inline-or-truststore-public-keys-grouping
| +-- tls12-psks? empty {client-auth-tls12-psk}? | +-- tls12-psks? empty {client-auth-tls12-psk}?
| +-- tls13-epsks? empty {client-auth-tls13-epsk}? | +-- tls13-epsks? empty {client-auth-tls13-epsk}?
+-- hello-params {tlscmn:hello-params}? +-- hello-params {tlscmn:hello-params}?
| +---u tlscmn:hello-params-grouping | +---u tlscmn:hello-params-grouping
+-- keepalives {tls-server-keepalives}? +-- keepalives {tls-server-keepalives}?
+-- peer-allowed-to-send? empty +-- peer-allowed-to-send? empty
+-- test-peer-aliveness! +-- test-peer-aliveness!
+-- max-wait? uint16 +-- max-wait? uint16
+-- max-attempts? uint8 +-- max-attempts? uint8
]]></artwork> ]]></sourcecode>
<t>Comments:</t> <t>Comments:</t>
<ul> <ul>
<li>The "server-identity" node configures identity credentials, ea ch of <li>The "server-identity" node configures identity credentials, ea ch of
which is enabled by a "feature".</li> which is enabled by a "feature".</li>
<li>The "client-authentication" node, which is optionally configur ed (as client <li>The "client-authentication" node, which is optionally configur ed (as client
authentication MAY occur at a higher protocol layer), configures trust authentication <bcp14>MAY</bcp14> occur at a higher protocol lay er), configures trust
anchors for authenticating the TLS client, with each option enab led anchors for authenticating the TLS client, with each option enab led
by a "feature" statement.</li> by a "feature" statement.</li>
<li>The "hello-params" node, which must be enabled by a feature, c onfigures <li>The "hello-params" node, which must be enabled by a feature, c onfigures
parameters for the TLS sessions established by this configuratio n.</li> parameters for the TLS sessions established by this configuratio n.</li>
<li>The "keepalives" node, which must be enabled by a feature, con figures <li>The "keepalives" node, which must be enabled by a feature, con figures
a flag enabling the TLS client to test the aliveness of the TLS a flag enabling the TLS client to test the aliveness of the TLS
server, server
as well as a "presence" container for testing the aliveness of t as well as a "presence" container to test the aliveness of the T
he TLS LS
client. The aliveness-tests occurs at the TLS protocol layer.</ client. The aliveness-tests occur at the TLS protocol layer.</l
li> i>
<li> <li>
<t>For the referenced grouping statement(s): <t>For the referenced grouping statement(s):
</t> </t>
<ul spacing="compact"> <ul spacing="compact">
<li>The "inline-or-keystore-end-entity-cert-with-key-grouping" grouping is <li>The "inline-or-keystore-end-entity-cert-with-key-grouping" grouping is
discussed in <xref section="2.1.3.6" target="I-D.ietf-netcon f-keystore"/>.</li> discussed in <xref section="2.1.3.6" target="RFC9642"/>.</li >
<li>The "inline-or-keystore-asymmetric-key-grouping" grouping is <li>The "inline-or-keystore-asymmetric-key-grouping" grouping is
discussed in <xref section="2.1.3.4" target="I-D.ietf-netcon f-keystore"/>.</li> discussed in <xref section="2.1.3.4" target="RFC9642"/>.</li >
<li>The "inline-or-keystore-symmetric-key-grouping" grouping i s <li>The "inline-or-keystore-symmetric-key-grouping" grouping i s
discussed in <xref section="2.1.3.3" target="I-D.ietf-netcon f-keystore"/>.</li> discussed in <xref section="2.1.3.3" target="RFC9642"/>.</li >
<li>The "inline-or-truststore-public-keys-grouping" grouping i s <li>The "inline-or-truststore-public-keys-grouping" grouping i s
discussed in <xref section="2.1.3.4" target="I-D.ietf-netcon f-trust-anchors"/>.</li> discussed in <xref section="2.1.3.4" target="RFC9641"/>.</li >
<li>The "inline-or-truststore-certs-grouping" grouping is <li>The "inline-or-truststore-certs-grouping" grouping is
discussed in <xref section="2.1.3.3" target="I-D.ietf-netcon f-trust-anchors"/>.</li> discussed in <xref section="2.1.3.3" target="RFC9641"/>.</li >
<li>The "hello-params-grouping" grouping is discussed in <li>The "hello-params-grouping" grouping is discussed in
<xref target="hello-params-grouping"/> in this document.</li> <xref target="hello-params-grouping"/> in this document.</li>
</ul> </ul>
</li> </li>
</ul> </ul>
</section> </section>
</section> </section>
<section toc="exclude"> <section toc="exclude">
<name>Protocol-accessible Nodes</name> <name>Protocol-Accessible Nodes</name>
<t>The "ietf-tls-server" module defines only "grouping" statements tha t are <t>The "ietf-tls-server" module defines only "grouping" statements tha t are
used by other modules to instantiate protocol-accessible nodes. Thus used by other modules to instantiate protocol-accessible nodes. Thus,
this this
module, when implemented, does not itself define any protocol-accessib module does not itself define any protocol-accessible nodes when imple
le nodes.</t> mented.</t>
</section> </section>
</section> </section>
<section anchor="server-examples"> <section anchor="server-examples">
<name>Example Usage</name> <name>Example Usage</name>
<t>This section presents two examples showing the "tls-server-grouping" <t>This section presents two examples showing the "tls-server-grouping"
grouping populated with some data. These examples are effectively the sa me grouping populated with some data. These examples are effectively the sa me
except the first configures the server identity using a local key except the first configures the server identity using a local key
while the second uses a key configured in a keystore. Both examples while the second uses a key configured in a keystore. Both examples
are consistent with the examples presented in are consistent with the examples presented in
<xref section="2.2.1" target="I-D.ietf-netconf-trust-anchors"/> and <xref section="2.2.1" target="RFC9641"/> and
<xref section="2.2.1" target="I-D.ietf-netconf-keystore"/>.</t> <xref section="2.2.1" target="RFC9642"/>.</t>
<t>The following configuration example uses inline-definitions for the <t>The following configuration example uses inline-definitions for the
server identity and client authentication: server identity and client authentication:
</t> </t>
<artwork><![CDATA[ <sourcecode type="xml"><![CDATA[
=============== NOTE: '\' line wrapping per RFC 8792 ================ =============== NOTE: '\' line wrapping per RFC 8792 ================
<!-- The outermost element below doesn't exist in the data model. --> <!-- The outermost element below doesn't exist in the data model. -->
<!-- It simulates if the "grouping" were a "container" instead. --> <!-- It simulates if the "grouping" were a "container" instead. -->
<tls-server <tls-server
xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-server" xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-server"
xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types">
<!-- how this server will authenticate itself to the client --> <!-- how this server will authenticate itself to the client -->
skipping to change at line 1903 skipping to change at line 2009
</raw-public-keys> </raw-public-keys>
<tls12-psks/> <tls12-psks/>
<tls13-epsks/> <tls13-epsks/>
</client-authentication> </client-authentication>
<keepalives> <keepalives>
<peer-allowed-to-send/> <peer-allowed-to-send/>
</keepalives> </keepalives>
</tls-server> </tls-server>
]]></artwork> ]]></sourcecode>
<t>The following configuration example uses central-keystore-references for the <t>The following configuration example uses central-keystore-references for the
server identity and central-truststore-references for client authentic ation: server identity and central-truststore-references for client authentic ation
from the keystore: from the keystore:
</t> </t>
<artwork><![CDATA[ <sourcecode type="xml"><![CDATA[
=============== NOTE: '\' line wrapping per RFC 8792 ================ =============== NOTE: '\' line wrapping per RFC 8792 ================
<!-- The outermost element below doesn't exist in the data model. --> <!-- The outermost element below doesn't exist in the data model. -->
<!-- It simulates if the "grouping" were a "container" instead. --> <!-- It simulates if the "grouping" were a "container" instead. -->
<tls-server xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-server"> <tls-server xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-server">
<!-- how this server will authenticate itself to the client --> <!-- how this server will authenticate itself to the client -->
<server-identity> <server-identity>
<certificate> <certificate>
skipping to change at line 1949 skipping to change at line 2055
</raw-public-keys> </raw-public-keys>
<tls12-psks/> <tls12-psks/>
<tls13-epsks/> <tls13-epsks/>
</client-authentication> </client-authentication>
<keepalives> <keepalives>
<peer-allowed-to-send/> <peer-allowed-to-send/>
</keepalives> </keepalives>
</tls-server> </tls-server>
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="server-yang-module"> <section anchor="server-yang-module">
<name>YANG Module</name> <name>YANG Module</name>
<t>This YANG module has normative references to <xref target="I-D.ietf-n
etconf-trust-anchors"/> <t>This YANG module has normative references to <xref target="RFC9641"/>
and <xref target="I-D.ietf-netconf-keystore"/>, and Informative refere and <xref target="RFC9642"/> and informative references to
nces to <xref target="RFC5246"/>, <xref target="RFC8446"/>, <xref target="RFC9
<xref target="RFC5246"/>, <xref target="RFC8446"/>, <xref target="RFC9 258"/>, and
258"/> and
<xref target="RFC9257"/>.</t> <xref target="RFC9257"/>.</t>
<t keepWithNext="true">&lt;CODE BEGINS&gt; file "ietf-tls-server@2024-03
-16.yang"</t> <!--Section 4.3 YANG Module-->
<artwork><![CDATA[ <sourcecode name="ietf-tls-server@2024-03-16.yang" type="yang" markers="
true"><![CDATA[
module ietf-tls-server { module ietf-tls-server {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server"; namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server";
prefix tlss; prefix tlss;
import ietf-netconf-acm { import ietf-netconf-acm {
prefix nacm; prefix nacm;
reference reference
"RFC 8341: Network Configuration Access Control Model"; "RFC 8341: Network Configuration Access Control Model";
} }
skipping to change at line 1969 skipping to change at line 2077
module ietf-tls-server { module ietf-tls-server {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server"; namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server";
prefix tlss; prefix tlss;
import ietf-netconf-acm { import ietf-netconf-acm {
prefix nacm; prefix nacm;
reference reference
"RFC 8341: Network Configuration Access Control Model"; "RFC 8341: Network Configuration Access Control Model";
} }
import ietf-crypto-types { import ietf-crypto-types {
prefix ct; prefix ct;
reference reference
"RFC AAAA: YANG Data Types and Groupings for Cryptography"; "RFC 9640: YANG Data Types and Groupings for Cryptography";
} }
import ietf-truststore { import ietf-truststore {
prefix ts; prefix ts;
reference reference
"RFC BBBB: A YANG Data Model for a Truststore"; "RFC 9641: A YANG Data Model for a Truststore";
} }
import ietf-keystore { import ietf-keystore {
prefix ks; prefix ks;
reference reference
"RFC CCCC: A YANG Data Model for a Keystore"; "RFC 9642: A YANG Data Model for a Keystore and Keystore
Operations";
} }
import ietf-tls-common { import ietf-tls-common {
prefix tlscmn; prefix tlscmn;
reference reference
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; "RFC 9645: YANG Groupings for TLS Clients and TLS Servers";
} }
organization organization
"IETF NETCONF (Network Configuration) Working Group"; "IETF NETCONF (Network Configuration) Working Group";
contact contact
"WG List: NETCONF WG list <mailto:netconf@ietf.org> "WG List: NETCONF WG list <mailto:netconf@ietf.org>
WG Web: https://datatracker.ietf.org/wg/netconf WG Web: https://datatracker.ietf.org/wg/netconf
Author: Kent Watsen <mailto:kent+ietf@watsen.net> Author: Kent Watsen <mailto:kent+ietf@watsen.net>
Author: Jeff Hartley <mailto:intensifysecurity@gmail.com>"; Author: Jeff Hartley <mailto:intensifysecurity@gmail.com>";
description description
"This module defines reusable groupings for TLS servers that "This module defines reusable groupings for TLS servers that
can be used as a basis for specific TLS server instances. can be used as a basis for specific TLS server instances.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all
capitals, as shown here.
Copyright (c) 2024 IETF Trust and the persons identified Copyright (c) 2024 IETF Trust and the persons identified
as authors of the code. All rights reserved. as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Revised subject to the license terms contained in, the Revised
BSD License set forth in Section 4.c of the IETF Trust's BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info). (https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC FFFF This version of this YANG module is part of RFC 9645
(https://www.rfc-editor.org/info/rfcFFFF); see the RFC (https://www.rfc-editor.org/info/rfc9645); see the RFC
itself for full legal notices. itself for full legal notices.";
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all
capitals, as shown here.";
revision 2024-03-16 { revision 2024-03-16 {
description description
"Initial version"; "Initial version.";
reference reference
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; "RFC 9645: YANG Groupings for TLS Clients and TLS Servers";
} }
// Features // Features
feature tls-server-keepalives { feature tls-server-keepalives {
description description
"Per socket TLS keepalive parameters are configurable for "Per-socket TLS keepalive parameters are configurable for
TLS servers on the server implementing this feature."; TLS servers on the server implementing this feature.";
} }
feature server-ident-x509-cert { feature server-ident-x509-cert {
description description
"Indicates that the server supports identifying itself "Indicates that the server supports identifying itself
using X.509 certificates."; using X.509 certificates.";
reference reference
"RFC 5280: "RFC 5280:
Internet X.509 Public Key Infrastructure Certificate Internet X.509 Public Key Infrastructure Certificate
skipping to change at line 2067 skipping to change at line 2170
reference reference
"RFC 7250: "RFC 7250:
Using Raw Public Keys in Transport Layer Security (TLS) Using Raw Public Keys in Transport Layer Security (TLS)
and Datagram Transport Layer Security (DTLS)"; and Datagram Transport Layer Security (DTLS)";
} }
feature server-ident-tls12-psk { feature server-ident-tls12-psk {
if-feature "tlscmn:tls12"; if-feature "tlscmn:tls12";
description description
"Indicates that the server supports identifying itself "Indicates that the server supports identifying itself
using TLS-1.2 PSKs (pre-shared or pairwise-symmetric keys)."; using TLS 1.2 PSKs (pre-shared or pairwise symmetric keys).";
reference reference
"RFC 4279: "RFC 4279:
Pre-Shared Key Ciphersuites for Transport Layer Security Pre-Shared Key Ciphersuites for Transport Layer Security
(TLS)"; (TLS)";
} }
feature server-ident-tls13-epsk { feature server-ident-tls13-epsk {
if-feature "tlscmn:tls13"; if-feature "tlscmn:tls13";
description description
"Indicates that the server supports identifying itself "Indicates that the server supports identifying itself
using TLS-1.3 External PSKs (pre-shared keys)."; using TLS 1.3 External PSKs (pre-shared keys).";
reference reference
"RFC 8446: "RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
feature client-auth-supported { feature client-auth-supported {
description description
"Indicates that the configuration for how to authenticate "Indicates that the configuration for how to authenticate
clients can be configured herein. TLS-level client clients can be configured herein. TLS-level client
authentication may not be needed when client authentication authentication may not be needed when client authentication
skipping to change at line 2115 skipping to change at line 2218
using raw public keys."; using raw public keys.";
reference reference
"RFC 7250: "RFC 7250:
Using Raw Public Keys in Transport Layer Security (TLS) Using Raw Public Keys in Transport Layer Security (TLS)
and Datagram Transport Layer Security (DTLS)"; and Datagram Transport Layer Security (DTLS)";
} }
feature client-auth-tls12-psk { feature client-auth-tls12-psk {
description description
"Indicates that the server supports authenticating clients "Indicates that the server supports authenticating clients
using PSKs (pre-shared or pairwise-symmetric keys)."; using PSKs (pre-shared or pairwise symmetric keys).";
reference reference
"RFC 4279: "RFC 4279:
Pre-Shared Key Ciphersuites for Transport Layer Security Pre-Shared Key Ciphersuites for Transport Layer Security
(TLS)"; (TLS)";
} }
feature client-auth-tls13-epsk { feature client-auth-tls13-epsk {
description description
"Indicates that the server supports authenticating clients "Indicates that the server supports authenticating clients
using TLS-1.3 External PSKs (pre-shared keys)."; using TLS 1.3 External PSKs (pre-shared keys).";
reference reference
"RFC 8446: "RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
// Groupings // Groupings
grouping tls-server-grouping { grouping tls-server-grouping {
description description
"A reusable grouping for configuring a TLS server without "A reusable grouping for configuring a TLS server without
skipping to change at line 2147 skipping to change at line 2250
established. established.
Note that this grouping uses fairly typical descendant Note that this grouping uses fairly typical descendant
node names such that a stack of 'uses' statements will node names such that a stack of 'uses' statements will
have name conflicts. It is intended that the consuming have name conflicts. It is intended that the consuming
data model will resolve the issue (e.g., by wrapping data model will resolve the issue (e.g., by wrapping
the 'uses' statement in a container called the 'uses' statement in a container called
'tls-server-parameters'). This model purposely does 'tls-server-parameters'). This model purposely does
not do this itself so as to provide maximum flexibility not do this itself so as to provide maximum flexibility
to consuming models."; to consuming models.";
container server-identity { container server-identity {
nacm:default-deny-write; nacm:default-deny-write;
description description
"A locally-defined or referenced end-entity certificate, "A locally defined or referenced End-Entity (EE) certificate,
including any configured intermediate certificates, the including any configured intermediate certificates, that
TLS server will present when establishing a TLS connection the TLS server will present when establishing a TLS
in its Certificate message, as defined in Section 7.4.2 connection in its Certificate message, as defined in
in RFC 5246 and Section 4.4.2 in RFC 8446."; Section 7.4.2 of RFC 5246 and Section 4.4.2 of RFC 8446.";
reference reference
"RFC 5246: The Transport Layer Security (TLS) Protocol "RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2 Version 1.2
RFC 8446: The Transport Layer Security (TLS) Protocol RFC 8446: The Transport Layer Security (TLS) Protocol
Version 1.3 Version 1.3
RFC CCCC: A YANG Data Model for a Keystore"; RFC 9642: A YANG Data Model for a Keystore and Keystore
Operations";
choice auth-type { choice auth-type {
mandatory true; mandatory true;
description description
"A choice amongst authentication types, of which one must "A choice amongst authentication types, of which one must
be enabled (via its associated 'feature') and selected."; be enabled (via its associated 'feature') and selected.";
case certificate { case certificate {
if-feature "server-ident-x509-cert"; if-feature "server-ident-x509-cert";
container certificate { container certificate {
description description
"Specifies the server identity using a certificate."; "Specifies the server identity using a certificate.";
uses uses "ks:inline-or-keystore-end-entity-cert-with-key-"
"ks:inline-or-keystore-end-entity-cert-with-key-" + "grouping" {
+ "grouping" {
refine "inline-or-keystore/inline/inline-definition" { refine "inline-or-keystore/inline/inline-definition" {
must 'not(public-key-format) or derived-from-or-self' must 'not(public-key-format) or derived-from-or-self'
+ '(public-key-format,' + ' "ct:subject-public-' + '(public-key-format,'
+ ' "ct:subject-public-'
+ 'key-info-format")'; + 'key-info-format")';
} }
refine "inline-or-keystore/central-keystore/" refine "inline-or-keystore/central-keystore/"
+ "central-keystore-reference/asymmetric-key" { + "central-keystore-reference/asymmetric-key" {
must 'not(deref(.)/../ks:public-key-format) or ' must 'not(deref(.)/../ks:public-key-format) or '
+ 'derived-from-or-self(deref(.)/../ks:public-key' + 'derived-from-or-self(deref(.)/../ks:public-key'
+ '-format, "ct:subject-public-key-info-format")'; + '-format, "ct:subject-public-key-info-format")';
} }
} }
} }
} }
case raw-private-key { case raw-private-key {
if-feature "server-ident-raw-public-key"; if-feature "server-ident-raw-public-key";
container raw-private-key { container raw-private-key {
description description
"Specifies the server identity using a raw "Specifies the server identity using a raw
private key."; private key.";
uses ks:inline-or-keystore-asymmetric-key-grouping { uses ks:inline-or-keystore-asymmetric-key-grouping {
refine "inline-or-keystore/inline/inline-definition" { refine "inline-or-keystore/inline/inline-definition" {
must 'not(public-key-format) or derived-from-or-self' must 'not(public-key-format) or derived-from-or-self'
+ '(public-key-format,' + ' "ct:subject-public-' + '(public-key-format,'
+ ' "ct:subject-public-'
+ 'key-info-format")'; + 'key-info-format")';
} }
refine "inline-or-keystore/central-keystore/" refine "inline-or-keystore/central-keystore/"
+ "central-keystore-reference" { + "central-keystore-reference" {
must 'not(deref(.)/../ks:public-key-format) or ' must 'not(deref(.)/../ks:public-key-format) or '
+ 'derived-from-or-self(deref(.)/../ks:public-key' + 'derived-from-or-self(deref(.)/../ks:public-key'
+ '-format, "ct:subject-public-key-info-format")'; + '-format, "ct:subject-public-key-info-format")';
} }
} }
} }
} }
case tls12-psk { case tls12-psk {
if-feature "server-ident-tls12-psk"; if-feature "server-ident-tls12-psk";
container tls12-psk { container tls12-psk {
description description
"Specifies the server identity using a PSK (pre-shared "Specifies the server identity using a PSK (pre-shared
or pairwise-symmetric key)."; or pairwise symmetric key).";
uses ks:inline-or-keystore-symmetric-key-grouping; uses ks:inline-or-keystore-symmetric-key-grouping;
leaf id-hint { leaf id-hint {
type string; type string;
description description
"The key 'psk_identity_hint' value used in the TLS "The key 'psk_identity_hint' value used in the TLS
'ServerKeyExchange' message."; 'ServerKeyExchange' message.";
reference reference
"RFC 4279: Pre-Shared Key Ciphersuites for "RFC 4279: Pre-Shared Key Ciphersuites for
Transport Layer Security (TLS)"; Transport Layer Security (TLS)";
} }
} }
} }
case tls13-epsk { case tls13-epsk {
if-feature "server-ident-tls13-epsk"; if-feature "server-ident-tls13-epsk";
container tls13-epsk { container tls13-epsk {
description description
"An External Pre-Shared Key (EPSK) is established "An External Pre-Shared Key (EPSK) is established
or provisioned out-of-band, i.e., not from a TLS or provisioned out of band, i.e., not from a TLS
connection. An EPSK is a tuple of (Base Key, connection. An EPSK is a tuple of (Base Key,
External Identity, Hash). External PSKs MUST External Identity, Hash). EPSKs MUST NOT be
NOT be imported for (D)TLS 1.2 or prior versions. imported for (D)TLS 1.2 or prior versions.
When PSKs are provisioned out of band, the PSK When PSKs are provisioned out of band, the PSK
identity and the KDF hash algorithm to be used identity and the KDF hash algorithm to be used
with the PSK MUST also be provisioned. with the PSK MUST also be provisioned.
The structure of this container is designed to The structure of this container is designed to
satisfy the requirements of RFC 8446 Section satisfy the requirements in Section 4.2.11 of
4.2.11, the recommendations from Section 6 in RFC 8446, the recommendations from Section 6 of
RFC 9257, and the EPSK input fields detailed in RFC 9257, and the EPSK input fields detailed in
Section 5.1 in RFC 9258. The base-key is based Section 5.1 of RFC 9258. The base-key is based
upon ks:inline-or-keystore-symmetric-key-grouping upon 'ks:inline-or-keystore-symmetric-key-grouping'
in order to provide users with flexible and in order to provide users with flexible and
secure storage options."; secure storage options.";
reference reference
"RFC 8446: The Transport Layer Security (TLS) "RFC 8446: The Transport Layer Security (TLS)
Protocol Version 1.3 Protocol Version 1.3
RFC 9257: Guidance for External Pre-Shared Key RFC 9257: Guidance for External Pre-Shared Key
(PSK) Usage in TLS (PSK) Usage in TLS
RFC 9258: Importing External Pre-Shared Keys RFC 9258: Importing External Pre-Shared Keys
(PSKs) for TLS 1.3"; (PSKs) for TLS 1.3";
uses ks:inline-or-keystore-symmetric-key-grouping; uses ks:inline-or-keystore-symmetric-key-grouping;
leaf external-identity { leaf external-identity {
type string; type string;
mandatory true; mandatory true;
description description
"As per Section 4.2.11 of RFC 8446, and Section 4.1 "As per Section 4.2.11 of RFC 8446 and Section 4.1
of RFC 9257, a sequence of bytes used to identify of RFC 9257, a sequence of bytes used to identify
an EPSK. A label for a pre-shared key established an EPSK. A label for a pre-shared key established
externally."; externally.";
reference reference
"RFC 8446: The Transport Layer Security (TLS) "RFC 8446: The Transport Layer Security (TLS)
Protocol Version 1.3 Protocol Version 1.3
RFC 9257: Guidance for External Pre-Shared Key RFC 9257: Guidance for External Pre-Shared Key
(PSK) Usage in TLS"; (PSK) Usage in TLS";
} }
leaf hash { leaf hash {
type tlscmn:epsk-supported-hash; type tlscmn:epsk-supported-hash;
default sha-256; default "sha-256";
description description
"As per Section 4.2.11 of RFC 8446, for externally "As per Section 4.2.11 of RFC 8446, for externally
established PSKs, the Hash algorithm MUST be set established PSKs, the hash algorithm MUST be set
when the PSK is established or default to SHA-256 when the PSK is established; otherwise, default to
if no such algorithm is defined. The server MUST SHA-256 if no such algorithm is defined. The server
ensure that it selects a compatible PSK (if any) MUST ensure that it selects a compatible PSK (if
and cipher suite. Each PSK MUST only be used any) and cipher suite. Each PSK MUST only be used
with a single hash function."; with a single hash function.";
reference reference
"RFC 8446: The Transport Layer Security (TLS) "RFC 8446: The Transport Layer Security (TLS)
Protocol Version 1.3"; Protocol Version 1.3";
} }
leaf context { leaf context {
type string; type string;
description description
"Per Section 5.1 of RFC 9258, context MUST include "As per Section 5.1 of RFC 9258, context MUST
the context used to determine the EPSK, if include the context used to determine the EPSK,
any exists. For example, context may include if any exists. For example, context may include
information about peer roles or identities information about peer roles or identities
to mitigate Selfie-style reflection attacks. to mitigate Selfie-style reflection attacks.
Since the EPSK is a key derived from an external Since the EPSK is a key derived from an external
protocol or sequence of protocols, context MUST protocol or sequence of protocols, context MUST
include a channel binding for the deriving include a channel binding for the deriving
protocols [RFC5056]. The details of this protocols (see RFC 5056). The details of this
binding are protocol specfic and out of scope binding are protocol specific and out of scope
for this document."; for this document.";
reference reference
"RFC 9258: Importing External Pre-Shared Keys "RFC 9258: Importing External Pre-Shared Keys
(PSKs) for TLS 1.3"; (PSKs) for TLS 1.3";
} }
leaf target-protocol { leaf target-protocol {
type uint16; type uint16;
description description
"As per Section 3.1 of RFC 9258, the protocol "As per Section 3.1 of RFC 9258, the protocol
for which a PSK is imported for use."; for which a PSK is imported for use.";
skipping to change at line 2326 skipping to change at line 2430
"As per Section 3 of RFC 9258, the KDF for "As per Section 3 of RFC 9258, the KDF for
which a PSK is imported for use."; which a PSK is imported for use.";
reference reference
"RFC 9258: Importing External Pre-Shared Keys "RFC 9258: Importing External Pre-Shared Keys
(PSKs) for TLS 1.3"; (PSKs) for TLS 1.3";
} }
} }
} }
} }
} // container server-identity } // container server-identity
container client-authentication { container client-authentication {
if-feature "client-auth-supported"; if-feature "client-auth-supported";
nacm:default-deny-write; nacm:default-deny-write;
must 'ca-certs or ee-certs or raw-public-keys or tls12-psks must "ca-certs or ee-certs or raw-public-keys or tls12-psks
or tls13-epsks'; or tls13-epsks";
presence presence "Indicates that client authentication is supported
"Indicates that client authentication is supported (i.e., (i.e., that the server will request clients send
that the server will request clients send certificates). certificates). If not configured, the TLS server
If not configured, the TLS server SHOULD NOT request the SHOULD NOT request that TLS clients provide
TLS clients provide authentication credentials."; authentication credentials.";
description description
"Specifies how the TLS server can authenticate TLS clients. "Specifies how the TLS server can authenticate TLS clients.
Any combination of credentials is additive and unordered. Any combination of credentials is additive and unordered.
Note that no configuration is required for PSK (pre-shared Note that no configuration is required for authentication
or pairwise-symmetric key) based authentication as the key based on PSK (pre-shared or pairwise symmetric key) as the
is necessarily the same as configured in the '../server- the key is necessarily the same as configured in the
identity' node."; '../server-identity' node.";
container ca-certs { container ca-certs {
if-feature "client-auth-x509-cert"; if-feature "client-auth-x509-cert";
presence presence "Indicates that certificate authority (CA)
"Indicates that CA certificates have been configured. certificates have been configured. This
This statement is present so the mandatory descendant statement is present so the mandatory
nodes do not imply that this node must be configured."; descendant nodes do not imply that this node
must be configured.";
description description
"A set of certificate authority (CA) certificates used by "A set of CA certificates used by the TLS server to
the TLS server to authenticate TLS client certificates. authenticate TLS client certificates. A client
A client certificate is authenticated if it has a valid certificate is authenticated if it has a valid chain
chain of trust to a configured CA certificate."; of trust to a configured CA certificate.";
reference reference
"RFC BBBB: A YANG Data Model for a Truststore"; "RFC 9641: A YANG Data Model for a Truststore";
uses ts:inline-or-truststore-certs-grouping; uses ts:inline-or-truststore-certs-grouping;
} }
container ee-certs { container ee-certs {
if-feature "client-auth-x509-cert"; if-feature "client-auth-x509-cert";
presence presence "Indicates that EE certificates have been
"Indicates that EE certificates have been configured. configured. This statement is present so the
This statement is present so the mandatory descendant mandatory descendant nodes do not imply that
nodes do not imply that this node must be configured."; this node must be configured.";
description description
"A set of client certificates (i.e., end entity "A set of client certificates (i.e., EE certificates)
certificates) used by the TLS server to authenticate used by the TLS server to authenticate
certificates presented by TLS clients. A client certificates presented by TLS clients. A client
certificate is authenticated if it is an exact certificate is authenticated if it is an exact
match to a configured client certificate."; match to a configured client certificate.";
reference reference
"RFC BBBB: A YANG Data Model for a Truststore"; "RFC 9641: A YANG Data Model for a Truststore";
uses ts:inline-or-truststore-certs-grouping; uses ts:inline-or-truststore-certs-grouping;
} }
container raw-public-keys { container raw-public-keys {
if-feature "client-auth-raw-public-key"; if-feature "client-auth-raw-public-key";
presence presence "Indicates that raw public keys have been
"Indicates that raw public keys have been configured. configured. This statement is present so
This statement is present so the mandatory descendant the mandatory descendant nodes do not imply
nodes do not imply that this node must be configured."; that this node must be configured.";
description description
"A set of raw public keys used by the TLS server to "A set of raw public keys used by the TLS server to
authenticate raw public keys presented by the TLS authenticate raw public keys presented by the TLS
client. A raw public key is authenticated if it client. A raw public key is authenticated if it
is an exact match to a configured raw public key."; is an exact match to a configured raw public key.";
reference reference
"RFC BBBB: A YANG Data Model for a Truststore"; "RFC 9641: A YANG Data Model for a Truststore";
uses ts:inline-or-truststore-public-keys-grouping { uses ts:inline-or-truststore-public-keys-grouping {
refine "inline-or-truststore/inline/inline-definition/" refine "inline-or-truststore/inline/inline-definition/"
+ "public-key" { + "public-key" {
must 'derived-from-or-self(public-key-format,' must 'derived-from-or-self(public-key-format,'
+ ' "ct:subject-public-key-info-format")'; + ' "ct:subject-public-key-info-format")';
} }
refine "inline-or-truststore/central-truststore/" refine "inline-or-truststore/central-truststore/"
+ "central-truststore-reference" { + "central-truststore-reference" {
must 'not(deref(.)/../ts:public-key/ts:public-key-' must 'not(deref(.)/../ts:public-key/ts:public-key-'
+ 'format[not(derived-from-or-self(., "ct:subject-' + 'format[not(derived-from-or-self(., "ct:subject-'
+ 'public-key-info-format"))])'; + 'public-key-info-format"))])';
} }
} }
} }
leaf tls12-psks { leaf tls12-psks {
if-feature "client-auth-tls12-psk"; if-feature "client-auth-tls12-psk";
type empty; type empty;
description description
"Indicates that the TLS server can authenticate TLS clients "Indicates that the TLS server can authenticate TLS clients
using configured PSKs (pre-shared or pairwise-symmetric using configured PSKs (pre-shared or pairwise symmetric
keys). keys).
No configuration is required since the PSK value is the No configuration is required since the PSK value is the
same as PSK value configured in the 'server-identity' same as PSK value configured in the 'server-identity'
node."; node.";
} }
leaf tls13-epsks { leaf tls13-epsks {
if-feature "client-auth-tls13-epsk"; if-feature "client-auth-tls13-epsk";
type empty; type empty;
description description
skipping to change at line 2427 skipping to change at line 2531
type empty; type empty;
description description
"Indicates that the TLS 1.3 server can authenticate TLS "Indicates that the TLS 1.3 server can authenticate TLS
clients using configured external PSKs (pre-shared keys). clients using configured external PSKs (pre-shared keys).
No configuration is required since the PSK value is the No configuration is required since the PSK value is the
same as PSK value configured in the 'server-identity' same as PSK value configured in the 'server-identity'
node."; node.";
} }
} // container client-authentication } // container client-authentication
container hello-params { container hello-params {
nacm:default-deny-write; nacm:default-deny-write;
if-feature "tlscmn:hello-params"; if-feature "tlscmn:hello-params";
uses tlscmn:hello-params-grouping; uses tlscmn:hello-params-grouping;
description description
"Configurable parameters for the TLS hello message."; "Configurable parameters for the TLS hello message.";
} // container hello-params } // container hello-params
container keepalives { container keepalives {
nacm:default-deny-write; nacm:default-deny-write;
if-feature "tls-server-keepalives"; if-feature "tls-server-keepalives";
description description
"Configures the keepalive policy for the TLS server."; "Configures the keepalive policy for the TLS server.";
leaf peer-allowed-to-send { leaf peer-allowed-to-send {
type empty; type empty;
description description
"Indicates that the remote TLS client is allowed to send "Indicates that the remote TLS client is allowed to send
HeartbeatRequest messages, as defined by RFC 6520 HeartbeatRequest messages, as defined by RFC 6520,
to this TLS server."; to this TLS server.";
reference reference
"RFC 6520: Transport Layer Security (TLS) and Datagram "RFC 6520: Transport Layer Security (TLS) and Datagram
Transport Layer Security (DTLS) Heartbeat Extension"; Transport Layer Security (DTLS) Heartbeat Extension";
} }
container test-peer-aliveness { container test-peer-aliveness {
presence presence "Indicates that the TLS server proactively tests the
"Indicates that the TLS server proactively tests the aliveness of the remote TLS client.";
aliveness of the remote TLS client.";
description description
"Configures the keep-alive policy to proactively test "Configures the keep-alive policy to proactively test
the aliveness of the TLS client. An unresponsive the aliveness of the TLS client. An unresponsive
TLS client is dropped after approximately max-wait TLS client is dropped after approximately max-wait
* max-attempts seconds."; * max-attempts seconds.";
leaf max-wait { leaf max-wait {
type uint16 { type uint16 {
range "1..max"; range "1..max";
} }
units "seconds"; units "seconds";
default "30"; default "30";
description description
"Sets the amount of time in seconds after which if "Sets the amount of time in seconds, after which a
no data has been received from the TLS client, a
TLS-level message will be sent to test the TLS-level message will be sent to test the
aliveness of the TLS client."; aliveness of the TLS client if no data has been
received from the TLS client.";
} }
leaf max-attempts { leaf max-attempts {
type uint8; type uint8;
default "3"; default "3";
description description
"Sets the maximum number of sequential keep-alive "Sets the maximum number of sequential keep-alive
messages that can fail to obtain a response from messages that can fail to obtain a response from
the TLS client before assuming the TLS client is the TLS client before assuming the TLS client is
no longer alive."; no longer alive.";
} }
} }
} // container keepalives } // container keepalives
} // grouping tls-server-grouping } // grouping tls-server-grouping
} }
]]></artwork> ]]>
<t keepWithPrevious="true">&lt;CODE ENDS&gt;</t>
</sourcecode>
<!-- <t keepWithPrevious="true">&lt;CODE ENDS&gt;</t>-->
</section> </section>
</section> </section>
<section> <section>
<name>Security Considerations</name> <name>Security Considerations</name>
<t>The three IETF YANG modules in this document define groupings and will <t>The three IETF YANG modules in this document define groupings and will
not be deployed as standalone modules. Their security implications not be deployed as standalone modules. Their security implications
may be context dependent based on their use in other modules. The may be context dependent based on their use in other modules. The
designers of modules which import these grouping must conduct their designers of modules that import these grouping must conduct their
own analysis of the security considerations.</t> own analysis of the security considerations.</t>
<section> <section>
<name>Considerations for the "iana-tls-cipher-suite-algs" Module</name>
<!--[rfced] *AD - We note that the text in Sections 5.1-5.4 does not
exactly match the YANG security considerations boilerplate text
at <https://wiki.ietf.org/group/ops/yang-security-guidelines>,
including missing citations to RFCs 6242 and 8446. Please review and let
us know if updates are needed or if the text is ok as is.
-->
<name>Considerations for the "iana-tls-cipher-suite-algs" YANG Module</n
ame>
<t>This section follows the template defined in <xref section="3.7.1" ta rget="RFC8407"/>.</t> <t>This section follows the template defined in <xref section="3.7.1" ta rget="RFC8407"/>.</t>
<t>The "iana-tls-cipher-suite-algs" YANG module defines a data model
that is designed to be accessed via YANG based management <!--DNE - template-->
protocols, such as NETCONF <xref target="RFC6241"/> and RESTCONF <!--paragraph 1-->
<xref target="RFC8040"/>. Both of these protocols have <t>The "iana-tls-cipher-suite-algs" YANG module defines defines a
mandatory-to-implement secure transport layers (e.g., SSH, TLS) data model that is designed to be accessed via YANG-based network managem
with mutual authentication.</t> ent
<t>The Network Access Control Model (NACM) <xref target="RFC8341"/> protocols such as NETCONF <xref target="RFC6241"/> and RESTCONF
<xref target="RFC8040"/>. Both of these
protocols have mandatory-to-implement secure transport layers (e.g., SSH, TLS
) with mutual authentication.
</t>
<!--paragraph 2-->
<t>The Network Configuration Access Control Model (NACM) <xref target="RF
C8341"/>
provides the means to restrict access for particular users to a provides the means to restrict access for particular users to a
pre-configured subset of all available protocol operations and preconfigured subset of all available protocol operations and
content.</t> content.</t>
<!--does not follow the template-->
<t>This YANG module defines YANG enumerations, for a public IANA-maintai ned <t>This YANG module defines YANG enumerations, for a public IANA-maintai ned
registry.</t> registry.</t>
<t>YANG enumerations are not security-sensitive, as they are statically <t>YANG enumerations are not security-sensitive, as they are statically
defined in the publicly-accessible YANG module. IANA MAY deprecate defined in the publicly accessible YANG module. IANA <bcp14>MAY</bcp1 4> deprecate
and/or obsolete enumerations over time as needed to address security and/or obsolete enumerations over time as needed to address security
issues found in the algorithms.</t> issues found in the algorithms.</t>
<t>This module does not define any writable-nodes, RPCs, actions, <t>This module does not define any writable nodes, RPCs, actions,
or notifications, and thus the security consideration for such or notifications, and thus the security considerations for such
is not provided here.</t> are not provided here.</t>
<!--End-->
</section> </section>
<section> <section>
<name>Considerations for the "ietf-tls-common" YANG Module</name> <name>Considerations for the "ietf-tls-common" YANG Module</name>
<t>This section follows the template defined in <xref section="3.7.1" ta rget="RFC8407"/>.</t> <t>This section follows the template defined in <xref section="3.7.1" ta rget="RFC8407"/>.</t>
<!--DNE - template-->
<!--paragraph 1-->
<t>The "ietf-tls-common" YANG module defines "grouping" statements <t>The "ietf-tls-common" YANG module defines "grouping" statements
that are designed to be accessed via YANG based management that are designed to be accessed via YANG-based management
protocols, such as NETCONF <xref target="RFC6241"/> and RESTCONF protocols such as NETCONF <xref target="RFC6241"/> and RESTCONF
<xref target="RFC8040"/>. Both of these protocols have <xref target="RFC8040"/>. Both of these protocols
mandatory-to-implement secure transport layers (e.g., SSH, TLS) have mandatory-to-implement secure transport layers (e.g., SSH, TLS)
with mutual authentication.</t> with mutual authentication.
<t>The Network Access Control Model (NACM) <xref target="RFC8341"/> </t>
<!--paragraph 2-->
<t>The Network Configuration Access Control Model (NACM) <xref ta
rget="RFC8341"/>
provides the means to restrict access for particular users to a provides the means to restrict access for particular users to a
pre-configured subset of all available protocol operations and preconfigured subset of all available protocol operations and
content.</t> content.</t>
<!--does not follow the template-->
<t>Please be aware that this YANG module uses groupings from <t>Please be aware that this YANG module uses groupings from
other YANG modules that define nodes that may be considered other YANG modules that define nodes that may be considered
sensitive or vulnerable in network environments. Please sensitive or vulnerable in network environments. Please
review the Security Considerations for dependent YANG modules review the Security Considerations for dependent YANG modules
for information as to which nodes may be considered sensitive for information as to which nodes may be considered sensitive
or vulnerable in network environments.</t> or vulnerable in network environments.</t>
<t>None of the readable data nodes defined in this YANG module are <t>None of the readable data nodes defined in this YANG module are
considered sensitive or vulnerable in network environments. considered sensitive or vulnerable in network environments.
The NACM "default-deny-all" extension has not been set for The NACM "default-deny-all" extension has not been set for
any data nodes defined in this module.</t> any data nodes defined in this module.</t>
<t>None of the writable data nodes defined in this YANG module are <t>None of the writable data nodes defined in this YANG module are
considered sensitive or vulnerable in network environments. considered sensitive or vulnerable in network environments.
The NACM "default-deny-write" extension has not been set for The NACM "default-deny-write" extension has not been set for
any data nodes defined in this module.</t> any data nodes defined in this module.</t>
<t>This module defines the RPC "generate-asymmetric-key-pair" that may, <t>This module defines the "generate-asymmetric-key-pair" RPC that may,
if if
the "ct:cleartext-private-keys" feature is enabled, and the client the "ct:cleartext-private-keys" feature is enabled and the client
requests it, return the private clear in cleartext form. It is requests it, return the private clear in cleartext form. It is
NOT RECOMMENDED for private keys to pass the server's security <bcp14>NOT RECOMMENDED</bcp14> for private keys to pass the server's s ecurity
perimeter.</t> perimeter.</t>
<t>This module does not define any actions or notifications, <t>This module does not define any actions or notifications,
and thus the security consideration for such is not provided here.</t> and thus the security considerations for such are not provided here.</t>
<!--End-->
</section> </section>
<section> <section>
<name>Considerations for the "ietf-tls-client" YANG Module</name> <name>Considerations for the "ietf-tls-client" YANG Module</name>
<t>This section follows the template defined in <xref section="3.7.1" ta rget="RFC8407"/>.</t> <t>This section follows the template defined in <xref section="3.7.1" ta rget="RFC8407"/>.</t>
<!--DNE - template-->
<!--paragraph 1-->
<t>The "ietf-tls-client" YANG module defines "grouping" statements <t>The "ietf-tls-client" YANG module defines "grouping" statements
that are designed to be accessed via YANG based management that are designed to be accessed via YANG-based management
protocols, such as NETCONF <xref target="RFC6241"/> and RESTCONF protocols such as NETCONF <xref target="RFC6241"/> or RESTCONF
<xref target="RFC8040"/>. Both of these protocols have <xref target="RFC8040"/>. Both of these protocols have
mandatory-to-implement secure transport layers (e.g., SSH, TLS) mandatory-to-implement secure transport layers (e.g., SSH, TLS)
with mutual authentication.</t> with mutual authentication.
</t>
<!--paragraph 2-->
<t>The Network Access Control Model (NACM) <xref target="RFC8341"/> <t>The Network Access Control Model (NACM) <xref target="RFC8341"/>
provides the means to restrict access for particular users to a provides the means to restrict access for particular users to a
pre-configured subset of all available protocol operations and preconfigured subset of all available protocol operations and
content.</t> content.</t>
<!--does not follow the template-->
<t>Please be aware that this YANG module uses groupings from <t>Please be aware that this YANG module uses groupings from
other YANG modules that define nodes that may be considered other YANG modules that define nodes that may be considered
sensitive or vulnerable in network environments. Please sensitive or vulnerable in network environments. Please
review the Security Considerations for dependent YANG modules review the Security Considerations for dependent YANG modules
for information as to which nodes may be considered sensitive for information as to which nodes may be considered sensitive
or vulnerable in network environments.</t> or vulnerable in network environments.</t>
<t>None of the readable data nodes defined in this YANG module <t>None of the readable data nodes defined in this YANG module
are considered sensitive or vulnerable in network environments. are considered sensitive or vulnerable in network environments.
The NACM "default-deny-all" extension has not been set for any The NACM "default-deny-all" extension has not been set for any
data nodes defined in this module.</t> data nodes defined in this module.</t>
<t>All the writable data nodes defined by this module may be <t>All the writable data nodes defined by this module may be
considered sensitive or vulnerable in some network environments. considered sensitive or vulnerable in some network environments.
For instance, any modification to a key or reference to a key For instance, any modification to a key or reference to a key
may dramatically alter the implemented security policy. For may dramatically alter the implemented security policy. For
this reason, the NACM extension "default-deny-write" has been this reason, the NACM extension "default-deny-write" has been
set for all data nodes defined in this module.</t> set for all data nodes defined in this module.</t>
<t>This module does not define any RPCs, actions, or notifications, <t>This module does not define any RPCs, actions, or notifications,
and thus the security consideration for such is not provided here.</t> and thus the security considerations for such are not provided here.</t>
<!--End-->
</section> </section>
<section> <section>
<name>Considerations for the "ietf-tls-server" YANG Module</name> <name>Considerations for the "ietf-tls-server" YANG Module</name>
<t>This section follows the template defined in <xref section="3.7.1" ta rget="RFC8407"/>.</t> <t>This section follows the template defined in <xref section="3.7.1" ta rget="RFC8407"/>.</t>
<!--DNE - template-->
<!--paragraph 1-->
<t>The "ietf-tls-server" YANG module defines "grouping" statements <t>The "ietf-tls-server" YANG module defines "grouping" statements
that are designed to be accessed via YANG based management that are designed to be accessed via YANG-based management
protocols, such as NETCONF <xref target="RFC6241"/> and RESTCONF protocols such as NETCONF <xref target="RFC6241"/> and RESTCONF
<xref target="RFC8040"/>. Both of these protocols have <xref target="RFC8040"/>. Both of these protocols have
mandatory-to-implement secure transport layers (e.g., SSH, TLS) mandatory-to-implement secure transport layers (e.g., SSH, TLS)
with mutual authentication.</t> with mutual authentication.
<t>The Network Access Control Model (NACM) <xref target="RFC8341"/> </t>
<!--paragraph 2-->
<t>The Network Configuration Access Control Model (NACM) <xref target="R
FC8341"/>
provides the means to restrict access for particular users to a provides the means to restrict access for particular users to a
pre-configured subset of all available protocol operations and preconfigured subset of all available protocol operations and
content.</t> content.</t>
<!--does not follow the template-->
<t>Please be aware that this YANG module uses groupings from <t>Please be aware that this YANG module uses groupings from
other YANG modules that define nodes that may be considered other YANG modules that define nodes that may be considered
sensitive or vulnerable in network environments. Please sensitive or vulnerable in network environments. Please
review the Security Considerations for dependent YANG modules review the Security Considerations for dependent YANG modules
for information as to which nodes may be considered sensitive for information as to which nodes may be considered sensitive
or vulnerable in network environments.</t> or vulnerable in network environments.</t>
<t>None of the readable data nodes defined in this YANG module are consi dered sensitive <t>None of the readable data nodes defined in this YANG module are consi dered sensitive
or vulnerable in network environments. The NACM "default-deny-all" ext ension or vulnerable in network environments. The NACM "default-deny-all" ext ension
has not been set for any data nodes defined in this module.</t> has not been set for any data nodes defined in this module.</t>
<!--<aside>--> <!--<aside>-->
<t>Please be aware that this module uses the "key" and "private-key" <t>Please be aware that this module uses the "key" and "private-key"
nodes from the "ietf-crypto-types" module <xref target="I-D.ietf-net conf-crypto-types"/>, nodes from the "ietf-crypto-types" module <xref target="RFC9640"/>,
where said nodes have the NACM extension "default-deny-all" set, thu s where said nodes have the NACM extension "default-deny-all" set, thu s
preventing unrestricted read-access to the cleartext key values.</t> preventing unrestricted read access to the cleartext key values.</t>
<!--</aside>--> <!--</aside>-->
<t>All the writable data nodes defined by this module may be <t>All the writable data nodes defined by this module may be
considered sensitive or vulnerable in some network environments. considered sensitive or vulnerable in some network environments.
For instance, any modification to a key or reference to a key For instance, any modification to a key or reference to a key
may dramatically alter the implemented security policy. For may dramatically alter the implemented security policy. For
this reason, the NACM extension "default-deny-write" has been this reason, the NACM extension "default-deny-write" has been
set for all data nodes defined in this module.</t> set for all data nodes defined in this module.</t>
<t>This module does not define any RPCs, actions, or notifications, <t>This module does not define any RPCs, actions, or notifications,
and thus the security consideration for such is not provided here.</t> and thus the security considerations for such are not provided here.</t>
<!--End-->
</section> </section>
</section> </section>
<section> <section>
<name>IANA Considerations</name> <name>IANA Considerations</name>
<section> <section>
<name>The "IETF XML" Registry</name> <name>The IETF XML Registry</name>
<t>This document registers four URIs in the "ns" subregistry of the <t>IANA has registered the following four URIs in the "ns" registry of t
IETF XML Registry <xref target="RFC3688"/>. Following the format in he
<xref target="RFC3688"/>, the following registrations are "IETF XML Registry" <xref target="RFC3688"/>.</t>
requested:</t> <dl spacing="compact">
<artwork><![CDATA[ <!-- IANA updates: change "N/A," to "N/A;"
URI: urn:ietf:params:xml:ns:yang:iana-tls-cipher-suite-algs https://www.iana.org/assignments/xml-registry/ns/yang/iana-tls-cipher-suite-algs
Registrant Contact: The IESG .txt
XML: N/A, the requested URI is an XML namespace. https://www.iana.org/assignments/xml-registry/ns/yang/ietf-tls-common.txt
https://www.iana.org/assignments/xml-registry/ns/yang/ietf-tls-client.txt
URI: urn:ietf:params:xml:ns:yang:ietf-tls-common https://www.iana.org/assignments/xml-registry/ns/yang/ietf-tls-server.txt
Registrant Contact: The IESG -->
XML: N/A, the requested URI is an XML namespace. <dt>URI:</dt><dd> urn:ietf:params:xml:ns:yang:iana-tls-cipher-suite-algs</dd>
<dt>Registrant Contact:</dt><dd>The IESG</dd>
<dt>XML:</dt><dd> N/A; the requested URI is an XML namespace.</dd>
</dl>
<dl spacing="compact">
<dt>URI:</dt><dd> urn:ietf:params:xml:ns:yang:ietf-tls-common</dd>
<dt>Registrant Contact:</dt><dd> The IESG</dd>
<dt>XML:</dt><dd> N/A; the requested URI is an XML namespace.</dd>
</dl>
URI: urn:ietf:params:xml:ns:yang:ietf-tls-client <dl spacing="compact">
Registrant Contact: The IESG <dt>URI:</dt><dd> urn:ietf:params:xml:ns:yang:ietf-tls-client</dd>
XML: N/A, the requested URI is an XML namespace. <dt>Registrant Contact:</dt><dd> The IESG</dd>
<dt>XML:</dt><dd> N/A; the requested URI is an XML namespace.</dd>
</dl>
URI: urn:ietf:params:xml:ns:yang:ietf-tls-server <dl spacing="compact">
Registrant Contact: The IESG <dt>URI:</dt><dd> urn:ietf:params:xml:ns:yang:ietf-tls-server</dd>
XML: N/A, the requested URI is an XML namespace. <dt>Registrant Contact:</dt><dd> The IESG</dd>
]]></artwork> <dt>XML:</dt><dd> N/A; the requested URI is an XML namespace.</dd>
</dl>
</section> </section>
<section> <section>
<name>The "YANG Module Names" Registry</name> <name>The YANG Module Names Registry</name>
<t>This document registers four YANG modules in the YANG Module Names <t>IANA has registered the following four YANG modules in the "YANG Modu
registry <xref target="RFC6020"/>. Following the format in <xref target= le Names"
"RFC6020"/>, the following registrations are requested:</t> registry <xref target="RFC6020"/>.</t>
<artwork><![CDATA[ <dl spacing="compact">
name: iana-tls-cipher-suite-algs <dt>name:</dt><dd> iana-tls-cipher-suite-algs</dd>
namespace: urn:ietf:params:xml:ns:yang:iana-tls-cipher-suite-algs <dt>Maintained by IANA:</dt><dd>Y</dd>
prefix: tlscsa <dt>namespace:</dt><dd> urn:ietf:params:xml:ns:yang:iana-tls-cipher-suite-alg
reference: RFC FFFF s</dd>
<dt>prefix:</dt><dd> tlscsa</dd>
name: ietf-tls-common <dt>reference:</dt><dd> RFC 9645</dd>
namespace: urn:ietf:params:xml:ns:yang:ietf-tls-common </dl>
prefix: tlscmn <dl spacing="compact">
reference: RFC FFFF <dt>name: </dt><dd> ietf-tls-common</dd>
<dt>Maintained by IANA:</dt><dd>N</dd>
name: ietf-tls-client <dt>namespace: </dt><dd> urn:ietf:params:xml:ns:yang:ietf-tls-common</dd>
namespace: urn:ietf:params:xml:ns:yang:ietf-tls-client <dt>prefix: </dt><dd> tlscmn</dd>
prefix: tlsc <dt>reference: </dt><dd> RFC 9645</dd>
reference: RFC FFFF </dl>
<dl spacing="compact">
name: ietf-tls-server <dt>name: </dt><dd> ietf-tls-client </dd>
namespace: urn:ietf:params:xml:ns:yang:ietf-tls-server <dt>Maintained by IANA:</dt><dd>N</dd>
prefix: tlss <dt>namespace: </dt><dd> urn:ietf:params:xml:ns:yang:ietf-tls-client </dd>
reference: RFC FFFF <dt>prefix: </dt><dd> tlsc </dd>
]]></artwork> <dt>reference: </dt><dd> RFC 9645</dd>
</dl>
<dl spacing="compact">
<dt>name: </dt><dd> ietf-tls-server </dd>
<dt>Maintained by IANA:</dt><dd>N</dd>
<dt>namespace: </dt><dd> urn:ietf:params:xml:ns:yang:ietf-tls-server </dd>
<dt>prefix: </dt><dd> tlss </dd>
<dt>reference: </dt><dd> RFC 9645</dd>
</dl>
</section> </section>
<section> <section>
<name>Considerations for the "iana-tls-cipher-suite-algs" Module</name> <name>Considerations for the "iana-tls-cipher-suite-algs" YANG Module</n ame>
<t>This section follows the template defined in <xref section="4.30.3.1" target="I-D.ietf-netmod-rfc8407bis"/>.</t> <t>This section follows the template defined in <xref section="4.30.3.1" target="I-D.ietf-netmod-rfc8407bis"/>.</t>
<!-- [rfced] As the module will be available at/around the time of publication,
please consider whether any udpates are desired. Note that RFC-to-be 9644 would
be updated similarly.
Original:
This document presents a script (see Appendix A) for IANA to use to
generate the IANA-maintained "iana-tls-cipher-suite-algs" YANG
module. The most recent version of the YANG module is available from
the "YANG Parameters" registry [IANA-YANG-PARAMETERS].
Perhaps:
IANA used the script in Appendix A to generate the IANA-maintained
"iana-tls-cipher-suite-algs" YANG module. The YANG module is
available from the "YANG Parameters" registry [IANA-YANG-PARAMETERS].
-->
<t>This document presents a script (see <xref target="iana-script"/>) fo r <t>This document presents a script (see <xref target="iana-script"/>) fo r
IANA to use to generate the IANA-maintained "iana-tls-cipher-suite-alg s" YANG module. IANA to use to generate the IANA-maintained "iana-tls-cipher-suite-alg s" YANG module.
The most recent version of the YANG module is available from the "YANG Parameters" The most recent version of the YANG module is available from the "YANG Parameters"
registry <xref target="IANA-YANG-PARAMETERS"/>.</t> registry <xref target="IANA-YANG-PARAMETERS"/>.</t>
<t>IANA is requested to add the following note to the registry:</t> <t>IANA has added the following note to the registry:</t>
<blockquote>New values must not be directly added to the "iana-tls-ciphe <blockquote>
r-suite-algs" New values must not be directly added to the "iana-tls-cipher-suite-alg
YANG module. They must instead be added to the "TLS Cipher Suites" su s"
b-registry of YANG module. They must instead be added to the "TLS Cipher Suites" re
the "Transport Layer Security (TLS) Parameters" registry <xref target= gistry under
"IANA-CIPHER-ALGS"/>.</blockquote> the "Transport Layer Security (TLS) Parameters" registry group <xref t
<t>When a value is added to the "TLS Cipher Suites" sub-registry, a new arget="IANA-CIPHER-ALGS"/>.
"enum" </blockquote>
<t>When a value is added to the "TLS Cipher Suites" registry, a new "enu
m"
statement must be added to the "iana-tls-cipher-suite-algs" YANG module . The statement must be added to the "iana-tls-cipher-suite-algs" YANG module . The
"enum" statement, and sub-statements thereof, should be defined as fol "enum" statement, and substatements thereof, should be defined as follow
lows:</t> s:</t>
<dl newline="true"> <dl newline="true">
<dt>enum</dt> <dt>enum</dt>
<dd>Replicates a name from the registry.</dd> <dd>Replicates a name from the registry.</dd>
<dt>value</dt> <dt>value</dt>
<dd>Contains the decimal value of the IANA-assigned value.</dd> <dd>Contains the decimal value of the IANA-assigned value.</dd>
<dt>status</dt> <dt>status</dt>
<!-- [rfced] In this paragraph, may we remove the link to "Moving
single-DES and IDEA TLS ciphersuites to Historic" and provide a
citation instead as shown below?
Note: the URL provided contains the following message, and
"draft-ietf-tls-oldversions-deprecate" has since been published
as RFC 8996 (https://datatracker.ietf.org/doc/rfc8996/):
Upon approval and its publication as an RFC,
draft-ietf-tls-oldversions-deprecate should replace this status
change document as the reference for the status change event.
Original:
status
Include only if a registration has been deprecated or obsoleted.
An IANA "Recommended" maps to YANG status "deprecated". Since the
registry is unable to express a logical "MUST NOT" recommendation,
there is no mapping to YANG status "obsolete", which is
unfortunate given Moving single-DES and IDEA TLS ciphersuites to
Historic (https://datatracker.ietf.org/doc/status-change-tls-des-
idea-ciphers-to-historic) .
Perhaps:
status
Include only if a registration has been deprecated or obsoleted.
An IANA "Recommended" maps to YANG status "deprecated". Since the
registry is unable to express a logical "MUST NOT" recommendation,
there is no mapping to YANG status "obsolete", which is
unfortunate given the moving of single-DES and International Data
Encryption Algorithm (IDEA) TLS cipher suites to Historic [RFC8996].
-->
<dd>Include only if a registration has been deprecated or obsoleted. <dd>Include only if a registration has been deprecated or obsoleted.
An IANA "Recommended" maps to YANG status "deprecated". Since the r egistry An IANA "Recommended" maps to YANG status "deprecated". Since the r egistry
is unable to express a logical "MUST NOT" recommendation, there is n o is unable to express a logical "<bcp14>MUST NOT</bcp14>" recommendat ion, there is no
mapping to YANG status "obsolete", which is unfortunate given mapping to YANG status "obsolete", which is unfortunate given
<eref target="https://datatracker.ietf.org/doc/status-change-tls-des -idea-ciphers-to-historic">Moving <eref target="https://datatracker.ietf.org/doc/status-change-tls-des -idea-ciphers-to-historic">Moving
single-DES and IDEA TLS ciphersuites to Historic</eref> .</dd> single-DES and IDEA TLS cipher suites to Historic</eref>.</dd>
<dt>description</dt> <dt>description</dt>
<dd>Contains "Enumeration for the 'TLS_FOO' algorithm.", where "TLS_FO O" is <dd>Contains "Enumeration for the 'TLS_FOO' algorithm", where "TLS_FOO " is
a placeholder for the algorithm's name (e.g., "TLS_PSK_WITH_AES_256_ CBC_SHA").</dd> a placeholder for the algorithm's name (e.g., "TLS_PSK_WITH_AES_256_ CBC_SHA").</dd>
<dt>reference</dt> <dt>reference</dt>
<dd>Replicates the reference(s) from the registry with the title of th e <dd>Replicates the reference(s) from the registry with the title of th e
document(s) added.</dd> document(s) added.</dd>
</dl> </dl>
<t>Unassigned or reserved values are not present in the module.</t> <t>Unassigned or reserved values are not present in the module.</t>
<t>When the "iana-tls-cipher-suite-algs" YANG module is updated, a <t>When the "iana-tls-cipher-suite-algs" YANG module is updated, a
new "revision" statement with a unique revision date must be added new "revision" statement with a unique revision date must be added
in front of the existing revision statements. The "revision" in front of the existing revision statements. The "revision"
must have a "description" statement explaining why the the update must have a "description" statement explaining why the the update
occurred, and must have a "reference" substatement that points to the occurred and must have a "reference" substatement that points to the
document defining the registry update that resulted in this change. document defining the registry update that resulted in this change.
For instance:</t> For instance:</t>
<artwork><![CDATA[
<sourcecode type="yang"><![CDATA[
revision 2024-02-02 { revision 2024-02-02 {
description description
"This update reflect the update made to the underlying "This update reflects the update made to the underlying
Foo Bar registry per RFC XXXX."; 'Foo Bar' registry per RFC XXXX.";
reference reference
"RFC XXXX: Extend the Foo Bars Registry "RFC XXXX: Extend the Foo Bar Registry
to Support Something Important"; to Support Something Important";
}]]></artwork> }]]></sourcecode>
<t>IANA is requested to add the following note to the "TLS Cipher Suites <t>IANA has added the following note to the "TLS Cipher Suites"
" registry under the "Transport Layer Security (TLS) Parameters"
sub-registry of the "Transport Layer Security (TLS) Parameters" registry group <xref target="IANA-CIPHER-ALGS"/>.</t>
registry <xref target="IANA-CIPHER-ALGS"/>.</t>
<blockquote>When this registry is modified, the YANG module "iana-tls-ci pher-suite-algs" <blockquote>When this registry is modified, the YANG module "iana-tls-ci pher-suite-algs"
<xref target="IANA-YANG-PARAMETERS"/> must be updated as defined in RF <xref target="IANA-YANG-PARAMETERS"/> must be updated as defined in RFC
C FFFF.</blockquote> 9645.</blockquote>
<t>An initial version of this module can be found in <xref target="tls-c
ipher-algs-model"/>.</t> <!--Note: Removed this sentence because Appendix A.1 has been removed per the au
thor's note.
<t>An initial version of this module can be found in <xref target="tls-cipher-al
gs-model"/>.</t>-->
</section> </section>
</section> </section>
</middle> </middle>
<back> <back>
<displayreference target="I-D.ietf-netmod-system-config" to="SYSTEM-CONFIG"/
>
<displayreference target="I-D.ietf-netmod-rfc8407bis" to="RFC8407BIS"/>
<!-- <displayreference target="I-D.irtf-cfrg-aegis-aead" to="AEGIS"/>-->
<displayreference target="I-D.ietf-netconf-http-client-server"
to="HTTP-CLIENT-SERVER"/>
<displayreference target="I-D.ietf-netconf-netconf-client-server"
to="NETCONF-CLIENT-SERVER"/>
<displayreference target="I-D.ietf-netconf-restconf-client-server"
to="RESTCONF-CLIENT-SERVER"/>
<references> <references>
<name>References</name> <name>References</name>
<references> <references>
<name>Normative References</name> <name>Normative References</name>
<reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2
119" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.21
<front> 19.xml"/>
<title>Key words for use in RFCs to Indicate Requirement Levels</tit <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.42
le> 79.xml"/>
<author fullname="S. Bradner" initials="S." surname="Bradner"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.52
<date month="March" year="1997"/> 88.xml"/>
<abstract> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.52
<t>In many standards track documents several words are used to sig 89.xml"/>
nify the requirements in the specification. These words are often capitalized. T <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.60
his document defines these words as they should be interpreted in IETF documents 20.xml"/>
. This document specifies an Internet Best Current Practices for the Internet Co <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.75
mmunity, and requests discussion and suggestions for improvements.</t> 89.xml"/>
</abstract> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.79
</front> 50.xml"/>
<seriesInfo name="BCP" value="14"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.81
<seriesInfo name="RFC" value="2119"/> 74.xml"/>
<seriesInfo name="DOI" value="10.17487/RFC2119"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.83
</reference> 41.xml"/>
<reference anchor="RFC2712" target="https://www.rfc-editor.org/info/rfc2 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.84
712" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2712.xml"> 22.xml"/>
<front> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.80
<title>Addition of Kerberos Cipher Suites to Transport Layer Securit 40.xml"/>
y (TLS)</title> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.62
<author fullname="A. Medvinsky" initials="A." surname="Medvinsky"/> 41.xml"/>
<author fullname="M. Hur" initials="M." surname="Hur"/>
<date month="October" year="1999"/> <!--Note: Removed per removal of Appendix A.1
<abstract> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.27
<t>This document proposes the addition of new cipher suites to the 12.xml"/>
TLS protocol to support Kerberos-based authentication. [STANDARDS-TRACK]</t> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.41
</abstract> 62.xml"/>
</front> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.43
<seriesInfo name="RFC" value="2712"/> 46.xml"/>
<seriesInfo name="DOI" value="10.17487/RFC2712"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.47
</reference> 85.xml"/>
<reference anchor="RFC4162" target="https://www.rfc-editor.org/info/rfc4 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.50
162" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4162.xml"> 54.xml"/>
<front> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.54
<title>Addition of SEED Cipher Suites to Transport Layer Security (T 69.xml"/>
LS)</title> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.54
<author fullname="H.J. Lee" initials="H.J." surname="Lee"/> 87.xml"/>
<author fullname="J.H. Yoon" initials="J.H." surname="Yoon"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.54
<author fullname="J.I. Lee" initials="J.I." surname="Lee"/> 89.xml"/>
<date month="August" year="2005"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.57
<abstract> 46.xml"/>
<t>This document proposes the addition of new cipher suites to the <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.59
Transport Layer Security (TLS) protocol to support the SEED encryption algorith 32.xml"/>
m as a bulk cipher algorithm. [STANDARDS-TRACK]</t> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6
</abstract> 209.xml"/>
</front> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.62
<seriesInfo name="RFC" value="4162"/> 41.xml"/>
<seriesInfo name="DOI" value="10.17487/RFC4162"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.63
</reference> 67.xml"/>
<reference anchor="RFC4279" target="https://www.rfc-editor.org/info/rfc4 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.66
279" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4279.xml"> 55.xml"/>
<front> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.72
<title>Pre-Shared Key Ciphersuites for Transport Layer Security (TLS 51.xml"/>
)</title> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.75
<author fullname="P. Eronen" initials="P." role="editor" surname="Er 07.xml"/>
onen"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.79
<author fullname="H. Tschofenig" initials="H." role="editor" surname 05.xml"/>
="Tschofenig"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.80
<date month="December" year="2005"/> 40.xml"/>
<abstract> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.84
<t>This document specifies three sets of new ciphersuites for the 42.xml"/>
Transport Layer Security (TLS) protocol to support authentication based on pre-s <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.84
hared keys (PSKs). These pre-shared keys are symmetric keys, shared in advance a 92.xml"/>
mong the communicating parties. The first set of ciphersuites uses only symmetri <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.89
c key operations for authentication. The second set uses a Diffie-Hellman exchan 98.xml"/>
ge authenticated with a pre-shared key, and the third set combines public key au <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.91
thentication of the server with pre-shared key authentication of the client. [ST 50.xml"/>
ANDARDS-TRACK]</t> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.91
</abstract> 89.xml"/>
</front> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
<seriesInfo name="RFC" value="4279"/> 367.xml"/>
<seriesInfo name="DOI" value="10.17487/RFC4279"/> -->
</reference>
<reference anchor="RFC4346" target="https://www.rfc-editor.org/info/rfc4 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.84
346" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4346.xml"> 46.xml"/>
<front>
<title>The Transport Layer Security (TLS) Protocol Version 1.1</titl <!-- [I-D.ietf-netconf-crypto-types] companion document RFC 9640 -->
e> <reference anchor="RFC9640" target="https://www.rfc-editor.org/info/rfc9
<author fullname="T. Dierks" initials="T." surname="Dierks"/> 640">
<author fullname="E. Rescorla" initials="E." surname="Rescorla"/> <front>
<date month="April" year="2006"/> <title>YANG Data Types and Groupings for Cryptography</title>
<abstract> <author initials="K." surname="Watsen" fullname="Kent Watsen">
<t>This document specifies Version 1.1 of the Transport Layer Secu <organization>Watsen Networks</organization>
rity (TLS) protocol. The TLS protocol provides communications security over the </author>
Internet. The protocol allows client/server applications to communicate in a way <date month="August" year="2024"/>
that is designed to prevent eavesdropping, tampering, or message forgery.</t> </front>
</abstract> <seriesInfo name="RFC" value="9640"/>
</front> <seriesInfo name="DOI" value="10.17487/RFC9640"/>
<seriesInfo name="RFC" value="4346"/> </reference>
<seriesInfo name="DOI" value="10.17487/RFC4346"/>
</reference> <!-- [I-D.ietf-netconf-trust-anchors] companion document RFC 9641 -->
<reference anchor="RFC4785" target="https://www.rfc-editor.org/info/rfc4 <reference anchor="RFC9641" target="https://www.rfc-editor.org/info/rfc9
785" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4785.xml"> 641">
<front> <front>
<title>Pre-Shared Key (PSK) Ciphersuites with NULL Encryption for Tr <title>A YANG Data Model for a Truststore</title>
ansport Layer Security (TLS)</title> <author initials="K." surname="Watsen" fullname="Kent Watsen">
<author fullname="U. Blumenthal" initials="U." surname="Blumenthal"/ <organization>Watsen Networks</organization>
> </author>
<author fullname="P. Goel" initials="P." surname="Goel"/> <date month="August" year="2024"/>
<date month="January" year="2007"/> </front>
<abstract> <seriesInfo name="RFC" value="9641"/>
<t>This document specifies authentication-only ciphersuites (with <seriesInfo name="DOI" value="10.17487/RFC9641"/>
no encryption) for the Pre-Shared Key (PSK) based Transport Layer Security (TLS) </reference>
protocol. These ciphersuites are useful when authentication and integrity prote
ction is desired, but confidentiality is not needed or not permitted. [STANDARDS <!-- [I-D.ietf-netconf-keystore] companion document RFC 9642 -->
-TRACK]</t> <reference anchor="RFC9642" target="https://www.rfc-editor.org/info/rfc9
</abstract> 642">
</front> <front>
<seriesInfo name="RFC" value="4785"/> <title>A YANG Data Model for a Keystore and Keystore Operations</titl
<seriesInfo name="DOI" value="10.17487/RFC4785"/> e>
</reference> <author initials="K." surname="Watsen" fullname="Kent Watsen">
<reference anchor="RFC5054" target="https://www.rfc-editor.org/info/rfc5 <organization>Watsen Networks</organization>
054" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5054.xml"> </author>
<front> <date month="August" year="2024"/>
<title>Using the Secure Remote Password (SRP) Protocol for TLS Authe </front>
ntication</title> <seriesInfo name="RFC" value="9642"/>
<author fullname="D. Taylor" initials="D." surname="Taylor"/> <seriesInfo name="DOI" value="10.17487/RFC9642"/>
<author fullname="T. Wu" initials="T." surname="Wu"/> </reference>
<author fullname="N. Mavrogiannopoulos" initials="N." surname="Mavro
giannopoulos"/> <!-- <reference anchor="FIPS180-4" target="https://nvlpubs.nist.gov/nistpubs/F
<author fullname="T. Perrin" initials="T." surname="Perrin"/> IPS/NIST.FIPS.180-4.pdf" quoteTitle="true" derivedAnchor="FIPS180-4">
<date month="November" year="2007"/>
<abstract>
<t>This memo presents a technique for using the Secure Remote Pass
word protocol as an authentication method for the Transport Layer Security proto
col. This memo provides information for the Internet community.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5054"/>
<seriesInfo name="DOI" value="10.17487/RFC5054"/>
</reference>
<reference anchor="RFC5288" target="https://www.rfc-editor.org/info/rfc5
288" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5288.xml">
<front>
<title>AES Galois Counter Mode (GCM) Cipher Suites for TLS</title>
<author fullname="J. Salowey" initials="J." surname="Salowey"/>
<author fullname="A. Choudhury" initials="A." surname="Choudhury"/>
<author fullname="D. McGrew" initials="D." surname="McGrew"/>
<date month="August" year="2008"/>
<abstract>
<t>This memo describes the use of the Advanced Encryption Standard
(AES) in Galois/Counter Mode (GCM) as a Transport Layer Security (TLS) authenti
cated encryption operation. GCM provides both confidentiality and data origin au
thentication, can be efficiently implemented in hardware for speeds of 10 gigabi
ts per second and above, and is also well-suited to software implementations. Th
is memo defines TLS cipher suites that use AES-GCM with RSA, DSA, and Diffie-Hel
lman-based key exchange mechanisms. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5288"/>
<seriesInfo name="DOI" value="10.17487/RFC5288"/>
</reference>
<reference anchor="RFC5289" target="https://www.rfc-editor.org/info/rfc5
289" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5289.xml">
<front>
<title>TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Gal
ois Counter Mode (GCM)</title>
<author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
<date month="August" year="2008"/>
<abstract>
<t>RFC 4492 describes elliptic curve cipher suites for Transport L
ayer Security (TLS). However, all those cipher suites use HMAC-SHA-1 as their Me
ssage Authentication Code (MAC) algorithm. This document describes sixteen new c
ipher suites for TLS that specify stronger MAC algorithms. Eight use Hashed Mess
age Authentication Code (HMAC) with SHA-256 or SHA-384, and eight use AES in Gal
ois Counter Mode (GCM). This memo provides information for the Internet communit
y.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5289"/>
<seriesInfo name="DOI" value="10.17487/RFC5289"/>
</reference>
<reference anchor="RFC5469" target="https://www.rfc-editor.org/info/rfc5
469" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5469.xml">
<front>
<title>DES and IDEA Cipher Suites for Transport Layer Security (TLS)
</title>
<author fullname="P. Eronen" initials="P." role="editor" surname="Er
onen"/>
<date month="February" year="2009"/>
<abstract>
<t>Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1
(RFC 4346) include cipher suites based on DES (Data Encryption Standard) and IDE
A (International Data Encryption Algorithm) algorithms. DES (when used in single
-DES mode) and IDEA are no longer recommended for general use in TLS, and have b
een removed from TLS version 1.2 (RFC 5246). This document specifies these ciphe
r suites for completeness and discusses reasons why their use is no longer recom
mended. This memo provides information for the Internet community.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5469"/>
<seriesInfo name="DOI" value="10.17487/RFC5469"/>
</reference>
<reference anchor="RFC5487" target="https://www.rfc-editor.org/info/rfc5
487" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5487.xml">
<front>
<title>Pre-Shared Key Cipher Suites for TLS with SHA-256/384 and AES
Galois Counter Mode</title>
<author fullname="M. Badra" initials="M." surname="Badra"/>
<date month="March" year="2009"/>
<abstract>
<t>RFC 4279 and RFC 4785 describe pre-shared key cipher suites for
Transport Layer Security (TLS). However, all those cipher suites use SHA-1 in t
heir Message Authentication Code (MAC) algorithm. This document describes a set
of pre-shared key cipher suites for TLS that uses stronger digest algorithms (i.
e., SHA-256 or SHA-384) and another set that uses the Advanced Encryption Standa
rd (AES) in Galois Counter Mode (GCM). [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5487"/>
<seriesInfo name="DOI" value="10.17487/RFC5487"/>
</reference>
<reference anchor="RFC5489" target="https://www.rfc-editor.org/info/rfc5
489" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5489.xml">
<front>
<title>ECDHE_PSK Cipher Suites for Transport Layer Security (TLS)</t
itle>
<author fullname="M. Badra" initials="M." surname="Badra"/>
<author fullname="I. Hajjeh" initials="I." surname="Hajjeh"/>
<date month="March" year="2009"/>
<abstract>
<t>This document extends RFC 4279, RFC 4492, and RFC 4785 and spec
ifies a set of cipher suites that use a pre-shared key (PSK) to authenticate an
Elliptic Curve Diffie-Hellman exchange with Ephemeral keys (ECDHE). These cipher
suites provide Perfect Forward Secrecy (PFS). This memo provides information fo
r the Internet community.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5489"/>
<seriesInfo name="DOI" value="10.17487/RFC5489"/>
</reference>
<reference anchor="RFC5746" target="https://www.rfc-editor.org/info/rfc5
746" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5746.xml">
<front>
<title>Transport Layer Security (TLS) Renegotiation Indication Exten
sion</title>
<author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
<author fullname="M. Ray" initials="M." surname="Ray"/>
<author fullname="S. Dispensa" initials="S." surname="Dispensa"/>
<author fullname="N. Oskov" initials="N." surname="Oskov"/>
<date month="February" year="2010"/>
<abstract>
<t>Secure Socket Layer (SSL) and Transport Layer Security (TLS) re
negotiation are vulnerable to an attack in which the attacker forms a TLS connec
tion with the target server, injects content of his choice, and then splices in
a new TLS connection from a client. The server treats the client's initial TLS h
andshake as a renegotiation and thus believes that the initial data transmitted
by the attacker is from the same entity as the subsequent client data. This spec
ification defines a TLS extension to cryptographically tie renegotiations to the
TLS connections they are being performed over, thus preventing this attack. [ST
ANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5746"/>
<seriesInfo name="DOI" value="10.17487/RFC5746"/>
</reference>
<reference anchor="RFC5932" target="https://www.rfc-editor.org/info/rfc5
932" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5932.xml">
<front>
<title>Camellia Cipher Suites for TLS</title>
<author fullname="A. Kato" initials="A." surname="Kato"/>
<author fullname="M. Kanda" initials="M." surname="Kanda"/>
<author fullname="S. Kanno" initials="S." surname="Kanno"/>
<date month="June" year="2010"/>
<abstract>
<t>This document specifies a set of cipher suites for the Transpor
t Security Layer (TLS) protocol to support the Camellia encryption algorithm as
a block cipher. It amends the cipher suites originally specified in RFC 4132 by
introducing counterparts using the newer cryptographic hash algorithms from the
SHA-2 family. This document obsoletes RFC 4132. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5932"/>
<seriesInfo name="DOI" value="10.17487/RFC5932"/>
</reference>
<reference anchor="RFC6020" target="https://www.rfc-editor.org/info/rfc6
020" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6020.xml">
<front>
<title>YANG - A Data Modeling Language for the Network Configuration
Protocol (NETCONF)</title>
<author fullname="M. Bjorklund" initials="M." role="editor" surname=
"Bjorklund"/>
<date month="October" year="2010"/>
<abstract>
<t>YANG is a data modeling language used to model configuration an
d state data manipulated by the Network Configuration Protocol (NETCONF), NETCON
F remote procedure calls, and NETCONF notifications. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="6020"/>
<seriesInfo name="DOI" value="10.17487/RFC6020"/>
</reference>
<reference anchor="RFC6209" target="https://www.rfc-editor.org/info/rfc6
209" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6209.xml">
<front>
<title>Addition of the ARIA Cipher Suites to Transport Layer Securit
y (TLS)</title>
<author fullname="W. Kim" initials="W." surname="Kim"/>
<author fullname="J. Lee" initials="J." surname="Lee"/>
<author fullname="J. Park" initials="J." surname="Park"/>
<author fullname="D. Kwon" initials="D." surname="Kwon"/>
<date month="April" year="2011"/>
<abstract>
<t>This document specifies a set of cipher suites for the Transpor
t Layer Security (TLS) protocol to support the ARIA encryption algorithm as a bl
ock cipher. This document is not an Internet Standards Track specification; it i
s published for informational purposes.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="6209"/>
<seriesInfo name="DOI" value="10.17487/RFC6209"/>
</reference>
<reference anchor="RFC6367" target="https://www.rfc-editor.org/info/rfc6
367" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6367.xml">
<front>
<title>Addition of the Camellia Cipher Suites to Transport Layer Sec
urity (TLS)</title>
<author fullname="S. Kanno" initials="S." surname="Kanno"/>
<author fullname="M. Kanda" initials="M." surname="Kanda"/>
<date month="September" year="2011"/>
<abstract>
<t>This document specifies forty-two cipher suites for the Transpo
rt Security Layer (TLS) protocol to support the Camellia encryption algorithm as
a block cipher. This document is not an Internet Standards Track specification;
it is published for informational purposes.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="6367"/>
<seriesInfo name="DOI" value="10.17487/RFC6367"/>
</reference>
<reference anchor="RFC6655" target="https://www.rfc-editor.org/info/rfc6
655" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6655.xml">
<front>
<title>AES-CCM Cipher Suites for Transport Layer Security (TLS)</tit
le>
<author fullname="D. McGrew" initials="D." surname="McGrew"/>
<author fullname="D. Bailey" initials="D." surname="Bailey"/>
<date month="July" year="2012"/>
<abstract>
<t>This memo describes the use of the Advanced Encryption Standard
(AES) in the Counter with Cipher Block Chaining - Message Authentication Code (
CBC-MAC) Mode (CCM) of operation within Transport Layer Security (TLS) and Datag
ram TLS (DTLS) to provide confidentiality and data origin authentication. The AE
S-CCM algorithm is amenable to compact implementations, making it suitable for c
onstrained environments. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="6655"/>
<seriesInfo name="DOI" value="10.17487/RFC6655"/>
</reference>
<reference anchor="RFC7251" target="https://www.rfc-editor.org/info/rfc7
251" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7251.xml">
<front>
<title>AES-CCM Elliptic Curve Cryptography (ECC) Cipher Suites for T
LS</title>
<author fullname="D. McGrew" initials="D." surname="McGrew"/>
<author fullname="D. Bailey" initials="D." surname="Bailey"/>
<author fullname="M. Campagna" initials="M." surname="Campagna"/>
<author fullname="R. Dugal" initials="R." surname="Dugal"/>
<date month="June" year="2014"/>
<abstract>
<t>This memo describes the use of the Advanced Encryption Standard
(AES) in the Counter and CBC-MAC Mode (CCM) of operation within Transport Layer
Security (TLS) to provide confidentiality and data-origin authentication. The A
ES-CCM algorithm is amenable to compact implementations, making it suitable for
constrained environments, while at the same time providing a high level of secur
ity. The cipher suites defined in this document use Elliptic Curve Cryptography
(ECC) and are advantageous in networks with limited bandwidth.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="7251"/>
<seriesInfo name="DOI" value="10.17487/RFC7251"/>
</reference>
<reference anchor="RFC7507" target="https://www.rfc-editor.org/info/rfc7
507" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7507.xml">
<front>
<title>TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventi
ng Protocol Downgrade Attacks</title>
<author fullname="B. Moeller" initials="B." surname="Moeller"/>
<author fullname="A. Langley" initials="A." surname="Langley"/>
<date month="April" year="2015"/>
<abstract>
<t>This document defines a Signaling Cipher Suite Value (SCSV) tha
t prevents protocol downgrade attacks on the Transport Layer Security (TLS) and
Datagram Transport Layer Security (DTLS) protocols. It updates RFCs 2246, 4346,
4347, 5246, and 6347. Server update considerations are included.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="7507"/>
<seriesInfo name="DOI" value="10.17487/RFC7507"/>
</reference>
<reference anchor="RFC7589" target="https://www.rfc-editor.org/info/rfc7
589" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7589.xml">
<front>
<title>Using the NETCONF Protocol over Transport Layer Security (TLS
) with Mutual X.509 Authentication</title>
<author fullname="M. Badra" initials="M." surname="Badra"/>
<author fullname="A. Luchuk" initials="A." surname="Luchuk"/>
<author fullname="J. Schoenwaelder" initials="J." surname="Schoenwae
lder"/>
<date month="June" year="2015"/>
<abstract>
<t>The Network Configuration Protocol (NETCONF) provides mechanism
s to install, manipulate, and delete the configuration of network devices. This
document describes how to use the Transport Layer Security (TLS) protocol with m
utual X.509 authentication to secure the exchange of NETCONF messages. This revi
sion of RFC 5539 documents the new message framing used by NETCONF 1.1 and it ob
soletes RFC 5539.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="7589"/>
<seriesInfo name="DOI" value="10.17487/RFC7589"/>
</reference>
<reference anchor="RFC7905" target="https://www.rfc-editor.org/info/rfc7
905" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7905.xml">
<front>
<title>ChaCha20-Poly1305 Cipher Suites for Transport Layer Security
(TLS)</title>
<author fullname="A. Langley" initials="A." surname="Langley"/>
<author fullname="W. Chang" initials="W." surname="Chang"/>
<author fullname="N. Mavrogiannopoulos" initials="N." surname="Mavro
giannopoulos"/>
<author fullname="J. Strombergson" initials="J." surname="Strombergs
on"/>
<author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
<date month="June" year="2016"/>
<abstract>
<t>This document describes the use of the ChaCha stream cipher and
Poly1305 authenticator in the Transport Layer Security (TLS) and Datagram Trans
port Layer Security (DTLS) protocols.</t>
<t>This document updates RFCs 5246 and 6347.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="7905"/>
<seriesInfo name="DOI" value="10.17487/RFC7905"/>
</reference>
<reference anchor="RFC7950" target="https://www.rfc-editor.org/info/rfc7
950" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7950.xml">
<front>
<title>The YANG 1.1 Data Modeling Language</title>
<author fullname="M. Bjorklund" initials="M." role="editor" surname=
"Bjorklund"/>
<date month="August" year="2016"/>
<abstract>
<t>YANG is a data modeling language used to model configuration da
ta, state data, Remote Procedure Calls, and notifications for network management
protocols. This document describes the syntax and semantics of version 1.1 of t
he YANG language. YANG version 1.1 is a maintenance release of the YANG language
, addressing ambiguities and defects in the original specification. There are a
small number of backward incompatibilities from YANG version 1. This document al
so specifies the YANG mappings to the Network Configuration Protocol (NETCONF).<
/t>
</abstract>
</front>
<seriesInfo name="RFC" value="7950"/>
<seriesInfo name="DOI" value="10.17487/RFC7950"/>
</reference>
<reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8
174" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
<front>
<title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</ti
tle>
<author fullname="B. Leiba" initials="B." surname="Leiba"/>
<date month="May" year="2017"/>
<abstract>
<t>RFC 2119 specifies common key words that may be used in protoco
l specifications. This document aims to reduce the ambiguity by clarifying that
only UPPERCASE usage of the key words have the defined special meanings.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="14"/>
<seriesInfo name="RFC" value="8174"/>
<seriesInfo name="DOI" value="10.17487/RFC8174"/>
</reference>
<reference anchor="RFC8341" target="https://www.rfc-editor.org/info/rfc8
341" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8341.xml">
<front>
<title>Network Configuration Access Control Model</title>
<author fullname="A. Bierman" initials="A." surname="Bierman"/>
<author fullname="M. Bjorklund" initials="M." surname="Bjorklund"/>
<date month="March" year="2018"/>
<abstract>
<t>The standardization of network configuration interfaces for use
with the Network Configuration Protocol (NETCONF) or the RESTCONF protocol requ
ires a structured and secure operating environment that promotes human usability
and multi-vendor interoperability. There is a need for standard mechanisms to r
estrict NETCONF or RESTCONF protocol access for particular users to a preconfigu
red subset of all available NETCONF or RESTCONF protocol operations and content.
This document defines such an access control model.</t>
<t>This document obsoletes RFC 6536.</t>
</abstract>
</front>
<seriesInfo name="STD" value="91"/>
<seriesInfo name="RFC" value="8341"/>
<seriesInfo name="DOI" value="10.17487/RFC8341"/>
</reference>
<reference anchor="RFC8422" target="https://www.rfc-editor.org/info/rfc8
422" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8422.xml">
<front>
<title>Elliptic Curve Cryptography (ECC) Cipher Suites for Transport
Layer Security (TLS) Versions 1.2 and Earlier</title>
<author fullname="Y. Nir" initials="Y." surname="Nir"/>
<author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
<author fullname="M. Pegourie-Gonnard" initials="M." surname="Pegour
ie-Gonnard"/>
<date month="August" year="2018"/>
<abstract>
<t>This document describes key exchange algorithms based on Ellipt
ic Curve Cryptography (ECC) for the Transport Layer Security (TLS) protocol. In
particular, it specifies the use of Ephemeral Elliptic Curve Diffie-Hellman (ECD
HE) key agreement in a TLS handshake and the use of the Elliptic Curve Digital S
ignature Algorithm (ECDSA) and Edwards-curve Digital Signature Algorithm (EdDSA)
as authentication mechanisms.</t>
<t>This document obsoletes RFC 4492.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8422"/>
<seriesInfo name="DOI" value="10.17487/RFC8422"/>
</reference>
<reference anchor="RFC8442" target="https://www.rfc-editor.org/info/rfc8
442" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8442.xml">
<front>
<title>ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites for TLS 1.2
and DTLS 1.2</title>
<author fullname="J. Mattsson" initials="J." surname="Mattsson"/>
<author fullname="D. Migault" initials="D." surname="Migault"/>
<date month="September" year="2018"/>
<abstract>
<t>This document defines several new cipher suites for version 1.2
of the Transport Layer Security (TLS) protocol and version 1.2 of the Datagram
Transport Layer Security (DTLS) protocol. These cipher suites are based on the E
phemeral Elliptic Curve Diffie-Hellman with Pre-Shared Key (ECDHE_PSK) key excha
nge together with the Authenticated Encryption with Associated Data (AEAD) algor
ithms AES-GCM and AES-CCM. PSK provides light and efficient authentication, ECDH
E provides forward secrecy, and AES-GCM and AES-CCM provide encryption and integ
rity protection.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8442"/>
<seriesInfo name="DOI" value="10.17487/RFC8442"/>
</reference>
<reference anchor="RFC8446" target="https://www.rfc-editor.org/info/rfc8
446" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml">
<front>
<title>The Transport Layer Security (TLS) Protocol Version 1.3</titl
e>
<author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
<date month="August" year="2018"/>
<abstract>
<t>This document specifies version 1.3 of the Transport Layer Secu
rity (TLS) protocol. TLS allows client/server applications to communicate over t
he Internet in a way that is designed to prevent eavesdropping, tampering, and m
essage forgery.</t>
<t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 50
77, 5246, and 6961. This document also specifies new requirements for TLS 1.2 im
plementations.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8446"/>
<seriesInfo name="DOI" value="10.17487/RFC8446"/>
</reference>
<reference anchor="RFC8492" target="https://www.rfc-editor.org/info/rfc8
492" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8492.xml">
<front>
<title>Secure Password Ciphersuites for Transport Layer Security (TL
S)</title>
<author fullname="D. Harkins" initials="D." role="editor" surname="H
arkins"/>
<date month="February" year="2019"/>
<abstract>
<t>This memo defines several new ciphersuites for the Transport La
yer Security (TLS) protocol to support certificateless, secure authentication us
ing only a simple, low-entropy password. The exchange is called "TLS-PWD". The c
iphersuites are all based on an authentication and key exchange protocol, named
"dragonfly", that is resistant to offline dictionary attacks.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8492"/>
<seriesInfo name="DOI" value="10.17487/RFC8492"/>
</reference>
<reference anchor="RFC8998" target="https://www.rfc-editor.org/info/rfc8
998" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8998.xml">
<front>
<title>ShangMi (SM) Cipher Suites for TLS 1.3</title>
<author fullname="P. Yang" initials="P." surname="Yang"/>
<date month="March" year="2021"/>
<abstract>
<t>This document specifies how to use the ShangMi (SM) cryptograph
ic algorithms with Transport Layer Security (TLS) protocol version 1.3.</t>
<t>The use of these algorithms with TLS 1.3 is not endorsed by the
IETF. The SM algorithms are becoming mandatory in China, so this document provi
des a description of how to use the SM algorithms with TLS 1.3 and specifies a p
rofile of TLS 1.3 so that implementers can produce interworking implementations.
</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8998"/>
<seriesInfo name="DOI" value="10.17487/RFC8998"/>
</reference>
<reference anchor="RFC9150" target="https://www.rfc-editor.org/info/rfc9
150" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9150.xml">
<front> <front>
<title>TLS 1.3 Authentication and Integrity-Only Cipher Suites</titl <title>Secure Hash Standard (SHS)</title>
e> <author>
<author fullname="N. Cam-Winget" initials="N." surname="Cam-Winget"/ <organization>National Institute of Standards and Technology (NIST
> )</organization>
<author fullname="J. Visoky" initials="J." surname="Visoky"/> </author>
<date month="April" year="2022"/> <date year="2015" month="August"/>
<abstract>
<t>This document defines the use of cipher suites for TLS 1.3 base
d on Hashed Message Authentication Code (HMAC). Using these cipher suites provid
es server and, optionally, mutual authentication and data authenticity, but not
data confidentiality. Cipher suites with these properties are not of general app
licability, but there are use cases, specifically in Internet of Things (IoT) an
d constrained environments, that do not require confidentiality of exchanged mes
sages while still requiring integrity protection, server authentication, and opt
ional client authentication. This document gives examples of such use cases, wit
h the caveat that prior to using these integrity-only cipher suites, a threat mo
del for the situation at hand is needed, and a threat analysis must be performed
within that model to determine whether the use of integrity-only cipher suites
is appropriate. The approach described in this document is not endorsed by the I
ETF and does not have IETF consensus, but it is presented here to enable interop
erable implementation of a reduced-security mechanism that provides authenticati
on and message integrity without supporting confidentiality.</t>
</abstract>
</front> </front>
<seriesInfo name="RFC" value="9150"/> <seriesInfo name="FIPS PUB" value="180-4"/>
<seriesInfo name="DOI" value="10.17487/RFC9150"/> <seriesInfo name="DOI" value="10.6028/NIST.FIPS.180-4"/>
</reference> </reference>
<reference anchor="RFC9189" target="https://www.rfc-editor.org/info/rfc9 -->
189" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9189.xml">
<!-- <reference anchor="FIPS186-5" target="https://nvlpubs.nist.gov/nistpubs/FI
PS/NIST.FIPS.186-5.pdf" quoteTitle="true" derivedAnchor="FIPS186-5">
<front> <front>
<title>GOST Cipher Suites for Transport Layer Security (TLS) Protoco <title>Digital Signature Standard (DSS)</title>
l Version 1.2</title> <author>
<author fullname="S. Smyshlyaev" initials="S." role="editor" surname <organization>National Institute of Standards and Technology (NIST
="Smyshlyaev"/> )</organization>
<author fullname="D. Belyavsky" initials="D." surname="Belyavsky"/> </author>
<author fullname="E. Alekseev" initials="E." surname="Alekseev"/> <date year="2023" month="February"/>
<date month="March" year="2022"/>
<abstract>
<t>This document specifies three new cipher suites, two new signat
ure algorithms, seven new supported groups, and two new certificate types for th
e Transport Layer Security (TLS) protocol version 1.2 to support the Russian cry
ptographic standard algorithms (called "GOST" algorithms). This document specifi
es a profile of TLS 1.2 with GOST algorithms so that implementers can produce in
teroperable implementations.</t>
<t>This specification facilitates implementations that aim to supp
ort the GOST algorithms. This document does not imply IETF endorsement of the ci
pher suites, signature algorithms, supported groups, and certificate types.</t>
</abstract>
</front> </front>
<seriesInfo name="RFC" value="9189"/> <seriesInfo name="FIPS" value="186-5"/>
<seriesInfo name="DOI" value="10.17487/RFC9189"/> <seriesInfo name="DOI" value="10.6028/NIST.FIPS.186-5"/>
</reference> </reference>
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D -->
.ietf-netconf-crypto-types.xml"/>
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D
.ietf-netconf-trust-anchors.xml"/>
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D
.ietf-netconf-keystore.xml"/>
</references> </references>
<references> <references>
<name>Informative References</name> <name>Informative References</name>
<reference anchor="RFC2818" target="https://www.rfc-editor.org/info/rfc2
818" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2818.xml"> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.28
<front> 18.xml"/>
<title>HTTP Over TLS</title> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.36
<author fullname="E. Rescorla" initials="E." surname="Rescorla"/> 88.xml"/>
<date month="May" year="2000"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.52
<abstract> 46.xml"/>
<t>This memo describes how to use Transport Layer Security (TLS) t <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.80
o secure Hypertext Transfer Protocol (HTTP) connections over the Internet. This 71.xml"/>
memo provides information for the Internet community.</t> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.83
</abstract> 40.xml"/>
</front> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.83
<seriesInfo name="RFC" value="2818"/> 42.xml"/>
<seriesInfo name="DOI" value="10.17487/RFC2818"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.84
</reference> 07.xml"/>
<reference anchor="RFC3688" target="https://www.rfc-editor.org/info/rfc3 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.92
688" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3688.xml"> 57.xml"/>
<front> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.92
<title>The IETF XML Registry</title> 58.xml"/>
<author fullname="M. Mealling" initials="M." surname="Mealling"/>
<date month="January" year="2004"/> <!-- Removed
<abstract> [I-D.irtf-cfrg-aegis-aead] IESG state: I-D exists as of 7/15/24
<t>This document describes an IANA maintained registry for IETF st <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.irt
andards which use Extensible Markup Language (XML) related items such as Namespa f-cfrg-aegis-aead.xml"/>-->
ces, Document Type Declarations (DTDs), Schemas, and Resource Description Framew
ork (RDF) Schemas.</t> <!--[I-D.ietf-netconf-tcp-client-server] companion document RFC 9643-->
</abstract> <reference anchor="RFC9643" target="https://www.rfc-editor.org/info/rfc9
</front> 643">
<seriesInfo name="BCP" value="81"/> <front>
<seriesInfo name="RFC" value="3688"/> <title>YANG Groupings for TCP Clients and TCP Servers</title>
<seriesInfo name="DOI" value="10.17487/RFC3688"/> <author initials="K." surname="Watsen" fullname="Kent Watsen">
</reference> <organization>Watsen Networks</organization>
<reference anchor="RFC5246" target="https://www.rfc-editor.org/info/rfc5 </author>
246" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5246.xml"> <author initials="M." surname="Scharf" fullname="Michael Scharf">
<front> <organization>Hochschule Esslingen - University of Applied Sciences
<title>The Transport Layer Security (TLS) Protocol Version 1.2</titl </organization>
e> </author>
<author fullname="T. Dierks" initials="T." surname="Dierks"/> <date month="August" year="2024"/>
<author fullname="E. Rescorla" initials="E." surname="Rescorla"/> </front>
<date month="August" year="2008"/> <seriesInfo name="RFC" value="9643"/>
<abstract> <seriesInfo name="DOI" value="10.17487/RFC9643"/>
<t>This document specifies Version 1.2 of the Transport Layer Secu </reference>
rity (TLS) protocol. The TLS protocol provides communications security over the
Internet. The protocol allows client/server applications to communicate in a way <!-- [I-D.ietf-netconf-ssh-client-server] companion document RFC 9644-->
that is designed to prevent eavesdropping, tampering, or message forgery. [STAN <reference anchor="RFC9644" target="https://www.rfc-editor.org/info/rfc9
DARDS-TRACK]</t> 644">
</abstract> <front>
</front> <title>YANG Groupings for SSH Clients and SSH Servers</title>
<seriesInfo name="RFC" value="5246"/> <author initials="K." surname="Watsen" fullname="Kent Watsen">
<seriesInfo name="DOI" value="10.17487/RFC5246"/> <organization>Watsen Networks</organization>
</reference> </author>
<reference anchor="RFC6241" target="https://www.rfc-editor.org/info/rfc6 <date month="August" year="2024"/>
241" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6241.xml"> </front>
<front> <seriesInfo name="RFC" value="9644"/>
<title>Network Configuration Protocol (NETCONF)</title> <seriesInfo name="DOI" value="10.17487/RFC9644"/>
<author fullname="R. Enns" initials="R." role="editor" surname="Enns </reference>
"/>
<author fullname="M. Bjorklund" initials="M." role="editor" surname= <!-- [I-D.ietf-netconf-http-client-server] IESG state: IESG Evaluation::AD Follo
"Bjorklund"/> wup as of 07/15/24 (changes are being made to the doc - shows "WITHDRAWN" status
<author fullname="J. Schoenwaelder" initials="J." role="editor" surn in the db) -->
ame="Schoenwaelder"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-net
<author fullname="A. Bierman" initials="A." role="editor" surname="B conf-http-client-server"/>
ierman"/>
<date month="June" year="2011"/> <!-- [I-D.ietf-netconf-netconf-client-server] IESG state: AD Evaluation as of 07
<abstract> /15/24-->
<t>The Network Configuration Protocol (NETCONF) defined in this do <xi:include
cument provides mechanisms to install, manipulate, and delete the configuration href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-netconf-netconf
of network devices. It uses an Extensible Markup Language (XML)-based data encod -client-server"/>
ing for the configuration data as well as the protocol messages. The NETCONF pro
tocol operations are realized as remote procedure calls (RPCs). This document ob <!-- [I-D.ietf-netconf-restconf-client-server] IESG state: AD Evaluation as of 0
soletes RFC 4741. [STANDARDS-TRACK]</t> 7/15/24 -->
</abstract> <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-net
</front> conf-restconf-client-server"/>
<seriesInfo name="RFC" value="6241"/>
<seriesInfo name="DOI" value="10.17487/RFC6241"/> <!-- [I-D.ietf-netmod-system-config] IESG state: I-D Exists as of 03/26/24-->
</reference> <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.
<reference anchor="RFC8040" target="https://www.rfc-editor.org/info/rfc8 ietf-netmod-system-config.xml"/>
040" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8040.xml">
<front> <!-- [I-D.ietf-netmod-rfc8407bis] IESG state: I-D Exists as of 03/26/24-->
<title>RESTCONF Protocol</title> <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.
<author fullname="A. Bierman" initials="A." surname="Bierman"/> ietf-netmod-rfc8407bis.xml"/>
<author fullname="M. Bjorklund" initials="M." surname="Bjorklund"/>
<author fullname="K. Watsen" initials="K." surname="Watsen"/> <reference anchor="IANA-CIPHER-ALGS" target="https://www.iana.org/assign
<date month="January" year="2017"/> ments/tls-parameters/">
<abstract>
<t>This document describes an HTTP-based protocol that provides a
programmatic interface for accessing data defined in YANG, using the datastore c
oncepts defined in the Network Configuration Protocol (NETCONF).</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8040"/>
<seriesInfo name="DOI" value="10.17487/RFC8040"/>
</reference>
<reference anchor="RFC8071" target="https://www.rfc-editor.org/info/rfc8
071" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8071.xml">
<front>
<title>NETCONF Call Home and RESTCONF Call Home</title>
<author fullname="K. Watsen" initials="K." surname="Watsen"/>
<date month="February" year="2017"/>
<abstract>
<t>This RFC presents NETCONF Call Home and RESTCONF Call Home, whi
ch enable a NETCONF or RESTCONF server to initiate a secure connection to a NETC
ONF or RESTCONF client, respectively.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8071"/>
<seriesInfo name="DOI" value="10.17487/RFC8071"/>
</reference>
<reference anchor="RFC8340" target="https://www.rfc-editor.org/info/rfc8
340" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8340.xml">
<front>
<title>YANG Tree Diagrams</title>
<author fullname="M. Bjorklund" initials="M." surname="Bjorklund"/>
<author fullname="L. Berger" initials="L." role="editor" surname="Be
rger"/>
<date month="March" year="2018"/>
<abstract>
<t>This document captures the current syntax used in YANG module t
ree diagrams. The purpose of this document is to provide a single location for t
his definition. This syntax may be updated from time to time based on the evolut
ion of the YANG language.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="215"/>
<seriesInfo name="RFC" value="8340"/>
<seriesInfo name="DOI" value="10.17487/RFC8340"/>
</reference>
<reference anchor="RFC8342" target="https://www.rfc-editor.org/info/rfc8
342" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8342.xml">
<front>
<title>Network Management Datastore Architecture (NMDA)</title>
<author fullname="M. Bjorklund" initials="M." surname="Bjorklund"/>
<author fullname="J. Schoenwaelder" initials="J." surname="Schoenwae
lder"/>
<author fullname="P. Shafer" initials="P." surname="Shafer"/>
<author fullname="K. Watsen" initials="K." surname="Watsen"/>
<author fullname="R. Wilton" initials="R." surname="Wilton"/>
<date month="March" year="2018"/>
<abstract>
<t>Datastores are a fundamental concept binding the data models wr
itten in the YANG data modeling language to network management protocols such as
the Network Configuration Protocol (NETCONF) and RESTCONF. This document define
s an architectural framework for datastores based on the experience gained with
the initial simpler model, addressing requirements that were not well supported
in the initial model. This document updates RFC 7950.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8342"/>
<seriesInfo name="DOI" value="10.17487/RFC8342"/>
</reference>
<reference anchor="RFC8407" target="https://www.rfc-editor.org/info/rfc8
407" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8407.xml">
<front>
<title>Guidelines for Authors and Reviewers of Documents Containing
YANG Data Models</title>
<author fullname="A. Bierman" initials="A." surname="Bierman"/>
<date month="October" year="2018"/>
<abstract>
<t>This memo provides guidelines for authors and reviewers of spec
ifications containing YANG modules. Recommendations and procedures are defined,
which are intended to increase interoperability and usability of Network Configu
ration Protocol (NETCONF) and RESTCONF protocol implementations that utilize YAN
G modules. This document obsoletes RFC 6087.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="216"/>
<seriesInfo name="RFC" value="8407"/>
<seriesInfo name="DOI" value="10.17487/RFC8407"/>
</reference>
<reference anchor="RFC9257" target="https://www.rfc-editor.org/info/rfc9
257" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9257.xml">
<front>
<title>Guidance for External Pre-Shared Key (PSK) Usage in TLS</titl
e>
<author fullname="R. Housley" initials="R." surname="Housley"/>
<author fullname="J. Hoyland" initials="J." surname="Hoyland"/>
<author fullname="M. Sethi" initials="M." surname="Sethi"/>
<author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
<date month="July" year="2022"/>
<abstract>
<t>This document provides usage guidance for external Pre-Shared K
eys (PSKs) in Transport Layer Security (TLS) 1.3 as defined in RFC 8446. It list
s TLS security properties provided by PSKs under certain assumptions, then it de
monstrates how violations of these assumptions lead to attacks. Advice for appli
cations to help meet these assumptions is provided. This document also discusses
PSK use cases and provisioning processes. Finally, it lists the privacy and sec
urity properties that are not provided by TLS 1.3 when external PSKs are used.</
t>
</abstract>
</front>
<seriesInfo name="RFC" value="9257"/>
<seriesInfo name="DOI" value="10.17487/RFC9257"/>
</reference>
<reference anchor="RFC9258" target="https://www.rfc-editor.org/info/rfc9
258" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9258.xml">
<front>
<title>Importing External Pre-Shared Keys (PSKs) for TLS 1.3</title>
<author fullname="D. Benjamin" initials="D." surname="Benjamin"/>
<author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
<date month="July" year="2022"/>
<abstract>
<t>This document describes an interface for importing external Pre
-Shared Keys (PSKs) into TLS 1.3.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9258"/>
<seriesInfo name="DOI" value="10.17487/RFC9258"/>
</reference>
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D
.ietf-netconf-tcp-client-server.xml"/>
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D
.ietf-netconf-ssh-client-server.xml"/>
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D
.ietf-netconf-tls-client-server.xml"/>
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D
.ietf-netconf-http-client-server.xml"/>
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D
.ietf-netconf-netconf-client-server.xml"/>
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D
.ietf-netconf-restconf-client-server.xml"/>
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D
.ietf-netmod-system-config.xml"/>
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D
.ietf-netmod-rfc8407bis.xml"/>
<reference anchor="IANA-CIPHER-ALGS" target="https://www.iana.org/assign
ments/tls-parameters/tls-parameters.xhtml#tls-parameters-4">
<front> <front>
<title>IANA "TLS Cipher Suites" Sub-registry of the "Transport Layer <title>TLS Cipher Suites</title>
Security (TLS) Parameters" Registry</title> <author>
<author fullname="Internet Assigned Numbers Authority (IANA)"/> <organization>IANA</organization>
</author>
</front> </front>
</reference> </reference>
<reference anchor="IANA-YANG-PARAMETERS" target="https://www.iana.org/as signments/yang-parameters"> <reference anchor="IANA-YANG-PARAMETERS" target="https://www.iana.org/as signments/yang-parameters">
<front> <front>
<title>YANG Parameters</title> <title>YANG Parameters</title>
<author> <author>
<organization/> <organization>IANA</organization>
</author> </author>
<date>n.d.</date>
</front> </front>
</reference> </reference>
</references>
</references>
</references> </references>
<section anchor="iana-script"> <section anchor="iana-script">
<name>Script to Generate IANA-Maintained YANG Modules</name> <name>Script to Generate IANA-Maintained YANG Modules</name>
<t>This section is not Normative.</t> <t>This section is not normative.</t>
<t>The Python <eref target="https://www.python.org"/> script contained in
this <!--[rfced] Should this sentence be updated because Appendix A.1 has been remove
section will create the IANA-maintained module described in this docume d per the note? Perhaps the text should refer to Section 6.3 or [IANA-YANG-PARA
nt.</t> METERS]? Note that we would make similar a update in RFC-to-be 9644.
<t>Run the script using the command `python gen-yang-modules.py`, to produ
ce the Original:
The Python https://www.python.org script contained in this section
will create the IANA-maintained module described in this document.
Perhaps:
The Python <https://www.python.org> script contained in this section
was used to create the initial IANA-maintained "iana-tls-cipher-suite-algs" Y
ANG
module maintained at [IANA-YANG-PARAMETERS].
-->
<t>The Python <eref target="https://www.python.org" brackets="angle"/> scr
ipt contained in this
section will create the IANA-maintained module described in this documen
t.</t>
<t>Run the script using the command 'python gen-yang-modules.py' to produc
e the
YANG module file in the current directory.</t> YANG module file in the current directory.</t>
<t>Be aware that the script does not attempt to copy the "revision" statem ents <t>Be aware that the script does not attempt to copy the "revision" statem ents
from the previous/current YANG module. Copying the revision statements must from the previous/current YANG module. Copying the revision statements must
be done manually.</t> be done manually.</t>
<!--[rfced] Appendix A. Should "hypenated_name" be "hyphenated_name"
in the following?
Original:
\tls-parameters-4.csv",
"spaced_name": "cipher-suite",
"hypenated_name": "cipher-suite",
"prefix": "tlscsa",
Perhaps:
\tls-parameters-4.csv",
"spaced_name": "cipher-suite",
"hyphenated_name": "cipher-suite",
"prefix": "tlscsa",
-->
<sourcecode type="python" markers="true"><![CDATA[ <sourcecode type="python" markers="true"><![CDATA[
=============== NOTE: '\\' line wrapping per RFC 8792 =============== =============== NOTE: '\\' line wrapping per RFC 8792 ===============
import re import re
import csv import csv
import requests import requests
import textwrap import textwrap
import requests_cache import requests_cache
from io import StringIO from io import StringIO
from datetime import datetime from datetime import datetime
skipping to change at line 3405 skipping to change at line 3231
organization organization
"Internet Assigned Numbers Authority (IANA)"; "Internet Assigned Numbers Authority (IANA)";
contact contact
"Postal: ICANN "Postal: ICANN
12025 Waterfront Drive, Suite 300 12025 Waterfront Drive, Suite 300
Los Angeles, CA 90094-2536 Los Angeles, CA 90094-2536
United States of America United States of America
Tel: +1 310 301 5800 Tel: +1 310 301 5800
Email: iana@iana.org"; Email: <iana@iana.org>";
description description
"This module defines enumerations for the Cipher Suite "This module defines enumerations for the cipher suite
algorithms defined in the 'TLS Cipher Suites' sub-registry algorithms defined in the 'TLS Cipher Suites' registry
of the 'Transport Layer Security (TLS) Parameters' registry under the 'Transport Layer Security (TLS) Parameters'
maintained by IANA. registry group maintained by IANA.
Copyright (c) YEAR IETF Trust and the persons identified as Copyright (c) 2024 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Revised subject to the license terms contained in, the Revised
BSD License set forth in Section 4.c of the IETF Trust's BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info). (https://trustee.ietf.org/license-info).
The initial version of this YANG module is part of RFC FFFF The initial version of this YANG module is part of RFC 9645
(https://www.rfc-editor.org/info/rfcFFFF); see the RFC (https://www.rfc-editor.org/info/rfc9645); see the RFC
itself for full legal notices. itself for full legal notices.
All versions of this module are published by IANA at All versions of this module are published by IANA
https://www.iana.org/assignments/yang-parameters."; (https://www.iana.org/assignments/yang-parameters).";
revision DATE { revision DATE {
description description
"This initial version of the module was created using "This initial version of the module was created using
the script defined in RFC FFFF to reflect the contents the script defined in RFC 9645 to reflect the contents
of the SNAME algorithms registry maintained by IANA."; of the SNAME algorithms registry maintained by IANA.";
reference reference
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; "RFC 9645: YANG Groupings for TLS Clients and TLS Servers";
} }
typedef tls-HNAME-algorithm { typedef tls-HNAME-algorithm {
type enumeration { type enumeration {
""" """
# Replacements # Replacements
rep = { rep = {
"DATE": datetime.today().strftime('%Y-%m-%d'), "DATE": datetime.today().strftime('%Y-%m-%d'),
"YEAR": datetime.today().strftime('%Y'), "YEAR": datetime.today().strftime('%Y'),
"SNAME": module["spaced_name"], "SNAME": module["spaced_name"],
skipping to change at line 3521 skipping to change at line 3347
\1>', item) \1>', item)
if title.startswith("ECDHE\_PSK"): if title.startswith("ECDHE\_PSK"):
title = re.sub("ECDHE\\\\_PSK", \ title = re.sub("ECDHE\\\\_PSK", \
\"ECDHE_PSK", title) \"ECDHE_PSK", title)
titles.append(re.sub('.*{{(.*)}}.*',\ titles.append(re.sub('.*{{(.*)}}.*',\
\ r'\g<1>', title)) \ r'\g<1>', title))
break break
else: else:
raise Exception("RFC title not found") raise Exception("RFC title not found")
# Insert a space: "RFCXXXX" --> "RFC XXXX" # Insert a space: "RFC9645" --> "RFC 9645"
index = refs.index(ref) index = refs.index(ref)
refs[index] = "RFC " + ref[3:] refs[index] = "RFC " + ref[3:]
elif ref == "IESG Action 2018-08-16": elif ref == "IESG Action 2018-08-16":
# Rewrite the ref value # Rewrite the ref value
index = refs.index(ref) index = refs.index(ref)
refs[index] = "IESG Action" refs[index] = "IESG Action"
# Let title be something descriptive # Let title be something descriptive
titles.append("IESG Action 2018-08-16") titles.append("IESG Action 2018-08-16")
elif ref == "draft-irtf-cfrg-aegis-aead-08": elif ref == "draft-irtf-cfrg-aegis-aead-08":
# Manually set the draft's title # Manually set the document's title
titles.append("The AEGIS Family of Authentic\ titles.append("The AEGIS Family of Authentic\
\ated Encryption Algorithms") \ated Encryption Algorithms")
elif ref: elif ref:
raise Exception(f'ref "{ref}" not found') raise Exception(f'ref "{ref}" not found')
else: else:
raise Exception(f'ref missing: {row}') raise Exception(f'ref missing: {row}')
# Write out the enum # Write out the enum
skipping to change at line 3592 skipping to change at line 3418
\algorithms.";\n') \algorithms.";\n')
f.write(" }\n") f.write(" }\n")
f.write('\n') f.write('\n')
f.write('}\n') f.write('}\n')
def create_module(module): def create_module(module):
# Install cache for 8x speedup # Install cache for 8x speedup
requests_cache.install_cache() requests_cache.install_cache()
# Ascertain yang module's name # Ascertain the yang module's name
yang_module_name = "iana-tls-" + module["hypenated_name"] + "-al\ yang_module_name = "iana-tls-" + module["hypenated_name"] + "-al\
\gs.yang" \gs.yang"
# Create yang module file # Create yang module file
with open(yang_module_name, "w") as f: with open(yang_module_name, "w") as f:
create_module_begin(module, f) create_module_begin(module, f)
create_module_body(module, f) create_module_body(module, f)
create_module_end(module, f) create_module_end(module, f)
def main(): def main():
for module in MODULES: for module in MODULES:
create_module(module) create_module(module)
if __name__ == "__main__": if __name__ == "__main__":
main() main()
]]></sourcecode> ]]></sourcecode>
<section anchor="tls-cipher-algs-model"> </section>
<name>Initial Module for the "TLS Cipher Suites" Registry</name>
<t>Following are the complete contents to the initial IANA-maintained YA
NG module.
Please note that the date "2024-03-16" reflects the day on which the
extraction
occurred. Applications SHOULD use the IANA-maintained module, not t
he module
defined in this draft.</t>
<t>This YANG module has normative references to <xref target="RFC2712"/>
,
<xref target="RFC4162"/>, <xref target="RFC4279"/>, <xref target="RFC4
346"/>,
<xref target="RFC4785"/>, <xref target="RFC5054"/>, <xref target="RFC5
246"/>,
<xref target="RFC5288"/>, <xref target="RFC5289"/>, <xref target="RFC5
469"/>,
<xref target="RFC5487"/>, <xref target="RFC5489"/>, <xref target="RFC5
746"/>,
<xref target="RFC5932"/>, <xref target="RFC6209"/>, <xref target="RFC6
367"/>,
<xref target="RFC6655"/>, <xref target="RFC7251"/>, <xref target="RFC7
507"/>,
<xref target="RFC7905"/>, <xref target="RFC8422"/>, <xref target="RFC8
442"/>,
<xref target="RFC8446"/>, <xref target="RFC8492"/>, <xref target="RFC8
998"/>,
<xref target="RFC9150"/>, <xref target="RFC9189"/>, and <xref target="
RFC8340"/>.</t>
<t keepWithNext="true">&lt;CODE BEGINS&gt; file "iana-tls-cipher-suite-a
lgs@2024-03-16.yang"</t>
<artwork><![CDATA[
module iana-tls-cipher-suite-algs {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:iana-tls-cipher-suite-algs";
prefix tlscsa;
organization
"Internet Assigned Numbers Authority (IANA)";
contact
"Postal: ICANN
12025 Waterfront Drive, Suite 300
Los Angeles, CA 90094-2536
United States of America
Tel: +1 310 301 5800
Email: iana@iana.org";
description
"This module defines enumerations for the Cipher Suite
algorithms defined in the 'TLS Cipher Suites' sub-registry
of the 'Transport Layer Security (TLS) Parameters' registry
maintained by IANA.
Copyright (c) 2024 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Revised
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info).
The initial version of this YANG module is part of RFC FFFF <!--[rfced] Per the author's note, we removed Appendix A.1. Note that
(https://www.rfc-editor.org/info/rfcFFFF); see the RFC "Appendix A.1" is referenced three times in the running
itself for full legal notices. text. Should the first instances in the Abstract and Introduction
not include a pointer, or perhaps point to Section 6.3 or Appendix A
(instead of Appendix A.1)? Note that we removed the sentence in Section 6.3.
All versions of this module are published by IANA at Original:
https://www.iana.org/assignments/yang-parameters."; (Abstract and Introduction)
The IANA module is iana-tls-cipher-suite-algs (Appendix A.1). This
module defines YANG enumerations providing support for an
IANA-maintained algorithm registry.
revision 2024-03-16 { (Section 6.3)
description An initial version of this module can be found in Appendix A.1.
"This initial version of the module was created using
the script defined in RFC FFFF to reflect the contents
of the cipher-suite algorithms registry maintained by IANA.";
reference
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers";
}
typedef tls-cipher-suite-algorithm { Current:
type enumeration { (Abstract and Introduction)
enum TLS_NULL_WITH_NULL_NULL { The IANA module is "iana-tls-cipher-suite-algs". This
status deprecated; module defines YANG enumerations that provide
description support for an IANA-maintained algorithm registry.
"Enumeration for the 'TLS_NULL_WITH_NULL_NULL' algorithm."; -->
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version
1.2";
}
enum TLS_RSA_WITH_NULL_MD5 {
status deprecated;
description
"Enumeration for the 'TLS_RSA_WITH_NULL_MD5' algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version
1.2";
}
enum TLS_RSA_WITH_NULL_SHA {
status deprecated;
description
"Enumeration for the 'TLS_RSA_WITH_NULL_SHA' algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version
1.2";
}
enum TLS_RSA_EXPORT_WITH_RC4_40_MD5 {
status deprecated;
description
"Enumeration for the 'TLS_RSA_EXPORT_WITH_RC4_40_MD5'
algorithm.";
reference
"RFC 4346:
The Transport Layer Security (TLS) Protocol Version 1.1
RFC 6347:
Datagram Transport Layer Security Version 1.2";
}
enum TLS_RSA_WITH_RC4_128_MD5 {
status deprecated;
description
"Enumeration for the 'TLS_RSA_WITH_RC4_128_MD5'
algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version 1.2
RFC 6347:
Datagram Transport Layer Security Version 1.2";
}
enum TLS_RSA_WITH_RC4_128_SHA {
status deprecated;
description
"Enumeration for the 'TLS_RSA_WITH_RC4_128_SHA'
algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version 1.2
RFC 6347:
Datagram Transport Layer Security Version 1.2";
}
enum TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 {
status deprecated;
description
"Enumeration for the 'TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5'
algorithm.";
reference
"RFC 4346:
The Transport Layer Security (TLS) Protocol Version
1.1";
}
enum TLS_RSA_WITH_IDEA_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_RSA_WITH_IDEA_CBC_SHA'
algorithm.";
reference
"RFC 8996:
Deprecating TLS 1.0 and TLS 1.1";
}
enum TLS_RSA_EXPORT_WITH_DES40_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_RSA_EXPORT_WITH_DES40_CBC_SHA'
algorithm.";
reference
"RFC 4346:
The Transport Layer Security (TLS) Protocol Version
1.1";
}
enum TLS_RSA_WITH_DES_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_RSA_WITH_DES_CBC_SHA'
algorithm.";
reference
"RFC 8996:
Deprecating TLS 1.0 and TLS 1.1";
}
enum TLS_RSA_WITH_3DES_EDE_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version
1.2";
}
enum TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA'
algorithm.";
reference
"RFC 4346:
The Transport Layer Security (TLS) Protocol Version
1.1";
}
enum TLS_DH_DSS_WITH_DES_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DH_DSS_WITH_DES_CBC_SHA'
algorithm.";
reference
"RFC 8996:
Deprecating TLS 1.0 and TLS 1.1";
}
enum TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA'
algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version
1.2";
}
enum TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA'
algorithm.";
reference
"RFC 4346:
The Transport Layer Security (TLS) Protocol Version
1.1";
}
enum TLS_DH_RSA_WITH_DES_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DH_RSA_WITH_DES_CBC_SHA'
algorithm.";
reference
"RFC 8996:
Deprecating TLS 1.0 and TLS 1.1";
}
enum TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA'
algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version
1.2";
}
enum TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA {
status deprecated;
description
"Enumeration for the
'TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA' algorithm.";
reference
"RFC 4346:
The Transport Layer Security (TLS) Protocol Version
1.1";
}
enum TLS_DHE_DSS_WITH_DES_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DHE_DSS_WITH_DES_CBC_SHA'
algorithm.";
reference
"RFC 8996:
Deprecating TLS 1.0 and TLS 1.1";
}
enum TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA'
algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version
1.2";
}
enum TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA {
status deprecated;
description
"Enumeration for the
'TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA' algorithm.";
reference
"RFC 4346:
The Transport Layer Security (TLS) Protocol Version
1.1";
}
enum TLS_DHE_RSA_WITH_DES_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DHE_RSA_WITH_DES_CBC_SHA'
algorithm.";
reference
"RFC 8996:
Deprecating TLS 1.0 and TLS 1.1";
}
enum TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA'
algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version
1.2";
}
enum TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 {
status deprecated;
description
"Enumeration for the 'TLS_DH_anon_EXPORT_WITH_RC4_40_MD5'
algorithm.";
reference
"RFC 4346:
The Transport Layer Security (TLS) Protocol Version 1.1
RFC 6347:
Datagram Transport Layer Security Version 1.2";
}
enum TLS_DH_anon_WITH_RC4_128_MD5 {
status deprecated;
description
"Enumeration for the 'TLS_DH_anon_WITH_RC4_128_MD5'
algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version 1.2
RFC 6347:
Datagram Transport Layer Security Version 1.2";
}
enum TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA {
status deprecated;
description
"Enumeration for the
'TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA' algorithm.";
reference
"RFC 4346:
The Transport Layer Security (TLS) Protocol Version
1.1";
}
enum TLS_DH_anon_WITH_DES_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DH_anon_WITH_DES_CBC_SHA'
algorithm.";
reference
"RFC 8996:
Deprecating TLS 1.0 and TLS 1.1";
}
enum TLS_DH_anon_WITH_3DES_EDE_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DH_anon_WITH_3DES_EDE_CBC_SHA'
algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version
1.2";
}
enum TLS_KRB5_WITH_DES_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_KRB5_WITH_DES_CBC_SHA'
algorithm.";
reference
"RFC 2712:
Addition of Kerberos Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_KRB5_WITH_3DES_EDE_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_KRB5_WITH_3DES_EDE_CBC_SHA'
algorithm.";
reference
"RFC 2712:
Addition of Kerberos Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_KRB5_WITH_RC4_128_SHA {
status deprecated;
description
"Enumeration for the 'TLS_KRB5_WITH_RC4_128_SHA'
algorithm.";
reference
"RFC 2712:
Addition of Kerberos Cipher Suites to Transport Layer
Security (TLS)
RFC 6347:
Datagram Transport Layer Security Version 1.2";
}
enum TLS_KRB5_WITH_IDEA_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_KRB5_WITH_IDEA_CBC_SHA'
algorithm.";
reference
"RFC 2712:
Addition of Kerberos Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_KRB5_WITH_DES_CBC_MD5 {
status deprecated;
description
"Enumeration for the 'TLS_KRB5_WITH_DES_CBC_MD5'
algorithm.";
reference
"RFC 2712:
Addition of Kerberos Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_KRB5_WITH_3DES_EDE_CBC_MD5 {
status deprecated;
description
"Enumeration for the 'TLS_KRB5_WITH_3DES_EDE_CBC_MD5'
algorithm.";
reference
"RFC 2712:
Addition of Kerberos Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_KRB5_WITH_RC4_128_MD5 {
status deprecated;
description
"Enumeration for the 'TLS_KRB5_WITH_RC4_128_MD5'
algorithm.";
reference
"RFC 2712:
Addition of Kerberos Cipher Suites to Transport Layer
Security (TLS)
RFC 6347:
Datagram Transport Layer Security Version 1.2";
}
enum TLS_KRB5_WITH_IDEA_CBC_MD5 {
status deprecated;
description
"Enumeration for the 'TLS_KRB5_WITH_IDEA_CBC_MD5'
algorithm.";
reference
"RFC 2712:
Addition of Kerberos Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA {
status deprecated;
description
"Enumeration for the 'TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA'
algorithm.";
reference
"RFC 2712:
Addition of Kerberos Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA {
status deprecated;
description
"Enumeration for the 'TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA'
algorithm.";
reference
"RFC 2712:
Addition of Kerberos Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_KRB5_EXPORT_WITH_RC4_40_SHA {
status deprecated;
description
"Enumeration for the 'TLS_KRB5_EXPORT_WITH_RC4_40_SHA'
algorithm.";
reference
"RFC 2712:
Addition of Kerberos Cipher Suites to Transport Layer
Security (TLS)
RFC 6347:
Datagram Transport Layer Security Version 1.2";
}
enum TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 {
status deprecated;
description
"Enumeration for the 'TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5'
algorithm.";
reference
"RFC 2712:
Addition of Kerberos Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 {
status deprecated;
description
"Enumeration for the 'TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5'
algorithm.";
reference
"RFC 2712:
Addition of Kerberos Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_KRB5_EXPORT_WITH_RC4_40_MD5 {
status deprecated;
description
"Enumeration for the 'TLS_KRB5_EXPORT_WITH_RC4_40_MD5'
algorithm.";
reference
"RFC 2712:
Addition of Kerberos Cipher Suites to Transport Layer
Security (TLS)
RFC 6347:
Datagram Transport Layer Security Version 1.2";
}
enum TLS_PSK_WITH_NULL_SHA {
status deprecated;
description
"Enumeration for the 'TLS_PSK_WITH_NULL_SHA' algorithm.";
reference
"RFC 4785:
Pre-Shared Key (PSK) Ciphersuites with NULL Encryption
for Transport Layer Security (TLS)";
}
enum TLS_DHE_PSK_WITH_NULL_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DHE_PSK_WITH_NULL_SHA'
algorithm.";
reference
"RFC 4785:
Pre-Shared Key (PSK) Ciphersuites with NULL Encryption
for Transport Layer Security (TLS)";
}
enum TLS_RSA_PSK_WITH_NULL_SHA {
status deprecated;
description
"Enumeration for the 'TLS_RSA_PSK_WITH_NULL_SHA'
algorithm.";
reference
"RFC 4785:
Pre-Shared Key (PSK) Ciphersuites with NULL Encryption
for Transport Layer Security (TLS)";
}
enum TLS_RSA_WITH_AES_128_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_RSA_WITH_AES_128_CBC_SHA'
algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version
1.2";
}
enum TLS_DH_DSS_WITH_AES_128_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DH_DSS_WITH_AES_128_CBC_SHA'
algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version
1.2";
}
enum TLS_DH_RSA_WITH_AES_128_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DH_RSA_WITH_AES_128_CBC_SHA'
algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version
1.2";
}
enum TLS_DHE_DSS_WITH_AES_128_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DHE_DSS_WITH_AES_128_CBC_SHA'
algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version
1.2";
}
enum TLS_DHE_RSA_WITH_AES_128_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA'
algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version
1.2";
}
enum TLS_DH_anon_WITH_AES_128_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DH_anon_WITH_AES_128_CBC_SHA'
algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version
1.2";
}
enum TLS_RSA_WITH_AES_256_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_RSA_WITH_AES_256_CBC_SHA'
algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version
1.2";
}
enum TLS_DH_DSS_WITH_AES_256_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DH_DSS_WITH_AES_256_CBC_SHA'
algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version
1.2";
}
enum TLS_DH_RSA_WITH_AES_256_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DH_RSA_WITH_AES_256_CBC_SHA'
algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version
1.2";
}
enum TLS_DHE_DSS_WITH_AES_256_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DHE_DSS_WITH_AES_256_CBC_SHA'
algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version
1.2";
}
enum TLS_DHE_RSA_WITH_AES_256_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA'
algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version
1.2";
}
enum TLS_DH_anon_WITH_AES_256_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DH_anon_WITH_AES_256_CBC_SHA'
algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version
1.2";
}
enum TLS_RSA_WITH_NULL_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_RSA_WITH_NULL_SHA256'
algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version
1.2";
}
enum TLS_RSA_WITH_AES_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_RSA_WITH_AES_128_CBC_SHA256'
algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version
1.2";
}
enum TLS_RSA_WITH_AES_256_CBC_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_RSA_WITH_AES_256_CBC_SHA256'
algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version
1.2";
}
enum TLS_DH_DSS_WITH_AES_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_DH_DSS_WITH_AES_128_CBC_SHA256'
algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version
1.2";
}
enum TLS_DH_RSA_WITH_AES_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_DH_RSA_WITH_AES_128_CBC_SHA256'
algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version
1.2";
}
enum TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256'
algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version
1.2";
}
enum TLS_RSA_WITH_CAMELLIA_128_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA'
algorithm.";
reference
"RFC 5932:
Camellia Cipher Suites for TLS";
}
enum TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA'
algorithm.";
reference
"RFC 5932:
Camellia Cipher Suites for TLS";
}
enum TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA'
algorithm.";
reference
"RFC 5932:
Camellia Cipher Suites for TLS";
}
enum TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA {
status deprecated;
description
"Enumeration for the
'TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA' algorithm.";
reference
"RFC 5932:
Camellia Cipher Suites for TLS";
}
enum TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA {
status deprecated;
description
"Enumeration for the
'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA' algorithm.";
reference
"RFC 5932:
Camellia Cipher Suites for TLS";
}
enum TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA {
status deprecated;
description
"Enumeration for the
'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA' algorithm.";
reference
"RFC 5932:
Camellia Cipher Suites for TLS";
}
enum TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256'
algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version
1.2";
}
enum TLS_DH_DSS_WITH_AES_256_CBC_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_DH_DSS_WITH_AES_256_CBC_SHA256'
algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version
1.2";
}
enum TLS_DH_RSA_WITH_AES_256_CBC_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_DH_RSA_WITH_AES_256_CBC_SHA256'
algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version
1.2";
}
enum TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256'
algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version
1.2";
}
enum TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256'
algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version
1.2";
}
enum TLS_DH_anon_WITH_AES_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_DH_anon_WITH_AES_128_CBC_SHA256'
algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version
1.2";
}
enum TLS_DH_anon_WITH_AES_256_CBC_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_DH_anon_WITH_AES_256_CBC_SHA256'
algorithm.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version
1.2";
}
enum TLS_RSA_WITH_CAMELLIA_256_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA'
algorithm.";
reference
"RFC 5932:
Camellia Cipher Suites for TLS";
}
enum TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA'
algorithm.";
reference
"RFC 5932:
Camellia Cipher Suites for TLS";
}
enum TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA'
algorithm.";
reference
"RFC 5932:
Camellia Cipher Suites for TLS";
}
enum TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA {
status deprecated;
description
"Enumeration for the
'TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA' algorithm.";
reference
"RFC 5932:
Camellia Cipher Suites for TLS";
}
enum TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA {
status deprecated;
description
"Enumeration for the
'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA' algorithm.";
reference
"RFC 5932:
Camellia Cipher Suites for TLS";
}
enum TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA {
status deprecated;
description
"Enumeration for the
'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA' algorithm.";
reference
"RFC 5932:
Camellia Cipher Suites for TLS";
}
enum TLS_PSK_WITH_RC4_128_SHA {
status deprecated;
description
"Enumeration for the 'TLS_PSK_WITH_RC4_128_SHA'
algorithm.";
reference
"RFC 4279:
Pre-Shared Key Ciphersuites for Transport Layer Security
(TLS)
RFC 6347:
Datagram Transport Layer Security Version 1.2";
}
enum TLS_PSK_WITH_3DES_EDE_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_PSK_WITH_3DES_EDE_CBC_SHA'
algorithm.";
reference
"RFC 4279:
Pre-Shared Key Ciphersuites for Transport Layer Security
(TLS)";
}
enum TLS_PSK_WITH_AES_128_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_PSK_WITH_AES_128_CBC_SHA'
algorithm.";
reference
"RFC 4279:
Pre-Shared Key Ciphersuites for Transport Layer Security
(TLS)";
}
enum TLS_PSK_WITH_AES_256_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_PSK_WITH_AES_256_CBC_SHA'
algorithm.";
reference
"RFC 4279:
Pre-Shared Key Ciphersuites for Transport Layer Security
(TLS)";
}
enum TLS_DHE_PSK_WITH_RC4_128_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DHE_PSK_WITH_RC4_128_SHA'
algorithm.";
reference
"RFC 4279:
Pre-Shared Key Ciphersuites for Transport Layer Security
(TLS)
RFC 6347:
Datagram Transport Layer Security Version 1.2";
}
enum TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA'
algorithm.";
reference
"RFC 4279:
Pre-Shared Key Ciphersuites for Transport Layer Security
(TLS)";
}
enum TLS_DHE_PSK_WITH_AES_128_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DHE_PSK_WITH_AES_128_CBC_SHA'
algorithm.";
reference
"RFC 4279:
Pre-Shared Key Ciphersuites for Transport Layer Security
(TLS)";
}
enum TLS_DHE_PSK_WITH_AES_256_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DHE_PSK_WITH_AES_256_CBC_SHA'
algorithm.";
reference
"RFC 4279:
Pre-Shared Key Ciphersuites for Transport Layer Security
(TLS)";
}
enum TLS_RSA_PSK_WITH_RC4_128_SHA {
status deprecated;
description
"Enumeration for the 'TLS_RSA_PSK_WITH_RC4_128_SHA'
algorithm.";
reference
"RFC 4279:
Pre-Shared Key Ciphersuites for Transport Layer Security
(TLS)
RFC 6347:
Datagram Transport Layer Security Version 1.2";
}
enum TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA'
algorithm.";
reference
"RFC 4279:
Pre-Shared Key Ciphersuites for Transport Layer Security
(TLS)";
}
enum TLS_RSA_PSK_WITH_AES_128_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_RSA_PSK_WITH_AES_128_CBC_SHA'
algorithm.";
reference
"RFC 4279:
Pre-Shared Key Ciphersuites for Transport Layer Security
(TLS)";
}
enum TLS_RSA_PSK_WITH_AES_256_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_RSA_PSK_WITH_AES_256_CBC_SHA'
algorithm.";
reference
"RFC 4279:
Pre-Shared Key Ciphersuites for Transport Layer Security
(TLS)";
}
enum TLS_RSA_WITH_SEED_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_RSA_WITH_SEED_CBC_SHA'
algorithm.";
reference
"RFC 4162:
Addition of SEED Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_DH_DSS_WITH_SEED_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DH_DSS_WITH_SEED_CBC_SHA'
algorithm.";
reference
"RFC 4162:
Addition of SEED Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_DH_RSA_WITH_SEED_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DH_RSA_WITH_SEED_CBC_SHA'
algorithm.";
reference
"RFC 4162:
Addition of SEED Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_DHE_DSS_WITH_SEED_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DHE_DSS_WITH_SEED_CBC_SHA'
algorithm.";
reference
"RFC 4162:
Addition of SEED Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_DHE_RSA_WITH_SEED_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DHE_RSA_WITH_SEED_CBC_SHA'
algorithm.";
reference
"RFC 4162:
Addition of SEED Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_DH_anon_WITH_SEED_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_DH_anon_WITH_SEED_CBC_SHA'
algorithm.";
reference
"RFC 4162:
Addition of SEED Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_RSA_WITH_AES_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_RSA_WITH_AES_128_GCM_SHA256'
algorithm.";
reference
"RFC 5288:
AES Galois Counter Mode (GCM) Cipher Suites for TLS";
}
enum TLS_RSA_WITH_AES_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_RSA_WITH_AES_256_GCM_SHA384'
algorithm.";
reference
"RFC 5288:
AES Galois Counter Mode (GCM) Cipher Suites for TLS";
}
enum TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 {
description
"Enumeration for the 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256'
algorithm.";
reference
"RFC 5288:
AES Galois Counter Mode (GCM) Cipher Suites for TLS";
}
enum TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 {
description
"Enumeration for the 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384'
algorithm.";
reference
"RFC 5288:
AES Galois Counter Mode (GCM) Cipher Suites for TLS";
}
enum TLS_DH_RSA_WITH_AES_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_DH_RSA_WITH_AES_128_GCM_SHA256'
algorithm.";
reference
"RFC 5288:
AES Galois Counter Mode (GCM) Cipher Suites for TLS";
}
enum TLS_DH_RSA_WITH_AES_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_DH_RSA_WITH_AES_256_GCM_SHA384'
algorithm.";
reference
"RFC 5288:
AES Galois Counter Mode (GCM) Cipher Suites for TLS";
}
enum TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_DHE_DSS_WITH_AES_128_GCM_SHA256'
algorithm.";
reference
"RFC 5288:
AES Galois Counter Mode (GCM) Cipher Suites for TLS";
}
enum TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_DHE_DSS_WITH_AES_256_GCM_SHA384'
algorithm.";
reference
"RFC 5288:
AES Galois Counter Mode (GCM) Cipher Suites for TLS";
}
enum TLS_DH_DSS_WITH_AES_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_DH_DSS_WITH_AES_128_GCM_SHA256'
algorithm.";
reference
"RFC 5288:
AES Galois Counter Mode (GCM) Cipher Suites for TLS";
}
enum TLS_DH_DSS_WITH_AES_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_DH_DSS_WITH_AES_256_GCM_SHA384'
algorithm.";
reference
"RFC 5288:
AES Galois Counter Mode (GCM) Cipher Suites for TLS";
}
enum TLS_DH_anon_WITH_AES_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_DH_anon_WITH_AES_128_GCM_SHA256'
algorithm.";
reference
"RFC 5288:
AES Galois Counter Mode (GCM) Cipher Suites for TLS";
}
enum TLS_DH_anon_WITH_AES_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_DH_anon_WITH_AES_256_GCM_SHA384'
algorithm.";
reference
"RFC 5288:
AES Galois Counter Mode (GCM) Cipher Suites for TLS";
}
enum TLS_PSK_WITH_AES_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_PSK_WITH_AES_128_GCM_SHA256'
algorithm.";
reference
"RFC 5487:
Pre-Shared Key Cipher Suites for TLS with SHA-256/384
and AES Galois Counter Mode";
}
enum TLS_PSK_WITH_AES_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_PSK_WITH_AES_256_GCM_SHA384'
algorithm.";
reference
"RFC 5487:
Pre-Shared Key Cipher Suites for TLS with SHA-256/384
and AES Galois Counter Mode";
}
enum TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 {
description
"Enumeration for the 'TLS_DHE_PSK_WITH_AES_128_GCM_SHA256'
algorithm.";
reference
"RFC 5487:
Pre-Shared Key Cipher Suites for TLS with SHA-256/384
and AES Galois Counter Mode";
}
enum TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 {
description
"Enumeration for the 'TLS_DHE_PSK_WITH_AES_256_GCM_SHA384'
algorithm.";
reference
"RFC 5487:
Pre-Shared Key Cipher Suites for TLS with SHA-256/384
and AES Galois Counter Mode";
}
enum TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_RSA_PSK_WITH_AES_128_GCM_SHA256'
algorithm.";
reference
"RFC 5487:
Pre-Shared Key Cipher Suites for TLS with SHA-256/384
and AES Galois Counter Mode";
}
enum TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_RSA_PSK_WITH_AES_256_GCM_SHA384'
algorithm.";
reference
"RFC 5487:
Pre-Shared Key Cipher Suites for TLS with SHA-256/384
and AES Galois Counter Mode";
}
enum TLS_PSK_WITH_AES_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_PSK_WITH_AES_128_CBC_SHA256'
algorithm.";
reference
"RFC 5487:
Pre-Shared Key Cipher Suites for TLS with SHA-256/384
and AES Galois Counter Mode";
}
enum TLS_PSK_WITH_AES_256_CBC_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_PSK_WITH_AES_256_CBC_SHA384'
algorithm.";
reference
"RFC 5487:
Pre-Shared Key Cipher Suites for TLS with SHA-256/384
and AES Galois Counter Mode";
}
enum TLS_PSK_WITH_NULL_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_PSK_WITH_NULL_SHA256'
algorithm.";
reference
"RFC 5487:
Pre-Shared Key Cipher Suites for TLS with SHA-256/384
and AES Galois Counter Mode";
}
enum TLS_PSK_WITH_NULL_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_PSK_WITH_NULL_SHA384'
algorithm.";
reference
"RFC 5487:
Pre-Shared Key Cipher Suites for TLS with SHA-256/384
and AES Galois Counter Mode";
}
enum TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_DHE_PSK_WITH_AES_128_CBC_SHA256'
algorithm.";
reference
"RFC 5487:
Pre-Shared Key Cipher Suites for TLS with SHA-256/384
and AES Galois Counter Mode";
}
enum TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_DHE_PSK_WITH_AES_256_CBC_SHA384'
algorithm.";
reference
"RFC 5487:
Pre-Shared Key Cipher Suites for TLS with SHA-256/384
and AES Galois Counter Mode";
}
enum TLS_DHE_PSK_WITH_NULL_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_DHE_PSK_WITH_NULL_SHA256'
algorithm.";
reference
"RFC 5487:
Pre-Shared Key Cipher Suites for TLS with SHA-256/384
and AES Galois Counter Mode";
}
enum TLS_DHE_PSK_WITH_NULL_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_DHE_PSK_WITH_NULL_SHA384'
algorithm.";
reference
"RFC 5487:
Pre-Shared Key Cipher Suites for TLS with SHA-256/384
and AES Galois Counter Mode";
}
enum TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_RSA_PSK_WITH_AES_128_CBC_SHA256'
algorithm.";
reference
"RFC 5487:
Pre-Shared Key Cipher Suites for TLS with SHA-256/384
and AES Galois Counter Mode";
}
enum TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_RSA_PSK_WITH_AES_256_CBC_SHA384'
algorithm.";
reference
"RFC 5487:
Pre-Shared Key Cipher Suites for TLS with SHA-256/384
and AES Galois Counter Mode";
}
enum TLS_RSA_PSK_WITH_NULL_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_RSA_PSK_WITH_NULL_SHA256'
algorithm.";
reference
"RFC 5487:
Pre-Shared Key Cipher Suites for TLS with SHA-256/384
and AES Galois Counter Mode";
}
enum TLS_RSA_PSK_WITH_NULL_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_RSA_PSK_WITH_NULL_SHA384'
algorithm.";
reference
"RFC 5487:
Pre-Shared Key Cipher Suites for TLS with SHA-256/384
and AES Galois Counter Mode";
}
enum TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256'
algorithm.";
reference
"RFC 5932:
Camellia Cipher Suites for TLS";
}
enum TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256' algorithm.";
reference
"RFC 5932:
Camellia Cipher Suites for TLS";
}
enum TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256' algorithm.";
reference
"RFC 5932:
Camellia Cipher Suites for TLS";
}
enum TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256' algorithm.";
reference
"RFC 5932:
Camellia Cipher Suites for TLS";
}
enum TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256' algorithm.";
reference
"RFC 5932:
Camellia Cipher Suites for TLS";
}
enum TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256' algorithm.";
reference
"RFC 5932:
Camellia Cipher Suites for TLS";
}
enum TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256'
algorithm.";
reference
"RFC 5932:
Camellia Cipher Suites for TLS";
}
enum TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256' algorithm.";
reference
"RFC 5932:
Camellia Cipher Suites for TLS";
}
enum TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256' algorithm.";
reference
"RFC 5932:
Camellia Cipher Suites for TLS";
}
enum TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256' algorithm.";
reference
"RFC 5932:
Camellia Cipher Suites for TLS";
}
enum TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256' algorithm.";
reference
"RFC 5932:
Camellia Cipher Suites for TLS";
}
enum TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256' algorithm.";
reference
"RFC 5932:
Camellia Cipher Suites for TLS";
}
enum TLS_SM4_GCM_SM3 {
status deprecated;
description
"Enumeration for the 'TLS_SM4_GCM_SM3' algorithm.";
reference
"RFC 8998:
ShangMi (SM) Cipher Suites for TLS 1.3";
}
enum TLS_SM4_CCM_SM3 {
status deprecated;
description
"Enumeration for the 'TLS_SM4_CCM_SM3' algorithm.";
reference
"RFC 8998:
ShangMi (SM) Cipher Suites for TLS 1.3";
}
enum TLS_EMPTY_RENEGOTIATION_INFO_SCSV {
status deprecated;
description
"Enumeration for the 'TLS_EMPTY_RENEGOTIATION_INFO_SCSV'
algorithm.";
reference
"RFC 5746:
Transport Layer Security (TLS) Renegotiation Indication
Extension";
}
enum TLS_AES_128_GCM_SHA256 {
description
"Enumeration for the 'TLS_AES_128_GCM_SHA256' algorithm.";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol Version
1.3";
}
enum TLS_AES_256_GCM_SHA384 {
description
"Enumeration for the 'TLS_AES_256_GCM_SHA384' algorithm.";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol Version
1.3";
}
enum TLS_CHACHA20_POLY1305_SHA256 {
description
"Enumeration for the 'TLS_CHACHA20_POLY1305_SHA256'
algorithm.";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol Version
1.3";
}
enum TLS_AES_128_CCM_SHA256 {
description
"Enumeration for the 'TLS_AES_128_CCM_SHA256' algorithm.";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol Version
1.3";
}
enum TLS_AES_128_CCM_8_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_AES_128_CCM_8_SHA256'
algorithm.";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3
IESG Action:
IESG Action 2018-08-16";
}
enum TLS_AEGIS_256_SHA512 {
status deprecated;
description
"Enumeration for the 'TLS_AEGIS_256_SHA512' algorithm.";
reference
"draft-irtf-cfrg-aegis-aead-08:
The AEGIS Family of Authenticated Encryption
Algorithms";
}
enum TLS_AEGIS_128L_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_AEGIS_128L_SHA256' algorithm.";
reference
"draft-irtf-cfrg-aegis-aead-08:
The AEGIS Family of Authenticated Encryption
Algorithms";
}
enum TLS_FALLBACK_SCSV {
status deprecated;
description
"Enumeration for the 'TLS_FALLBACK_SCSV' algorithm.";
reference
"RFC 7507:
TLS Fallback Signaling Cipher Suite Value (SCSV) for
Preventing Protocol Downgrade Attacks";
}
enum TLS_ECDH_ECDSA_WITH_NULL_SHA {
status deprecated;
description
"Enumeration for the 'TLS_ECDH_ECDSA_WITH_NULL_SHA'
algorithm.";
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and
Earlier";
}
enum TLS_ECDH_ECDSA_WITH_RC4_128_SHA {
status deprecated;
description
"Enumeration for the 'TLS_ECDH_ECDSA_WITH_RC4_128_SHA'
algorithm.";
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and Earlier
RFC 6347:
Datagram Transport Layer Security Version 1.2";
}
enum TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA'
algorithm.";
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and
Earlier";
}
enum TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA'
algorithm.";
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and
Earlier";
}
enum TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA'
algorithm.";
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and
Earlier";
}
enum TLS_ECDHE_ECDSA_WITH_NULL_SHA {
status deprecated;
description
"Enumeration for the 'TLS_ECDHE_ECDSA_WITH_NULL_SHA'
algorithm.";
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and
Earlier";
}
enum TLS_ECDHE_ECDSA_WITH_RC4_128_SHA {
status deprecated;
description
"Enumeration for the 'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA'
algorithm.";
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and Earlier
RFC 6347:
Datagram Transport Layer Security Version 1.2";
}
enum TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA {
status deprecated;
description
"Enumeration for the
'TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA' algorithm.";
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and
Earlier";
}
enum TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA'
algorithm.";
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and
Earlier";
}
enum TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA'
algorithm.";
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and
Earlier";
}
enum TLS_ECDH_RSA_WITH_NULL_SHA {
status deprecated;
description
"Enumeration for the 'TLS_ECDH_RSA_WITH_NULL_SHA'
algorithm.";
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and
Earlier";
}
enum TLS_ECDH_RSA_WITH_RC4_128_SHA {
status deprecated;
description
"Enumeration for the 'TLS_ECDH_RSA_WITH_RC4_128_SHA'
algorithm.";
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and Earlier
RFC 6347:
Datagram Transport Layer Security Version 1.2";
}
enum TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA'
algorithm.";
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and
Earlier";
}
enum TLS_ECDH_RSA_WITH_AES_128_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_ECDH_RSA_WITH_AES_128_CBC_SHA'
algorithm.";
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and
Earlier";
}
enum TLS_ECDH_RSA_WITH_AES_256_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_ECDH_RSA_WITH_AES_256_CBC_SHA'
algorithm.";
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and
Earlier";
}
enum TLS_ECDHE_RSA_WITH_NULL_SHA {
status deprecated;
description
"Enumeration for the 'TLS_ECDHE_RSA_WITH_NULL_SHA'
algorithm.";
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and
Earlier";
}
enum TLS_ECDHE_RSA_WITH_RC4_128_SHA {
status deprecated;
description
"Enumeration for the 'TLS_ECDHE_RSA_WITH_RC4_128_SHA'
algorithm.";
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and Earlier
RFC 6347:
Datagram Transport Layer Security Version 1.2";
}
enum TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA'
algorithm.";
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and
Earlier";
}
enum TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA'
algorithm.";
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and
Earlier";
}
enum TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA'
algorithm.";
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and
Earlier";
}
enum TLS_ECDH_anon_WITH_NULL_SHA {
status deprecated;
description
"Enumeration for the 'TLS_ECDH_anon_WITH_NULL_SHA'
algorithm.";
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and
Earlier";
}
enum TLS_ECDH_anon_WITH_RC4_128_SHA {
status deprecated;
description
"Enumeration for the 'TLS_ECDH_anon_WITH_RC4_128_SHA'
algorithm.";
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and Earlier
RFC 6347:
Datagram Transport Layer Security Version 1.2";
}
enum TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA'
algorithm.";
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and
Earlier";
}
enum TLS_ECDH_anon_WITH_AES_128_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_ECDH_anon_WITH_AES_128_CBC_SHA'
algorithm.";
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and
Earlier";
}
enum TLS_ECDH_anon_WITH_AES_256_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_ECDH_anon_WITH_AES_256_CBC_SHA'
algorithm.";
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and
Earlier";
}
enum TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA'
algorithm.";
reference
"RFC 5054:
Using the Secure Remote Password (SRP) Protocol for TLS
Authentication";
}
enum TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA {
status deprecated;
description
"Enumeration for the
'TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA' algorithm.";
reference
"RFC 5054:
Using the Secure Remote Password (SRP) Protocol for TLS
Authentication";
}
enum TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA {
status deprecated;
description
"Enumeration for the
'TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA' algorithm.";
reference
"RFC 5054:
Using the Secure Remote Password (SRP) Protocol for TLS
Authentication";
}
enum TLS_SRP_SHA_WITH_AES_128_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_SRP_SHA_WITH_AES_128_CBC_SHA'
algorithm.";
reference
"RFC 5054:
Using the Secure Remote Password (SRP) Protocol for TLS
Authentication";
}
enum TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA'
algorithm.";
reference
"RFC 5054:
Using the Secure Remote Password (SRP) Protocol for TLS
Authentication";
}
enum TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA'
algorithm.";
reference
"RFC 5054:
Using the Secure Remote Password (SRP) Protocol for TLS
Authentication";
}
enum TLS_SRP_SHA_WITH_AES_256_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_SRP_SHA_WITH_AES_256_CBC_SHA'
algorithm.";
reference
"RFC 5054:
Using the Secure Remote Password (SRP) Protocol for TLS
Authentication";
}
enum TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA'
algorithm.";
reference
"RFC 5054:
Using the Secure Remote Password (SRP) Protocol for TLS
Authentication";
}
enum TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA'
algorithm.";
reference
"RFC 5054:
Using the Secure Remote Password (SRP) Protocol for TLS
Authentication";
}
enum TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256' algorithm.";
reference
"RFC 5289:
TLS Elliptic Curve Cipher Suites with SHA-256/384 and
AES Galois Counter Mode (GCM)";
}
enum TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 {
status deprecated;
description
"Enumeration for the
'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384' algorithm.";
reference
"RFC 5289:
TLS Elliptic Curve Cipher Suites with SHA-256/384 and
AES Galois Counter Mode (GCM)";
}
enum TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256' algorithm.";
reference
"RFC 5289:
TLS Elliptic Curve Cipher Suites with SHA-256/384 and
AES Galois Counter Mode (GCM)";
}
enum TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 {
status deprecated;
description
"Enumeration for the
'TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384' algorithm.";
reference
"RFC 5289:
TLS Elliptic Curve Cipher Suites with SHA-256/384 and
AES Galois Counter Mode (GCM)";
}
enum TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256' algorithm.";
reference
"RFC 5289:
TLS Elliptic Curve Cipher Suites with SHA-256/384 and
AES Galois Counter Mode (GCM)";
}
enum TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 {
status deprecated;
description
"Enumeration for the
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384' algorithm.";
reference
"RFC 5289:
TLS Elliptic Curve Cipher Suites with SHA-256/384 and
AES Galois Counter Mode (GCM)";
}
enum TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256'
algorithm.";
reference
"RFC 5289:
TLS Elliptic Curve Cipher Suites with SHA-256/384 and
AES Galois Counter Mode (GCM)";
}
enum TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384'
algorithm.";
reference
"RFC 5289:
TLS Elliptic Curve Cipher Suites with SHA-256/384 and
AES Galois Counter Mode (GCM)";
}
enum TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 {
description
"Enumeration for the
'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256' algorithm.";
reference
"RFC 5289:
TLS Elliptic Curve Cipher Suites with SHA-256/384 and
AES Galois Counter Mode (GCM)";
}
enum TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 {
description
"Enumeration for the
'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384' algorithm.";
reference
"RFC 5289:
TLS Elliptic Curve Cipher Suites with SHA-256/384 and
AES Galois Counter Mode (GCM)";
}
enum TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256' algorithm.";
reference
"RFC 5289:
TLS Elliptic Curve Cipher Suites with SHA-256/384 and
AES Galois Counter Mode (GCM)";
}
enum TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the
'TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384' algorithm.";
reference
"RFC 5289:
TLS Elliptic Curve Cipher Suites with SHA-256/384 and
AES Galois Counter Mode (GCM)";
}
enum TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 {
description
"Enumeration for the
'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256' algorithm.";
reference
"RFC 5289:
TLS Elliptic Curve Cipher Suites with SHA-256/384 and
AES Galois Counter Mode (GCM)";
}
enum TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 {
description
"Enumeration for the
'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384' algorithm.";
reference
"RFC 5289:
TLS Elliptic Curve Cipher Suites with SHA-256/384 and
AES Galois Counter Mode (GCM)";
}
enum TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256'
algorithm.";
reference
"RFC 5289:
TLS Elliptic Curve Cipher Suites with SHA-256/384 and
AES Galois Counter Mode (GCM)";
}
enum TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384'
algorithm.";
reference
"RFC 5289:
TLS Elliptic Curve Cipher Suites with SHA-256/384 and
AES Galois Counter Mode (GCM)";
}
enum TLS_ECDHE_PSK_WITH_RC4_128_SHA {
status deprecated;
description
"Enumeration for the 'TLS_ECDHE_PSK_WITH_RC4_128_SHA'
algorithm.";
reference
"RFC 5489:
ECDHE_PSK Cipher Suites for Transport Layer Security
(TLS)
RFC 6347:
Datagram Transport Layer Security Version 1.2";
}
enum TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA'
algorithm.";
reference
"RFC 5489:
ECDHE_PSK Cipher Suites for Transport Layer Security
(TLS)";
}
enum TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA'
algorithm.";
reference
"RFC 5489:
ECDHE_PSK Cipher Suites for Transport Layer Security
(TLS)";
}
enum TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA {
status deprecated;
description
"Enumeration for the 'TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA'
algorithm.";
reference
"RFC 5489:
ECDHE_PSK Cipher Suites for Transport Layer Security
(TLS)";
}
enum TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256' algorithm.";
reference
"RFC 5489:
ECDHE_PSK Cipher Suites for Transport Layer Security
(TLS)";
}
enum TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 {
status deprecated;
description
"Enumeration for the
'TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384' algorithm.";
reference
"RFC 5489:
ECDHE_PSK Cipher Suites for Transport Layer Security
(TLS)";
}
enum TLS_ECDHE_PSK_WITH_NULL_SHA {
status deprecated;
description
"Enumeration for the 'TLS_ECDHE_PSK_WITH_NULL_SHA'
algorithm.";
reference
"RFC 5489:
ECDHE_PSK Cipher Suites for Transport Layer Security
(TLS)";
}
enum TLS_ECDHE_PSK_WITH_NULL_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_ECDHE_PSK_WITH_NULL_SHA256'
algorithm.";
reference
"RFC 5489:
ECDHE_PSK Cipher Suites for Transport Layer Security
(TLS)";
}
enum TLS_ECDHE_PSK_WITH_NULL_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_ECDHE_PSK_WITH_NULL_SHA384'
algorithm.";
reference
"RFC 5489:
ECDHE_PSK Cipher Suites for Transport Layer Security
(TLS)";
}
enum TLS_RSA_WITH_ARIA_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_RSA_WITH_ARIA_128_CBC_SHA256'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_RSA_WITH_ARIA_256_CBC_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_RSA_WITH_ARIA_256_CBC_SHA384'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_DH_anon_WITH_ARIA_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_DH_anon_WITH_ARIA_128_CBC_SHA256'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_DH_anon_WITH_ARIA_256_CBC_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_DH_anon_WITH_ARIA_256_CBC_SHA384'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256' algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 {
status deprecated;
description
"Enumeration for the
'TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384' algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256' algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 {
status deprecated;
description
"Enumeration for the
'TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384' algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256' algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 {
status deprecated;
description
"Enumeration for the
'TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384' algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256' algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 {
status deprecated;
description
"Enumeration for the
'TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384' algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_RSA_WITH_ARIA_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_RSA_WITH_ARIA_128_GCM_SHA256'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_RSA_WITH_ARIA_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_RSA_WITH_ARIA_256_GCM_SHA384'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_DH_anon_WITH_ARIA_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_DH_anon_WITH_ARIA_128_GCM_SHA256'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_DH_anon_WITH_ARIA_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_DH_anon_WITH_ARIA_256_GCM_SHA384'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256' algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the
'TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384' algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256' algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the
'TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384' algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256' algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the
'TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384' algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256' algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the
'TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384' algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_PSK_WITH_ARIA_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_PSK_WITH_ARIA_128_CBC_SHA256'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_PSK_WITH_ARIA_256_CBC_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_PSK_WITH_ARIA_256_CBC_SHA384'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_PSK_WITH_ARIA_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_PSK_WITH_ARIA_128_GCM_SHA256'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_PSK_WITH_ARIA_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_PSK_WITH_ARIA_256_GCM_SHA384'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384'
algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256' algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 {
status deprecated;
description
"Enumeration for the
'TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384' algorithm.";
reference
"RFC 6209:
Addition of the ARIA Cipher Suites to Transport Layer
Security (TLS)";
}
enum TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256'
algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 {
status deprecated;
description
"Enumeration for the
'TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384'
algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256' algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 {
status deprecated;
description
"Enumeration for the
'TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384' algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256' algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 {
status deprecated;
description
"Enumeration for the
'TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384' algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256' algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 {
status deprecated;
description
"Enumeration for the
'TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384' algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256'
algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384'
algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256' algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the
'TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384' algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256' algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the
'TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384' algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256' algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the
'TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384' algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256' algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the
'TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384' algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256' algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the
'TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384' algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256'
algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the
'TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384'
algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256' algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the
'TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384' algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256' algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the
'TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384' algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256' algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the
'TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384' algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256'
algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384'
algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256' algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the
'TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384' algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256' algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the
'TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384' algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256'
algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384'
algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256' algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 {
status deprecated;
description
"Enumeration for the
'TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384' algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256' algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 {
status deprecated;
description
"Enumeration for the
'TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384' algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256' algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 {
status deprecated;
description
"Enumeration for the
'TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384' algorithm.";
reference
"RFC 6367:
Addition of the Camellia Cipher Suites to Transport
Layer Security (TLS)";
}
enum TLS_RSA_WITH_AES_128_CCM {
status deprecated;
description
"Enumeration for the 'TLS_RSA_WITH_AES_128_CCM'
algorithm.";
reference
"RFC 6655:
AES-CCM Cipher Suites for Transport Layer Security
(TLS)";
}
enum TLS_RSA_WITH_AES_256_CCM {
status deprecated;
description
"Enumeration for the 'TLS_RSA_WITH_AES_256_CCM'
algorithm.";
reference
"RFC 6655:
AES-CCM Cipher Suites for Transport Layer Security
(TLS)";
}
enum TLS_DHE_RSA_WITH_AES_128_CCM {
description
"Enumeration for the 'TLS_DHE_RSA_WITH_AES_128_CCM'
algorithm.";
reference
"RFC 6655:
AES-CCM Cipher Suites for Transport Layer Security
(TLS)";
}
enum TLS_DHE_RSA_WITH_AES_256_CCM {
description
"Enumeration for the 'TLS_DHE_RSA_WITH_AES_256_CCM'
algorithm.";
reference
"RFC 6655:
AES-CCM Cipher Suites for Transport Layer Security
(TLS)";
}
enum TLS_RSA_WITH_AES_128_CCM_8 {
status deprecated;
description
"Enumeration for the 'TLS_RSA_WITH_AES_128_CCM_8'
algorithm.";
reference
"RFC 6655:
AES-CCM Cipher Suites for Transport Layer Security
(TLS)";
}
enum TLS_RSA_WITH_AES_256_CCM_8 {
status deprecated;
description
"Enumeration for the 'TLS_RSA_WITH_AES_256_CCM_8'
algorithm.";
reference
"RFC 6655:
AES-CCM Cipher Suites for Transport Layer Security
(TLS)";
}
enum TLS_DHE_RSA_WITH_AES_128_CCM_8 {
status deprecated;
description
"Enumeration for the 'TLS_DHE_RSA_WITH_AES_128_CCM_8'
algorithm.";
reference
"RFC 6655:
AES-CCM Cipher Suites for Transport Layer Security
(TLS)";
}
enum TLS_DHE_RSA_WITH_AES_256_CCM_8 {
status deprecated;
description
"Enumeration for the 'TLS_DHE_RSA_WITH_AES_256_CCM_8'
algorithm.";
reference
"RFC 6655:
AES-CCM Cipher Suites for Transport Layer Security
(TLS)";
}
enum TLS_PSK_WITH_AES_128_CCM {
status deprecated;
description
"Enumeration for the 'TLS_PSK_WITH_AES_128_CCM'
algorithm.";
reference
"RFC 6655:
AES-CCM Cipher Suites for Transport Layer Security
(TLS)";
}
enum TLS_PSK_WITH_AES_256_CCM {
status deprecated;
description
"Enumeration for the 'TLS_PSK_WITH_AES_256_CCM'
algorithm.";
reference
"RFC 6655:
AES-CCM Cipher Suites for Transport Layer Security
(TLS)";
}
enum TLS_DHE_PSK_WITH_AES_128_CCM {
description
"Enumeration for the 'TLS_DHE_PSK_WITH_AES_128_CCM'
algorithm.";
reference
"RFC 6655:
AES-CCM Cipher Suites for Transport Layer Security
(TLS)";
}
enum TLS_DHE_PSK_WITH_AES_256_CCM {
description
"Enumeration for the 'TLS_DHE_PSK_WITH_AES_256_CCM'
algorithm.";
reference
"RFC 6655:
AES-CCM Cipher Suites for Transport Layer Security
(TLS)";
}
enum TLS_PSK_WITH_AES_128_CCM_8 {
status deprecated;
description
"Enumeration for the 'TLS_PSK_WITH_AES_128_CCM_8'
algorithm.";
reference
"RFC 6655:
AES-CCM Cipher Suites for Transport Layer Security
(TLS)";
}
enum TLS_PSK_WITH_AES_256_CCM_8 {
status deprecated;
description
"Enumeration for the 'TLS_PSK_WITH_AES_256_CCM_8'
algorithm.";
reference
"RFC 6655:
AES-CCM Cipher Suites for Transport Layer Security
(TLS)";
}
enum TLS_PSK_DHE_WITH_AES_128_CCM_8 {
status deprecated;
description
"Enumeration for the 'TLS_PSK_DHE_WITH_AES_128_CCM_8'
algorithm.";
reference
"RFC 6655:
AES-CCM Cipher Suites for Transport Layer Security
(TLS)";
}
enum TLS_PSK_DHE_WITH_AES_256_CCM_8 {
status deprecated;
description
"Enumeration for the 'TLS_PSK_DHE_WITH_AES_256_CCM_8'
algorithm.";
reference
"RFC 6655:
AES-CCM Cipher Suites for Transport Layer Security
(TLS)";
}
enum TLS_ECDHE_ECDSA_WITH_AES_128_CCM {
status deprecated;
description
"Enumeration for the 'TLS_ECDHE_ECDSA_WITH_AES_128_CCM'
algorithm.";
reference
"RFC 7251:
AES-CCM Elliptic Curve Cryptography (ECC) Cipher Suites
for TLS";
}
enum TLS_ECDHE_ECDSA_WITH_AES_256_CCM {
status deprecated;
description
"Enumeration for the 'TLS_ECDHE_ECDSA_WITH_AES_256_CCM'
algorithm.";
reference
"RFC 7251:
AES-CCM Elliptic Curve Cryptography (ECC) Cipher Suites
for TLS";
}
enum TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 {
status deprecated;
description
"Enumeration for the 'TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8'
algorithm.";
reference
"RFC 7251:
AES-CCM Elliptic Curve Cryptography (ECC) Cipher Suites
for TLS";
}
enum TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 {
status deprecated;
description
"Enumeration for the 'TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8'
algorithm.";
reference
"RFC 7251:
AES-CCM Elliptic Curve Cryptography (ECC) Cipher Suites
for TLS";
}
enum TLS_ECCPWD_WITH_AES_128_GCM_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_ECCPWD_WITH_AES_128_GCM_SHA256'
algorithm.";
reference
"RFC 8492:
Secure Password Ciphersuites for Transport Layer
Security (TLS)";
}
enum TLS_ECCPWD_WITH_AES_256_GCM_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_ECCPWD_WITH_AES_256_GCM_SHA384'
algorithm.";
reference
"RFC 8492:
Secure Password Ciphersuites for Transport Layer
Security (TLS)";
}
enum TLS_ECCPWD_WITH_AES_128_CCM_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_ECCPWD_WITH_AES_128_CCM_SHA256'
algorithm.";
reference
"RFC 8492:
Secure Password Ciphersuites for Transport Layer
Security (TLS)";
}
enum TLS_ECCPWD_WITH_AES_256_CCM_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_ECCPWD_WITH_AES_256_CCM_SHA384'
algorithm.";
reference
"RFC 8492:
Secure Password Ciphersuites for Transport Layer
Security (TLS)";
}
enum TLS_SHA256_SHA256 {
status deprecated;
description
"Enumeration for the 'TLS_SHA256_SHA256' algorithm.";
reference
"RFC 9150:
TLS 1.3 Authentication and Integrity-Only Cipher
Suites";
}
enum TLS_SHA384_SHA384 {
status deprecated;
description
"Enumeration for the 'TLS_SHA384_SHA384' algorithm.";
reference
"RFC 9150:
TLS 1.3 Authentication and Integrity-Only Cipher
Suites";
}
enum TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC {
status deprecated;
description
"Enumeration for the
'TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC'
algorithm.";
reference
"RFC 9189:
GOST Cipher Suites for Transport Layer Security (TLS)
Protocol Version 1.2";
}
enum TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC {
status deprecated;
description
"Enumeration for the
'TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC' algorithm.";
reference
"RFC 9189:
GOST Cipher Suites for Transport Layer Security (TLS)
Protocol Version 1.2";
}
enum TLS_GOSTR341112_256_WITH_28147_CNT_IMIT {
status deprecated;
description
"Enumeration for the
'TLS_GOSTR341112_256_WITH_28147_CNT_IMIT' algorithm.";
reference
"RFC 9189:
GOST Cipher Suites for Transport Layer Security (TLS)
Protocol Version 1.2";
}
enum TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L {
status deprecated;
description
"Enumeration for the
'TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L' algorithm.";
reference
"RFC 9367:
GOST Cipher Suites for Transport Layer Security (TLS)
Protocol Version 1.3";
}
enum TLS_GOSTR341112_256_WITH_MAGMA_MGM_L {
status deprecated;
description
"Enumeration for the 'TLS_GOSTR341112_256_WITH_MAGMA_MGM_L'
algorithm.";
reference
"RFC 9367:
GOST Cipher Suites for Transport Layer Security (TLS)
Protocol Version 1.3";
}
enum TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S {
status deprecated;
description
"Enumeration for the
'TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S' algorithm.";
reference
"RFC 9367:
GOST Cipher Suites for Transport Layer Security (TLS)
Protocol Version 1.3";
}
enum TLS_GOSTR341112_256_WITH_MAGMA_MGM_S {
status deprecated;
description
"Enumeration for the 'TLS_GOSTR341112_256_WITH_MAGMA_MGM_S'
algorithm.";
reference
"RFC 9367:
GOST Cipher Suites for Transport Layer Security (TLS)
Protocol Version 1.3";
}
enum TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 {
description
"Enumeration for the
'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256' algorithm.";
reference
"RFC 7905:
ChaCha20-Poly1305 Cipher Suites for Transport Layer
Security (TLS)";
}
enum TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 {
description
"Enumeration for the
'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256'
algorithm.";
reference
"RFC 7905:
ChaCha20-Poly1305 Cipher Suites for Transport Layer
Security (TLS)";
}
enum TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 {
description
"Enumeration for the
'TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256' algorithm.";
reference
"RFC 7905:
ChaCha20-Poly1305 Cipher Suites for Transport Layer
Security (TLS)";
}
enum TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_PSK_WITH_CHACHA20_POLY1305_SHA256' algorithm.";
reference
"RFC 7905:
ChaCha20-Poly1305 Cipher Suites for Transport Layer
Security (TLS)";
}
enum TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 {
description
"Enumeration for the
'TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256' algorithm.";
reference
"RFC 7905:
ChaCha20-Poly1305 Cipher Suites for Transport Layer
Security (TLS)";
}
enum TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 {
description
"Enumeration for the
'TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256' algorithm.";
reference
"RFC 7905:
ChaCha20-Poly1305 Cipher Suites for Transport Layer
Security (TLS)";
}
enum TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256' algorithm.";
reference
"RFC 7905:
ChaCha20-Poly1305 Cipher Suites for Transport Layer
Security (TLS)";
}
enum TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 {
description
"Enumeration for the
'TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256' algorithm.";
reference
"RFC 8442:
ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites for TLS
1.2 and DTLS 1.2";
}
enum TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 {
description
"Enumeration for the
'TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384' algorithm.";
reference
"RFC 8442:
ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites for TLS
1.2 and DTLS 1.2";
}
enum TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 {
status deprecated;
description
"Enumeration for the
'TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256' algorithm.";
reference
"RFC 8442:
ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites for TLS
1.2 and DTLS 1.2";
}
enum TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 {
description
"Enumeration for the
'TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256' algorithm.";
reference
"RFC 8442:
ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites for TLS
1.2 and DTLS 1.2";
}
}
description
"An enumeration for TLS cipher-suite algorithms.";
}
}
]]></artwork>
<t keepWithPrevious="true">&lt;CODE ENDS&gt;</t>
</section>
</section>
<section anchor="change-log">
<name>Change Log</name>
<section>
<name>00 to 01</name>
<ul spacing="normal">
<li>Noted that '0.0.0.0' and '::' might have special meanings.</li>
<li>Renamed "keychain" to "keystore".</li>
</ul>
</section>
<section>
<name>01 to 02</name>
<ul spacing="normal">
<li>Removed the groupings containing transport-level configuration.
Now modules contain only the transport-independent groupings.</li>
<li>Filled in previously incomplete 'ietf-tls-client' module.</li>
<li>Added cipher suites for various algorithms into new
'ietf-tls-common' module.</li>
</ul>
</section>
<section>
<name>02 to 03</name>
<ul spacing="normal">
<li>Added a 'must' statement to container 'server-auth' asserting
that at least one of the various auth mechanisms must be
specified.</li>
<li>Fixed description statement for leaf 'trusted-ca-certs'.</li>
</ul>
</section>
<section>
<name>03 to 04</name>
<ul spacing="normal">
<li>Updated title to "YANG Groupings for TLS Clients and TLS
Servers"</li>
<li>Updated leafref paths to point to new keystore path</li>
<li>Changed the YANG prefix for ietf-tls-common from 'tlscom' to
'tlscmn'.</li>
<li>Added TLS protocol verions 1.0 and 1.1.</li>
<li>Made author lists consistent</li>
<li>Now tree diagrams reference ietf-netmod-yang-tree-diagrams</li>
<li>Updated YANG to use typedefs around leafrefs to common keystore
paths</li>
<li>Now inlines key and certificates (no longer a leafref to
keystore)</li>
</ul>
</section>
<section>
<name>04 to 05</name>
<ul spacing="normal">
<li>Merged changes from co-author.</li>
</ul>
</section>
<section>
<name>05 to 06</name>
<ul spacing="normal">
<li>Updated to use trust anchors from trust-anchors draft (was
keystore draft)</li>
<li>Now Uses new keystore grouping enabling asymmetric key to be
either locally defined or a reference to the keystore.</li>
</ul>
</section>
<section>
<name>06 to 07</name>
<ul spacing="normal">
<li>factored the tls-[client|server]-groupings into more reusable
groupings.</li>
<li>added if-feature statements for the new "x509-certificates"
feature defined in draft-ietf-netconf-trust-anchors.</li>
</ul>
</section>
<section>
<name>07 to 08</name>
<ul spacing="normal">
<li>Added a number of compatibility matrices to Section 5 (thanks Fran
k!)</li>
<li>Clarified that any configured "cipher-suite" values need to be
compatible with the configured private key.</li>
</ul>
</section>
<section>
<name>08 to 09</name>
<ul spacing="normal">
<li>Updated examples to reflect update to groupings defined in the key
store draft.</li>
<li>Add TLS keepalives features and groupings.</li>
<li>Prefixed top-level TLS grouping nodes with 'tls-' and support mash
ups.</li>
<li>Updated copyright date, boilerplate template, affiliation, and fol
ding algorithm.</li>
</ul>
</section>
<section>
<name>09 to 10</name>
<ul spacing="normal">
<li>Reformatted the YANG modules.</li>
</ul>
</section>
<section>
<name>10 to 11</name>
<ul spacing="normal">
<li>Collapsed all the inner groupings into the top-level grouping.</li
>
<li>Added a top-level "demux container" inside the top-level grouping.
</li>
<li>Added NACM statements and updated the Security Considerations sect
ion.</li>
<li>Added "presence" statements on the "keepalive" containers, as was
needed to address a validation error that appeared after adding th
e
"must" statements into the NETCONF/RESTCONF client/server modules.
</li>
<li>Updated the boilerplate text in module-level "description" stateme
nt
to match copyeditor convention.</li>
</ul>
</section>
<section>
<name>11 to 12</name>
<ul spacing="normal">
<li>In server model, made 'client-authentication' a 'presence' node
indicating that the server supports client authentication.</li>
<li>In the server model, added a 'required-or-optional' choice to
'client-authentication' to better support protocols such as
RESTCONF.</li>
<li>In the server model, added a 'inline-or-external' choice to
'client-authentication' to better support consuming data models
that prefer to keep client auth with client definitions than in
a model principally concerned with the "transport".</li>
<li>In both models, removed the "demux containers", floating the
nacm:default-deny-write to each descendant node, and
adding a note to model designers regarding the potential
need to add their own demux containers.</li>
<li>Fixed a couple references (section 2 --&gt; section 3)</li>
</ul>
</section>
<section>
<name>12 to 13</name>
<ul spacing="normal">
<li>Updated to reflect changes in trust-anchors drafts
(e.g., s/trust-anchors/truststore/g + s/pinned.//)</li>
</ul>
</section>
<section>
<name>12 to 13</name>
<ul spacing="normal">
<li>Removed 'container' under 'client-identity' to match server model.
</li>
<li>Updated examples to reflect change grouping in keystore module.</l
i>
</ul>
</section>
<section>
<name>13 to 14</name>
<ul spacing="normal">
<li>Removed the "certificate" container from "client-identity" in the
ietf-tls-client module.</li>
<li>Updated examples to reflect ietf-crypto-types change
(e.g., identities --&gt; enumerations)</li>
</ul>
</section>
<section>
<name>14 to 15</name>
<ul spacing="normal">
<li>Updated "server-authentication" and "client-authentication" nodes
from
being a leaf of type "ts:certificates-ref" to a container that use
s
"ts:inline-or-truststore-certs-grouping".</li>
</ul>
</section>
<section>
<name>15 to 16</name>
<ul spacing="normal">
<li>Removed unnecessary if-feature statements in the -client and -serv
er modules.</li>
<li>Cleaned up some description statements in the -client and -server
modules.</li>
<li>Fixed a canonical ordering issue in ietf-tls-common detected by ne
w pyang.</li>
</ul>
</section>
<section>
<name>16 to 17</name>
<ul spacing="normal">
<li>Removed choice inline-or-external by removing the 'external' case
and flattening
the 'local' case and adding a "client-auth-supported" feature.</li
>
<li>Removed choice required-or-optional.</li>
<li>Updated examples to include the "*-key-format" nodes.</li>
<li>Augmented-in "must" expressions ensuring that locally-defined publ
ic-key-format
are "ct:tls-public-key-format" (must expr for ref'ed keys are TBD)
.</li>
</ul>
</section>
<section>
<name>17 to 18</name>
<ul spacing="normal">
<li>Removed the unused "external-client-auth-supported" feature.</li>
<li>Made client-indentity optional, as there may be over-the-top auth
instead.</li>
<li>Added augment to uses of inline-or-keystore-symmetric-key-grouping
for a psk "id" node.</li>
<li>Added missing presence container "psks" to ietf-tls-server's "clie
nt-authentication" container.</li>
<li>Updated examples to reflect new "bag" addition to truststore.</li>
<li>Removed feature-limited caseless 'case' statements to improve tree
diagram rendering.</li>
<li>Refined truststore/keystore groupings to ensure the key formats "m
ust" be particular values.</li>
<li>Switched to using truststore's new "public-key" bag (instead of se
parate "ssh-public-key"
and "raw-public-key" bags).</li>
<li>Updated client/server examples to cover ALL cases (local/ref x cer
t/raw-key/psk).</li>
</ul>
</section>
<section>
<name>18 to 19</name>
<ul spacing="normal">
<li>Updated the "keepalives" containers in part to address Michal Vask
o's request to
align with RFC 8071, and in part to better align to RFC 6520.</li>
<li>Removed algorithm-mapping tables from the "TLS Common Model" secti
on</li>
<li>Removed the 'algorithm' node from the examples.</li>
<li>Renamed both "client-certs" and "server-certs" to "ee-certs"</li>
<li>Added a "Note to Reviewers" note to first page.</li>
</ul>
</section>
<section>
<name>19 to 20</name>
<ul spacing="normal">
<li>Modified the 'must' expression in the "ietf-tls-client:server-auth
ention" node to
cover the "raw-public-keys" and "psks" nodes also.</li>
<li>Added a "must 'ca-certs or ee-certs or raw-public-keys or psks'" s
tatement to the
ietf-tls-server:client-authentication" node.</li>
<li>Added "mandatory true" to "choice auth-type" and a "presence" stat
ement to its ancestor.</li>
<li>Expanded "Data Model Overview section(s) [remove "wall" of tree di
agrams].</li>
<li>Moved the "ietf-tls-common" module section to proceed the other tw
o module sections.</li>
<li>Updated the Security Considerations section.</li>
</ul>
</section>
<section>
<name>20 to 21</name>
<ul spacing="normal">
<li>Updated examples to reflect new "cleartext-" prefix in the crypto-
types draft.</li>
</ul>
</section>
<section>
<name>21 to 22</name>
<ul spacing="normal">
<li>In both the "client-authentication" and "server-authentication" su
btrees,
replaced the "psks" node from being a P-container to a leaf of typ
e "empty".</li>
<li>Cleaned up examples (e.g., removed FIXMEs)</li>
<li>Fixed issues found by the SecDir review of the "keystore" draft.</
li>
<li>Updated the "psk" sections in the "ietf-tls-client" and "ietf-tls-
server"
modules to more correctly reflect RFC 4279.</li>
</ul>
</section>
<section>
<name>22 to 23</name>
<ul spacing="normal">
<li>Addressed comments raised by YANG Doctor in the ct/ts/ks drafts.</
li>
</ul>
</section>
<section>
<name>23 to 24</name>
<ul spacing="normal">
<li>Added missing reference to "FIPS PUB 180-4".</li>
<li>Added identity "tls-1.3" and updated description statement in othe
r identities indicating that the protocol version is obsolete and enabling the f
eature is NOT RECOMMENDED.</li>
<li>Added XML-comment above examples explaining the reason for the une
xpected top-most element's presence.</li>
<li>Added missing "client-ident-raw-public-key" and "client-ident-psk"
featutes.</li>
<li>Aligned modules with `pyang -f` formatting.</li>
<li>Fixed nits found by YANG Doctor reviews.</li>
<li>Added a 'Contributors' section.</li>
</ul>
</section>
<section>
<name>24 to 25</name>
<ul spacing="normal">
<li>Added TLS 1.3 references.</li>
<li>Clarified support for various TLS protocol versions.</li>
<li>Moved algorithms in ietf-tls-common (plus more) to IANA-maintained
modules</li>
<li>Added "config false" lists for algorithms supported by the server.
</li>
<li>Fixed issues found during YANG Doctor review.</li>
</ul>
</section>
<section>
<name>25 to 26</name>
<ul spacing="normal">
<li>Replaced "base64encodedvalue==" with "BASE64VALUE=" in examples.</
li>
<li>Minor editorial nits</li>
</ul>
</section>
<section>
<name>26 to 27</name>
<ul spacing="normal">
<li>Fixed up the 'WG Web' and 'WG List' lines in YANG module(s)</li>
<li>Fixed up copyright (i.e., s/Simplified/Revised/) in YANG module(s)
.</li>
<li>Created identityref-based typedef for the IANA alg identity base.<
/li>
<li>Major update to support TLS 1.3.</li>
</ul>
</section>
<section>
<name>27 to 28</name>
<ul spacing="normal">
<li>Fixed draft text to refer to new "identity" values (e.g., s/tls-1.
3/tls13).</li>
<li>Added ietf-tls-common:generate-public-key() RPC.</li>
</ul>
</section>
<section>
<name>28 to 29</name>
<ul spacing="normal">
<li>Updated modules to IANA-maintained module in Appendix A to 2022-06
-16.</li>
</ul>
</section>
<section>
<name>29 to 30</name>
<ul spacing="normal">
<li>Fixed 'must' expressions.</li>
<li>Added missing 'revision' statement.</li>
</ul>
</section>
<section>
<name>30 to 31</name>
<ul spacing="normal">
<li>Updated per Shepherd reviews impacting the suite of drafts.</li>
</ul>
</section>
<section>
<name>31 to 32</name>
<ul spacing="normal">
<li>Updated per Shepherd reviews impacting the suite of drafts.</li>
</ul>
</section>
<section>
<name>32 to 33</name>
<ul spacing="normal">
<li>Updated per Tom Petch review.</li>
<li>Added RPC-reply to 'generate-public-key" RPC example.</li>
</ul>
</section>
<section>
<name>33 to 34</name>
<ul spacing="normal">
<li>Addresses AD review comments.</li>
<li>Added note to Editor to fix line foldings.</li>
<li>Introduction now more clearly identifies the "ietf-" and "iana-" m
odules defined.</li>
<li>Clarified that the modules, when implemented, do not define any pr
otocol-accessible nodes.</li>
<li>Clarified that IANA may deprecate and/or obsolete identities over
time.</li>
<li>Added Security Consideration for the "generate-public-key" RPC.</l
i>
<li>Added Security Considerations text to also look a SC-section from
imported modules.</li>
<li>Added missing if-feature statements.</li>
<li>Fixed private-key "must" expressions to not require public-key nod
es to be present.</li>
<li>Fixed ident-tls12-psk and ident-tls13-psk YANG and references.</li
>
<li>Renamed leaf from "bits" to "num-bits".</li>
<li>Added missing "ordered-by user" statement.</li>
<li>Added container "private-key-encoding" to wrap existing choice.</l
i>
<li>Renamed container "encrypt-with" to "encrypted".</li>
<li>Renamed leaf from "hide" to "hidden".</li>
<li>Removed "public-key-format" and "public-key" nodes from examples.<
/li>
</ul>
</section>
<section>
<name>34 to 35</name>
<ul spacing="normal">
<li>Addresses AD review by Rob Wilton.</li>
</ul>
</section>
<section>
<name>35 to 36</name>
<ul spacing="normal">
<li>Complete tls10/tls11 removal and update Jeff's email.</li>
</ul>
</section>
<section>
<name>36 to 37</name>
<ul spacing="normal">
<li>Addresses 1st-round of IESG reviews.</li>
</ul>
</section>
<section>
<name>37 to 39</name>
<ul spacing="normal">
<li>Addresses issues found in OpsDir review of the ssh-client-server d
raft.</li>
<li>Replaced identities with enums in the IANA module.</li>
<li>Add refs to where the 'operational' and 'system' datastores are de
fined.</li>
<li>Updated Introduction to read more like the Abstract</li>
<li>Updated Editor-notes to NOT remove the script (just remove the ini
tial IANA module)</li>
<li>Renamed Security Considerations section s/Template for/Considerati
ons for/</li>
<li>s/defines/presents/ in a few places.</li>
<li>Renamed script from 'gen-identities.py' to 'gen-yang-module.py'</l
i>
<li>Removed the removeInRFC="true" attribute in Appendix sections</li>
</ul>
</section>
<section>
<name>39 to 40</name>
<ul spacing="normal">
<li>Address IESG review comments.</li>
</ul>
</section>
<section>
<name>40 to 41</name>
<ul spacing="normal">
<li>Updated to reflect comments from Paul Wouters.</li>
<li>Fixed the "generate-asymmetric-key-pair" RPC to return the
location to where hidden keys are created.</li>
</ul>
</section>
</section>
<section numbered="false"> <section numbered="false">
<name>Acknowledgements</name> <name>Acknowledgements</name>
<t>The authors would like to thank the following for lively discussions <t>The authors would like to thank the following for lively discussions
on list and in the halls (ordered by first name): on list and in the halls (ordered by first name):
Alan Luchuk, <contact fullname="Alan Luchuk"/>,
Andy Bierman, <contact fullname="Andy Bierman"/>,
Balázs Kovács, <contact fullname="Balázs Kovács"/>,
Benoit Claise, <contact fullname="Benoit Claise"/>,
Bert Wijnen, <contact fullname="Bert Wijnen"/>,
David Lamparter, <contact fullname="David Lamparter"/>,
Dhruv Dhody, <contact fullname="Dhruv Dhody"/>,
Éric Vyncke, <contact fullname="Éric Vyncke"/>,
Gary Wu, <contact fullname="Gary Wu"/>,
Henk Birkholz, <contact fullname="Henk Birkholz"/>,
Jeff Hartley, <contact fullname="Jeff Hartley"/>,
Jürgen Schönwälder, <contact fullname="Jürgen Schönwälder"/>,
Ladislav Lhotka, <contact fullname="Ladislav Lhotka"/>,
Liang Xia, <contact fullname="Liang Xia"/>,
Martin Björklund, <contact fullname="Martin Björklund"/>,
Martin Thomson, <contact fullname="Martin Thomson"/>,
Mehmet Ersue, <contact fullname="Mehmet Ersue"/>,
Michal Vaško, <contact fullname="Michal Vaško"/>,
Murray Kucherawy, <contact fullname="Murray Kucherawy"/>,
Paul Wouters, <contact fullname="Paul Wouters"/>,
Phil Shafer, <contact fullname="Phil Shafer"/>,
Qin Wu, <contact fullname="Qin Wu"/>,
Radek Krejci, <contact fullname="Radek Krejci"/>,
Rob Wilton, <contact fullname="Rob Wilton"/>,
Roman Danyliw, <contact fullname="Roman Danyliw"/>,
Russ Housley, <contact fullname="Russ Housley"/>,
Sean Turner, <contact fullname="Sean Turner"/>,
Tom Petch, <contact fullname="Thomas Martin"/>, and
and Thomas Martin.</t> <contact fullname="Tom Petch"/>.</t>
</section> </section>
<section numbered="false"> <section numbered="false">
<name>Contributors</name> <name>Contributors</name>
<t>Special acknowledgement goes to Gary Wu who contributed the <t>Special acknowledgement goes to <contact fullname="Gary Wu"/> who contr
"ietf-tls-common" module, and Tom Petch who carefully ensured ibuted the
"ietf-tls-common" module and <contact fullname="Tom Petch"/> who careful
ly ensured
that references were set correctly throughout.</t> that references were set correctly throughout.</t>
</section> </section>
</back> </back>
<!-- [rfced] Terminology
a) Throughout the text, the following terminology appears to be used
inconsistently. Please review these occurrences and let us know if/how
they may be made consistent.
- External PSK vs. external PSK
[Note: there are four instances of "TLS-1.3 External PSKs (pre-shared keys)"
and two instances of "external PSKs (pre-shared keys)". Should
"external" be capitalized for consistency, or should "EPSK" be used
instead for any of these instances? Note that "EPSK" is expanded as
"External Pre-Shared Key (EPSK)".]
b) Note that we updated the following terms to reflect the form on the right for
consistency; please let us know of any objections.
Cipher Suite -> cipher suite (1 instance)
cipher-suite -> cipher suite (4 instances)
ciphersuite -> cipher suite (1 instance)
Hash algorithm -> hash algorithm
pre-configured -> preconfigured
SHA-256 Hash -> SHA-256 hash
SHA-384 Hash -> SHA-384 hash
sub-statement -> substatement
-->
<!-- [rfced] FYI - We have added expansions for the following abbreviations
per Section 3.6 of RFC 7322 ("RFC Style Guide"). Please review each
expansion in the document carefully to ensure correctness.
Key Derivation Function (KDF)
Network Configuration Protocol (NETCONF)
-->
<!-- [rfced] Please review the "Inclusive Language" portion of the online
Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language>
and let us know if any changes are needed.
Note that our script did not flag any words in particular, but this should
still be reviewed as a best practice.
-->
</rfc> </rfc>
 End of changes. 315 change blocks. 
5638 lines changed or deleted 1270 lines changed or added

This html diff was produced by rfcdiff 1.48.