Archived
TD0267: TLSS testing - Empty Certificate Authorities list
A TLSS test found in PP_APP_v1.2, PP_MDM_v3.0, and PP_BASE_VIRTUALIZATION_v1.0 cannot be performed unless the TOE sends a list of Certificate Authorities in its Certificate Request message. There are implementations of TLS that do not send this list of Certificate Authorities, so this test should be made conditional.
07/30/2019: This TD is no longer applicable to the Base Virtualization PP v1.0 as TD0431 incorporates the necessary changes related to the Base Virtualization PP.
The test will be modified in the PPs as follows:
PP_APP_v1.2:
FCS_TLSS_EXT.1.5 Test 4 shall be changed as follows:
"Test 4: If the TOE supports sending a non-empty Certificate Authorities list in its Certificate Request message, the evaluator shall configure the client to send a certificate that does not chain to one of the Certificate Authorities (either a Root or Intermediate CA) in the server’s Certificate Request message. The evaluator shall verify that the attempted connection is denied. If the TOE doesn't support sending a non-empty Certificate Authorities list in its Certificate Request message, this test shall be omitted."
PP_MDM_v3.0:
FCS_TLSS_EXT.1.4 Test 4 shall be changed as follows:
"Test 4: If the TOE supports sending a non-empty Certificate Authorities list in its Certificate Request message, the evaluator shall configure the client to send a certificate that does not chain to one of the Certificate Authorities (either a Root or Intermediate CA) in the server’s Certificate Request message. The evaluator shall verify that the attempted connection is denied. If the TOE doesn't support sending a non-empty Certificate Authorities list in its Certificate Request message, this test shall be omitted."
PP_BASE_VIRTUALIZATION_v1.0:
FCS_TLSS_EXT.2.4 Test 4 shall be changed as follows:
"Test 4: If the TOE supports sending a non-empty Certificate Authorities list in its Certificate Request message, the evaluator shall configure the client to send a certificate that does not chain to one of the Certificate Authorities (either a Root or Intermediate CA) in the server’s Certificate Request message. The evaluator shall verify that the attempted connection is denied. If the TOE doesn't support sending a non-empty Certificate Authorities list in its Certificate Request message, this test shall be omitted."