NETCONF Working Group                                          K. Watsen
Internet-Draft                                           Watsen Networks
Intended status: Standards Track                        14 December 2021
Expires: 17 June 2022

             YANG Groupings for TLS Clients and TLS Servers
                 draft-ietf-netconf-tls-client-server-26

Abstract

   This document defines three YANG 1.1 modules: the first defines
   features and groupings common to both TLS clients and TLS servers,
   the second defines a grouping for a generic TLS client, and the third
   defines a grouping for a generic TLS server.

Editorial Note (To be removed by RFC Editor)

   This draft contains placeholder values that need to be replaced with
   finalized values at the time of publication.  This note summarizes
   all of the substitutions that are needed.  No other RFC Editor
   instructions are specified elsewhere in this document.

   Artwork in this document contains shorthand references to drafts in
   progress.
   Please apply the following replacements:

   *  AAAA --> the assigned RFC value for draft-ietf-netconf-crypto-
      types

   *  BBBB --> the assigned RFC value for draft-ietf-netconf-trust-
      anchors

   *  CCCC --> the assigned RFC value for draft-ietf-netconf-keystore

   *  DDDD --> the assigned RFC value for draft-ietf-netconf-tcp-client-
      server

   *  FFFF --> the assigned RFC value for this draft

   Artwork in this document contains placeholder values for the date of
   publication of this draft.  Please apply the following replacement:

   *  2021-12-14 --> the publication date of this draft

   The following Appendix section is to be removed prior to publication:

   *  Appendix B.  Change Log

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 17 June 2022.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.
   Code Components extracted from this document must include Revised BSD
   License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Revised BSD License.

Table of Contents

   1.  Introduction
     1.1.  Relation to other RFCs
     1.2.  Specification Language
     1.3.  Adherence to the NMDA
     1.4.  Conventions
   2.  The "ietf-tls-common" Module
     2.1.  Data Model Overview
     2.2.  Example Usage
     2.3.  YANG Module
   3.  The "ietf-tls-client" Module
     3.1.  Data Model Overview
     3.2.  Example Usage
     3.3.  YANG Module
   4.  The "ietf-tls-server" Module
     4.1.  Data Model Overview
     4.2.  Example Usage
     4.3.  YANG Module
   5.  Security Considerations
     5.1.  The "iana-tls-cipher-suite-algs" Module
     5.2.  The "ietf-tls-common" YANG Module
     5.3.  The "ietf-tls-client" YANG Module
     5.4.  The "ietf-tls-server" YANG Module
   6.  IANA Considerations
     6.1.  The "IETF XML" Registry
     6.2.  The "YANG Module Names" Registry
     6.3.  The "iana-tls-cipher-suite-algs" Module
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  YANG Modules for IANA
     A.1.  Initial Module for the "TLS Cipher Suites" Registry
       A.1.1.  Data Model Overview
       A.1.2.  Example Usage
       A.1.3.  YANG Module
   Appendix B.  Change Log
     B.1.  00 to 01
     B.2.  01 to 02
     B.3.  02 to 03
     B.4.  03 to 04
     B.5.  04 to 05
     B.6.  05 to 06
     B.7.  06 to 07
     B.8.  07 to 08
     B.9.  08 to 09
     B.10.  09 to 10
     B.11.  10 to 11
     B.12.  11 to 12
     B.13.  12 to 13
     B.14.  12 to 13
     B.15.  13 to 14
     B.16.  14 to 15
     B.17.  15 to 16
     B.18.  16 to 17
     B.19.  17 to 18
     B.20.  18 to 19
     B.21.  19 to 20
     B.22.  20 to 21
     B.23.  21 to 22
     B.24.  22 to 23
     B.25.  23 to 24
     B.26.  24 to 25
     B.27.  25 to 26
   Acknowledgements
   Contributors
   Author's Address

1.  Introduction

   This document defines three YANG 1.1 [RFC7950] modules: the first
   defines features and groupings common to both TLS clients and TLS
   servers, the second defines a grouping for a generic TLS client, and
   the third defines a grouping for a generic TLS server.

   Any version of TLS may be configured.  TLS 1.0 [RFC2246] and TLS 1.1
   [RFC4346] are historic and hence the YANG "feature" statements
   enabling them are marked "status obsolete".  TLS 1.2 [RFC5246] is
   obsoleted by TLS 1.3 [RFC8446] but still in common use, and hence its
   "feature" statement is marked "status deprecated".  The feature
   statements for 1.0, 1.1, and 1.2 each carry a "description" statement
   stating that it is NOT RECOMMENDED to enable the obsolete protocol
   version.

   It is intended that the YANG groupings will be used by applications
   needing to configure TLS client and server protocol stacks.
   For instance, these groupings are used to help define the data model
   for HTTPS [RFC2818] and NETCONF over TLS [RFC7589] based clients and
   servers in [I-D.ietf-netconf-http-client-server] and
   [I-D.ietf-netconf-netconf-client-server], respectively.

   The client and server YANG modules in this document each define one
   grouping, which is focused on just TLS-specific configuration and
   specifically avoids any transport-level configuration, such as what
   ports to listen on or connect to.  This affords applications the
   opportunity to define their own strategy for how the underlying TCP
   connection is established.  For instance, applications supporting
   NETCONF Call Home [RFC8071] could use the "tls-server-grouping"
   grouping for the TLS parts it provides, while adding data nodes for
   the TCP-level call-home configuration.

1.1.  Relation to other RFCs

   This document presents one or more YANG modules [RFC7950] that are
   part of a collection of RFCs that work together to, ultimately,
   enable the configuration of the clients and servers of both the
   NETCONF [RFC6241] and RESTCONF [RFC8040] protocols.

   The modules have been defined in a modular fashion to enable their
   use by other efforts, some of which are known to be in progress at
   the time of this writing, with many more expected to be defined in
   time.

   The normative dependency relationship between the various RFCs in the
   collection is presented in the diagram below.  The labels in the
   diagram represent the primary purpose provided by each RFC.
   Hyperlinks to each RFC are provided below the diagram.
                               crypto-types
                                 ^      ^
                                /        \
                               /          \
                      truststore         keystore
                       ^     ^             ^  ^
                       |     +---------+   |  |
                       |               |   |  |
                       |   +-----------|---+  |
                       |   |           |      |
   tcp-client-server   |   |           |      |
      ^    ^     ssh-client-server     |      |
      |    |           ^               |      |
      |    |           |        tls-client-server
      |    |           |           ^      ^    http-client-server
      |    |           |           |      |             ^
      |    |           |   +-------+      +--------+    |
      |    |           |   |                       |    |
      |    +-----------|---|--------------------+  |    |
      |                |   |                    |  |    |
      +-----------+    |   |                    |  |    |
                  |    |   |                    |  |    |
               netconf-client-server     restconf-client-server

   +=======================+===========================================+
   | Label in Diagram      | Originating RFC                           |
   +=======================+===========================================+
   | crypto-types          | [I-D.ietf-netconf-crypto-types]           |
   +-----------------------+-------------------------------------------+
   | truststore            | [I-D.ietf-netconf-trust-anchors]          |
   +-----------------------+-------------------------------------------+
   | keystore              | [I-D.ietf-netconf-keystore]               |
   +-----------------------+-------------------------------------------+
   | tcp-client-server     | [I-D.ietf-netconf-tcp-client-server]      |
   +-----------------------+-------------------------------------------+
   | ssh-client-server     | [I-D.ietf-netconf-ssh-client-server]      |
   +-----------------------+-------------------------------------------+
   | tls-client-server     | [I-D.ietf-netconf-tls-client-server]      |
   +-----------------------+-------------------------------------------+
   | http-client-server    | [I-D.ietf-netconf-http-client-server]     |
   +-----------------------+-------------------------------------------+
   | netconf-client-server | [I-D.ietf-netconf-netconf-client-server]  |
   +-----------------------+-------------------------------------------+
   | restconf-client-server| [I-D.ietf-netconf-restconf-client-server] |
   +-----------------------+-------------------------------------------+

                      Table 1: Label to RFC Mapping

1.2.  Specification Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

1.3.  Adherence to the NMDA

   This document is compliant with the Network Management Datastore
   Architecture (NMDA) [RFC8342].  For instance, as described in
   [I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore],
   trust anchors and keys installed during manufacturing are expected to
   appear in <operational>.

1.4.  Conventions

   Various examples used in this document use a placeholder value for
   binary data that has been base64 encoded (e.g., "BASE64VALUE=").
   This placeholder value is used as real base64 encoded structures are
   often many lines long and hence distracting to the example being
   presented.

2.  The "ietf-tls-common" Module

   The TLS common model presented in this section contains features and
   groupings common to both TLS clients and TLS servers.  The "hello-
   params-grouping" grouping can be used to configure the list of TLS
   algorithms permitted by the TLS client or TLS server.  The lists of
   algorithms are ordered such that, if multiple algorithms are
   permitted by the client, the algorithm that appears first in its list
   that is also permitted by the server is used for the TLS transport
   layer connection.  The ability to restrict the algorithms allowed is
   provided in this grouping for TLS clients and TLS servers that are
   capable of doing so and may serve to make TLS clients and TLS servers
   compliant with local security policies.  This model supports both
   TLS 1.2 [RFC5246] and TLS 1.3 [RFC8446].
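   As an added illustration (not part of this draft or of any NETCONF
   implementation), the following Python applies the selection rule just
   described to a "hello-params-grouping" instance and checks the
   configured versions against the "status" that the ietf-tls-common
   module assigns to each version feature (obsolete for 1.0 and 1.1,
   deprecated for 1.2).  The element names come from the tree diagram in
   Section 2.1.3.1; the sample instance is constructed here after the
   values of the Section 2.2 example.  The namespace URI assumed for the
   "iana-tls-cipher-suite-algs" module, the constructed server-side list,
   and the rule barring 3DES suites are assumptions of this example, not
   statements of the draft.

```python
"""Added example, not part of the draft: hello-params selection and policy.

Parses a hello-params-grouping instance (element names from the tree
diagram in Section 2.1.3.1), applies the Section 2 rule that the first
client-preferred cipher suite also permitted by the server wins, and
flags TLS versions whose feature is obsolete/deprecated in the module.
"""
import xml.etree.ElementTree as ET

NS_TLS_COMMON = "urn:ietf:params:xml:ns:yang:ietf-tls-common"
# Assumed: the IANA module lives in Appendix A (not shown); this follows the
# urn:ietf:params:xml:ns:yang:<module-name> pattern used by ietf-tls-common.
NS_TLS_CSA = "urn:ietf:params:xml:ns:yang:iana-tls-cipher-suite-algs"

# "status" of each TLS version feature as declared in ietf-tls-common.
VERSION_STATUS = {
    "tlscmn:tls-1.0": "obsolete",
    "tlscmn:tls-1.1": "obsolete",
    "tlscmn:tls-1.2": "deprecated",
    "tlscmn:tls-1.3": "current",
}

# Constructed sample instance mirroring the values of the Section 2.2 example.
SAMPLE_CLIENT_HELLO_PARAMS = f"""<hello-params xmlns="{NS_TLS_COMMON}"
    xmlns:tlscmn="{NS_TLS_COMMON}" xmlns:tlscsa="{NS_TLS_CSA}">
  <tls-versions>
    <tls-version>tlscmn:tls-1.1</tls-version>
    <tls-version>tlscmn:tls-1.2</tls-version>
  </tls-versions>
  <cipher-suites>
    <cipher-suite>tlscsa:tls-ecdhe-ecdsa-with-aes-256-cbc-sha</cipher-suite>
    <cipher-suite>tlscsa:tls-dhe-rsa-with-aes-128-cbc-sha256</cipher-suite>
    <cipher-suite>tlscsa:tls-rsa-with-3des-ede-cbc-sha</cipher-suite>
  </cipher-suites>
</hello-params>"""


def parse_hello_params(xml_text):
    """Return (tls_versions, cipher_suites) as lists, in document order."""
    root = ET.fromstring(xml_text)
    ns = {"c": NS_TLS_COMMON}
    versions = [e.text.strip() for e in root.findall("c:tls-versions/c:tls-version", ns)]
    suites = [e.text.strip() for e in root.findall("c:cipher-suites/c:cipher-suite", ns)]
    return versions, suites


def select_cipher_suite(client_suites, server_suites):
    """Section 2 rule: walk the client's ordered-by-user list and return the
    first suite the server also permits.  An empty list is "implementation-
    defined" per the module; this example treats it as "no restriction"."""
    if not client_suites:
        return server_suites[0] if server_suites else None
    if not server_suites:
        return client_suites[0]
    permitted = set(server_suites)
    for suite in client_suites:
        if suite in permitted:
            return suite
    return None  # no overlap: the handshake would fail


def policy_findings(versions, suites):
    """Lint a parsed instance and return human-readable findings.
    Version findings come from the module's feature status; the 3DES rule is
    an assumed local policy, the kind the draft says this grouping can enforce."""
    findings = []
    for v in versions:
        status = VERSION_STATUS.get(v, "unknown")
        if status != "current":
            findings.append(f"{v}: feature status '{status}'")
    for s in suites:
        if "3des" in s.lower():
            findings.append(f"{s}: 3DES barred by local policy")
    return findings


if __name__ == "__main__":
    client_versions, client_suites = parse_hello_params(SAMPLE_CLIENT_HELLO_PARAMS)
    # Constructed server list, deliberately in a different preference order:
    # the client's order, not the server's, decides the outcome.
    server_suites = [
        "tlscsa:tls-rsa-with-3des-ede-cbc-sha",
        "tlscsa:tls-dhe-rsa-with-aes-128-cbc-sha256",
    ]
    print("negotiated:", select_cipher_suite(client_suites, server_suites))
    for line in policy_findings(client_versions, client_suites):
        print("finding:", line)
```

   Run as a script, the selection returns the DHE suite even though the
   server lists 3DES first, because the client's list is walked in its
   configured order; the lint then reports the obsolete 1.1, the
   deprecated 1.2, and the 3DES suite from the same sample.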
   Thus, to support both TLS 1.2 and TLS 1.3, the cipher-suites part of
   the "hello-params-grouping" grouping should include three parameters
   for configuring the permitted TLS algorithms: TLS cipher suites, TLS
   signature schemes, and TLS supported groups.  Note that TLS 1.2
   negotiates the key exchange and authentication algorithms as part of
   the cipher suite itself, whereas a TLS 1.3 cipher suite names only
   the AEAD and hash algorithms.  The grouping as defined in Section 2.3
   of this revision carries only the cipher-suite list.

2.1.  Data Model Overview

   This section provides an overview of the "ietf-tls-common" module in
   terms of its features, identities, and groupings.

2.1.1.  Features

   The following diagram lists all the "feature" statements defined in
   the "ietf-tls-common" module:

   Features:
     +-- tls-1_0
     +-- tls-1_1
     +-- tls-1_2
     +-- tls-1_3
     +-- hello-params

      |  The diagram above uses syntax that is similar to but not
      |  defined in [RFC8340].

2.1.2.  Identities

   The following diagram illustrates the relationship amongst the
   "identity" statements defined in the "ietf-tls-common" module:

   Identities:
     +-- tls-version-base
     |  +-- tls-1.0
     |  +-- tls-1.1
     |  +-- tls-1.2
     |  +-- tls-1.3
     +-- cipher-suite-base
        +-- rsa-with-aes-128-cbc-sha
        +-- rsa-with-aes-256-cbc-sha
        +-- rsa-with-aes-128-cbc-sha256
        +-- rsa-with-aes-256-cbc-sha256
        +-- dhe-rsa-with-aes-128-cbc-sha
        +-- dhe-rsa-with-aes-256-cbc-sha
        +-- dhe-rsa-with-aes-128-cbc-sha256
        +-- dhe-rsa-with-aes-256-cbc-sha256
        +-- ecdhe-ecdsa-with-aes-128-cbc-sha256
        +-- ecdhe-ecdsa-with-aes-256-cbc-sha384
        +-- ecdhe-rsa-with-aes-128-cbc-sha256
        +-- ecdhe-rsa-with-aes-256-cbc-sha384
        +-- ecdhe-ecdsa-with-aes-128-gcm-sha256
        +-- ecdhe-ecdsa-with-aes-256-gcm-sha384
        +-- ecdhe-rsa-with-aes-128-gcm-sha256
        +-- ecdhe-rsa-with-aes-256-gcm-sha384
        +-- rsa-with-3des-ede-cbc-sha
        +-- ecdhe-rsa-with-3des-ede-cbc-sha
        +-- ecdhe-rsa-with-aes-128-cbc-sha
        +-- ecdhe-rsa-with-aes-256-cbc-sha

      |  The diagram above uses syntax that is similar to but not
      |  defined in [RFC8340].
   Comments:

   *  The diagram shows that there are two base identities.

   *  One base identity is used to specify TLS versions, while the
      other is used to specify cipher suites.

   *  These base identities are "abstract", in the object oriented
      programming sense, in that they only define a "class" of things,
      rather than a specific thing.

   *  Note that the module in Section 2.3 defines only the
      "tls-version-base" identities; the "cipher-suite" leaf-list of
      the "hello-params-grouping" grouping is typed against
      "tlscsa:cipher-suite-alg-base", which is defined in the
      "iana-tls-cipher-suite-algs" module (Appendix A).

2.1.3.  Groupings

   The "ietf-tls-common" module defines the following "grouping"
   statement:

   *  hello-params-grouping

   This grouping is presented in the following subsection.

2.1.3.1.  The "hello-params-grouping" Grouping

   The following tree diagram [RFC8340] illustrates the "hello-params-
   grouping" grouping:

   grouping hello-params-grouping
     +-- tls-versions
     |  +-- tls-version*   identityref
     +-- cipher-suites
        +-- cipher-suite*   identityref

   Comments:

   *  This grouping is used by both the "tls-client-grouping" and the
      "tls-server-grouping" groupings defined in Section 3.1.2.1 and
      Section 4.1.2.1, respectively.

   *  This grouping enables client and server configurations to specify
      the TLS versions and cipher suites that are to be used when
      establishing TLS sessions.

   *  The "cipher-suites" list is "ordered-by user".

2.1.4.  Protocol-accessible Nodes

   The "ietf-tls-common" module defines only "grouping" statements that
   are used by other modules to instantiate protocol-accessible nodes.

2.2.  Example Usage

   This section shows how it would appear if the "hello-params-grouping"
   grouping were populated with some data.

   =============== NOTE: '\' line wrapping per RFC 8792 ================

   <hello-params
     xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-common"
     xmlns:tlscmn="urn:ietf:params:xml:ns:yang:ietf-tls-common"
     xmlns:tlscsa="urn:ietf:params:xml:ns:yang:iana-tls-cipher-suite-al\
   gs">
     <tls-versions>
       <tls-version>tlscmn:tls-1.1</tls-version>
       <tls-version>tlscmn:tls-1.2</tls-version>
     </tls-versions>
     <cipher-suites>
       <cipher-suite>tlscsa:tls-ecdhe-ecdsa-with-aes-256-cbc-sha</ciphe\
   r-suite>
       <cipher-suite>tlscsa:tls-dhe-rsa-with-aes-128-cbc-sha256</cipher\
   -suite>
       <cipher-suite>tlscsa:tls-rsa-with-3des-ede-cbc-sha</cipher-suite>
     </cipher-suites>
   </hello-params>

2.3.  YANG Module

   This YANG module has normative references to [RFC4346], [RFC5288],
   [RFC5289], [RFC8422], and FIPS PUB 180-4.
   This YANG module has informative references to [RFC2246], [RFC4346],
   [RFC5246], and [RFC8446].

   <CODE BEGINS> file "ietf-tls-common@2021-12-14.yang"

   module ietf-tls-common {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-tls-common";
     prefix tlscmn;

     import iana-tls-cipher-suite-algs {
       prefix tlscsa;
       reference
         "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers";
     }

     organization
       "IETF NETCONF (Network Configuration) Working Group";

     contact
       "WG Web:
        WG List:
        Author:   Kent Watsen
        Author:   Gary Wu ";

     description
       "This module defines common features and groupings for
        Transport Layer Security (TLS).

        Copyright (c) 2021 IETF Trust and the persons identified
        as authors of the code. All rights reserved.

        Redistribution and use in source and binary forms, with
        or without modification, is permitted pursuant to, and
        subject to the license terms contained in, the Simplified
        BSD License set forth in Section 4.c of the IETF Trust's
        Legal Provisions Relating to IETF Documents
        (https://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC FFFF
        (https://www.rfc-editor.org/info/rfcFFFF); see the RFC
        itself for full legal notices.

        The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
        'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
        'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
        are to be interpreted as described in BCP 14 (RFC 2119)
        (RFC 8174) when, and only when, they appear in all
        capitals, as shown here.";

     revision 2021-12-14 {
       description
         "Initial version";
       reference
         "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers";
     }

     // Features

     feature tls-1_0 {
       status "obsolete";
       description
         "TLS Protocol Version 1.0 is supported.  TLS 1.0 is obsolete
          and thus it is NOT RECOMMENDED to enable this feature.";
       reference
         "RFC 2246: The TLS Protocol Version 1.0";
     }

     feature tls-1_1 {
       status "obsolete";
       description
         "TLS Protocol Version 1.1 is supported.  TLS 1.1 is obsolete
          and thus it is NOT RECOMMENDED to enable this feature.";
       reference
         "RFC 4346: The Transport Layer Security (TLS) Protocol
                    Version 1.1";
     }

     feature tls-1_2 {
       status "deprecated";
       description
         "TLS Protocol Version 1.2 is supported.  TLS 1.2 is obsolete
          and thus it is NOT RECOMMENDED to enable this feature.";
       reference
         "RFC 5246: The Transport Layer Security (TLS) Protocol
                    Version 1.2";
     }

     feature tls-1_3 {
       description
         "TLS Protocol Version 1.3 is supported.";
       reference
         "RFC 8446: The Transport Layer Security (TLS) Protocol
                    Version 1.3";
     }

     feature hello-params {
       description
         "TLS hello message parameters are configurable.";
     }

     // Identities

     identity tls-version-base {
       description
         "Base identity used to identify TLS protocol versions.";
     }

     identity tls-1.0 {
       if-feature "tls-1_0";
       base tls-version-base;
       status "obsolete";
       description
         "TLS Protocol Version 1.0.";
       reference
         "RFC 2246: The TLS Protocol Version 1.0";
     }

     identity tls-1.1 {
       if-feature "tls-1_1";
       base tls-version-base;
       status "obsolete";
       description
         "TLS Protocol Version 1.1.";
       reference
         "RFC 4346: The Transport Layer Security (TLS) Protocol
                    Version 1.1";
     }

     identity tls-1.2 {
       if-feature "tls-1_2";
       base tls-version-base;
       status "deprecated";
       description
         "TLS Protocol Version 1.2.";
       reference
         "RFC 5246: The Transport Layer Security (TLS) Protocol
                    Version 1.2";
     }

     identity tls-1.3 {
       if-feature "tls-1_3";
       base tls-version-base;
       description
         "TLS Protocol Version 1.3.";
       reference
         "RFC 8446: The Transport Layer Security (TLS) Protocol
                    Version 1.3";
     }

     // Groupings

     grouping hello-params-grouping {
       description
         "A reusable grouping for TLS hello message parameters.";
       reference
         "RFC 5246: The Transport Layer Security (TLS) Protocol
                    Version 1.2
          RFC 8446: The Transport Layer Security (TLS) Protocol
                    Version 1.3";
       container tls-versions {
         description
           "Parameters regarding TLS versions.";
         leaf-list tls-version {
           type identityref {
             base tls-version-base;
           }
           description
             "Acceptable TLS protocol versions.

              If this leaf-list is not configured (has zero elements)
              the acceptable TLS protocol versions are implementation-
              defined.";
         }
       }
       container cipher-suites {
         description
           "Parameters regarding cipher suites.";
         leaf-list cipher-suite {
           type identityref {
             base tlscsa:cipher-suite-alg-base;
           }
           ordered-by user;
           description
             "Acceptable cipher suites in order of descending
              preference.  The configured cipher suites should be
              compatible with the algorithm used by the configured
              private key.  Please see Section 5 of RFC FFFF for
              valid combinations.

              If this leaf-list is not configured (has zero elements)
              the acceptable cipher suites are implementation-
              defined.";
           reference
             "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers";
         }
       }
     } // hello-params-grouping

   }

   <CODE ENDS>

3.  The "ietf-tls-client" Module

   This section defines a YANG 1.1 [RFC7950] module called "ietf-tls-
   client".  A high-level overview of the module is provided in
   Section 3.1.  Examples illustrating the module's use are provided in
   Section 3.2.  The YANG module itself is defined in Section 3.3.

3.1.  Data Model Overview

   This section provides an overview of the "ietf-tls-client" module in
   terms of its features and groupings.

3.1.1.  Features

   The following diagram lists all the "feature" statements defined in
   the "ietf-tls-client" module:

   Features:
     +-- tls-client-keepalives
     +-- client-ident-x509-cert
     +-- client-ident-raw-public-key
     +-- client-ident-psk
     +-- server-auth-x509-cert
     +-- server-auth-raw-public-key
     +-- server-auth-psk

      |  The diagram above uses syntax that is similar to but not
      |  defined in [RFC8340].

3.1.2.  Groupings

   The "ietf-tls-client" module defines the following "grouping"
   statement:

   *  tls-client-grouping

   This grouping is presented in the following subsection.

3.1.2.1.  The "tls-client-grouping" Grouping

   The following tree diagram [RFC8340] illustrates the "tls-client-
   grouping" grouping:

   =============== NOTE: '\' line wrapping per RFC 8792 ================

   grouping tls-client-grouping
     +-- client-identity!
     |  +-- (auth-type)
     |     +--:(certificate) {client-ident-x509-cert}?
     |     |  +-- certificate
     |     |     +---u ks:local-or-keystore-end-entity-cert-with-key-\
   grouping
     |     +--:(raw-public-key) {client-ident-raw-public-key}?
     |     |  +-- raw-private-key
     |     |     +---u ks:local-or-keystore-asymmetric-key-grouping
     |     +--:(psk) {client-ident-psk}?
     |        +-- psk
     |           +---u ks:local-or-keystore-symmetric-key-grouping
     |           +-- id?                                      string
     +-- server-authentication
     |  +-- ca-certs! {client-ident-x509-cert}?
     |  |  +---u ts:local-or-truststore-certs-grouping
     |  +-- ee-certs! {client-ident-x509-cert}?
     |  |  +---u ts:local-or-truststore-certs-grouping
     |  +-- raw-public-keys! {client-ident-raw-public-key}?
     |  |  +---u ts:local-or-truststore-public-keys-grouping
     |  +-- psks?   empty {client-ident-psk}?
     +-- hello-params {tlscmn:hello-params}?
     |  +---u tlscmn:hello-params-grouping
     +-- keepalives {tls-client-keepalives}?
        +-- peer-allowed-to-send?   empty
        +-- test-peer-aliveness!
           +-- max-wait?       uint16
           +-- max-attempts?   uint8

   Comments:

   *  The "client-identity" node, which is optionally configured (as
      client authentication MAY occur at a higher protocol layer),
      configures identity credentials, each enabled by a "feature"
      statement defined in Section 3.1.1.

   *  The "server-authentication" node configures trust anchors for
      authenticating the TLS server, with each option enabled by a
      "feature" statement.

   *  The "hello-params" node, which must be enabled by a feature,
      configures parameters for the TLS sessions established by this
      configuration.

   *  The "keepalives" node, which must be enabled by a feature,
      configures a "presence" container for testing the aliveness of the
      TLS server.  The aliveness-test occurs at the TLS protocol layer.

   *  For the referenced grouping statement(s):

      -  The "local-or-keystore-end-entity-cert-with-key-grouping"
         grouping is discussed in Section 2.1.3.6 of
         [I-D.ietf-netconf-keystore].

      -  The "local-or-keystore-asymmetric-key-grouping" grouping is
         discussed in Section 2.1.3.4 of [I-D.ietf-netconf-keystore].

      -  The "local-or-keystore-symmetric-key-grouping" grouping is
         discussed in Section 2.1.3.3 of [I-D.ietf-netconf-keystore].

      -  The "local-or-truststore-certs-grouping" grouping is discussed
         in Section 2.1.3.1 of [I-D.ietf-netconf-trust-anchors].

      -  The "local-or-truststore-public-keys-grouping" grouping is
         discussed in Section 2.1.3.2 of
         [I-D.ietf-netconf-trust-anchors].

      -  The "hello-params-grouping" grouping is discussed in
         Section 2.1.3.1 of this document.

3.1.3.  Protocol-accessible Nodes

   The "ietf-tls-client" module defines only "grouping" statements that
   are used by other modules to instantiate protocol-accessible nodes.

3.2.  Example Usage

   This section presents two examples showing the "tls-client-grouping"
   grouping populated with some data.
   These examples are effectively the same except the first configures
   the client identity using a local key while the second uses a key
   configured in a keystore.  Both examples are consistent with the
   examples presented in Section 2 of [I-D.ietf-netconf-trust-anchors]
   and Section 3.2 of [I-D.ietf-netconf-keystore].

   The following configuration example uses local definitions for the
   client identity and server authentication:

   [The XML of this example did not survive extraction; only its element
   values remain.  Read against the tree diagram in Section 3.1.2.1, the
   example configured: a "client-identity" of type "certificate" whose
   key is defined locally (a public key in
   ct:subject-public-key-info-format and a private key in
   ct:rsa-private-key-format, with the "BASE64VALUE=" placeholder for
   each and for the certificate itself); "server-authentication" with
   locally defined "ca-certs" named "Server Cert Issuer #1" and
   "Server Cert Issuer #2", "ee-certs" named "My Application #1" and
   "My Application #2", and two "raw-public-keys" entries, each shown
   with the name "corp-fw1" and a public key in
   ct:subject-public-key-info-format; and "keepalives" with
   "test-peer-aliveness" set to a "max-wait" of 30 and "max-attempts"
   of 3.]

   The following configuration example uses keystore references for the
   client identity and truststore references for server authentication:

   [The XML of this example did not survive extraction either; only its
   element values remain.  The "client-identity" certificate is a
   keystore reference to the asymmetric key "rsa-asymmetric-key" and its
   certificate "ex-rsa-cert"; "server-authentication" references the
   truststore entries "trusted-server-ca-certs" (for "ca-certs"),
   "trusted-server-ee-certs" (for "ee-certs") and "Raw Public Keys for
   TLS Servers" (for "raw-public-keys"); and "keepalives" again sets
   "max-wait" to 30 and "max-attempts" to 3.]

3.3.  YANG Module

   This YANG module has normative references to
   [I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore], and
   informative references to [RFC5246], [RFC8446],
   [I-D.ietf-tls-external-psk-importer] and
   [I-D.ietf-tls-external-psk-guidance].
   <CODE BEGINS> file "ietf-tls-client@2021-12-14.yang"

   module ietf-tls-client {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-tls-client";
     prefix tlsc;

     import ietf-netconf-acm {
       prefix nacm;
       reference
         "RFC 8341: Network Configuration Access Control Model";
     }

     import ietf-crypto-types {
       prefix ct;
       reference
         "RFC AAAA: YANG Data Types and Groupings for Cryptography";
     }

     import ietf-truststore {
       prefix ts;
       reference
         "RFC BBBB: A YANG Data Model for a Truststore";
     }

     import ietf-keystore {
       prefix ks;
       reference
         "RFC CCCC: A YANG Data Model for a Keystore";
     }

     import ietf-tls-common {
       prefix tlscmn;
       revision-date 2021-12-14; // stable grouping definitions
       reference
         "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers";
     }

     organization
       "IETF NETCONF (Network Configuration) Working Group";

     contact
       "WG Web:
        WG List:
        Author: Kent Watsen
        Author: Gary Wu ";

     description
       "This module defines reusable groupings for TLS clients that
        can be used as a basis for specific TLS client instances.

        Copyright (c) 2021 IETF Trust and the persons identified
        as authors of the code. All rights reserved.

        Redistribution and use in source and binary forms, with
        or without modification, is permitted pursuant to, and
        subject to the license terms contained in, the Simplified
        BSD License set forth in Section 4.c of the IETF Trust's
        Legal Provisions Relating to IETF Documents
        (https://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC FFFF
        (https://www.rfc-editor.org/info/rfcFFFF); see the RFC
        itself for full legal notices.

        The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
        'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
        'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
        are to be interpreted as described in BCP 14 (RFC 2119)
        (RFC 8174) when, and only when, they appear in all
        capitals, as shown here.";

     revision 2021-12-14 {
       description
         "Initial version";
       reference
         "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers";
     }

     // Features

     feature tls-client-keepalives {
       description
         "Per socket TLS keepalive parameters are configurable for
          TLS clients on the server implementing this feature.";
     }

     feature client-ident-x509-cert {
       description
         "Indicates that the client supports identifying itself
          using X.509 certificates.";
       reference
         "RFC 5280:
            Internet X.509 Public Key Infrastructure Certificate
            and Certificate Revocation List (CRL) Profile";
     }

     feature client-ident-raw-public-key {
       description
         "Indicates that the client supports identifying itself
          using raw public keys.";
       reference
         "RFC 7250:
            Using Raw Public Keys in Transport Layer Security (TLS)
            and Datagram Transport Layer Security (DTLS)";
     }

     feature client-ident-psk {
       description
         "Indicates that the client supports identifying itself
          using PSKs (pre-shared or pairwise-symmetric keys).";
       reference
         "RFC 4279:
            Pre-Shared Key Ciphersuites for Transport Layer Security
            (TLS)";
     }

     feature server-auth-x509-cert {
       description
         "Indicates that the client supports authenticating servers
          using X.509 certificates.";
       reference
         "RFC 5280:
            Internet X.509 Public Key Infrastructure Certificate
            and Certificate Revocation List (CRL) Profile";
     }

     feature server-auth-raw-public-key {
       description
         "Indicates that the client supports authenticating servers
          using raw public keys.";
       reference
         "RFC 7250:
            Using Raw Public Keys in Transport Layer Security (TLS)
            and Datagram Transport Layer Security (DTLS)";
     }

     feature server-auth-psk {
       description
         "Indicates that the client supports authenticating servers
          using PSKs (pre-shared or pairwise-symmetric keys).";
       reference
         "RFC 4279:
            Pre-Shared Key Ciphersuites for Transport Layer Security
            (TLS)";
     }

     // Groupings

     grouping tls-client-grouping {
       description
         "A reusable grouping for configuring a TLS client without
          any consideration for how an underlying TCP session is
          established.

          Note that this grouping uses fairly typical descendant
          node names such that a stack of 'uses' statements will
          have name conflicts.  It is intended that the consuming
          data model will resolve the issue (e.g., by wrapping
          the 'uses' statement in a container called
          'tls-client-parameters').  This model purposely does
          not do this itself so as to provide maximum flexibility
          to consuming models.";

       container client-identity {
         nacm:default-deny-write;
         presence
           "Indicates that a TLS-level client identity has been
            configured.  This statement is present so the mandatory
            descendant nodes do not imply that this node must be
            configured.";
         description
           "Identity credentials the TLS client MAY present when
            establishing a connection to a TLS server.  If not
            configured, then client authentication is presumed to
            occur at a protocol layer above TLS.  When configured,
            and requested by the TLS server when establishing a
            TLS session, these credentials are passed in the
            Certificate message defined in Section 7.4.2 of
            RFC 5246 and Section 4.4.2 in RFC 8446.";
         reference
           "RFC 5246: The Transport Layer Security (TLS) Protocol
                      Version 1.2
            RFC 8446: The Transport Layer Security (TLS) Protocol
                      Version 1.3
            RFC CCCC: A YANG Data Model for a Keystore";
         choice auth-type {
           mandatory true;
           description
             "A choice amongst authentication types, of which one must
              be enabled (via its associated 'feature') and selected.";
           case certificate {
             if-feature "client-ident-x509-cert";
             container certificate {
               description
                 "Specifies the client identity using a certificate.";
               uses
                 ks:local-or-keystore-end-entity-cert-with-key-grouping{
                 refine "local-or-keystore/local/local-definition" {
                   must 'public-key-format'
                      + ' = "ct:subject-public-key-info-format"';
                 }
                 refine "local-or-keystore/keystore/keystore-reference"
                      + "/asymmetric-key" {
                   must 'deref(.)/../ks:public-key-format'
                      + ' = "ct:subject-public-key-info-format"';
                 }
               }
             }
           }
           case raw-public-key {
             if-feature "client-ident-raw-public-key";
             container raw-private-key {
               description
                 "Specifies the client identity using a raw
                  private key.";
               uses ks:local-or-keystore-asymmetric-key-grouping {
                 refine "local-or-keystore/local/local-definition" {
                   must 'public-key-format'
                      + ' = "ct:subject-public-key-info-format"';
                 }
                 refine "local-or-keystore/keystore"
                      + "/keystore-reference" {
                   must 'deref(.)/../ks:public-key-format'
                      + ' = "ct:subject-public-key-info-format"';
                 }
               }
             }
           }
           case psk {
             if-feature "client-ident-psk";
             container psk {
               description
                 "Specifies the client identity using a PSK (pre-shared
                  or pairwise-symmetric key).";
               uses ks:local-or-keystore-symmetric-key-grouping;
               leaf id {
                 type string;
                 description
                   "The key 'psk_identity' value used in the TLS
                    'ClientKeyExchange' message.";
                 reference
                   "RFC 4279: Pre-Shared Key Ciphersuites for
                              Transport Layer Security (TLS)
                    I-D.ietf-tls-external-psk-importer:
                              Importing External PSKs for TLS
                    I-D.ietf-tls-external-psk-guidance:
                              Guidance for External PSK Usage in TLS";
               }
             }
           }
         }
       } // container client-identity

       container server-authentication {
         nacm:default-deny-write;
         must 'ca-certs or ee-certs or raw-public-keys or psks';
         description
           "Specifies how the TLS client can authenticate TLS servers.
            Any combination of credentials is additive and unordered.

            Note that no configuration is required for PSK (pre-shared
            or pairwise-symmetric key) based authentication as the key
            is necessarily the same as configured in the '../client-
            identity' node.";
         container ca-certs {
           if-feature "client-ident-x509-cert";
           presence
             "Indicates that CA certificates have been configured.
              This statement is present so the mandatory descendant
              nodes do not imply that this node must be configured.";
           description
             "A set of certificate authority (CA) certificates used by
              the TLS client to authenticate TLS server certificates.
              A server certificate is authenticated if it has a valid
              chain of trust to a configured CA certificate.";
           reference
             "RFC BBBB: A YANG Data Model for a Truststore";
           uses ts:local-or-truststore-certs-grouping;
         }
         container ee-certs {
           if-feature "client-ident-x509-cert";
           presence
             "Indicates that EE certificates have been configured.
              This statement is present so the mandatory descendant
              nodes do not imply that this node must be configured.";
           description
             "A set of server certificates (i.e., end entity
              certificates) used by the TLS client to authenticate
              certificates presented by TLS servers.  A server
              certificate is authenticated if it is an exact
              match to a configured server certificate.";
           reference
             "RFC BBBB: A YANG Data Model for a Truststore";
           uses ts:local-or-truststore-certs-grouping;
         }
         container raw-public-keys {
           if-feature "client-ident-raw-public-key";
           presence
             "Indicates that raw public keys have been configured.
              This statement is present so the mandatory descendant
              nodes do not imply that this node must be configured.";
           description
             "A set of raw public keys used by the TLS client to
              authenticate raw public keys presented by the TLS
              server.  A raw public key is authenticated if it
              is an exact match to a configured raw public key.";
           reference
             "RFC BBBB: A YANG Data Model for a Truststore";
           uses ts:local-or-truststore-public-keys-grouping {
             refine "local-or-truststore/local/local-definition"
                  + "/public-key" {
               must 'public-key-format'
                  + ' = "ct:subject-public-key-info-format"';
             }
             refine "local-or-truststore/truststore"
                  + "/truststore-reference" {
               must 'deref(.)/../*/ts:public-key-format'
                  + ' = "ct:subject-public-key-info-format"';
             }
           }
         }
         leaf psks {
           if-feature "client-ident-psk";
           type empty;
           description
             "Indicates that the TLS client can authenticate TLS servers
              using configured PSKs (pre-shared or pairwise-symmetric
              keys).

              No configuration is required since the PSK value is the
              same as the PSK value configured in the 'client-identity'
              node.";
         }
       } // container server-authentication

       container hello-params {
         nacm:default-deny-write;
         if-feature "tlscmn:hello-params";
         uses tlscmn:hello-params-grouping;
         description
           "Configurable parameters for the TLS hello message.";
       } // container hello-params

       container keepalives {
         nacm:default-deny-write;
         if-feature "tls-client-keepalives";
         description
           "Configures the keepalive policy for the TLS client.";
         leaf peer-allowed-to-send {
           type empty;
           description
             "Indicates that the remote TLS server is allowed to send
              HeartbeatRequest messages, as defined by RFC 6520
              to this TLS client.";
           reference
             "RFC 6520: Transport Layer Security (TLS) and Datagram
              Transport Layer Security (DTLS) Heartbeat Extension";
         }
         container test-peer-aliveness {
           presence
             "Indicates that the TLS client proactively tests the
              aliveness of the remote TLS server.";
           description
             "Configures the keep-alive policy to proactively test
              the aliveness of the TLS server.  An unresponsive
              TLS server is dropped after approximately max-wait
              * max-attempts seconds.  The TLS client MUST send
              HeartbeatRequest messages, as defined by RFC 6520.";
           reference
             "RFC 6520: Transport Layer Security (TLS) and Datagram
              Transport Layer Security (DTLS) Heartbeat Extension";
           leaf max-wait {
             type uint16 {
               range "1..max";
             }
             units "seconds";
             default "30";
             description
               "Sets the amount of time in seconds after which, if
                no data has been received from the TLS server, a
                TLS-level message will be sent to test the
                aliveness of the TLS server.";
           }
           leaf max-attempts {
             type uint8;
             default "3";
             description
               "Sets the maximum number of sequential keep-alive
                messages that can fail to obtain a response from
                the TLS server before assuming the TLS server is
                no longer alive.";
           }
         }
       }
     } // grouping tls-client-grouping

   }

   <CODE ENDS>

4.  The "ietf-tls-server" Module

   This section defines a YANG 1.1 module called "ietf-tls-server".  A
   high-level overview of the module is provided in Section 4.1.
   Examples illustrating the module's use are provided in Examples
   (Section 4.2).  The YANG module itself is defined in Section 4.3.

4.1.  Data Model Overview

   This section provides an overview of the "ietf-tls-server" module in
   terms of its features and groupings.

4.1.1.  Features

   The following diagram lists all the "feature" statements defined in
   the "ietf-tls-server" module:

   Features:
     +-- tls-server-keepalives
     +-- server-ident-x509-cert
     +-- server-ident-raw-public-key
     +-- server-ident-psk
     +-- client-auth-supported
     +-- client-auth-x509-cert
     +-- client-auth-raw-public-key
     +-- client-auth-psk

      |  The diagram above uses syntax that is similar to but not
      |  defined in [RFC8340].

4.1.2.  Groupings

   The "ietf-tls-server" module defines the following "grouping"
   statement:

   *  tls-server-grouping

   This grouping is presented in the following subsection.

4.1.2.1.  The "tls-server-grouping" Grouping

   The following tree diagram [RFC8340] illustrates the "tls-server-
   grouping" grouping:

   =============== NOTE: '\' line wrapping per RFC 8792 ================

   grouping tls-server-grouping
     +-- server-identity
     |  +-- (auth-type)
     |     +--:(certificate) {server-ident-x509-cert}?
     |     |  +-- certificate
     |     |     +---u ks:local-or-keystore-end-entity-cert-with-key-\
   grouping
     |     +--:(raw-private-key) {server-ident-raw-public-key}?
     |     |  +-- raw-private-key
     |     |     +---u ks:local-or-keystore-asymmetric-key-grouping
     |     +--:(psk) {server-ident-psk}?
     |        +-- psk
     |           +---u ks:local-or-keystore-symmetric-key-grouping
     |           +-- id_hint?
     |                   string
     +-- client-authentication! {client-auth-supported}?
     |  +-- ca-certs! {client-auth-x509-cert}?
     |  |  +---u ts:local-or-truststore-certs-grouping
     |  +-- ee-certs! {client-auth-x509-cert}?
     |  |  +---u ts:local-or-truststore-certs-grouping
     |  +-- raw-public-keys! {client-auth-raw-public-key}?
     |  |  +---u ts:local-or-truststore-public-keys-grouping
     |  +-- psks? empty {client-auth-psk}?
     +-- hello-params {tlscmn:hello-params}?
     |  +---u tlscmn:hello-params-grouping
     +-- keepalives {tls-server-keepalives}?
        +-- peer-allowed-to-send? empty
        +-- test-peer-aliveness!
           +-- max-wait? uint16
           +-- max-attempts? uint8

   Comments:

   *  The "server-identity" node configures identity credentials, each
      of which is enabled by a "feature".

   *  The "client-authentication" node, which is optionally configured
      (as client authentication MAY occur at a higher protocol layer),
      configures trust anchors for authenticating the TLS client, with
      each option enabled by a "feature" statement.

   *  The "hello-params" node, which must be enabled by a feature,
      configures parameters for the TLS sessions established by this
      configuration.

   *  The "keepalives" node, which must be enabled by a feature,
      configures a flag enabling the TLS client to test the aliveness of
      the TLS server, as well as a "presence" container for testing the
      aliveness of the TLS client.  The aliveness-tests occur at the
      TLS protocol layer.

   *  For the referenced grouping statement(s):

      -  The "local-or-keystore-end-entity-cert-with-key-grouping"
         grouping is discussed in Section 2.1.3.6 of
         [I-D.ietf-netconf-keystore].
      -  The "local-or-keystore-asymmetric-key-grouping" grouping is
         discussed in Section 2.1.3.4 of [I-D.ietf-netconf-keystore].
      -  The "local-or-keystore-symmetric-key-grouping" grouping is
         discussed in Section 2.1.3.3 of [I-D.ietf-netconf-keystore].
      -  The "local-or-truststore-public-keys-grouping" grouping is
         discussed in Section 2.1.3.2 of
         [I-D.ietf-netconf-trust-anchors].
      -  The "local-or-truststore-certs-grouping" grouping is discussed
         in Section 2.1.3.1 of [I-D.ietf-netconf-trust-anchors].
      -  The "hello-params-grouping" grouping is discussed in
         Section 2.1.3.1 in this document.

4.1.3.  Protocol-accessible Nodes

   The "ietf-tls-server" module defines only "grouping" statements that
   are used by other modules to instantiate protocol-accessible nodes.

4.2.  Example Usage

   This section presents two examples showing the "tls-server-grouping"
   grouping populated with some data.  These examples are effectively
   the same except the first configures the server identity using a
   local key while the second uses a key configured in a keystore.  Both
   examples are consistent with the examples presented in Section 2 of
   [I-D.ietf-netconf-trust-anchors] and Section 3.2 of
   [I-D.ietf-netconf-keystore].
   The following configuration example uses local-definitions for the
   server identity and client authentication:

   =============== NOTE: '\' line wrapping per RFC 8792 ================

   [XML example: element markup lost in extraction; surviving element
    values, in order: ct:subject-public-key-info-format, BASE64VALUE=,
    ct:rsa-private-key-format, BASE64VALUE=, BASE64VALUE=,
    "Identity Cert Issuer #1" / BASE64VALUE=,
    "Identity Cert Issuer #2" / BASE64VALUE=,
    "Application #1" / BASE64VALUE=,
    "Application #2" / BASE64VALUE=,
    "User A" / ct:subject-public-key-info-format / BASE64VALUE=,
    "User B" / ct:subject-public-key-info-format / BASE64VALUE=]

   The following configuration example uses keystore-references for the
   server identity and truststore-references for client authentication:
   from the keystore:

   =============== NOTE: '\' line wrapping per RFC 8792 ================

   [XML example: element markup lost in extraction; surviving element
    values, in order: rsa-asymmetric-key, ex-rsa-cert,
    trusted-client-ca-certs, trusted-client-ee-certs,
    "Raw Public Keys for TLS Clients"]

4.3.  YANG Module

   This YANG module has normative references to
   [I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore], and
   Informative references to [RFC5246], [RFC8446],
   [I-D.ietf-tls-external-psk-importer] and
   [I-D.ietf-tls-external-psk-guidance].
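   The constraints that the "tls-client-grouping" (Section 3) and
   "tls-server-grouping" (Section 4) groupings place on instance data
   are easy to misread from the tree diagrams alone: the "auth-type"
   choice is mandatory, the authentication container carries a "must"
   expression requiring at least one of "ca-certs", "ee-certs",
   "raw-public-keys" or "psks", local definitions are refined so that
   "public-key-format" is "ct:subject-public-key-info-format", and
   "max-wait" is a uint16 restricted to 1..max whose product with
   "max-attempts" is the approximate drop timeout.  The following Python
   check is an added example, not code from the draft or the NETCONF
   working group; it applies those constraints to both groupings.  It
   assumes a simplified JSON-style encoding in which the case-node names
   of a choice are omitted (as RFC 7951 does), the sample instances and
   their "BASE64VALUE=" placeholders are constructed, and the names
   validate, drop_timeout and ROLES are the example's own.

```python
"""Check instances of tls-client-grouping / tls-server-grouping against
the constraints the YANG modules state.  Added example; assumes a JSON
style encoding where choice case names are omitted (RFC 7951)."""

# Container names under the identity choice, from the tree diagrams.
IDENTITY_CASES = ("certificate", "raw-private-key", "psk")
# Nodes named in: must 'ca-certs or ee-certs or raw-public-keys or psks'
AUTH_METHODS = ("ca-certs", "ee-certs", "raw-public-keys", "psks")
# Value forced by the refine/must on local-definition nodes.
SPKI_FORMAT = "ct:subject-public-key-info-format"
UINT8_MAX, UINT16_MAX = 255, 65535

# Per-role node names and presence semantics:
# - "client-identity" is a presence container (optional); "server-identity"
#   is not, so its mandatory choice must always be satisfied;
# - "server-authentication" is always present and carries the must;
#   "client-authentication" is a presence container, checked only if present.
ROLES = {
    "client": {"identity": "client-identity", "identity_required": False,
               "auth": "server-authentication", "auth_required": True},
    "server": {"identity": "server-identity", "identity_required": True,
               "auth": "client-authentication", "auth_required": False},
}


def _identity_errors(identity, path):
    errors = []
    chosen = [c for c in IDENTITY_CASES if c in identity]
    if len(chosen) != 1:  # choice auth-type { mandatory true; }
        errors.append(f"{path}: exactly one of {IDENTITY_CASES} required, got {chosen}")
        return errors
    case = chosen[0]
    if case == "psk":  # symmetric key; no public-key-format refinement
        return errors
    body = identity[case]
    local = body.get("local-definition")
    # refine ".../local/local-definition" { must 'public-key-format = ...' }
    if local is not None and local.get("public-key-format") != SPKI_FORMAT:
        errors.append(f"{path}/{case}/local-definition: public-key-format must be {SPKI_FORMAT}")
    if local is None and "keystore-reference" not in body:
        errors.append(f"{path}/{case}: needs local-definition or keystore-reference")
    return errors


def _keepalive_errors(keepalives, path):
    errors = []
    test = keepalives.get("test-peer-aliveness")
    if test is None:  # presence container not configured
        return errors
    max_wait = test.get("max-wait", 30)        # default "30"
    max_attempts = test.get("max-attempts", 3)  # default "3"
    if not 1 <= max_wait <= UINT16_MAX:  # type uint16 { range "1..max"; }
        errors.append(f"{path}/test-peer-aliveness/max-wait: {max_wait} outside 1..{UINT16_MAX}")
    if not 0 <= max_attempts <= UINT8_MAX:  # type uint8
        errors.append(f"{path}/test-peer-aliveness/max-attempts: {max_attempts} outside 0..{UINT8_MAX}")
    return errors


def validate(instance, role):
    """Return a list of constraint violations (empty when valid)."""
    names = ROLES[role]
    errors = []
    identity = instance.get(names["identity"])
    if identity is None:
        if names["identity_required"]:
            errors.append(f"{names['identity']}: required (auth-type choice is mandatory)")
    else:
        errors += _identity_errors(identity, names["identity"])
    auth = instance.get(names["auth"])
    if auth is None:
        if names["auth_required"]:
            errors.append(f"{names['auth']}: required")
    elif not any(m in auth for m in AUTH_METHODS):
        errors.append(f"{names['auth']}: must have one of {AUTH_METHODS}")
    if "keepalives" in instance:
        errors += _keepalive_errors(instance["keepalives"], "keepalives")
    return errors


def drop_timeout(instance):
    """Approximate seconds before an unresponsive peer is dropped
    (max-wait * max-attempts); None if aliveness testing is off."""
    test = instance.get("keepalives", {}).get("test-peer-aliveness")
    if test is None:
        return None
    return test.get("max-wait", 30) * test.get("max-attempts", 3)


# Constructed sample instances; key material is a placeholder string.
CLIENT_OK = {
    "client-identity": {"certificate": {"local-definition": {
        "public-key-format": SPKI_FORMAT,
        "public-key": "BASE64VALUE=",
        "private-key-format": "ct:rsa-private-key-format",
        "cleartext-private-key": "BASE64VALUE=",
        "cert-data": "BASE64VALUE="}}},
    "server-authentication": {"ca-certs": {"local-definition": {}}},
    "keepalives": {"test-peer-aliveness": {}},  # defaults: 30 s x 3
}
SERVER_BAD = {  # client-authentication present but empty: must fails
    "server-identity": {"psk": {"local-definition": {}}},
    "client-authentication": {},
}

if __name__ == "__main__":
    for name, inst, role in (("CLIENT_OK", CLIENT_OK, "client"),
                             ("SERVER_BAD", SERVER_BAD, "server")):
        print(name, validate(inst, role) or "valid", drop_timeout(inst))
```

   The role table is the only place the two groupings differ for these
   checks; everything else (the identity cases, the four authentication
   methods, the keepalive leaves) is shared, which is why one checker
   serves both modules.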
   <CODE BEGINS> file "ietf-tls-server@2021-12-14.yang"

   module ietf-tls-server {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server";
     prefix tlss;

     import ietf-netconf-acm {
       prefix nacm;
       reference
         "RFC 8341: Network Configuration Access Control Model";
     }

     import ietf-crypto-types {
       prefix ct;
       reference
         "RFC AAAA: YANG Data Types and Groupings for Cryptography";
     }

     import ietf-truststore {
       prefix ts;
       reference
         "RFC BBBB: A YANG Data Model for a Truststore";
     }

     import ietf-keystore {
       prefix ks;
       reference
         "RFC CCCC: A YANG Data Model for a Keystore";
     }

     import ietf-tls-common {
       prefix tlscmn;
       revision-date 2021-12-14; // stable grouping definitions
       reference
         "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers";
     }

     organization
       "IETF NETCONF (Network Configuration) Working Group";

     contact
       "WG Web:
        WG List:
        Author: Kent Watsen
        Author: Gary Wu ";

     description
       "This module defines reusable groupings for TLS servers that
        can be used as a basis for specific TLS server instances.

        Copyright (c) 2021 IETF Trust and the persons identified
        as authors of the code. All rights reserved.

        Redistribution and use in source and binary forms, with
        or without modification, is permitted pursuant to, and
        subject to the license terms contained in, the Simplified
        BSD License set forth in Section 4.c of the IETF Trust's
        Legal Provisions Relating to IETF Documents
        (https://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC FFFF
        (https://www.rfc-editor.org/info/rfcFFFF); see the RFC
        itself for full legal notices.

        The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
        'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
        'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
        are to be interpreted as described in BCP 14 (RFC 2119)
        (RFC 8174) when, and only when, they appear in all
        capitals, as shown here.";

     revision 2021-12-14 {
       description
         "Initial version";
       reference
         "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers";
     }

     // Features

     feature tls-server-keepalives {
       description
         "Per socket TLS keepalive parameters are configurable for
          TLS servers on the server implementing this feature.";
     }

     feature server-ident-x509-cert {
       description
         "Indicates that the server supports identifying itself
          using X.509 certificates.";
       reference
         "RFC 5280:
            Internet X.509 Public Key Infrastructure Certificate
            and Certificate Revocation List (CRL) Profile";
     }

     feature server-ident-raw-public-key {
       description
         "Indicates that the server supports identifying itself
          using raw public keys.";
       reference
         "RFC 7250:
            Using Raw Public Keys in Transport Layer Security (TLS)
            and Datagram Transport Layer Security (DTLS)";
     }

     feature server-ident-psk {
       description
         "Indicates that the server supports identifying itself
          using PSKs (pre-shared or pairwise-symmetric keys).";
       reference
         "RFC 4279:
            Pre-Shared Key Ciphersuites for Transport Layer Security
            (TLS)";
     }

     feature client-auth-supported {
       description
         "Indicates that the configuration for how to authenticate
          clients can be configured herein.  TLS-level client
          authentication may not be needed when client authentication
          is expected to occur only at another protocol layer.";
     }

     feature client-auth-x509-cert {
       description
         "Indicates that the server supports authenticating clients
          using X.509 certificates.";
       reference
         "RFC 5280:
            Internet X.509 Public Key Infrastructure Certificate
            and Certificate Revocation List (CRL) Profile";
     }

     feature client-auth-raw-public-key {
       description
         "Indicates that the server supports authenticating clients
          using raw public keys.";
       reference
         "RFC 7250:
            Using Raw Public Keys in Transport Layer Security (TLS)
            and Datagram Transport Layer Security (DTLS)";
     }

     feature client-auth-psk {
       description
         "Indicates that the server supports authenticating clients
          using PSKs (pre-shared or pairwise-symmetric keys).";
       reference
         "RFC 4279:
            Pre-Shared Key Ciphersuites for Transport Layer Security
            (TLS)";
     }

     // Groupings

     grouping tls-server-grouping {
       description
         "A reusable grouping for configuring a TLS server without
          any consideration for how underlying TCP sessions are
          established.

          Note that this grouping uses fairly typical descendant
          node names such that a stack of 'uses' statements will
          have name conflicts.  It is intended that the consuming
          data model will resolve the issue (e.g., by wrapping
          the 'uses' statement in a container called
          'tls-server-parameters').  This model purposely does
          not do this itself so as to provide maximum flexibility
          to consuming models.";

       container server-identity {
         nacm:default-deny-write;
         description
           "A locally-defined or referenced end-entity certificate,
            including any configured intermediate certificates, the
            TLS server will present when establishing a TLS connection
            in its Certificate message, as defined in Section 7.4.2
            in RFC 5246 and Section 4.4.2 in RFC 8446.";
         reference
           "RFC 5246: The Transport Layer Security (TLS) Protocol
                      Version 1.2
            RFC 8446: The Transport Layer Security (TLS) Protocol
                      Version 1.3
            RFC CCCC: A YANG Data Model for a Keystore";
         choice auth-type {
           mandatory true;
           description
             "A choice amongst authentication types, of which one must
              be enabled (via its associated 'feature') and selected.";
           case certificate {
             if-feature "server-ident-x509-cert";
             container certificate {
               description
                 "Specifies the server identity using a certificate.";
               uses
                 ks:local-or-keystore-end-entity-cert-with-key-grouping{
                 refine "local-or-keystore/local/local-definition" {
                   must 'public-key-format'
                      + ' = "ct:subject-public-key-info-format"';
                 }
                 refine "local-or-keystore/keystore/keystore-reference"
                      + "/asymmetric-key" {
                   must 'deref(.)/../ks:public-key-format'
                      + ' = "ct:subject-public-key-info-format"';
                 }
               }
             }
           }
           case raw-private-key {
             if-feature "server-ident-raw-public-key";
             container raw-private-key {
               description
                 "Specifies the server identity using a raw
                  private key.";
               uses ks:local-or-keystore-asymmetric-key-grouping {
                 refine "local-or-keystore/local/local-definition" {
                   must 'public-key-format'
                      + ' = "ct:subject-public-key-info-format"';
                 }
                 refine "local-or-keystore/keystore/keystore-reference"{
                   must 'deref(.)/../ks:public-key-format'
                      + ' = "ct:subject-public-key-info-format"';
                 }
               }
             }
           }
           case psk {
             if-feature "server-ident-psk";
             container psk {
               description
                 "Specifies the server identity using a PSK (pre-shared
                  or pairwise-symmetric key).";
               uses ks:local-or-keystore-symmetric-key-grouping;
               leaf id_hint {
                 type string;
                 description
                   "The key 'psk_identity_hint' value used in the TLS
                    'ServerKeyExchange' message.";
                 reference
                   "RFC 4279: Pre-Shared Key Ciphersuites for
                              Transport Layer Security (TLS)
                    I-D.ietf-tls-external-psk-importer:
                              Importing External PSKs for TLS
                    I-D.ietf-tls-external-psk-guidance:
                              Guidance for External PSK Usage in TLS";
               }
             }
           }
         }
       } // container server-identity

       container client-authentication {
         if-feature "client-auth-supported";
         nacm:default-deny-write;
         must 'ca-certs or ee-certs or raw-public-keys or psks';
         presence
           "Indicates that client authentication is supported (i.e.,
            that the server will request clients send certificates).
            If not configured, the TLS server SHOULD NOT request the
            TLS clients provide authentication credentials.";
         description
           "Specifies how the TLS server can authenticate TLS clients.
            Any combination of credentials is additive and unordered.

            Note that no configuration is required for PSK (pre-shared
            or pairwise-symmetric key) based authentication as the key
            is necessarily the same as configured in the '../server-
            identity' node.";
         container ca-certs {
           if-feature "client-auth-x509-cert";
           presence
             "Indicates that CA certificates have been configured.
              This statement is present so the mandatory descendant
              nodes do not imply that this node must be configured.";
           description
             "A set of certificate authority (CA) certificates used by
              the TLS server to authenticate TLS client certificates.
              A client certificate is authenticated if it has a valid
              chain of trust to a configured CA certificate.";
           reference
             "RFC BBBB: A YANG Data Model for a Truststore";
           uses ts:local-or-truststore-certs-grouping;
         }
         container ee-certs {
           if-feature "client-auth-x509-cert";
           presence
             "Indicates that EE certificates have been configured.
              This statement is present so the mandatory descendant
              nodes do not imply that this node must be configured.";
           description
             "A set of client certificates (i.e., end entity
              certificates) used by the TLS server to authenticate
              certificates presented by TLS clients.  A client
              certificate is authenticated if it is an exact
              match to a configured client certificate.";
           reference
             "RFC BBBB: A YANG Data Model for a Truststore";
           uses ts:local-or-truststore-certs-grouping;
         }
         container raw-public-keys {
           if-feature "client-auth-raw-public-key";
           presence
             "Indicates that raw public keys have been configured.
              This statement is present so the mandatory descendant
              nodes do not imply that this node must be configured.";
           description
             "A set of raw public keys used by the TLS server to
              authenticate raw public keys presented by the TLS
              client.  A raw public key is authenticated if it
              is an exact match to a configured raw public key.";
           reference
             "RFC BBBB: A YANG Data Model for a Truststore";
           uses ts:local-or-truststore-public-keys-grouping {
             refine "local-or-truststore/local/local-definition"
                  + "/public-key" {
               must 'public-key-format'
                  + ' = "ct:subject-public-key-info-format"';
             }
             refine "local-or-truststore/truststore"
                  + "/truststore-reference" {
               must 'deref(.)/../*/ts:public-key-format'
                  + ' = "ct:subject-public-key-info-format"';
             }
           }
         }
         leaf psks {
           if-feature "client-auth-psk";
           type empty;
           description
             "Indicates that the TLS server can authenticate TLS clients
              using configured PSKs (pre-shared or pairwise-symmetric
              keys).

              No configuration is required since the PSK value is the
              same as the PSK value configured in the 'server-identity'
              node.";
         }
       } // container client-authentication

       container hello-params {
         nacm:default-deny-write;
         if-feature "tlscmn:hello-params";
         uses tlscmn:hello-params-grouping;
         description
           "Configurable parameters for the TLS hello message.";
       } // container hello-params

       container keepalives {
         nacm:default-deny-write;
         if-feature "tls-server-keepalives";
         description
           "Configures the keepalive policy for the TLS server.";
         leaf peer-allowed-to-send {
           type empty;
           description
             "Indicates that the remote TLS client is allowed to send
              HeartbeatRequest messages, as defined by RFC 6520
              to this TLS server.";
           reference
             "RFC 6520: Transport Layer Security (TLS) and Datagram
              Transport Layer Security (DTLS) Heartbeat Extension";
         }
         container test-peer-aliveness {
           presence
             "Indicates that the TLS server proactively tests the
              aliveness of the remote TLS client.";
           description
             "Configures the keep-alive policy to proactively test
              the aliveness of the TLS client.  An unresponsive
              TLS client is dropped after approximately max-wait
              * max-attempts seconds.";
           leaf max-wait {
             type uint16 {
               range "1..max";
             }
             units "seconds";
             default "30";
             description
               "Sets the amount of time in seconds after which, if
                no data has been received from the TLS client, a
                TLS-level message will be sent to test the
                aliveness of the TLS client.";
           }
           leaf max-attempts {
             type uint8;
             default "3";
             description
               "Sets the maximum number of sequential keep-alive
                messages that can fail to obtain a response from
                the TLS client before assuming the TLS client is
                no longer alive.";
           }
         }
       } // container keepalives
     } // grouping tls-server-grouping

   }

   <CODE ENDS>

5.  Security Considerations

5.1.  The "iana-tls-cipher-suite-algs" Module

   The "iana-tls-cipher-suite-algs" YANG module defines a data model
   that is designed to be accessed via YANG based management protocols,
   such as NETCONF [RFC6241] and RESTCONF [RFC8040].  Both of these
   protocols have mandatory-to-implement secure transport layers (e.g.,
   SSH, TLS) with mutual authentication.

   The NETCONF access control model (NACM) [RFC8341] provides the means
   to restrict access for particular users to a pre-configured subset of
   all available protocol operations and content.

   This YANG module defines YANG identities, for a public IANA-
   maintained registry, and a single protocol-accessible read-only node
   for the subset of those identities supported by a server.

   YANG identities are not security-sensitive, as they are statically
   defined in the publicly-accessible YANG module.
The protocol-accessible read-only node for the algorithms supported by a server is mildly sensitive, but not to the extent that special NACM annotations are needed to prevent read-access to regular authenticated administrators.

This module does not define any writable nodes, RPCs, actions, or notifications, and thus the security considerations for such are not provided here.

5.2. The "ietf-tls-common" YANG Module

The "ietf-tls-common" YANG module defines "grouping" statements that are designed to be accessed via YANG-based management protocols, such as NETCONF [RFC6241] and RESTCONF [RFC8040]. Both of these protocols have mandatory-to-implement secure transport layers (e.g., SSH, TLS) with mutual authentication.

The NETCONF access control model (NACM) [RFC8341] provides the means to restrict access for particular users to a pre-configured subset of all available protocol operations and content.

Since the module in this document only defines groupings, these considerations are primarily for the designers of other modules that use these groupings.

None of the readable data nodes defined in this YANG module are considered sensitive or vulnerable in network environments. The NACM "default-deny-all" extension has not been set for any data nodes defined in this module.

None of the writable data nodes defined in this YANG module are considered sensitive or vulnerable in network environments. The NACM "default-deny-write" extension has not been set for any data nodes defined in this module.

This module does not define any RPCs, actions, or notifications, and thus the security considerations for such are not provided here.

5.3. The "ietf-tls-client" YANG Module

The "ietf-tls-client" YANG module defines "grouping" statements that are designed to be accessed via YANG-based management protocols, such as NETCONF [RFC6241] and RESTCONF [RFC8040]. Both of these protocols have mandatory-to-implement secure transport layers (e.g., SSH, TLS) with mutual authentication.

The NETCONF access control model (NACM) [RFC8341] provides the means to restrict access for particular users to a pre-configured subset of all available protocol operations and content.

Since the module in this document only defines groupings, these considerations are primarily for the designers of other modules that use these groupings.

None of the readable data nodes defined in this YANG module are considered sensitive or vulnerable in network environments. The NACM "default-deny-all" extension has not been set for any data nodes defined in this module.

   | Please be aware that this module uses the "key" and "private-key" nodes from the "ietf-crypto-types" module [I-D.ietf-netconf-crypto-types], where said nodes have the NACM extension "default-deny-all" set, thus preventing unrestricted read-access to the cleartext key values.

All the writable data nodes defined by this module may be considered sensitive or vulnerable in some network environments. For instance, any modification to a key or reference to a key may dramatically alter the implemented security policy. For this reason, the NACM extension "default-deny-write" has been set for all data nodes defined in this module.

This module does not define any RPCs, actions, or notifications, and thus the security considerations for such are not provided here.

5.4. The "ietf-tls-server" YANG Module

The "ietf-tls-server" YANG module defines "grouping" statements that are designed to be accessed via YANG-based management protocols, such as NETCONF [RFC6241] and RESTCONF [RFC8040]. Both of these protocols have mandatory-to-implement secure transport layers (e.g., SSH, TLS) with mutual authentication.

The NETCONF access control model (NACM) [RFC8341] provides the means to restrict access for particular users to a pre-configured subset of all available protocol operations and content.

Since the module in this document only defines groupings, these considerations are primarily for the designers of other modules that use these groupings.

None of the readable data nodes defined in this YANG module are considered sensitive or vulnerable in network environments. The NACM "default-deny-all" extension has not been set for any data nodes defined in this module.

   | Please be aware that this module uses the "key" and "private-key" nodes from the "ietf-crypto-types" module [I-D.ietf-netconf-crypto-types], where said nodes have the NACM extension "default-deny-all" set, thus preventing unrestricted read-access to the cleartext key values.

All the writable data nodes defined by this module may be considered sensitive or vulnerable in some network environments. For instance, any modification to a key or reference to a key may dramatically alter the implemented security policy. For this reason, the NACM extension "default-deny-write" has been set for all data nodes defined in this module.

This module does not define any RPCs, actions, or notifications, and thus the security considerations for such are not provided here.

6. IANA Considerations

6.1. The "IETF XML" Registry

This document registers four URIs in the "ns" subregistry of the IETF XML Registry [RFC3688]. Following the format in [RFC3688], the following registrations are requested:

   URI: urn:ietf:params:xml:ns:yang:iana-tls-cipher-suite-algs
   Registrant Contact: IANA
   XML: N/A, the requested URI is an XML namespace.

   URI: urn:ietf:params:xml:ns:yang:ietf-tls-common
   Registrant Contact: The IESG
   XML: N/A, the requested URI is an XML namespace.

   URI: urn:ietf:params:xml:ns:yang:ietf-tls-client
   Registrant Contact: The IESG
   XML: N/A, the requested URI is an XML namespace.

   URI: urn:ietf:params:xml:ns:yang:ietf-tls-server
   Registrant Contact: The IESG
   XML: N/A, the requested URI is an XML namespace.

6.2. The "YANG Module Names" Registry

This document registers four YANG modules in the YANG Module Names registry [RFC6020]. Following the format in [RFC6020], the following registrations are requested:

   name:      iana-tls-cipher-suite-algs
   namespace: urn:ietf:params:xml:ns:yang:iana-tls-cipher-suite-algs
   prefix:    tlscsa
   reference: RFC FFFF

   name:      ietf-tls-common
   namespace: urn:ietf:params:xml:ns:yang:ietf-tls-common
   prefix:    tlscmn
   reference: RFC FFFF

   name:      ietf-tls-client
   namespace: urn:ietf:params:xml:ns:yang:ietf-tls-client
   prefix:    tlsc
   reference: RFC FFFF

   name:      ietf-tls-server
   namespace: urn:ietf:params:xml:ns:yang:ietf-tls-server
   prefix:    tlss
   reference: RFC FFFF

6.3. The "iana-tls-cipher-suite-algs" Module

IANA is requested to maintain a YANG module called "iana-tls-cipher-suite-algs" that shadows the "TLS Cipher Suites" sub-registry of the "Transport Layer Security (TLS) Parameters" registry [IANA-CIPHER-ALGS].

This registry defines a YANG identity for each cipher suite algorithm, and a "base" identity from which all of the other identities are derived.

An initial version of this module can be found in Appendix A.1.
   *  Please note that this module was created on June 2nd, 2021, and that additional entries may have been added in the interim before this document's publication. If this is the case, IANA may either publish just an updated module containing the new entries, or publish the initial module as is, immediately followed by a "revision" containing the additional algorithm names.

   *  Please also note that the "status" statement has been set to "deprecated" if the "RECOMMENDED" column in the registry had the value 'N', and to "obsolete" if the "References" column included the "Moving single-DES and IDEA TLS ciphersuites to Historic" (https://datatracker.ietf.org/doc/status-change-tls-des-idea-ciphers-to-historic) reference.

7. References

7.1. Normative References

   [I-D.ietf-netconf-crypto-types]
              Watsen, K., "YANG Data Types and Groupings for Cryptography",
              Work in Progress, Internet-Draft, draft-ietf-netconf-crypto-types-21,
              14 September 2021.

   [I-D.ietf-netconf-keystore]
              Watsen, K., "A YANG Data Model for a Keystore", Work in Progress,
              Internet-Draft, draft-ietf-netconf-keystore-22, 18 May 2021.

   [I-D.ietf-netconf-trust-anchors]
              Watsen, K., "A YANG Data Model for a Truststore", Work in Progress,
              Internet-Draft, draft-ietf-netconf-trust-anchors-15, 18 May 2021.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
              Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.

   [RFC5288]  Salowey, J., Choudhury, A., and D. McGrew, "AES Galois Counter
              Mode (GCM) Cipher Suites for TLS", RFC 5288, DOI 10.17487/RFC5288,
              August 2008.

   [RFC5289]  Rescorla, E., "TLS Elliptic Curve Cipher Suites with SHA-256/384
              and AES Galois Counter Mode (GCM)", RFC 5289, DOI 10.17487/RFC5289,
              August 2008.

   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for the
              Network Configuration Protocol (NETCONF)", RFC 6020,
              DOI 10.17487/RFC6020, October 2010.

   [RFC7589]  Badra, M., Luchuk, A., and J. Schoenwaelder, "Using the NETCONF
              Protocol over Transport Layer Security (TLS) with Mutual X.509
              Authentication", RFC 7589, DOI 10.17487/RFC7589, June 2015.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key
              Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration Access
              Control Model", STD 91, RFC 8341, DOI 10.17487/RFC8341, March 2018.

   [RFC8422]  Nir, Y., Josefsson, S., and M. Pegourie-Gonnard, "Elliptic Curve
              Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)
              Versions 1.2 and Earlier", RFC 8422, DOI 10.17487/RFC8422,
              August 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

7.2. Informative References

   [I-D.ietf-netconf-http-client-server]
              Watsen, K., "YANG Groupings for HTTP Clients and HTTP Servers",
              Work in Progress, Internet-Draft,
              draft-ietf-netconf-http-client-server-07, 18 May 2021.

   [I-D.ietf-netconf-netconf-client-server]
              Watsen, K., "NETCONF Client and Server Models", Work in Progress,
              Internet-Draft, draft-ietf-netconf-netconf-client-server-23,
              18 May 2021.

   [I-D.ietf-netconf-restconf-client-server]
              Watsen, K., "RESTCONF Client and Server Models", Work in Progress,
              Internet-Draft, draft-ietf-netconf-restconf-client-server-23,
              18 May 2021.

   [I-D.ietf-netconf-ssh-client-server]
              Watsen, K., "YANG Groupings for SSH Clients and SSH Servers",
              Work in Progress, Internet-Draft,
              draft-ietf-netconf-ssh-client-server-25, 18 June 2021.

   [I-D.ietf-netconf-tcp-client-server]
              Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients and TCP
              Servers", Work in Progress, Internet-Draft,
              draft-ietf-netconf-tcp-client-server-10, 18 May 2021.

   [I-D.ietf-netconf-tls-client-server]
              Watsen, K., "YANG Groupings for TLS Clients and TLS Servers",
              Work in Progress, Internet-Draft,
              draft-ietf-netconf-tls-client-server-25, 18 June 2021.

   [I-D.ietf-tls-external-psk-guidance]
              Housley, R., Hoyland, J., Sethi, M., and C. A. Wood, "Guidance for
              External PSK Usage in TLS", Work in Progress, Internet-Draft,
              draft-ietf-tls-external-psk-guidance-04, 9 December 2021.

   [I-D.ietf-tls-external-psk-importer]
              Benjamin, D. and C. A. Wood, "Importing External PSKs for TLS",
              Work in Progress, Internet-Draft,
              draft-ietf-tls-external-psk-importer-06, 3 December 2020.

   [IANA-CIPHER-ALGS]
              IANA, "TLS Cipher Suites" sub-registry of the "Transport Layer
              Security (TLS) Parameters" registry.

   [RFC2246]  Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC 2246,
              DOI 10.17487/RFC2246, January 1999.

   [RFC2818]  Rescorla, E., "HTTP Over TLS", RFC 2818, DOI 10.17487/RFC2818,
              May 2000.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC4346]  Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS)
              Protocol Version 1.1", RFC 4346, DOI 10.17487/RFC4346, April 2006.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS)
              Protocol Version 1.2", RFC 5246, DOI 10.17487/RFC5246, August 2008.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., and
              A. Bierman, Ed., "Network Configuration Protocol (NETCONF)",
              RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF Protocol",
              RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8071]  Watsen, K., "NETCONF Call Home and RESTCONF Call Home", RFC 8071,
              DOI 10.17487/RFC8071, February 2017.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", BCP 215,
              RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., and
              R. Wilton, "Network Management Datastore Architecture (NMDA)",
              RFC 8342, DOI 10.17487/RFC8342, March 2018.

Appendix A. YANG Modules for IANA

The module contained in this section was generated by scripts using the contents of the associated sub-registry as they existed on June 2nd, 2021.

A.1. Initial Module for the "TLS Cipher Suites" Registry

A.1.1. Data Model Overview

This section provides an overview of the "iana-tls-cipher-suite-algs" module in terms of its identities and protocol-accessible nodes.

A.1.1.1. Identities

The following diagram lists the base "identity" statements defined in the module, of which there is just one, and illustrates that all the derived identity statements are generated from the associated IANA-maintained registry [IANA-CIPHER-ALGS].

   Identities:
     +-- cipher-suite-alg-base
        +--

   | The diagram above uses syntax that is similar to but not defined in [RFC8340].

A.1.1.2. Protocol-accessible Nodes

The following tree diagram [RFC8340] lists all the protocol-accessible nodes defined in the "iana-tls-cipher-suite-algs" module:

   module: iana-tls-cipher-suite-algs
     +--ro supported-algorithms
        +--ro supported-algorithm*   identityref

Comments:

   *  Protocol-accessible nodes are those nodes that are accessible when the module is "implemented", as described in Section 5.6.5 of [RFC7950].

A.1.2. Example Usage

The following example illustrates operational state data indicating the TLS cipher suite algorithms supported by the server:

   <supported-algorithms
     xmlns="urn:ietf:params:xml:ns:yang:iana-tls-cipher-suite-algs"
     xmlns:tlscsa="urn:ietf:params:xml:ns:yang:iana-tls-cipher-suite-algs">
     <supported-algorithm>tlscsa:tls-ecdhe-ecdsa-with-aes-256-cbc-sha</supported-algorithm>
     <supported-algorithm>tlscsa:tls-dhe-rsa-with-aes-128-cbc-sha256</supported-algorithm>
     <supported-algorithm>tlscsa:tls-rsa-with-3des-ede-cbc-sha</supported-algorithm>
     <supported-algorithm>tlscsa:tls-ecdhe-psk-with-aes-256-gcm-sha384</supported-algorithm>
     <supported-algorithm>tlscsa:tls-dhe-psk-with-chacha20-poly1305-sha256</supported-algorithm>
     <supported-algorithm>tlscsa:tls-eccpwd-with-aes-256-gcm-sha384</supported-algorithm>
     <supported-algorithm>tlscsa:tls-psk-with-aes-256-ccm</supported-algorithm>
     <supported-algorithm>tlscsa:tls-dhe-psk-with-camellia-256-cbc-sha384</supported-algorithm>
     <supported-algorithm>tlscsa:tls-ecdh-rsa-with-aes-256-cbc-sha384</supported-algorithm>
     <supported-algorithm>tlscsa:tls-ecdh-rsa-with-3des-ede-cbc-sha</supported-algorithm>
     <supported-algorithm>tlscsa:tls-dh-dss-with-aes-128-gcm-sha256</supported-algorithm>
   </supported-algorithms>

A.1.3. YANG Module

Following are the complete contents of the initial IANA-maintained YANG module. Please note that the date "2021-06-02" reflects the day on which the extraction occurred.
<CODE BEGINS> file "iana-tls-cipher-suite-algs@2021-06-02.yang"
module iana-tls-cipher-suite-algs {
  yang-version 1.1;
  namespace "urn:ietf:params:xml:ns:yang:iana-tls-cipher-suite-algs";
  prefix tlscsa;

  organization
    "Internet Assigned Numbers Authority (IANA)";

  contact
    "Postal: ICANN
             12025 Waterfront Drive, Suite 300
             Los Angeles, CA  90094-2536
             United States of America
     Tel:    +1 310 301 5800
     Email:  iana@iana.org";

  description
    "This module defines identities for the Cipher Suite
     algorithms defined in the 'TLS Cipher Suites' sub-registry
     of the 'Transport Layer Security (TLS) Parameters' registry
     maintained by IANA.

     Copyright (c) 2021 IETF Trust and the persons identified as
     authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with
     or without modification, is permitted pursuant to, and
     subject to the license terms contained in, the Simplified
     BSD License set forth in Section 4.c of the IETF Trust's
     Legal Provisions Relating to IETF Documents
     (https://trustee.ietf.org/license-info).

     The initial version of this YANG module is part of RFC FFFF
     (https://www.rfc-editor.org/info/rfcFFFF); see the RFC
     itself for full legal notices.";

  revision 2021-06-02 {
    description
      "Initial version";
    reference
      "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers";
  }

  identity cipher-suite-alg-base {
    description
      "Base identity used to identify TLS cipher suites.";
  }

  identity tls-null-with-null-null {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-NULL-WITH-NULL-NULL";
    reference
      "RFC 5246:
         The Transport Layer Security (TLS) Protocol Version 1.2";
  }

  identity tls-rsa-with-null-md5 {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-RSA-WITH-NULL-MD5";
    reference
      "RFC 5246:
         The Transport Layer Security (TLS) Protocol Version 1.2";
  }

  identity tls-rsa-with-null-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-RSA-WITH-NULL-SHA";
    reference
      "RFC 5246:
         The Transport Layer Security (TLS) Protocol Version 1.2";
  }

  identity tls-rsa-export-with-rc4-40-md5 {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-RSA-EXPORT-WITH-RC4-40-MD5";
    reference
      "RFC 4346:
         The TLS Protocol Version 1.1
       RFC 6347:
         Datagram Transport Layer Security version 1.2";
  }

  identity tls-rsa-with-rc4-128-md5 {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-RSA-WITH-RC4-128-MD5";
    reference
      "RFC 5246:
         The Transport Layer Security (TLS) Protocol Version 1.2
       RFC 6347:
         Datagram Transport Layer Security version 1.2";
  }

  identity tls-rsa-with-rc4-128-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-RSA-WITH-RC4-128-SHA";
    reference
      "RFC 5246:
         The Transport Layer Security (TLS) Protocol Version 1.2
       RFC 6347:
         Datagram Transport Layer Security version 1.2";
  }

  identity tls-rsa-export-with-rc2-cbc-40-md5 {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-RSA-EXPORT-WITH-RC2-CBC-40-MD5";
    reference
      "RFC 4346:
         The TLS Protocol Version 1.1";
  }

  identity tls-rsa-with-idea-cbc-sha {
    base cipher-suite-alg-base;
    status obsolete;
    description
      "TLS-RSA-WITH-IDEA-CBC-SHA";
    reference
      "RFC 5469:
         DES and IDEA Cipher Suites for
         Transport Layer Security (TLS)
       RFC 5469:
         DES and IDEA Cipher Suites for
         Transport Layer Security (TLS)";
  }

  identity tls-rsa-export-with-des40-cbc-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-RSA-EXPORT-WITH-DES40-CBC-SHA";
    reference
      "RFC 4346:
         The TLS Protocol Version 1.1";
  }

  identity tls-rsa-with-des-cbc-sha {
    base cipher-suite-alg-base;
    status obsolete;
    description
      "TLS-RSA-WITH-DES-CBC-SHA";
    reference
      "RFC 5469:
         DES and IDEA Cipher Suites for
         Transport Layer Security (TLS)
       RFC 5469:
         DES and IDEA Cipher Suites for
         Transport Layer Security (TLS)";
  }

  identity tls-rsa-with-3des-ede-cbc-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-RSA-WITH-3DES-EDE-CBC-SHA";
    reference
      "RFC 5246:
         The Transport Layer Security (TLS) Protocol Version 1.2";
  }

  identity tls-dh-dss-export-with-des40-cbc-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-DH-DSS-EXPORT-WITH-DES40-CBC-SHA";
    reference
      "RFC 4346:
         The TLS Protocol Version 1.1";
  }

  identity tls-dh-dss-with-des-cbc-sha {
    base cipher-suite-alg-base;
    status obsolete;
    description
      "TLS-DH-DSS-WITH-DES-CBC-SHA";
    reference
      "RFC 5469:
         DES and IDEA Cipher Suites for
         Transport Layer Security (TLS)
       RFC 5469:
         DES and IDEA Cipher Suites for
         Transport Layer Security (TLS)";
  }

  identity tls-dh-dss-with-3des-ede-cbc-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-DH-DSS-WITH-3DES-EDE-CBC-SHA";
    reference
      "RFC 5246:
         The Transport Layer Security (TLS) Protocol Version 1.2";
  }

  identity tls-dh-rsa-export-with-des40-cbc-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-DH-RSA-EXPORT-WITH-DES40-CBC-SHA";
    reference
      "RFC 4346:
         The TLS Protocol Version 1.1";
  }

  identity tls-dh-rsa-with-des-cbc-sha {
    base cipher-suite-alg-base;
    status obsolete;
    description
      "TLS-DH-RSA-WITH-DES-CBC-SHA";
    reference
      "RFC 5469:
         DES and IDEA Cipher Suites for
         Transport Layer Security (TLS)
       RFC 5469:
         DES and IDEA Cipher Suites for
         Transport Layer Security (TLS)";
  }

  identity tls-dh-rsa-with-3des-ede-cbc-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-DH-RSA-WITH-3DES-EDE-CBC-SHA";
    reference
      "RFC 5246:
         The Transport Layer Security (TLS) Protocol Version 1.2";
  }

  identity tls-dhe-dss-export-with-des40-cbc-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-DHE-DSS-EXPORT-WITH-DES40-CBC-SHA";
    reference
      "RFC 4346:
         The TLS Protocol Version 1.1";
  }

  identity tls-dhe-dss-with-des-cbc-sha {
    base cipher-suite-alg-base;
    status obsolete;
    description
      "TLS-DHE-DSS-WITH-DES-CBC-SHA";
    reference
      "RFC 5469:
         DES and IDEA Cipher Suites for
         Transport Layer Security (TLS)
       RFC 5469:
         DES and IDEA Cipher Suites for
         Transport Layer Security (TLS)";
  }

  identity tls-dhe-dss-with-3des-ede-cbc-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA";
    reference
      "RFC 5246:
         The Transport Layer Security (TLS) Protocol Version 1.2";
  }

  identity tls-dhe-rsa-export-with-des40-cbc-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-DHE-RSA-EXPORT-WITH-DES40-CBC-SHA";
    reference
      "RFC 4346:
         The TLS Protocol Version 1.1";
  }

  identity tls-dhe-rsa-with-des-cbc-sha {
    base cipher-suite-alg-base;
    status obsolete;
    description
      "TLS-DHE-RSA-WITH-DES-CBC-SHA";
    reference
      "RFC 5469:
         DES and IDEA Cipher Suites for
         Transport Layer Security (TLS)
       RFC 5469:
         DES and IDEA Cipher Suites for
         Transport Layer Security (TLS)";
  }

  identity tls-dhe-rsa-with-3des-ede-cbc-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA";
    reference
      "RFC 5246:
         The Transport Layer Security (TLS) Protocol Version 1.2";
  }

  identity tls-dh-anon-export-with-rc4-40-md5 {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-DH-ANON-EXPORT-WITH-RC4-40-MD5";
    reference
      "RFC 4346:
         The TLS Protocol Version 1.1
       RFC 6347:
         Datagram Transport Layer Security version 1.2";
  }

  identity tls-dh-anon-with-rc4-128-md5 {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-DH-ANON-WITH-RC4-128-MD5";
    reference
      "RFC 5246:
         The Transport Layer Security (TLS) Protocol Version 1.2
       RFC 6347:
         Datagram Transport Layer Security version 1.2";
  }

  identity tls-dh-anon-export-with-des40-cbc-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-DH-ANON-EXPORT-WITH-DES40-CBC-SHA";
    reference
      "RFC 4346:
         The TLS Protocol Version 1.1";
  }

  identity tls-dh-anon-with-des-cbc-sha {
    base cipher-suite-alg-base;
    status obsolete;
    description
      "TLS-DH-ANON-WITH-DES-CBC-SHA";
    reference
      "RFC 5469:
         DES and IDEA Cipher Suites for
         Transport Layer Security (TLS)
       RFC 5469:
         DES and IDEA Cipher Suites for
         Transport Layer Security (TLS)";
  }

  identity tls-dh-anon-with-3des-ede-cbc-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-DH-ANON-WITH-3DES-EDE-CBC-SHA";
    reference
      "RFC 5246:
         The Transport Layer Security (TLS) Protocol Version 1.2";
  }

  identity tls-krb5-with-des-cbc-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-KRB5-WITH-DES-CBC-SHA";
    reference
      "RFC 2712:
         Addition of Kerberos Cipher Suites to
         Transport Layer Security (TLS)";
  }

  identity tls-krb5-with-3des-ede-cbc-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-KRB5-WITH-3DES-EDE-CBC-SHA";
    reference
      "RFC 2712:
         Addition of Kerberos Cipher Suites to
         Transport Layer Security (TLS)";
  }

  identity tls-krb5-with-rc4-128-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-KRB5-WITH-RC4-128-SHA";
    reference
      "RFC 2712:
         Addition of Kerberos Cipher Suites to
         Transport Layer Security (TLS)
       RFC 6347:
         Datagram Transport Layer Security version 1.2";
  }

  identity tls-krb5-with-idea-cbc-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-KRB5-WITH-IDEA-CBC-SHA";
    reference
      "RFC 2712:
         Addition of Kerberos Cipher Suites to
         Transport Layer Security (TLS)";
  }

  identity tls-krb5-with-des-cbc-md5 {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-KRB5-WITH-DES-CBC-MD5";
    reference
      "RFC 2712:
         Addition of Kerberos Cipher Suites to
         Transport Layer Security (TLS)";
  }

  identity tls-krb5-with-3des-ede-cbc-md5 {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-KRB5-WITH-3DES-EDE-CBC-MD5";
    reference
      "RFC 2712:
         Addition of Kerberos Cipher Suites to
         Transport Layer Security (TLS)";
  }

  identity tls-krb5-with-rc4-128-md5 {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-KRB5-WITH-RC4-128-MD5";
    reference
      "RFC 2712:
         Addition of Kerberos Cipher Suites to
         Transport Layer Security (TLS)
       RFC 6347:
         Datagram Transport Layer Security version 1.2";
  }

  identity tls-krb5-with-idea-cbc-md5 {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-KRB5-WITH-IDEA-CBC-MD5";
    reference
      "RFC 2712:
         Addition of Kerberos Cipher Suites to
         Transport Layer Security (TLS)";
  }

  identity tls-krb5-export-with-des-cbc-40-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-KRB5-EXPORT-WITH-DES-CBC-40-SHA";
    reference
      "RFC 2712:
         Addition of Kerberos Cipher Suites to
         Transport Layer Security (TLS)";
  }

  identity tls-krb5-export-with-rc2-cbc-40-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-KRB5-EXPORT-WITH-RC2-CBC-40-SHA";
    reference
      "RFC 2712:
         Addition of Kerberos Cipher Suites to
         Transport Layer Security (TLS)";
  }

  identity tls-krb5-export-with-rc4-40-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-KRB5-EXPORT-WITH-RC4-40-SHA";
    reference
      "RFC 2712:
         Addition of Kerberos Cipher Suites to
         Transport Layer Security (TLS)
       RFC 6347:
         Datagram Transport Layer Security version 1.2";
  }

  identity tls-krb5-export-with-des-cbc-40-md5 {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-KRB5-EXPORT-WITH-DES-CBC-40-MD5";
    reference
      "RFC 2712:
         Addition of Kerberos Cipher Suites to
         Transport Layer Security (TLS)";
  }

  identity tls-krb5-export-with-rc2-cbc-40-md5 {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-KRB5-EXPORT-WITH-RC2-CBC-40-MD5";
    reference
      "RFC 2712:
         Addition of Kerberos Cipher Suites to
         Transport Layer Security (TLS)";
  }

  identity tls-krb5-export-with-rc4-40-md5 {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-KRB5-EXPORT-WITH-RC4-40-MD5";
    reference
      "RFC 2712:
         Addition of Kerberos Cipher Suites to
         Transport Layer Security (TLS)
       RFC 6347:
         Datagram Transport Layer Security version 1.2";
  }

  identity tls-psk-with-null-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-PSK-WITH-NULL-SHA";
    reference
      "RFC 4785:
         Pre-Shared Key Cipher Suites with NULL Encryption for
         Transport Layer Security (TLS)";
  }

  identity tls-dhe-psk-with-null-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-DHE-PSK-WITH-NULL-SHA";
    reference
      "RFC 4785:
         Pre-Shared Key Cipher Suites with NULL Encryption for
         Transport Layer Security (TLS)";
  }

  identity tls-rsa-psk-with-null-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-RSA-PSK-WITH-NULL-SHA";
    reference
      "RFC 4785:
         Pre-Shared Key Cipher Suites with NULL Encryption for
         Transport Layer Security (TLS)";
  }

  identity tls-rsa-with-aes-128-cbc-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-RSA-WITH-AES-128-CBC-SHA";
    reference
      "RFC 5246:
         The Transport Layer Security (TLS) Protocol Version 1.2";
  }

  identity tls-dh-dss-with-aes-128-cbc-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-DH-DSS-WITH-AES-128-CBC-SHA";
    reference
      "RFC 5246:
         The Transport Layer Security (TLS) Protocol Version 1.2";
  }

  identity tls-dh-rsa-with-aes-128-cbc-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-DH-RSA-WITH-AES-128-CBC-SHA";
    reference
      "RFC 5246:
         The Transport Layer Security (TLS) Protocol Version 1.2";
  }

  identity tls-dhe-dss-with-aes-128-cbc-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-DHE-DSS-WITH-AES-128-CBC-SHA";
    reference
      "RFC 5246:
         The Transport Layer Security (TLS) Protocol Version 1.2";
  }

  identity tls-dhe-rsa-with-aes-128-cbc-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-DHE-RSA-WITH-AES-128-CBC-SHA";
    reference
      "RFC 5246:
         The Transport Layer Security (TLS) Protocol Version 1.2";
  }

  identity tls-dh-anon-with-aes-128-cbc-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-DH-ANON-WITH-AES-128-CBC-SHA";
    reference
      "RFC 5246:
         The Transport Layer Security (TLS) Protocol Version 1.2";
  }

  identity tls-rsa-with-aes-256-cbc-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-RSA-WITH-AES-256-CBC-SHA";
    reference
      "RFC 5246:
         The Transport Layer Security (TLS) Protocol Version 1.2";
  }

  identity tls-dh-dss-with-aes-256-cbc-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-DH-DSS-WITH-AES-256-CBC-SHA";
    reference
      "RFC 5246:
         The Transport Layer Security (TLS) Protocol Version 1.2";
  }

  identity tls-dh-rsa-with-aes-256-cbc-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-DH-RSA-WITH-AES-256-CBC-SHA";
    reference
      "RFC 5246:
         The Transport Layer Security (TLS) Protocol Version 1.2";
  }

  identity tls-dhe-dss-with-aes-256-cbc-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-DHE-DSS-WITH-AES-256-CBC-SHA";
    reference
      "RFC 5246:
         The Transport Layer Security (TLS) Protocol Version 1.2";
  }

  identity tls-dhe-rsa-with-aes-256-cbc-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-DHE-RSA-WITH-AES-256-CBC-SHA";
    reference
      "RFC 5246:
         The Transport Layer Security (TLS) Protocol Version 1.2";
  }

  identity tls-dh-anon-with-aes-256-cbc-sha {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-DH-ANON-WITH-AES-256-CBC-SHA";
    reference
      "RFC 5246:
         The Transport Layer Security (TLS) Protocol Version 1.2";
  }

  identity tls-rsa-with-null-sha256 {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-RSA-WITH-NULL-SHA256";
    reference
      "RFC 5246:
         The Transport Layer Security (TLS) Protocol Version 1.2";
  }

  identity tls-rsa-with-aes-128-cbc-sha256 {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-RSA-WITH-AES-128-CBC-SHA256";
    reference
      "RFC 5246:
         The Transport Layer Security (TLS) Protocol Version 1.2";
  }

  identity tls-rsa-with-aes-256-cbc-sha256 {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-RSA-WITH-AES-256-CBC-SHA256";
    reference
      "RFC 5246:
         The Transport Layer Security (TLS) Protocol Version 1.2";
  }

  identity tls-dh-dss-with-aes-128-cbc-sha256 {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-DH-DSS-WITH-AES-128-CBC-SHA256";
    reference
      "RFC 5246:
         The Transport Layer Security (TLS) Protocol Version 1.2";
  }

  identity tls-dh-rsa-with-aes-128-cbc-sha256 {
    base cipher-suite-alg-base;
    status deprecated;
    description
      "TLS-DH-RSA-WITH-AES-128-CBC-SHA256";
    reference
      "RFC 5246:
         The Transport Layer Security (TLS) Protocol Version 1.2";
  }
} 3217 identity tls-dhe-dss-with-aes-128-cbc-sha256 { 3218 base cipher-suite-alg-base; 3219 status deprecated; 3220 description 3221 "TLS-DHE-DSS-WITH-AES-128-CBC-SHA256"; 3222 reference 3223 "RFC 5246: 3224 The Transport Layer Security (TLS) Protocol Version 1.2"; 3225 } 3227 identity tls-rsa-with-camellia-128-cbc-sha { 3228 base cipher-suite-alg-base; 3229 status deprecated; 3230 description 3231 "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"; 3232 reference 3233 "RFC 5932: 3234 Camellia Cipher Suites for TLS"; 3235 } 3237 identity tls-dh-dss-with-camellia-128-cbc-sha { 3238 base cipher-suite-alg-base; 3239 status deprecated; 3240 description 3241 "TLS-DH-DSS-WITH-CAMELLIA-128-CBC-SHA"; 3242 reference 3243 "RFC 5932: 3244 Camellia Cipher Suites for TLS"; 3245 } 3247 identity tls-dh-rsa-with-camellia-128-cbc-sha { 3248 base cipher-suite-alg-base; 3249 status deprecated; 3250 description 3251 "TLS-DH-RSA-WITH-CAMELLIA-128-CBC-SHA"; 3252 reference 3253 "RFC 5932: 3254 Camellia Cipher Suites for TLS"; 3256 } 3258 identity tls-dhe-dss-with-camellia-128-cbc-sha { 3259 base cipher-suite-alg-base; 3260 status deprecated; 3261 description 3262 "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA"; 3263 reference 3264 "RFC 5932: 3265 Camellia Cipher Suites for TLS"; 3266 } 3268 identity tls-dhe-rsa-with-camellia-128-cbc-sha { 3269 base cipher-suite-alg-base; 3270 status deprecated; 3271 description 3272 "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA"; 3273 reference 3274 "RFC 5932: 3275 Camellia Cipher Suites for TLS"; 3276 } 3278 identity tls-dh-anon-with-camellia-128-cbc-sha { 3279 base cipher-suite-alg-base; 3280 status deprecated; 3281 description 3282 "TLS-DH-ANON-WITH-CAMELLIA-128-CBC-SHA"; 3283 reference 3284 "RFC 5932: 3285 Camellia Cipher Suites for TLS"; 3286 } 3288 identity tls-dhe-rsa-with-aes-128-cbc-sha256 { 3289 base cipher-suite-alg-base; 3290 status deprecated; 3291 description 3292 "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256"; 3293 reference 3294 "RFC 5246: 3295 The Transport Layer Security 
(TLS) Protocol Version 1.2"; 3296 } 3298 identity tls-dh-dss-with-aes-256-cbc-sha256 { 3299 base cipher-suite-alg-base; 3300 status deprecated; 3301 description 3302 "TLS-DH-DSS-WITH-AES-256-CBC-SHA256"; 3303 reference 3304 "RFC 5246: 3305 The Transport Layer Security (TLS) Protocol Version 1.2"; 3306 } 3308 identity tls-dh-rsa-with-aes-256-cbc-sha256 { 3309 base cipher-suite-alg-base; 3310 status deprecated; 3311 description 3312 "TLS-DH-RSA-WITH-AES-256-CBC-SHA256"; 3313 reference 3314 "RFC 5246: 3315 The Transport Layer Security (TLS) Protocol Version 1.2"; 3316 } 3318 identity tls-dhe-dss-with-aes-256-cbc-sha256 { 3319 base cipher-suite-alg-base; 3320 status deprecated; 3321 description 3322 "TLS-DHE-DSS-WITH-AES-256-CBC-SHA256"; 3323 reference 3324 "RFC 5246: 3325 The Transport Layer Security (TLS) Protocol Version 1.2"; 3326 } 3328 identity tls-dhe-rsa-with-aes-256-cbc-sha256 { 3329 base cipher-suite-alg-base; 3330 status deprecated; 3331 description 3332 "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"; 3333 reference 3334 "RFC 5246: 3335 The Transport Layer Security (TLS) Protocol Version 1.2"; 3336 } 3338 identity tls-dh-anon-with-aes-128-cbc-sha256 { 3339 base cipher-suite-alg-base; 3340 status deprecated; 3341 description 3342 "TLS-DH-ANON-WITH-AES-128-CBC-SHA256"; 3343 reference 3344 "RFC 5246: 3345 The Transport Layer Security (TLS) Protocol Version 1.2"; 3346 } 3348 identity tls-dh-anon-with-aes-256-cbc-sha256 { 3349 base cipher-suite-alg-base; 3350 status deprecated; 3351 description 3352 "TLS-DH-ANON-WITH-AES-256-CBC-SHA256"; 3353 reference 3354 "RFC 5246: 3355 The Transport Layer Security (TLS) Protocol Version 1.2"; 3356 } 3358 identity tls-rsa-with-camellia-256-cbc-sha { 3359 base cipher-suite-alg-base; 3360 status deprecated; 3361 description 3362 "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA"; 3363 reference 3364 "RFC 5932: 3365 Camellia Cipher Suites for TLS"; 3366 } 3368 identity tls-dh-dss-with-camellia-256-cbc-sha { 3369 base cipher-suite-alg-base; 3370 status 
deprecated; 3371 description 3372 "TLS-DH-DSS-WITH-CAMELLIA-256-CBC-SHA"; 3373 reference 3374 "RFC 5932: 3375 Camellia Cipher Suites for TLS"; 3376 } 3378 identity tls-dh-rsa-with-camellia-256-cbc-sha { 3379 base cipher-suite-alg-base; 3380 status deprecated; 3381 description 3382 "TLS-DH-RSA-WITH-CAMELLIA-256-CBC-SHA"; 3383 reference 3384 "RFC 5932: 3385 Camellia Cipher Suites for TLS"; 3386 } 3388 identity tls-dhe-dss-with-camellia-256-cbc-sha { 3389 base cipher-suite-alg-base; 3390 status deprecated; 3391 description 3392 "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA"; 3393 reference 3394 "RFC 5932: 3395 Camellia Cipher Suites for TLS"; 3396 } 3398 identity tls-dhe-rsa-with-camellia-256-cbc-sha { 3399 base cipher-suite-alg-base; 3400 status deprecated; 3401 description 3402 "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA"; 3403 reference 3404 "RFC 5932: 3405 Camellia Cipher Suites for TLS"; 3406 } 3408 identity tls-dh-anon-with-camellia-256-cbc-sha { 3409 base cipher-suite-alg-base; 3410 status deprecated; 3411 description 3412 "TLS-DH-ANON-WITH-CAMELLIA-256-CBC-SHA"; 3413 reference 3414 "RFC 5932: 3415 Camellia Cipher Suites for TLS"; 3416 } 3418 identity tls-psk-with-rc4-128-sha { 3419 base cipher-suite-alg-base; 3420 status deprecated; 3421 description 3422 "TLS-PSK-WITH-RC4-128-SHA"; 3423 reference 3424 "RFC 4279: 3425 Pre-Shared Key Ciphersuites for 3426 Transport Layer Security (TLS) 3427 RFC 6347: 3428 Datagram Transport Layer Security version 1.2"; 3429 } 3431 identity tls-psk-with-3des-ede-cbc-sha { 3432 base cipher-suite-alg-base; 3433 status deprecated; 3434 description 3435 "TLS-PSK-WITH-3DES-EDE-CBC-SHA"; 3436 reference 3437 "RFC 4279: 3438 Pre-Shared Key Ciphersuites for 3439 Transport Layer Security (TLS)"; 3440 } 3442 identity tls-psk-with-aes-128-cbc-sha { 3443 base cipher-suite-alg-base; 3444 status deprecated; 3445 description 3446 "TLS-PSK-WITH-AES-128-CBC-SHA"; 3447 reference 3448 "RFC 4279: 3449 Pre-Shared Key Ciphersuites for 3450 Transport Layer Security 
(TLS)"; 3451 } 3453 identity tls-psk-with-aes-256-cbc-sha { 3454 base cipher-suite-alg-base; 3455 status deprecated; 3456 description 3457 "TLS-PSK-WITH-AES-256-CBC-SHA"; 3458 reference 3459 "RFC 4279: 3460 Pre-Shared Key Ciphersuites for 3461 Transport Layer Security (TLS)"; 3462 } 3464 identity tls-dhe-psk-with-rc4-128-sha { 3465 base cipher-suite-alg-base; 3466 status deprecated; 3467 description 3468 "TLS-DHE-PSK-WITH-RC4-128-SHA"; 3469 reference 3470 "RFC 4279: 3471 Pre-Shared Key Ciphersuites for 3472 Transport Layer Security (TLS) 3473 RFC 6347: 3474 Datagram Transport Layer Security version 1.2"; 3475 } 3477 identity tls-dhe-psk-with-3des-ede-cbc-sha { 3478 base cipher-suite-alg-base; 3479 status deprecated; 3480 description 3481 "TLS-DHE-PSK-WITH-3DES-EDE-CBC-SHA"; 3482 reference 3483 "RFC 4279: 3484 Pre-Shared Key Ciphersuites for 3485 Transport Layer Security (TLS)"; 3486 } 3488 identity tls-dhe-psk-with-aes-128-cbc-sha { 3489 base cipher-suite-alg-base; 3490 status deprecated; 3491 description 3492 "TLS-DHE-PSK-WITH-AES-128-CBC-SHA"; 3493 reference 3494 "RFC 4279: 3495 Pre-Shared Key Ciphersuites for 3496 Transport Layer Security (TLS)"; 3497 } 3499 identity tls-dhe-psk-with-aes-256-cbc-sha { 3500 base cipher-suite-alg-base; 3501 status deprecated; 3502 description 3503 "TLS-DHE-PSK-WITH-AES-256-CBC-SHA"; 3504 reference 3505 "RFC 4279: 3506 Pre-Shared Key Ciphersuites for 3507 Transport Layer Security (TLS)"; 3508 } 3510 identity tls-rsa-psk-with-rc4-128-sha { 3511 base cipher-suite-alg-base; 3512 status deprecated; 3513 description 3514 "TLS-RSA-PSK-WITH-RC4-128-SHA"; 3515 reference 3516 "RFC 4279: 3517 Pre-Shared Key Ciphersuites for 3518 Transport Layer Security (TLS) 3519 RFC 6347: 3520 Datagram Transport Layer Security version 1.2"; 3521 } 3523 identity tls-rsa-psk-with-3des-ede-cbc-sha { 3524 base cipher-suite-alg-base; 3525 status deprecated; 3526 description 3527 "TLS-RSA-PSK-WITH-3DES-EDE-CBC-SHA"; 3528 reference 3529 "RFC 4279: 3530 Pre-Shared 
Key Ciphersuites for 3531 Transport Layer Security (TLS)"; 3532 } 3534 identity tls-rsa-psk-with-aes-128-cbc-sha { 3535 base cipher-suite-alg-base; 3536 status deprecated; 3537 description 3538 "TLS-RSA-PSK-WITH-AES-128-CBC-SHA"; 3539 reference 3540 "RFC 4279: 3541 Pre-Shared Key Ciphersuites for 3542 Transport Layer Security (TLS)"; 3543 } 3544 identity tls-rsa-psk-with-aes-256-cbc-sha { 3545 base cipher-suite-alg-base; 3546 status deprecated; 3547 description 3548 "TLS-RSA-PSK-WITH-AES-256-CBC-SHA"; 3549 reference 3550 "RFC 4279: 3551 Pre-Shared Key Ciphersuites for 3552 Transport Layer Security (TLS)"; 3553 } 3555 identity tls-rsa-with-seed-cbc-sha { 3556 base cipher-suite-alg-base; 3557 status deprecated; 3558 description 3559 "TLS-RSA-WITH-SEED-CBC-SHA"; 3560 reference 3561 "RFC 4162: 3562 Addition of SEED Ciphersuites to 3563 Transport Layer Security (TLS)"; 3564 } 3566 identity tls-dh-dss-with-seed-cbc-sha { 3567 base cipher-suite-alg-base; 3568 status deprecated; 3569 description 3570 "TLS-DH-DSS-WITH-SEED-CBC-SHA"; 3571 reference 3572 "RFC 4162: 3573 Addition of SEED Ciphersuites to 3574 Transport Layer Security (TLS)"; 3575 } 3577 identity tls-dh-rsa-with-seed-cbc-sha { 3578 base cipher-suite-alg-base; 3579 status deprecated; 3580 description 3581 "TLS-DH-RSA-WITH-SEED-CBC-SHA"; 3582 reference 3583 "RFC 4162: 3584 Addition of SEED Ciphersuites to 3585 Transport Layer Security (TLS)"; 3586 } 3588 identity tls-dhe-dss-with-seed-cbc-sha { 3589 base cipher-suite-alg-base; 3590 status deprecated; 3591 description 3592 "TLS-DHE-DSS-WITH-SEED-CBC-SHA"; 3593 reference 3594 "RFC 4162: 3595 Addition of SEED Ciphersuites to 3596 Transport Layer Security (TLS)"; 3597 } 3599 identity tls-dhe-rsa-with-seed-cbc-sha { 3600 base cipher-suite-alg-base; 3601 status deprecated; 3602 description 3603 "TLS-DHE-RSA-WITH-SEED-CBC-SHA"; 3604 reference 3605 "RFC 4162: 3606 Addition of SEED Ciphersuites to 3607 Transport Layer Security (TLS)"; 3608 } 3610 identity 
tls-dh-anon-with-seed-cbc-sha { 3611 base cipher-suite-alg-base; 3612 status deprecated; 3613 description 3614 "TLS-DH-ANON-WITH-SEED-CBC-SHA"; 3615 reference 3616 "RFC 4162: 3617 Addition of SEED Ciphersuites to 3618 Transport Layer Security (TLS)"; 3619 } 3621 identity tls-rsa-with-aes-128-gcm-sha256 { 3622 base cipher-suite-alg-base; 3623 status deprecated; 3624 description 3625 "TLS-RSA-WITH-AES-128-GCM-SHA256"; 3626 reference 3627 "RFC 5288: 3628 AES-GCM Cipher Suites for TLS"; 3629 } 3631 identity tls-rsa-with-aes-256-gcm-sha384 { 3632 base cipher-suite-alg-base; 3633 status deprecated; 3634 description 3635 "TLS-RSA-WITH-AES-256-GCM-SHA384"; 3636 reference 3637 "RFC 5288: 3638 AES-GCM Cipher Suites for TLS"; 3639 } 3640 identity tls-dhe-rsa-with-aes-128-gcm-sha256 { 3641 base cipher-suite-alg-base; 3642 description 3643 "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256"; 3644 reference 3645 "RFC 5288: 3646 AES-GCM Cipher Suites for TLS"; 3647 } 3649 identity tls-dhe-rsa-with-aes-256-gcm-sha384 { 3650 base cipher-suite-alg-base; 3651 description 3652 "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"; 3653 reference 3654 "RFC 5288: 3655 AES-GCM Cipher Suites for TLS"; 3656 } 3658 identity tls-dh-rsa-with-aes-128-gcm-sha256 { 3659 base cipher-suite-alg-base; 3660 status deprecated; 3661 description 3662 "TLS-DH-RSA-WITH-AES-128-GCM-SHA256"; 3663 reference 3664 "RFC 5288: 3665 AES-GCM Cipher Suites for TLS"; 3666 } 3668 identity tls-dh-rsa-with-aes-256-gcm-sha384 { 3669 base cipher-suite-alg-base; 3670 status deprecated; 3671 description 3672 "TLS-DH-RSA-WITH-AES-256-GCM-SHA384"; 3673 reference 3674 "RFC 5288: 3675 AES-GCM Cipher Suites for TLS"; 3676 } 3678 identity tls-dhe-dss-with-aes-128-gcm-sha256 { 3679 base cipher-suite-alg-base; 3680 status deprecated; 3681 description 3682 "TLS-DHE-DSS-WITH-AES-128-GCM-SHA256"; 3683 reference 3684 "RFC 5288: 3685 AES-GCM Cipher Suites for TLS"; 3686 } 3687 identity tls-dhe-dss-with-aes-256-gcm-sha384 { 3688 base cipher-suite-alg-base; 3689 
status deprecated; 3690 description 3691 "TLS-DHE-DSS-WITH-AES-256-GCM-SHA384"; 3692 reference 3693 "RFC 5288: 3694 AES-GCM Cipher Suites for TLS"; 3695 } 3697 identity tls-dh-dss-with-aes-128-gcm-sha256 { 3698 base cipher-suite-alg-base; 3699 status deprecated; 3700 description 3701 "TLS-DH-DSS-WITH-AES-128-GCM-SHA256"; 3702 reference 3703 "RFC 5288: 3704 AES-GCM Cipher Suites for TLS"; 3705 } 3707 identity tls-dh-dss-with-aes-256-gcm-sha384 { 3708 base cipher-suite-alg-base; 3709 status deprecated; 3710 description 3711 "TLS-DH-DSS-WITH-AES-256-GCM-SHA384"; 3712 reference 3713 "RFC 5288: 3714 AES-GCM Cipher Suites for TLS"; 3715 } 3717 identity tls-dh-anon-with-aes-128-gcm-sha256 { 3718 base cipher-suite-alg-base; 3719 status deprecated; 3720 description 3721 "TLS-DH-ANON-WITH-AES-128-GCM-SHA256"; 3722 reference 3723 "RFC 5288: 3724 AES-GCM Cipher Suites for TLS"; 3725 } 3727 identity tls-dh-anon-with-aes-256-gcm-sha384 { 3728 base cipher-suite-alg-base; 3729 status deprecated; 3730 description 3731 "TLS-DH-ANON-WITH-AES-256-GCM-SHA384"; 3732 reference 3733 "RFC 5288: 3734 AES-GCM Cipher Suites for TLS"; 3736 } 3738 identity tls-psk-with-aes-128-gcm-sha256 { 3739 base cipher-suite-alg-base; 3740 status deprecated; 3741 description 3742 "TLS-PSK-WITH-AES-128-GCM-SHA256"; 3743 reference 3744 "RFC 5487: 3745 Pre-Shared Key Cipher Suites for Transport Layer Security 3746 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 3747 } 3749 identity tls-psk-with-aes-256-gcm-sha384 { 3750 base cipher-suite-alg-base; 3751 status deprecated; 3752 description 3753 "TLS-PSK-WITH-AES-256-GCM-SHA384"; 3754 reference 3755 "RFC 5487: 3756 Pre-Shared Key Cipher Suites for Transport Layer Security 3757 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 3758 } 3760 identity tls-dhe-psk-with-aes-128-gcm-sha256 { 3761 base cipher-suite-alg-base; 3762 description 3763 "TLS-DHE-PSK-WITH-AES-128-GCM-SHA256"; 3764 reference 3765 "RFC 5487: 3766 Pre-Shared Key Cipher Suites for Transport 
Layer Security 3767 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 3768 } 3770 identity tls-dhe-psk-with-aes-256-gcm-sha384 { 3771 base cipher-suite-alg-base; 3772 description 3773 "TLS-DHE-PSK-WITH-AES-256-GCM-SHA384"; 3774 reference 3775 "RFC 5487: 3776 Pre-Shared Key Cipher Suites for Transport Layer Security 3777 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 3778 } 3780 identity tls-rsa-psk-with-aes-128-gcm-sha256 { 3781 base cipher-suite-alg-base; 3782 status deprecated; 3783 description 3784 "TLS-RSA-PSK-WITH-AES-128-GCM-SHA256"; 3785 reference 3786 "RFC 5487: 3787 Pre-Shared Key Cipher Suites for Transport Layer Security 3788 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 3789 } 3791 identity tls-rsa-psk-with-aes-256-gcm-sha384 { 3792 base cipher-suite-alg-base; 3793 status deprecated; 3794 description 3795 "TLS-RSA-PSK-WITH-AES-256-GCM-SHA384"; 3796 reference 3797 "RFC 5487: 3798 Pre-Shared Key Cipher Suites for Transport Layer Security 3799 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 3800 } 3802 identity tls-psk-with-aes-128-cbc-sha256 { 3803 base cipher-suite-alg-base; 3804 status deprecated; 3805 description 3806 "TLS-PSK-WITH-AES-128-CBC-SHA256"; 3807 reference 3808 "RFC 5487: 3809 Pre-Shared Key Cipher Suites for Transport Layer Security 3810 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 3811 } 3813 identity tls-psk-with-aes-256-cbc-sha384 { 3814 base cipher-suite-alg-base; 3815 status deprecated; 3816 description 3817 "TLS-PSK-WITH-AES-256-CBC-SHA384"; 3818 reference 3819 "RFC 5487: 3820 Pre-Shared Key Cipher Suites for Transport Layer Security 3821 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 3822 } 3824 identity tls-psk-with-null-sha256 { 3825 base cipher-suite-alg-base; 3826 status deprecated; 3827 description 3828 "TLS-PSK-WITH-NULL-SHA256"; 3829 reference 3830 "RFC 5487: 3831 Pre-Shared Key Cipher Suites for Transport Layer Security 3832 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 3833 } 3835 
identity tls-psk-with-null-sha384 { 3836 base cipher-suite-alg-base; 3837 status deprecated; 3838 description 3839 "TLS-PSK-WITH-NULL-SHA384"; 3840 reference 3841 "RFC 5487: 3842 Pre-Shared Key Cipher Suites for Transport Layer Security 3843 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 3844 } 3846 identity tls-dhe-psk-with-aes-128-cbc-sha256 { 3847 base cipher-suite-alg-base; 3848 status deprecated; 3849 description 3850 "TLS-DHE-PSK-WITH-AES-128-CBC-SHA256"; 3851 reference 3852 "RFC 5487: 3853 Pre-Shared Key Cipher Suites for Transport Layer Security 3854 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 3855 } 3857 identity tls-dhe-psk-with-aes-256-cbc-sha384 { 3858 base cipher-suite-alg-base; 3859 status deprecated; 3860 description 3861 "TLS-DHE-PSK-WITH-AES-256-CBC-SHA384"; 3862 reference 3863 "RFC 5487: 3864 Pre-Shared Key Cipher Suites for Transport Layer Security 3865 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 3866 } 3868 identity tls-dhe-psk-with-null-sha256 { 3869 base cipher-suite-alg-base; 3870 status deprecated; 3871 description 3872 "TLS-DHE-PSK-WITH-NULL-SHA256"; 3873 reference 3874 "RFC 5487: 3875 Pre-Shared Key Cipher Suites for Transport Layer Security 3876 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 3877 } 3879 identity tls-dhe-psk-with-null-sha384 { 3880 base cipher-suite-alg-base; 3881 status deprecated; 3882 description 3883 "TLS-DHE-PSK-WITH-NULL-SHA384"; 3884 reference 3885 "RFC 5487: 3886 Pre-Shared Key Cipher Suites for Transport Layer Security 3887 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 3888 } 3890 identity tls-rsa-psk-with-aes-128-cbc-sha256 { 3891 base cipher-suite-alg-base; 3892 status deprecated; 3893 description 3894 "TLS-RSA-PSK-WITH-AES-128-CBC-SHA256"; 3895 reference 3896 "RFC 5487: 3897 Pre-Shared Key Cipher Suites for Transport Layer Security 3898 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 3899 } 3901 identity tls-rsa-psk-with-aes-256-cbc-sha384 { 3902 base 
cipher-suite-alg-base; 3903 status deprecated; 3904 description 3905 "TLS-RSA-PSK-WITH-AES-256-CBC-SHA384"; 3906 reference 3907 "RFC 5487: 3908 Pre-Shared Key Cipher Suites for Transport Layer Security 3909 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 3910 } 3912 identity tls-rsa-psk-with-null-sha256 { 3913 base cipher-suite-alg-base; 3914 status deprecated; 3915 description 3916 "TLS-RSA-PSK-WITH-NULL-SHA256"; 3917 reference 3918 "RFC 5487: 3919 Pre-Shared Key Cipher Suites for Transport Layer Security 3920 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 3921 } 3923 identity tls-rsa-psk-with-null-sha384 { 3924 base cipher-suite-alg-base; 3925 status deprecated; 3926 description 3927 "TLS-RSA-PSK-WITH-NULL-SHA384"; 3929 reference 3930 "RFC 5487: 3931 Pre-Shared Key Cipher Suites for Transport Layer Security 3932 (TLS) with SHA-256/384 and AES Galois Counter Mode"; 3933 } 3935 identity tls-rsa-with-camellia-128-cbc-sha256 { 3936 base cipher-suite-alg-base; 3937 status deprecated; 3938 description 3939 "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256"; 3940 reference 3941 "RFC 5932: 3942 Camellia Cipher Suites for TLS"; 3943 } 3945 identity tls-dh-dss-with-camellia-128-cbc-sha256 { 3946 base cipher-suite-alg-base; 3947 status deprecated; 3948 description 3949 "TLS-DH-DSS-WITH-CAMELLIA-128-CBC-SHA256"; 3950 reference 3951 "RFC 5932: 3952 Camellia Cipher Suites for TLS"; 3953 } 3955 identity tls-dh-rsa-with-camellia-128-cbc-sha256 { 3956 base cipher-suite-alg-base; 3957 status deprecated; 3958 description 3959 "TLS-DH-RSA-WITH-CAMELLIA-128-CBC-SHA256"; 3960 reference 3961 "RFC 5932: 3962 Camellia Cipher Suites for TLS"; 3963 } 3965 identity tls-dhe-dss-with-camellia-128-cbc-sha256 { 3966 base cipher-suite-alg-base; 3967 status deprecated; 3968 description 3969 "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256"; 3970 reference 3971 "RFC 5932: 3972 Camellia Cipher Suites for TLS"; 3973 } 3975 identity tls-dhe-rsa-with-camellia-128-cbc-sha256 { 3976 base cipher-suite-alg-base; 
3977 status deprecated; 3978 description 3979 "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"; 3980 reference 3981 "RFC 5932: 3982 Camellia Cipher Suites for TLS"; 3983 } 3985 identity tls-dh-anon-with-camellia-128-cbc-sha256 { 3986 base cipher-suite-alg-base; 3987 status deprecated; 3988 description 3989 "TLS-DH-ANON-WITH-CAMELLIA-128-CBC-SHA256"; 3990 reference 3991 "RFC 5932: 3992 Camellia Cipher Suites for TLS"; 3993 } 3995 identity tls-rsa-with-camellia-256-cbc-sha256 { 3996 base cipher-suite-alg-base; 3997 status deprecated; 3998 description 3999 "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256"; 4000 reference 4001 "RFC 5932: 4002 Camellia Cipher Suites for TLS"; 4003 } 4005 identity tls-dh-dss-with-camellia-256-cbc-sha256 { 4006 base cipher-suite-alg-base; 4007 status deprecated; 4008 description 4009 "TLS-DH-DSS-WITH-CAMELLIA-256-CBC-SHA256"; 4010 reference 4011 "RFC 5932: 4012 Camellia Cipher Suites for TLS"; 4013 } 4015 identity tls-dh-rsa-with-camellia-256-cbc-sha256 { 4016 base cipher-suite-alg-base; 4017 status deprecated; 4018 description 4019 "TLS-DH-RSA-WITH-CAMELLIA-256-CBC-SHA256"; 4020 reference 4021 "RFC 5932: 4022 Camellia Cipher Suites for TLS"; 4023 } 4024 identity tls-dhe-dss-with-camellia-256-cbc-sha256 { 4025 base cipher-suite-alg-base; 4026 status deprecated; 4027 description 4028 "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256"; 4029 reference 4030 "RFC 5932: 4031 Camellia Cipher Suites for TLS"; 4032 } 4034 identity tls-dhe-rsa-with-camellia-256-cbc-sha256 { 4035 base cipher-suite-alg-base; 4036 status deprecated; 4037 description 4038 "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"; 4039 reference 4040 "RFC 5932: 4041 Camellia Cipher Suites for TLS"; 4042 } 4044 identity tls-dh-anon-with-camellia-256-cbc-sha256 { 4045 base cipher-suite-alg-base; 4046 status deprecated; 4047 description 4048 "TLS-DH-ANON-WITH-CAMELLIA-256-CBC-SHA256"; 4049 reference 4050 "RFC 5932: 4051 Camellia Cipher Suites for TLS"; 4052 } 4054 identity tls-sm4-gcm-sm3 { 4055 base 
cipher-suite-alg-base; 4056 status deprecated; 4057 description 4058 "TLS-SM4-GCM-SM3"; 4059 reference 4060 "RFC 8998: 4061 ShangMi (SM) Cipher Suites for Transport Layer Security 4062 (TLS) Protocol Version 1.3"; 4063 } 4065 identity tls-sm4-ccm-sm3 { 4066 base cipher-suite-alg-base; 4067 status deprecated; 4068 description 4069 "TLS-SM4-CCM-SM3"; 4070 reference 4071 "RFC 8998: 4073 ShangMi (SM) Cipher Suites for Transport Layer Security 4074 (TLS) Protocol Version 1.3"; 4075 } 4077 identity tls-empty-renegotiation-info-scsv { 4078 base cipher-suite-alg-base; 4079 status deprecated; 4080 description 4081 "TLS-EMPTY-RENEGOTIATION-INFO-SCSV"; 4082 reference 4083 "RFC 5746: 4084 Transport Layer Security (TLS) 4085 Renegotiation Indication Extension"; 4086 } 4088 identity tls-aes-128-gcm-sha256 { 4089 base cipher-suite-alg-base; 4090 description 4091 "TLS-AES-128-GCM-SHA256"; 4092 reference 4093 "RFC 8446: 4094 The Transport Layer Security (TLS) Protocol Version 1.3"; 4095 } 4097 identity tls-aes-256-gcm-sha384 { 4098 base cipher-suite-alg-base; 4099 description 4100 "TLS-AES-256-GCM-SHA384"; 4101 reference 4102 "RFC 8446: 4103 The Transport Layer Security (TLS) Protocol Version 1.3"; 4104 } 4106 identity tls-chacha20-poly1305-sha256 { 4107 base cipher-suite-alg-base; 4108 description 4109 "TLS-CHACHA20-POLY1305-SHA256"; 4110 reference 4111 "RFC 8446: 4112 The Transport Layer Security (TLS) Protocol Version 1.3"; 4113 } 4115 identity tls-aes-128-ccm-sha256 { 4116 base cipher-suite-alg-base; 4117 description 4118 "TLS-AES-128-CCM-SHA256"; 4119 reference 4120 "RFC 8446: 4122 The Transport Layer Security (TLS) Protocol Version 1.3"; 4123 } 4125 identity tls-aes-128-ccm-8-sha256 { 4126 base cipher-suite-alg-base; 4127 status deprecated; 4128 description 4129 "TLS-AES-128-CCM-8-SHA256"; 4130 reference 4131 "RFC 8446: 4132 The Transport Layer Security (TLS) Protocol Version 1.3"; 4133 } 4135 identity tls-fallback-scsv { 4136 base cipher-suite-alg-base; 4137 status 
deprecated; 4138 description 4139 "TLS-FALLBACK-SCSV"; 4140 reference 4141 "RFC 7507: 4142 TLS Fallback Signaling Cipher Suite Value (SCSV) 4143 for Preventing Protocol Downgrade Attacks"; 4144 } 4146 identity tls-ecdh-ecdsa-with-null-sha { 4147 base cipher-suite-alg-base; 4148 status deprecated; 4149 description 4150 "TLS-ECDH-ECDSA-WITH-NULL-SHA"; 4151 reference 4152 "RFC 8422: 4153 Elliptic Curve Cryptography (ECC) Cipher Suites for 4154 Transport Layer Security (TLS) Versions 1.2 and Earlier"; 4155 } 4157 identity tls-ecdh-ecdsa-with-rc4-128-sha { 4158 base cipher-suite-alg-base; 4159 status deprecated; 4160 description 4161 "TLS-ECDH-ECDSA-WITH-RC4-128-SHA"; 4162 reference 4163 "RFC 8422: 4164 Elliptic Curve Cryptography (ECC) Cipher Suites for 4165 Transport Layer Security (TLS) Versions 1.2 and Earlier 4166 RFC 6347: 4167 Datagram Transport Layer Security version 1.2"; 4168 } 4169 identity tls-ecdh-ecdsa-with-3des-ede-cbc-sha { 4170 base cipher-suite-alg-base; 4171 status deprecated; 4172 description 4173 "TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA"; 4174 reference 4175 "RFC 8422: 4176 Elliptic Curve Cryptography (ECC) Cipher Suites for 4177 Transport Layer Security (TLS) Versions 1.2 and Earlier"; 4178 } 4180 identity tls-ecdh-ecdsa-with-aes-128-cbc-sha { 4181 base cipher-suite-alg-base; 4182 status deprecated; 4183 description 4184 "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA"; 4185 reference 4186 "RFC 8422: 4187 Elliptic Curve Cryptography (ECC) Cipher Suites for 4188 Transport Layer Security (TLS) Versions 1.2 and Earlier"; 4189 } 4191 identity tls-ecdh-ecdsa-with-aes-256-cbc-sha { 4192 base cipher-suite-alg-base; 4193 status deprecated; 4194 description 4195 "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA"; 4196 reference 4197 "RFC 8422: 4198 Elliptic Curve Cryptography (ECC) Cipher Suites for 4199 Transport Layer Security (TLS) Versions 1.2 and Earlier"; 4200 } 4202 identity tls-ecdhe-ecdsa-with-null-sha { 4203 base cipher-suite-alg-base; 4204 status deprecated; 4205 
description 4206 "TLS-ECDHE-ECDSA-WITH-NULL-SHA"; 4207 reference 4208 "RFC 8422: 4209 Elliptic Curve Cryptography (ECC) Cipher Suites for 4210 Transport Layer Security (TLS) Versions 1.2 and Earlier"; 4211 } 4213 identity tls-ecdhe-ecdsa-with-rc4-128-sha { 4214 base cipher-suite-alg-base; 4215 status deprecated; 4216 description 4217 "TLS-ECDHE-ECDSA-WITH-RC4-128-SHA"; 4218 reference 4219 "RFC 8422: 4220 Elliptic Curve Cryptography (ECC) Cipher Suites for 4221 Transport Layer Security (TLS) Versions 1.2 and Earlier 4222 RFC 6347: 4223 Datagram Transport Layer Security version 1.2"; 4224 } 4226 identity tls-ecdhe-ecdsa-with-3des-ede-cbc-sha { 4227 base cipher-suite-alg-base; 4228 status deprecated; 4229 description 4230 "TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA"; 4231 reference 4232 "RFC 8422: 4233 Elliptic Curve Cryptography (ECC) Cipher Suites for 4234 Transport Layer Security (TLS) Versions 1.2 and Earlier"; 4235 } 4237 identity tls-ecdhe-ecdsa-with-aes-128-cbc-sha { 4238 base cipher-suite-alg-base; 4239 status deprecated; 4240 description 4241 "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA"; 4242 reference 4243 "RFC 8422: 4244 Elliptic Curve Cryptography (ECC) Cipher Suites for 4245 Transport Layer Security (TLS) Versions 1.2 and Earlier"; 4246 } 4248 identity tls-ecdhe-ecdsa-with-aes-256-cbc-sha { 4249 base cipher-suite-alg-base; 4250 status deprecated; 4251 description 4252 "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA"; 4253 reference 4254 "RFC 8422: 4255 Elliptic Curve Cryptography (ECC) Cipher Suites for 4256 Transport Layer Security (TLS) Versions 1.2 and Earlier"; 4257 } 4259 identity tls-ecdh-rsa-with-null-sha { 4260 base cipher-suite-alg-base; 4261 status deprecated; 4262 description 4263 "TLS-ECDH-RSA-WITH-NULL-SHA"; 4264 reference 4265 "RFC 8422: 4266 Elliptic Curve Cryptography (ECC) Cipher Suites for 4267 Transport Layer Security (TLS) Versions 1.2 and Earlier"; 4268 } 4270 identity tls-ecdh-rsa-with-rc4-128-sha { 4271 base cipher-suite-alg-base; 4272 status 
deprecated;
  description
    "TLS-ECDH-RSA-WITH-RC4-128-SHA";
  reference
    "RFC 8422:
       Elliptic Curve Cryptography (ECC) Cipher Suites for
       Transport Layer Security (TLS) Versions 1.2 and Earlier
     RFC 6347:
       Datagram Transport Layer Security version 1.2";
}

identity tls-ecdh-rsa-with-3des-ede-cbc-sha {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA";
  reference
    "RFC 8422:
       Elliptic Curve Cryptography (ECC) Cipher Suites for
       Transport Layer Security (TLS) Versions 1.2 and Earlier";
}

identity tls-ecdh-rsa-with-aes-128-cbc-sha {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA";
  reference
    "RFC 8422:
       Elliptic Curve Cryptography (ECC) Cipher Suites for
       Transport Layer Security (TLS) Versions 1.2 and Earlier";
}

identity tls-ecdh-rsa-with-aes-256-cbc-sha {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA";
  reference
    "RFC 8422:
       Elliptic Curve Cryptography (ECC) Cipher Suites for
       Transport Layer Security (TLS) Versions 1.2 and Earlier";
}

identity tls-ecdhe-rsa-with-null-sha {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-RSA-WITH-NULL-SHA";
  reference
    "RFC 8422:
       Elliptic Curve Cryptography (ECC) Cipher Suites for
       Transport Layer Security (TLS) Versions 1.2 and Earlier";
}

identity tls-ecdhe-rsa-with-rc4-128-sha {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-RSA-WITH-RC4-128-SHA";
  reference
    "RFC 8422:
       Elliptic Curve Cryptography (ECC) Cipher Suites for
       Transport Layer Security (TLS) Versions 1.2 and Earlier
     RFC 6347:
       Datagram Transport Layer Security version 1.2";
}

identity tls-ecdhe-rsa-with-3des-ede-cbc-sha {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA";
  reference
    "RFC 8422:
       Elliptic Curve Cryptography (ECC) Cipher Suites for
       Transport Layer Security (TLS) Versions 1.2 and Earlier";
}

identity tls-ecdhe-rsa-with-aes-128-cbc-sha {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA";
  reference
    "RFC 8422:
       Elliptic Curve Cryptography (ECC) Cipher Suites for
       Transport Layer Security (TLS) Versions 1.2 and Earlier";
}

identity tls-ecdhe-rsa-with-aes-256-cbc-sha {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA";
  reference
    "RFC 8422:
       Elliptic Curve Cryptography (ECC) Cipher Suites for
       Transport Layer Security (TLS) Versions 1.2 and Earlier";
}

identity tls-ecdh-anon-with-null-sha {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDH-ANON-WITH-NULL-SHA";
  reference
    "RFC 8422:
       Elliptic Curve Cryptography (ECC) Cipher Suites for
       Transport Layer Security (TLS) Versions 1.2 and Earlier";
}

identity tls-ecdh-anon-with-rc4-128-sha {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDH-ANON-WITH-RC4-128-SHA";
  reference
    "RFC 8422:
       Elliptic Curve Cryptography (ECC) Cipher Suites for
       Transport Layer Security (TLS) Versions 1.2 and Earlier
     RFC 6347:
       Datagram Transport Layer Security version 1.2";
}

identity tls-ecdh-anon-with-3des-ede-cbc-sha {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDH-ANON-WITH-3DES-EDE-CBC-SHA";
  reference
    "RFC 8422:
       Elliptic Curve Cryptography (ECC) Cipher Suites for
       Transport Layer Security (TLS) Versions 1.2 and Earlier";
}

identity tls-ecdh-anon-with-aes-128-cbc-sha {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDH-ANON-WITH-AES-128-CBC-SHA";
  reference
    "RFC 8422:
       Elliptic Curve Cryptography (ECC) Cipher Suites for
       Transport Layer Security (TLS) Versions 1.2 and Earlier";
}

identity tls-ecdh-anon-with-aes-256-cbc-sha {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDH-ANON-WITH-AES-256-CBC-SHA";
  reference
    "RFC 8422:
       Elliptic Curve Cryptography (ECC) Cipher Suites for
       Transport Layer Security (TLS) Versions 1.2 and Earlier";
}

identity tls-srp-sha-with-3des-ede-cbc-sha {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-SRP-SHA-WITH-3DES-EDE-CBC-SHA";
  reference
    "RFC 5054:
       Using SRP for TLS Authentication";
}

identity tls-srp-sha-rsa-with-3des-ede-cbc-sha {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA";
  reference
    "RFC 5054:
       Using SRP for TLS Authentication";
}

identity tls-srp-sha-dss-with-3des-ede-cbc-sha {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-SRP-SHA-DSS-WITH-3DES-EDE-CBC-SHA";
  reference
    "RFC 5054:
       Using SRP for TLS Authentication";
}

identity tls-srp-sha-with-aes-128-cbc-sha {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-SRP-SHA-WITH-AES-128-CBC-SHA";
  reference
    "RFC 5054:
       Using SRP for TLS Authentication";
}

identity tls-srp-sha-rsa-with-aes-128-cbc-sha {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA";
  reference
    "RFC 5054:
       Using SRP for TLS Authentication";
}

identity tls-srp-sha-dss-with-aes-128-cbc-sha {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-SRP-SHA-DSS-WITH-AES-128-CBC-SHA";
  reference
    "RFC 5054:
       Using SRP for TLS Authentication";
}

identity tls-srp-sha-with-aes-256-cbc-sha {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-SRP-SHA-WITH-AES-256-CBC-SHA";
  reference
    "RFC 5054:
       Using SRP for TLS Authentication";
}

identity tls-srp-sha-rsa-with-aes-256-cbc-sha {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA";
  reference
    "RFC 5054:
       Using SRP for TLS Authentication";
}

identity tls-srp-sha-dss-with-aes-256-cbc-sha {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA";
  reference
    "RFC 5054:
       Using SRP for TLS Authentication";
}

identity tls-ecdhe-ecdsa-with-aes-128-cbc-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256";
  reference
    "RFC 5289:
       TLS Elliptic Curve Cipher Suites with SHA-256/384
       and AES Galois Counter Mode";
}

identity tls-ecdhe-ecdsa-with-aes-256-cbc-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384";
  reference
    "RFC 5289:
       TLS Elliptic Curve Cipher Suites with SHA-256/384
       and AES Galois Counter Mode";
}

identity tls-ecdh-ecdsa-with-aes-128-cbc-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256";
  reference
    "RFC 5289:
       TLS Elliptic Curve Cipher Suites with SHA-256/384
       and AES Galois Counter Mode";
}

identity tls-ecdh-ecdsa-with-aes-256-cbc-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384";
  reference
    "RFC 5289:
       TLS Elliptic Curve Cipher Suites with SHA-256/384
       and AES Galois Counter Mode";
}

identity tls-ecdhe-rsa-with-aes-128-cbc-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256";
  reference
    "RFC 5289:
       TLS Elliptic Curve Cipher Suites with SHA-256/384
       and AES Galois Counter Mode";
}

identity tls-ecdhe-rsa-with-aes-256-cbc-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384";
  reference
    "RFC 5289:
       TLS Elliptic Curve Cipher Suites with SHA-256/384
       and AES Galois Counter Mode";
}

identity tls-ecdh-rsa-with-aes-128-cbc-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256";
  reference
    "RFC 5289:
       TLS Elliptic Curve Cipher Suites with SHA-256/384
       and AES Galois Counter Mode";
}

identity tls-ecdh-rsa-with-aes-256-cbc-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384";
  reference
    "RFC 5289:
       TLS Elliptic Curve Cipher Suites with SHA-256/384
       and AES Galois Counter Mode";
}

identity tls-ecdhe-ecdsa-with-aes-128-gcm-sha256 {
  base cipher-suite-alg-base;
  description
    "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256";
  reference
    "RFC 5289:
       TLS Elliptic Curve Cipher Suites with SHA-256/384
       and AES Galois Counter Mode";
}

identity tls-ecdhe-ecdsa-with-aes-256-gcm-sha384 {
  base cipher-suite-alg-base;
  description
    "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384";
  reference
    "RFC 5289:
       TLS Elliptic Curve Cipher Suites with SHA-256/384
       and AES Galois Counter Mode";
}

identity tls-ecdh-ecdsa-with-aes-128-gcm-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256";
  reference
    "RFC 5289:
       TLS Elliptic Curve Cipher Suites with SHA-256/384
       and AES Galois Counter Mode";
}

identity tls-ecdh-ecdsa-with-aes-256-gcm-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384";
  reference
    "RFC 5289:
       TLS Elliptic Curve Cipher Suites with SHA-256/384
       and AES Galois Counter Mode";
}

identity tls-ecdhe-rsa-with-aes-128-gcm-sha256 {
  base cipher-suite-alg-base;
  description
    "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256";
  reference
    "RFC 5289:
       TLS Elliptic Curve Cipher Suites with SHA-256/384
       and AES Galois Counter Mode";
}

identity tls-ecdhe-rsa-with-aes-256-gcm-sha384 {
  base cipher-suite-alg-base;
  description
    "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384";
  reference
    "RFC 5289:
       TLS Elliptic Curve Cipher Suites with SHA-256/384
       and AES Galois Counter Mode";
}

identity tls-ecdh-rsa-with-aes-128-gcm-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256";
  reference
    "RFC 5289:
       TLS Elliptic Curve Cipher Suites with SHA-256/384
       and AES Galois Counter Mode";
}

identity tls-ecdh-rsa-with-aes-256-gcm-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384";
  reference
    "RFC 5289:
       TLS Elliptic Curve Cipher Suites with SHA-256/384
       and AES Galois Counter Mode";
}

identity tls-ecdhe-psk-with-rc4-128-sha {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-PSK-WITH-RC4-128-SHA";
  reference
    "RFC 5489:
       ECDHE_PSK Ciphersuites for Transport Layer Security (TLS)
     RFC 6347:
       Datagram Transport Layer Security version 1.2";
}

identity tls-ecdhe-psk-with-3des-ede-cbc-sha {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-PSK-WITH-3DES-EDE-CBC-SHA";
  reference
    "RFC 5489:
       ECDHE_PSK Ciphersuites for Transport Layer Security (TLS)";
}

identity tls-ecdhe-psk-with-aes-128-cbc-sha {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA";
  reference
    "RFC 5489:
       ECDHE_PSK Ciphersuites for Transport Layer Security (TLS)";
}

identity tls-ecdhe-psk-with-aes-256-cbc-sha {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA";
  reference
    "RFC 5489:
       ECDHE_PSK Ciphersuites for Transport Layer Security (TLS)";
}

identity tls-ecdhe-psk-with-aes-128-cbc-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256";
  reference
    "RFC 5489:
       ECDHE_PSK Ciphersuites for Transport Layer Security (TLS)";
}

identity tls-ecdhe-psk-with-aes-256-cbc-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384";
  reference
    "RFC 5489:
       ECDHE_PSK Ciphersuites for Transport Layer Security (TLS)";
}

identity tls-ecdhe-psk-with-null-sha {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-PSK-WITH-NULL-SHA";
  reference
    "RFC 5489:
       ECDHE_PSK Ciphersuites for Transport Layer Security (TLS)";
}

identity tls-ecdhe-psk-with-null-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-PSK-WITH-NULL-SHA256";
  reference
    "RFC 5489:
       ECDHE_PSK Ciphersuites for Transport Layer Security (TLS)";
}

identity tls-ecdhe-psk-with-null-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-PSK-WITH-NULL-SHA384";
  reference
    "RFC 5489:
       ECDHE_PSK Ciphersuites for Transport Layer Security (TLS)";
}

identity tls-rsa-with-aria-128-cbc-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-RSA-WITH-ARIA-128-CBC-SHA256";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-rsa-with-aria-256-cbc-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-RSA-WITH-ARIA-256-CBC-SHA384";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dh-dss-with-aria-128-cbc-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DH-DSS-WITH-ARIA-128-CBC-SHA256";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dh-dss-with-aria-256-cbc-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DH-DSS-WITH-ARIA-256-CBC-SHA384";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dh-rsa-with-aria-128-cbc-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DH-RSA-WITH-ARIA-128-CBC-SHA256";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dh-rsa-with-aria-256-cbc-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DH-RSA-WITH-ARIA-256-CBC-SHA384";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dhe-dss-with-aria-128-cbc-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dhe-dss-with-aria-256-cbc-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dhe-rsa-with-aria-128-cbc-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dhe-rsa-with-aria-256-cbc-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dh-anon-with-aria-128-cbc-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DH-ANON-WITH-ARIA-128-CBC-SHA256";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dh-anon-with-aria-256-cbc-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DH-ANON-WITH-ARIA-256-CBC-SHA384";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-ecdhe-ecdsa-with-aria-128-cbc-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-ecdhe-ecdsa-with-aria-256-cbc-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-ecdh-ecdsa-with-aria-128-cbc-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDH-ECDSA-WITH-ARIA-128-CBC-SHA256";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-ecdh-ecdsa-with-aria-256-cbc-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDH-ECDSA-WITH-ARIA-256-CBC-SHA384";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-ecdhe-rsa-with-aria-128-cbc-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-ecdhe-rsa-with-aria-256-cbc-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-ecdh-rsa-with-aria-128-cbc-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDH-RSA-WITH-ARIA-128-CBC-SHA256";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-ecdh-rsa-with-aria-256-cbc-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDH-RSA-WITH-ARIA-256-CBC-SHA384";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-rsa-with-aria-128-gcm-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-RSA-WITH-ARIA-128-GCM-SHA256";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-rsa-with-aria-256-gcm-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-RSA-WITH-ARIA-256-GCM-SHA384";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dhe-rsa-with-aria-128-gcm-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dhe-rsa-with-aria-256-gcm-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dh-rsa-with-aria-128-gcm-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DH-RSA-WITH-ARIA-128-GCM-SHA256";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dh-rsa-with-aria-256-gcm-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DH-RSA-WITH-ARIA-256-GCM-SHA384";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dhe-dss-with-aria-128-gcm-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DHE-DSS-WITH-ARIA-128-GCM-SHA256";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dhe-dss-with-aria-256-gcm-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DHE-DSS-WITH-ARIA-256-GCM-SHA384";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dh-dss-with-aria-128-gcm-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DH-DSS-WITH-ARIA-128-GCM-SHA256";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dh-dss-with-aria-256-gcm-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DH-DSS-WITH-ARIA-256-GCM-SHA384";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dh-anon-with-aria-128-gcm-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DH-ANON-WITH-ARIA-128-GCM-SHA256";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dh-anon-with-aria-256-gcm-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DH-ANON-WITH-ARIA-256-GCM-SHA384";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-ecdhe-ecdsa-with-aria-128-gcm-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-ECDSA-WITH-ARIA-128-GCM-SHA256";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-ecdhe-ecdsa-with-aria-256-gcm-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-ECDSA-WITH-ARIA-256-GCM-SHA384";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-ecdh-ecdsa-with-aria-128-gcm-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDH-ECDSA-WITH-ARIA-128-GCM-SHA256";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-ecdh-ecdsa-with-aria-256-gcm-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDH-ECDSA-WITH-ARIA-256-GCM-SHA384";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-ecdhe-rsa-with-aria-128-gcm-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-ecdhe-rsa-with-aria-256-gcm-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-ecdh-rsa-with-aria-128-gcm-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDH-RSA-WITH-ARIA-128-GCM-SHA256";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-ecdh-rsa-with-aria-256-gcm-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDH-RSA-WITH-ARIA-256-GCM-SHA384";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-psk-with-aria-128-cbc-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-PSK-WITH-ARIA-128-CBC-SHA256";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-psk-with-aria-256-cbc-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-PSK-WITH-ARIA-256-CBC-SHA384";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dhe-psk-with-aria-128-cbc-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DHE-PSK-WITH-ARIA-128-CBC-SHA256";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dhe-psk-with-aria-256-cbc-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DHE-PSK-WITH-ARIA-256-CBC-SHA384";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-rsa-psk-with-aria-128-cbc-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-RSA-PSK-WITH-ARIA-128-CBC-SHA256";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-rsa-psk-with-aria-256-cbc-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-RSA-PSK-WITH-ARIA-256-CBC-SHA384";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-psk-with-aria-128-gcm-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-PSK-WITH-ARIA-128-GCM-SHA256";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-psk-with-aria-256-gcm-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-PSK-WITH-ARIA-256-GCM-SHA384";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dhe-psk-with-aria-128-gcm-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dhe-psk-with-aria-256-gcm-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DHE-PSK-WITH-ARIA-256-GCM-SHA384";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-rsa-psk-with-aria-128-gcm-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-RSA-PSK-WITH-ARIA-128-GCM-SHA256";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-rsa-psk-with-aria-256-gcm-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-RSA-PSK-WITH-ARIA-256-GCM-SHA384";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-ecdhe-psk-with-aria-128-cbc-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-PSK-WITH-ARIA-128-CBC-SHA256";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-ecdhe-psk-with-aria-256-cbc-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-PSK-WITH-ARIA-256-CBC-SHA384";
  reference
    "RFC 6209:
       Addition of the ARIA Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-ecdhe-ecdsa-with-camellia-128-cbc-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-ecdhe-ecdsa-with-camellia-256-cbc-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA384";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-ecdh-ecdsa-with-camellia-128-cbc-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-ecdh-ecdsa-with-camellia-256-cbc-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-ecdhe-rsa-with-camellia-128-cbc-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-ecdhe-rsa-with-camellia-256-cbc-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA384";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-ecdh-rsa-with-camellia-128-cbc-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-ecdh-rsa-with-camellia-256-cbc-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA384";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-rsa-with-camellia-128-gcm-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-RSA-WITH-CAMELLIA-128-GCM-SHA256";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-rsa-with-camellia-256-gcm-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dhe-rsa-with-camellia-128-gcm-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dhe-rsa-with-camellia-256-gcm-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dh-rsa-with-camellia-128-gcm-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DH-RSA-WITH-CAMELLIA-128-GCM-SHA256";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dh-rsa-with-camellia-256-gcm-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DH-RSA-WITH-CAMELLIA-256-GCM-SHA384";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dhe-dss-with-camellia-128-gcm-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DHE-DSS-WITH-CAMELLIA-128-GCM-SHA256";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dhe-dss-with-camellia-256-gcm-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DHE-DSS-WITH-CAMELLIA-256-GCM-SHA384";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dh-dss-with-camellia-128-gcm-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DH-DSS-WITH-CAMELLIA-128-GCM-SHA256";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dh-dss-with-camellia-256-gcm-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DH-DSS-WITH-CAMELLIA-256-GCM-SHA384";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dh-anon-with-camellia-128-gcm-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DH-ANON-WITH-CAMELLIA-128-GCM-SHA256";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dh-anon-with-camellia-256-gcm-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DH-ANON-WITH-CAMELLIA-256-GCM-SHA384";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-ecdhe-ecdsa-with-camellia-128-gcm-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-ecdhe-ecdsa-with-camellia-256-gcm-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-ecdh-ecdsa-with-camellia-128-gcm-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-ecdh-ecdsa-with-camellia-256-gcm-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-ecdhe-rsa-with-camellia-128-gcm-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-ecdhe-rsa-with-camellia-256-gcm-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-ecdh-rsa-with-camellia-128-gcm-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDH-RSA-WITH-CAMELLIA-128-GCM-SHA256";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-ecdh-rsa-with-camellia-256-gcm-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-psk-with-camellia-128-gcm-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-PSK-WITH-CAMELLIA-128-GCM-SHA256";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-psk-with-camellia-256-gcm-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-PSK-WITH-CAMELLIA-256-GCM-SHA384";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dhe-psk-with-camellia-128-gcm-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DHE-PSK-WITH-CAMELLIA-128-GCM-SHA256";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dhe-psk-with-camellia-256-gcm-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DHE-PSK-WITH-CAMELLIA-256-GCM-SHA384";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-rsa-psk-with-camellia-128-gcm-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-RSA-PSK-WITH-CAMELLIA-128-GCM-SHA256";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-rsa-psk-with-camellia-256-gcm-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-RSA-PSK-WITH-CAMELLIA-256-GCM-SHA384";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-psk-with-camellia-128-cbc-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-PSK-WITH-CAMELLIA-128-CBC-SHA256";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-psk-with-camellia-256-cbc-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-PSK-WITH-CAMELLIA-256-CBC-SHA384";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dhe-psk-with-camellia-128-cbc-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-dhe-psk-with-camellia-256-cbc-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-rsa-psk-with-camellia-128-cbc-sha256 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-RSA-PSK-WITH-CAMELLIA-128-CBC-SHA256";
  reference
    "RFC 6367:
       Addition of the Camellia Cipher Suites to
       Transport Layer Security (TLS)";
}

identity tls-rsa-psk-with-camellia-256-cbc-sha384 {
  base cipher-suite-alg-base;
  status deprecated;
  description
    "TLS-RSA-PSK-WITH-CAMELLIA-256-CBC-SHA384";
  reference
"RFC 6367: 5817 Addition of the Camellia Cipher Suites to 5818 Transport Layer Security (TLS)"; 5819 } 5821 identity tls-ecdhe-psk-with-camellia-128-cbc-sha256 { 5822 base cipher-suite-alg-base; 5823 status deprecated; 5824 description 5825 "TLS-ECDHE-PSK-WITH-CAMELLIA-128-CBC-SHA256"; 5826 reference 5827 "RFC 6367: 5828 Addition of the Camellia Cipher Suites to 5829 Transport Layer Security (TLS)"; 5830 } 5832 identity tls-ecdhe-psk-with-camellia-256-cbc-sha384 { 5833 base cipher-suite-alg-base; 5834 status deprecated; 5835 description 5836 "TLS-ECDHE-PSK-WITH-CAMELLIA-256-CBC-SHA384"; 5837 reference 5838 "RFC 6367: 5839 Addition of the Camellia Cipher Suites to 5840 Transport Layer Security (TLS)"; 5841 } 5843 identity tls-rsa-with-aes-128-ccm { 5844 base cipher-suite-alg-base; 5845 status deprecated; 5846 description 5847 "TLS-RSA-WITH-AES-128-CCM"; 5848 reference 5849 "RFC 6655: 5850 AES-CCM Cipher Suites for TLS"; 5851 } 5853 identity tls-rsa-with-aes-256-ccm { 5854 base cipher-suite-alg-base; 5855 status deprecated; 5856 description 5857 "TLS-RSA-WITH-AES-256-CCM"; 5858 reference 5859 "RFC 6655: 5860 AES-CCM Cipher Suites for TLS"; 5861 } 5863 identity tls-dhe-rsa-with-aes-128-ccm { 5864 base cipher-suite-alg-base; 5865 description 5866 "TLS-DHE-RSA-WITH-AES-128-CCM"; 5867 reference 5868 "RFC 6655: 5869 AES-CCM Cipher Suites for TLS"; 5870 } 5872 identity tls-dhe-rsa-with-aes-256-ccm { 5873 base cipher-suite-alg-base; 5874 description 5875 "TLS-DHE-RSA-WITH-AES-256-CCM"; 5876 reference 5877 "RFC 6655: 5878 AES-CCM Cipher Suites for TLS"; 5879 } 5881 identity tls-rsa-with-aes-128-ccm-8 { 5882 base cipher-suite-alg-base; 5883 status deprecated; 5884 description 5885 "TLS-RSA-WITH-AES-128-CCM-8"; 5886 reference 5887 "RFC 6655: 5888 AES-CCM Cipher Suites for TLS"; 5889 } 5891 identity tls-rsa-with-aes-256-ccm-8 { 5892 base cipher-suite-alg-base; 5893 status deprecated; 5894 description 5895 "TLS-RSA-WITH-AES-256-CCM-8"; 5896 reference 5897 "RFC 6655: 5898 AES-CCM 
Cipher Suites for TLS"; 5899 } 5901 identity tls-dhe-rsa-with-aes-128-ccm-8 { 5902 base cipher-suite-alg-base; 5903 status deprecated; 5904 description 5905 "TLS-DHE-RSA-WITH-AES-128-CCM-8"; 5906 reference 5907 "RFC 6655: 5908 AES-CCM Cipher Suites for TLS"; 5909 } 5911 identity tls-dhe-rsa-with-aes-256-ccm-8 { 5912 base cipher-suite-alg-base; 5913 status deprecated; 5914 description 5915 "TLS-DHE-RSA-WITH-AES-256-CCM-8"; 5916 reference 5917 "RFC 6655: 5918 AES-CCM Cipher Suites for TLS"; 5919 } 5921 identity tls-psk-with-aes-128-ccm { 5922 base cipher-suite-alg-base; 5923 status deprecated; 5924 description 5925 "TLS-PSK-WITH-AES-128-CCM"; 5926 reference 5927 "RFC 6655: 5928 AES-CCM Cipher Suites for TLS"; 5929 } 5931 identity tls-psk-with-aes-256-ccm { 5932 base cipher-suite-alg-base; 5933 status deprecated; 5934 description 5935 "TLS-PSK-WITH-AES-256-CCM"; 5936 reference 5937 "RFC 6655: 5938 AES-CCM Cipher Suites for TLS"; 5939 } 5941 identity tls-dhe-psk-with-aes-128-ccm { 5942 base cipher-suite-alg-base; 5943 description 5944 "TLS-DHE-PSK-WITH-AES-128-CCM"; 5945 reference 5946 "RFC 6655: 5947 AES-CCM Cipher Suites for TLS"; 5948 } 5950 identity tls-dhe-psk-with-aes-256-ccm { 5951 base cipher-suite-alg-base; 5952 description 5953 "TLS-DHE-PSK-WITH-AES-256-CCM"; 5954 reference 5955 "RFC 6655: 5956 AES-CCM Cipher Suites for TLS"; 5957 } 5959 identity tls-psk-with-aes-128-ccm-8 { 5960 base cipher-suite-alg-base; 5961 status deprecated; 5962 description 5963 "TLS-PSK-WITH-AES-128-CCM-8"; 5964 reference 5965 "RFC 6655: 5966 AES-CCM Cipher Suites for TLS"; 5967 } 5969 identity tls-psk-with-aes-256-ccm-8 { 5970 base cipher-suite-alg-base; 5971 status deprecated; 5972 description 5973 "TLS-PSK-WITH-AES-256-CCM-8"; 5974 reference 5975 "RFC 6655: 5976 AES-CCM Cipher Suites for TLS"; 5977 } 5979 identity tls-psk-dhe-with-aes-128-ccm-8 { 5980 base cipher-suite-alg-base; 5981 status deprecated; 5982 description 5983 "TLS-PSK-DHE-WITH-AES-128-CCM-8"; 5984 reference 5985 "RFC 
6655: 5986 AES-CCM Cipher Suites for TLS"; 5987 } 5989 identity tls-psk-dhe-with-aes-256-ccm-8 { 5990 base cipher-suite-alg-base; 5991 status deprecated; 5992 description 5993 "TLS-PSK-DHE-WITH-AES-256-CCM-8"; 5994 reference 5995 "RFC 6655: 5996 AES-CCM Cipher Suites for TLS"; 5997 } 5999 identity tls-ecdhe-ecdsa-with-aes-128-ccm { 6000 base cipher-suite-alg-base; 6001 status deprecated; 6002 description 6003 "TLS-ECDHE-ECDSA-WITH-AES-128-CCM"; 6004 reference 6005 "RFC 7251: 6006 AES-CCM ECC Cipher Suites for TLS"; 6007 } 6009 identity tls-ecdhe-ecdsa-with-aes-256-ccm { 6010 base cipher-suite-alg-base; 6011 status deprecated; 6012 description 6013 "TLS-ECDHE-ECDSA-WITH-AES-256-CCM"; 6014 reference 6015 "RFC 7251: 6016 AES-CCM ECC Cipher Suites for TLS"; 6017 } 6019 identity tls-ecdhe-ecdsa-with-aes-128-ccm-8 { 6020 base cipher-suite-alg-base; 6021 status deprecated; 6022 description 6023 "TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8"; 6024 reference 6025 "RFC 7251: 6026 AES-CCM ECC Cipher Suites for TLS"; 6027 } 6029 identity tls-ecdhe-ecdsa-with-aes-256-ccm-8 { 6030 base cipher-suite-alg-base; 6031 status deprecated; 6032 description 6033 "TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8"; 6034 reference 6035 "RFC 7251: 6036 AES-CCM ECC Cipher Suites for TLS"; 6037 } 6039 identity tls-eccpwd-with-aes-128-gcm-sha256 { 6040 base cipher-suite-alg-base; 6041 status deprecated; 6042 description 6043 "TLS-ECCPWD-WITH-AES-128-GCM-SHA256"; 6044 reference 6045 "RFC 8492: 6046 Secure Password Ciphersuites for 6047 Transport Layer Security (TLS)"; 6049 } 6051 identity tls-eccpwd-with-aes-256-gcm-sha384 { 6052 base cipher-suite-alg-base; 6053 status deprecated; 6054 description 6055 "TLS-ECCPWD-WITH-AES-256-GCM-SHA384"; 6056 reference 6057 "RFC 8492: 6058 Secure Password Ciphersuites for 6059 Transport Layer Security (TLS)"; 6060 } 6062 identity tls-eccpwd-with-aes-128-ccm-sha256 { 6063 base cipher-suite-alg-base; 6064 status deprecated; 6065 description 6066 "TLS-ECCPWD-WITH-AES-128-CCM-SHA256"; 
6067 reference 6068 "RFC 8492: 6069 Secure Password Ciphersuites for 6070 Transport Layer Security (TLS)"; 6071 } 6073 identity tls-eccpwd-with-aes-256-ccm-sha384 { 6074 base cipher-suite-alg-base; 6075 status deprecated; 6076 description 6077 "TLS-ECCPWD-WITH-AES-256-CCM-SHA384"; 6078 reference 6079 "RFC 8492: 6080 Secure Password Ciphersuites for 6081 Transport Layer Security (TLS)"; 6082 } 6084 identity tls-ecdhe-rsa-with-chacha20-poly1305-sha256 { 6085 base cipher-suite-alg-base; 6086 description 6087 "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"; 6088 reference 6089 "RFC 7905: 6090 ChaCha20-Poly1305 Cipher Suites for 6091 Transport Layer Security (TLS)"; 6092 } 6094 identity tls-ecdhe-ecdsa-with-chacha20-poly1305-sha256 { 6095 base cipher-suite-alg-base; 6096 description 6097 "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256"; 6098 reference 6099 "RFC 7905: 6100 ChaCha20-Poly1305 Cipher Suites for 6101 Transport Layer Security (TLS)"; 6102 } 6104 identity tls-dhe-rsa-with-chacha20-poly1305-sha256 { 6105 base cipher-suite-alg-base; 6106 description 6107 "TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256"; 6108 reference 6109 "RFC 7905: 6110 ChaCha20-Poly1305 Cipher Suites for 6111 Transport Layer Security (TLS)"; 6112 } 6114 identity tls-psk-with-chacha20-poly1305-sha256 { 6115 base cipher-suite-alg-base; 6116 status deprecated; 6117 description 6118 "TLS-PSK-WITH-CHACHA20-POLY1305-SHA256"; 6119 reference 6120 "RFC 7905: 6121 ChaCha20-Poly1305 Cipher Suites for 6122 Transport Layer Security (TLS)"; 6123 } 6125 identity tls-ecdhe-psk-with-chacha20-poly1305-sha256 { 6126 base cipher-suite-alg-base; 6127 description 6128 "TLS-ECDHE-PSK-WITH-CHACHA20-POLY1305-SHA256"; 6129 reference 6130 "RFC 7905: 6131 ChaCha20-Poly1305 Cipher Suites for 6132 Transport Layer Security (TLS)"; 6133 } 6135 identity tls-dhe-psk-with-chacha20-poly1305-sha256 { 6136 base cipher-suite-alg-base; 6137 description 6138 "TLS-DHE-PSK-WITH-CHACHA20-POLY1305-SHA256"; 6139 reference 6140 "RFC 7905: 6141 
ChaCha20-Poly1305 Cipher Suites for 6142 Transport Layer Security (TLS)"; 6143 } 6144 identity tls-rsa-psk-with-chacha20-poly1305-sha256 { 6145 base cipher-suite-alg-base; 6146 status deprecated; 6147 description 6148 "TLS-RSA-PSK-WITH-CHACHA20-POLY1305-SHA256"; 6149 reference 6150 "RFC 7905: 6151 ChaCha20-Poly1305 Cipher Suites for 6152 Transport Layer Security (TLS)"; 6153 } 6155 identity tls-ecdhe-psk-with-aes-128-gcm-sha256 { 6156 base cipher-suite-alg-base; 6157 description 6158 "TLS-ECDHE-PSK-WITH-AES-128-GCM-SHA256"; 6159 reference 6160 "RFC 8442: 6161 ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites"; 6162 } 6164 identity tls-ecdhe-psk-with-aes-256-gcm-sha384 { 6165 base cipher-suite-alg-base; 6166 description 6167 "TLS-ECDHE-PSK-WITH-AES-256-GCM-SHA384"; 6168 reference 6169 "RFC 8442: 6170 ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites"; 6171 } 6173 identity tls-ecdhe-psk-with-aes-128-ccm-8-sha256 { 6174 base cipher-suite-alg-base; 6175 status deprecated; 6176 description 6177 "TLS-ECDHE-PSK-WITH-AES-128-CCM-8-SHA256"; 6178 reference 6179 "RFC 8442: 6180 ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites"; 6181 } 6183 identity tls-ecdhe-psk-with-aes-128-ccm-sha256 { 6184 base cipher-suite-alg-base; 6185 description 6186 "TLS-ECDHE-PSK-WITH-AES-128-CCM-SHA256"; 6187 reference 6188 "RFC 8442: 6189 ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites"; 6190 } 6191 // Protocol-accessible Nodes 6193 container supported-algorithms { 6194 config false; 6195 description 6196 "A container for a list of cipher suite algorithms supported 6197 by the server."; 6198 leaf-list supported-algorithm { 6199 type identityref { 6200 base "tlscsa:cipher-suite-alg-base"; 6201 } 6202 description 6203 "A cipher suite algorithm supported by the server."; 6204 } 6205 } 6207 } 6209 6211 Appendix B. Change Log 6213 This section is to be removed before publishing as an RFC. 6215 B.1. 00 to 01 6217 * Noted that '0.0.0.0' and '::' might have special meanings. 
   *  Renamed "keychain" to "keystore".

B.2.  01 to 02

   *  Removed the groupings containing transport-level configuration.
      Now modules contain only the transport-independent groupings.

   *  Filled in the previously incomplete 'ietf-tls-client' module.

   *  Added cipher suites for various algorithms into the new
      'ietf-tls-common' module.

B.3.  02 to 03

   *  Added a 'must' statement to container 'server-auth' asserting that
      at least one of the various auth mechanisms must be specified.

   *  Fixed the description statement for leaf 'trusted-ca-certs'.

B.4.  03 to 04

   *  Updated the title to "YANG Groupings for TLS Clients and TLS
      Servers".

   *  Updated leafref paths to point to the new keystore path.

   *  Changed the YANG prefix for ietf-tls-common from 'tlscom' to
      'tlscmn'.

   *  Added TLS protocol versions 1.0 and 1.1.

   *  Made author lists consistent.

   *  Tree diagrams now reference ietf-netmod-yang-tree-diagrams.

   *  Updated YANG to use typedefs around leafrefs to common keystore
      paths.

   *  Now inlines keys and certificates (no longer a leafref to the
      keystore).

B.5.  04 to 05

   *  Merged changes from co-author.

B.6.  05 to 06

   *  Updated to use trust anchors from the trust-anchors draft (was
      the keystore draft).

   *  Now uses the new keystore grouping, enabling an asymmetric key to
      be either locally defined or a reference to the keystore.

B.7.  06 to 07

   *  Factored the tls-[client|server]-groupings into more reusable
      groupings.

   *  Added if-feature statements for the new "x509-certificates"
      feature defined in draft-ietf-netconf-trust-anchors.

B.8.  07 to 08

   *  Added a number of compatibility matrices to Section 5 (thanks
      Frank!).

   *  Clarified that any configured "cipher-suite" values need to be
      compatible with the configured private key.

B.9.  08 to 09

   *  Updated examples to reflect the update to groupings defined in
      the keystore draft.

   *  Added TLS keepalives features and groupings.

   *  Prefixed top-level TLS grouping nodes with 'tls-' and support
      mashups.

   *  Updated copyright date, boilerplate template, affiliation, and
      folding algorithm.

B.10.  09 to 10

   *  Reformatted the YANG modules.

B.11.  10 to 11

   *  Collapsed all the inner groupings into the top-level grouping.

   *  Added a top-level "demux container" inside the top-level grouping.

   *  Added NACM statements and updated the Security Considerations
      section.

   *  Added "presence" statements on the "keepalive" containers, as was
      needed to address a validation error that appeared after adding
      the "must" statements into the NETCONF/RESTCONF client/server
      modules.

   *  Updated the boilerplate text in the module-level "description"
      statement to match copyeditor convention.

B.12.  11 to 12

   *  In the server model, made 'client-authentication' a 'presence'
      node indicating that the server supports client authentication.

   *  In the server model, added a 'required-or-optional' choice to
      'client-authentication' to better support protocols such as
      RESTCONF.

   *  In the server model, added a 'local-or-external' choice to
      'client-authentication' to better support consuming data models
      that prefer to keep client auth with client definitions rather
      than in a model principally concerned with the "transport".

   *  In both models, removed the "demux containers", floating the
      nacm:default-deny-write to each descendant node, and adding a
      note to model designers regarding the potential need to add
      their own demux containers.

   *  Fixed a couple of references (section 2 --> section 3).

B.13.  12 to 13

   *  Updated to reflect changes in the trust-anchors drafts (e.g.,
      s/trust-anchors/truststore/g + s/pinned.//).

B.14.  12 to 13

   *  Removed 'container' under 'client-identity' to match the server
      model.

   *  Updated examples to reflect the changed grouping in the keystore
      module.

B.15.  13 to 14

   *  Removed the "certificate" container from "client-identity" in the
      ietf-tls-client module.

   *  Updated examples to reflect the ietf-crypto-types change (e.g.,
      identities --> enumerations).

B.16.  14 to 15

   *  Updated the "server-authentication" and "client-authentication"
      nodes from being a leaf of type "ts:certificates-ref" to a
      container that uses "ts:local-or-truststore-certs-grouping".

B.17.  15 to 16

   *  Removed unnecessary if-feature statements in the -client and
      -server modules.

   *  Cleaned up some description statements in the -client and -server
      modules.

   *  Fixed a canonical ordering issue in ietf-tls-common detected by
      new pyang.

B.18.  16 to 17

   *  Removed choice local-or-external by removing the 'external' case,
      flattening the 'local' case, and adding a "client-auth-supported"
      feature.

   *  Removed choice required-or-optional.

   *  Updated examples to include the "*-key-format" nodes.

   *  Augmented-in "must" expressions ensuring that locally-defined
      public-key-format are "ct:tls-public-key-format" (must
      expressions for referenced keys are TBD).

B.19.  17 to 18

   *  Removed the unused "external-client-auth-supported" feature.

   *  Made client-identity optional, as there may be over-the-top auth
      instead.

   *  Added augment to uses of local-or-keystore-symmetric-key-grouping
      for a psk "id" node.

   *  Added missing presence container "psks" to ietf-tls-server's
      "client-authentication" container.

   *  Updated examples to reflect the new "bag" addition to the
      truststore.

   *  Removed feature-limited caseless 'case' statements to improve tree
      diagram rendering.

   *  Refined truststore/keystore groupings to ensure the key formats
      "must" be particular values.

   *  Switched to using the truststore's new "public-key" bag (instead
      of separate "ssh-public-key" and "raw-public-key" bags).

   *  Updated client/server examples to cover ALL cases (local/ref x
      cert/raw-key/psk).

B.20.  18 to 19

   *  Updated the "keepalives" containers, in part to address Michal
      Vasko's request to align with RFC 8071, and in part to better
      align with RFC 6520.

   *  Removed algorithm-mapping tables from the "TLS Common Model"
      section.

   *  Removed the 'algorithm' node from the examples.

   *  Renamed both "client-certs" and "server-certs" to "ee-certs".

   *  Added a "Note to Reviewers" note to the first page.

B.21.  19 to 20

   *  Modified the 'must' expression in the
      "ietf-tls-client:server-authentication" node to cover the
      "raw-public-keys" and "psks" nodes also.

   *  Added a "must 'ca-certs or ee-certs or raw-public-keys or psks'"
      statement to the "ietf-tls-server:client-authentication" node.

   *  Added "mandatory true" to "choice auth-type" and a "presence"
      statement to its ancestor.

   *  Expanded the "Data Model Overview" section(s) (removed the "wall"
      of tree diagrams).

   *  Moved the "ietf-tls-common" module section to precede the other
      two module sections.

   *  Updated the Security Considerations section.

B.22.  20 to 21

   *  Updated examples to reflect the new "cleartext-" prefix in the
      crypto-types draft.

B.23.  21 to 22

   *  In both the "client-authentication" and "server-authentication"
      subtrees, changed the "psks" node from a P-container to a leaf of
      type "empty".

   *  Cleaned up examples (e.g., removed FIXMEs).

   *  Fixed issues found by the SecDir review of the "keystore" draft.

   *  Updated the "psk" sections in the "ietf-tls-client" and
      "ietf-tls-server" modules to more correctly reflect RFC 4279.

B.24.  22 to 23

   *  Addressed comments raised by the YANG Doctor in the ct/ts/ks
      drafts.

B.25.  23 to 24

   *  Added missing reference to "FIPS PUB 180-4".

   *  Added identity "tls-1.3" and updated the description statement in
      the other identities, indicating that the protocol version is
      obsolete and that enabling the feature is NOT RECOMMENDED.

   *  Added an XML comment above the examples explaining the reason for
      the unexpected top-most element's presence.

   *  Added missing "client-ident-raw-public-key" and "client-ident-psk"
      features.

   *  Aligned modules with `pyang -f` formatting.

   *  Fixed nits found by YANG Doctor reviews.

   *  Added a 'Contributors' section.

B.26.  24 to 25

   *  Added TLS 1.3 references.

   *  Clarified support for various TLS protocol versions.

   *  Moved algorithms in ietf-tls-common (plus more) to IANA-maintained
      modules.

   *  Added "config false" lists for algorithms supported by the server.

   *  Fixed issues found during YANG Doctor review.

B.27.  25 to 26

   *  Replaced "base64encodedvalue==" with "BASE64VALUE=" in examples.

   *  Minor editorial nits.

Acknowledgements

   The authors would like to thank the following for lively discussions
   on list and in the halls (ordered by first name): Alan Luchuk, Andy
   Bierman, Balazs Kovacs, Benoit Claise, Bert Wijnen, David Lamparter,
   Dhruv Dhody, Gary Wu, Henk Birkholz, Juergen Schoenwaelder, Ladislav
   Lhotka, Liang Xia, Martin Bjoerklund, Mehmet Ersue, Michal Vasko,
   Phil Shafer, Radek Krejci, Sean Turner, and Tom Petch.

Contributors

   Special acknowledgement goes to Gary Wu, who contributed the
   "ietf-tls-common" module, and Tom Petch, who carefully ensured that
   references were set correctly throughout.

Author's Address

   Kent Watsen
   Watsen Networks

   Email: kent+ietf@watsen.net