View Source Standards Compliance

Purpose

This section describes the current state of standards compliance of the ssl application.

Common (pre TLS 1.3)

  • For security reasons RSA key exchange cipher suites are no longer supported by default, but can be configured. (OTP 21)
  • For security reasons DES cipher suites are no longer supported by default, but can be configured. (OTP 20)
  • For security reasons 3DES cipher suites are no longer supported by default, but can be configured. (OTP 21)
  • Renegotiation Indication Extension RFC 5746 is supported
  • Ephemeral Diffie-Hellman cipher suites are supported, but not Diffie Hellman Certificates cipher suites.
  • Elliptic Curve cipher suites are supported if the Crypto application supports it and named curves are used.
  • Export cipher suites are not supported as the U.S. lifted its export restrictions in early 2000.
  • IDEA cipher suites are not supported as they have become deprecated by the TLS 1.2 specification so it is not motivated to implement them.
  • Compression is not supported.

Common

  • CRL validation is supported.
  • Policy certificate extensions are not supported.
  • 'Server Name Indication' extension (RFC 6066) is supported.
  • Application Layer Protocol Negotiation (ALPN) and its successor Next Protocol Negotiation (NPN) are supported.
  • It is possible to use Pre-Shared Key (PSK) and Secure Remote Password (SRP) cipher suites, but they are not enabled by default.

SSL 2.0

For security reasons SSL-2.0 is not supported. Interoperability with SSL-2.0 enabled clients dropped. (OTP 21)

SSL 3.0

For security reasons SSL-3.0 is no longer supported at all. (OTP 23)

For security reasons SSL-3.0 is no longer supported by default, but can be configured. (OTP 19)

TLS 1.0

For security reasons TLS-1.0 is no longer supported by default, but can be configured. (OTP 22)

TLS 1.1

For security reasons TLS-1.1 is no longer supported by default, but can be configured. (OTP 22)

TLS 1.2

Supported

DTLS 1.0

For security reasons DTLS-1.0 (based on TLS 1.1) is no longer supported by default, but can be configured. (OTP 22)

DTLS 1.2

Supported (based on TLS 1.2)

DTLS 1.3

Not yet supported

TLS 1.3

OTP-22 introduces support for TLS 1.3. The current implementation supports a selective set of cryptographic algorithms:

  • Key Exchange: ECDHE
  • Groups: all standard groups supported for the Diffie-Hellman key exchange
  • Ciphers: all cipher suites are supported
  • Signature Algorithms: All algorithms form RFC 8446
  • Certificates: RSA, ECDSA and EDDSA keys

Other notable features:

  • PSK and session resumption is supported (stateful and stateless tickets)
  • Anti-replay protection using Bloom-filters with stateless tickets
  • Early data and 0-RTT is supported
  • Key and Initialization Vector Update is supported

For more detailed information see the Standards Compliance below.

The following table describes the current state of standards compliance for TLS 1.3.

(C = Compliant, NC = Non-Compliant, PC = Partially-Compliant, NA = Not Applicable)

SectionFeatureStateSince
1.3. Updates Affecting TLS 1.2C24.1
Version downgrade protection mechanismC22
RSASSA-PSS signature schemesC24.1
supported_versions (ClientHello) extensionC22
signature_algorithms_cert extensionC24.1
2. Protocol OverviewPC22
(EC)DHEC22
PSK-onlyNC
PSK with (EC)DHEC22.2
2.1. Incorrect DHE shareHelloRetryRequestC22
2.2. Resumption and Pre-Shared Key (PSK)C22.2
2.3. 0-RTT DataPC23.3
4.1.1. Cryptographic NegotiationC22.2
supported_groups extensionC22
signature_algorithms extensionC22
pre_shared_key extensionC22.2
4.1.2. Client HelloClientPC22.1
server_name (RFC6066)C23.2
max_fragment_length (RFC6066)C23.0
status_request (RFC6066)C27.0
supported_groups (RFC7919)C22.1
signature_algorithms (RFC8446)C22.1
use_srtp (RFC5764)C26.0
heartbeat (RFC6520)NC
application_layer_protocol_negotiation (RFC7301)C22.1
signed_certificate_timestamp (RFC6962)NC
client_certificate_type (RFC7250)NC
server_certificate_type (RFC7250)NC
padding (RFC7685)NC
key_share (RFC8446)C22.1
pre_shared_key (RFC8446)C22.2
psk_key_exchange_modes (RFC8446)C22.2
early_data (RFC8446)C23.3
cookie (RFC8446)C23.1
supported_versions (RFC8446)C22.1
certificate_authorities (RFC8446)C24.3
oid_filters (RFC8446)NC
post_handshake_auth (RFC8446)NC
signature_algorithms_cert (RFC8446)C22.1
ServerPC22
server_name (RFC6066)C23.2
max_fragment_length (RFC6066)C23.0
status_request (RFC6066)NC
supported_groups (RFC7919)C22
signature_algorithms (RFC8446)C22
use_srtp (RFC5764)C26.0
heartbeat (RFC6520)NC
application_layer_protocol_negotiation (RFC7301)C22.1
signed_certificate_timestamp (RFC6962)NC
client_certificate_type (RFC7250)NC
server_certificate_type (RFC7250)NC
padding (RFC7685)NC
key_share (RFC8446)C22
pre_shared_key (RFC8446)C22.2
psk_key_exchange_modes (RFC8446)C22.2
early_data (RFC8446)C23.3
cookie (RFC8446)C23.1
supported_versions (RFC8446)C22
oid_filters (RFC8446)NC
post_handshake_auth (RFC8446)NC
signature_algorithms_cert (RFC8446)C22
4.1.3. Server HelloClientC22.2
Version downgrade protectionC22.1
key_share (RFC8446)C22.1
pre_shared_key (RFC8446)C22.2
supported_versions (RFC8446)C22.1
use_srtp (RFC5764)C26.0
ServerC22.2
Version downgrade protectionC22
key_share (RFC8446)C22
pre_shared_key (RFC8446)C22.2
supported_versions (RFC8446)C22
use_srtp (RFC5764)C26.0
4.1.4. Hello Retry RequestServerC22
key_share (RFC8446)C22
cookie (RFC8446)C23.1
supported_versions (RFC8446)C22
4.2.1. Supported VersionsClientC22.1
ServerC22
4.2.2. CookieClientC23.1
ServerC23.1
4.2.3. Signature AlgorithmsClientC24
rsa_pkcs1_sha256C22.1
rsa_pkcs1_sha384C22.1
rsa_pkcs1_sha512C22.1
ecdsa_secp256r1_sha256C22.1
ecdsa_secp384r1_sha384C22.1
ecdsa_secp521r1_sha512C22.1
rsa_pss_rsae_sha256C22.1
rsa_pss_rsae_sha384C22.1
rsa_pss_rsae_sha512C22.1
ed25519C24
ed448C24
rsa_pss_pss_sha256C23
rsa_pss_pss_sha384C23
rsa_pss_pss_sha512C23
rsa_pkcs1_sha1C22.1
ecdsa_sha1C22.1
ServerC24
rsa_pkcs1_sha256C22
rsa_pkcs1_sha384C22
rsa_pkcs1_sha512C22
ecdsa_secp256r1_sha256C22.1
ecdsa_secp384r1_sha384C22.1
ecdsa_secp521r1_sha512C22.1
rsa_pss_rsae_sha256C22
rsa_pss_rsae_sha384C22
rsa_pss_rsae_sha512C22
ed25519C24
ed448C24
rsa_pss_pss_sha256C23
rsa_pss_pss_sha384C23
rsa_pss_pss_sha512C23
rsa_pkcs1_sha1C22
ecdsa_sha1C22
4.2.4. Certificate AuthoritiesClientC24.3
ServerC24.3
4.2.5. OID FiltersClientNC
ServerNC
4.2.6. Post-Handshake Client AuthenticationClientNC
ServerNC
4.2.7. Supported GroupsClientC22.1
secp256r1C22.1
secp384r1C22.1
secp521r1C22.1
x25519C22.1
x448C22.1
ffdhe2048C22.1
ffdhe3072C22.1
ffdhe4096C22.1
ffdhe6144C22.1
ffdhe8192C22.1
ServerC22
secp256r1C22
secp384r1C22
secp521r1C22
x25519C22
x448C22
ffdhe2048C22
ffdhe3072C22
ffdhe4096C22
ffdhe6144C22
ffdhe8192C22
4.2.8. Key ShareClientC22.1
ServerC22
4.2.9. Pre-Shared Key Exchange ModesClientC22.2
ServerC22.2
4.2.10. Early Data IndicationClientC23.3
ServerC23.3
4.2.11. Pre-Shared Key ExtensionClientC22.2
ServerC22.2
4.2.11.1. Ticket AgeClientC22.2
ServerC22.2
4.2.11.2. PSK BinderClientC22.2
ServerC22.2
4.2.11.3. Processing OrderClientNC
ServerNC
4.3.1. Encrypted ExtensionsClientPC22.1
server_name (RFC6066)C23.2
max_fragment_length (RFC6066)C23.0
supported_groups (RFC7919)NC
use_srtp (RFC5764)NC
heartbeat (RFC6520)NC
application_layer_protocol_negotiation (RFC7301)C23.0
client_certificate_type (RFC7250)NC
server_certificate_type (RFC7250)NC
early_data (RFC8446)C23.3
ServerPC22
server_name (RFC6066)C23.2
max_fragment_length (RFC6066)C23.0
supported_groups (RFC7919)NC
use_srtp (RFC5764)NC
heartbeat (RFC6520)NC
application_layer_protocol_negotiation (RFC7301)C23.0
client_certificate_type (RFC7250)NC
server_certificate_type (RFC7250)NC
early_data (RFC8446)C23.3
4.3.2. Certificate RequestClientPC22.1
status_request (RFC6066)NC
signature_algorithms (RFC8446)C22.1
signed_certificate_timestamp (RFC6962)NC
certificate_authorities (RFC8446)C24.3
oid_filters (RFC8446)NC
signature_algorithms_cert (RFC8446)C22.1
ServerPC22
status_request (RFC6066)NC
signature_algorithms (RFC8446)C22
signed_certificate_timestamp (RFC6962)NC
certificate_authorities (RFC8446)C24.3
oid_filters (RFC8446)NC
signature_algorithms_cert (RFC8446)C22
4.4.1. The Transcript HashC22
4.4.2. CertificateClientPC22.1
Arbitrary certificate chain orderingsC22.2
Extraneous certificates in chainC23.2
status_request (RFC6066)C27.0
signed_certificate_timestamp (RFC6962)NC
ServerPC22
status_request (RFC6066)NC
signed_certificate_timestamp (RFC6962)NC
4.4.2.1. OCSP Status and SCT ExtensionsClientPC27.0
ServerNC
4.4.2.2. Server Certificate SelectionC24.3
The certificate type MUST be X.509v3, unless explicitly negotiated otherwiseC22
The server's end-entity certificate's public key (and associated restrictions) MUST be compatible with the selected authentication algorithm from the client's "signature_algorithms" extension (currently RSA, ECDSA, or EdDSA).C22
The certificate MUST allow the key to be used for signing with a signature scheme indicated in the client's "signature_algorithms"/"signature_algorithms_cert" extensionsC22
The "server_name" and "certificate_authorities" extensions are used to guide certificate selection. As servers MAY require the presence of the "server_name" extension, clients SHOULD send this extension, when applicable.C24.3
4.4.2.3. Client Certificate SelectionPC22.1
The certificate type MUST be X.509v3, unless explicitly negotiated otherwiseC22.1
If the "certificate_authorities" extension in the CertificateRequest message was present, at least one of the certificates in the certificate chain SHOULD be issued by one of the listed CAs.C24.3
The certificates MUST be signed using an acceptable signature algorithmC22.1
If the CertificateRequest message contained a non-empty "oid_filters" extension, the end-entity certificate MUST match the extension OIDs that are recognized by the clientNC
4.4.2.4. Receiving a Certificate MessageClientC22.1
ServerC22
4.4.3. Certificate VerifyClientC22.1
ServerC22
4.4.4. FinishedClientC22.1
ServerC22
4.5. End of Early DataClientC23.3
ServerC23.3
4.6.1. New Session Ticket MessageClientC23.3
early_data (RFC8446)C23.3
ServerC23.3
early_data (RFC8446)C23.3
4.6.2. Post-Handshake AuthenticationClientNC
ServerNC
4.6.3. Key and Initialization Vector UpdateClientC22.3
ServerC22.3
5.1. Record LayerC22
MUST NOT be interleaved with other record typesC22
MUST NOT span key changesC22
MUST NOT send zero-length fragmentsC22
Alert messages MUST NOT be fragmentedC22
5.2. Record Payload ProtectionC22
5.3. Per-Record NonceC22
5.4. Record PaddingPC22
MAY choose to padNC
MUST NOT send Handshake and Alert records that have a zero-length TLSInnerPlaintext.contentNC
The padding sent is automatically verifiedC22
5.5. Limits on Key UsageC22.3
6.1. Closure Alerts22
close_notifyC22
user_cancelledC22
6.2. Error AlertsPC22
7.1. Key ScheduleC22
7.2. Updating Traffic SecretsC22
7.3. Traffic Key CalculationC22
7.5. ExportersPC26.3
8. 0-RTT and Anti-ReplayC22.2
8.1. Single-Use TicketsC22.2
8.2. Client Hello RecordingC22.2
8.3. Freshness ChecksC22.2
9.1. Mandatory-to-Implement Cipher SuitesC22.1
MUST implement the TLS_AES_128_GCM_SHA256C22
SHOULD implement the TLS_AES_256_GCM_SHA384C22
SHOULD implement the TLS_CHACHA20_POLY1305_SHA256C22
Digital signaturesC22.1
MUST support rsa_pkcs1_sha256 (for certificates)C22
MUST support rsa_pss_rsae_sha256 (for CertificateVerify and certificates)C22
MUST support ecdsa_secp256r1_sha256C22.1
Key ExchangeC22
MUST support key exchange with secp256r1C22
SHOULD support key exchange with X25519C22
9.2. Mandatory-to-Implement ExtensionsC23.2
Supported VersionsC22
CookieC23.1
Signature AlgorithmsC22
Signature Algorithms CertificateC22
Negotiated GroupsC22
Key ShareC22
Server Name IndicationC23.2
MUST send and use these extensionsC22.2
"supported_versions" is REQUIRED for ClientHello, ServerHello and HelloRetryRequestC22.1
"signature_algorithms" is REQUIRED for certificate authenticationC22
"supported_groups" is REQUIRED for ClientHello messages using (EC)DHE key exchangeC22
"key_share" is REQUIRED for (EC)DHE key exchangeC22
"pre_shared_key" is REQUIRED for PSK key agreementC22.2
"psk_key_exchange_modes" is REQUIRED for PSK key agreementC22.2
TLS 1.3 ClientHelloC22.1
If not containing a "pre_shared_key" extension, it MUST contain both a "signature_algorithms" extension and a "supported_groups" extension.C22.1
If containing a "supported_groups" extension, it MUST also contain a "key_share" extension, and vice versa. An empty KeyShare.client_shares vector is permitted.C22.1
TLS 1.3 ServerHelloC23.2
MUST support the use of the "server_name" extensionC23.2
9.3. Protocol InvariantsC22.1
MUST correctly handle extensible fieldsC22.1
A client sending a ClientHello MUST support all parameters advertised in it. Otherwise, the server may fail to interoperate by selecting one of those parameters.C22.1
A server receiving a ClientHello MUST correctly ignore all unrecognized cipher suites, extensions, and other parameters. Otherwise, it may fail to interoperate with newer clients. In TLS 1.3, a client receiving a CertificateRequest or NewSessionTicket MUST also ignore all unrecognized extensions.C22.1
A middlebox which terminates a TLS connection MUST behave as a compliant TLS serverNA
A middlebox which forwards ClientHello parameters it does not understand MUST NOT process any messages beyond that ClientHello. It MUST forward all subsequent traffic unmodified. Otherwise, it may fail to interoperate with newer clients and servers.NA
B.4. Cipher SuitesC23
TLS_AES_128_GCM_SHA256C22
TLS_AES_256_GCM_SHA384C22
TLS_CHACHA20_POLY1305_SHA256C22
TLS_AES_128_CCM_SHA256C22
TLS_AES_128_CCM_8_SHA256C23
C.1. Random Number Generation and SeedingC22
C.2. Certificates and AuthenticationC22
C.3. Implementation PitfallsPC22
C.4. Client Tracking PreventionC22.2
C.5. Unauthenticated OperationC22
D.1. Negotiating with an Older ServerC22.2
D.2. Negotiating with an Older ClientC22
D.3. 0-RTT Backward CompatibilityNC
D.4. Middlebox Compatibility ModeC23
D.5. Security Restrictions Related to Backward CompatibilityC22

Table: Standards Compliance