5 Standards Compliance

5.1  Purpose

This section describes the current state of standards compliance of the ssl application.

5.2  Common (pre TLS 1.3)

  • For security reasons RSA key exchange cipher suites are no longer supported by default, but can be configured. (OTP 21)
  • For security reasons DES cipher suites are no longer supported by default, but can be configured. (OTP 20)
  • For security reasons 3DES cipher suites are no longer supported by default, but can be configured. (OTP 21)
  • Renegotiation Indication Extension RFC 5746 is supported
  • Ephemeral Diffie-Hellman cipher suites are supported, but not Diffie Hellman Certificates cipher suites.
  • Elliptic Curve cipher suites are supported if the Crypto application supports it and named curves are used.
  • Export cipher suites are not supported as the U.S. lifted its export restrictions in early 2000.
  • IDEA cipher suites are not supported as they have become deprecated by the TLS 1.2 specification so it is not motivated to implement them.
  • Compression is not supported.

5.3  Common

  • CRL validation is supported.
  • Policy certificate extensions are not supported.
  • 'Server Name Indication' extension (RFC 6066) is supported.
  • Application Layer Protocol Negotiation (ALPN) and its successor Next Protocol Negotiation (NPN) are supported.
  • It is possible to use Pre-Shared Key (PSK) and Secure Remote Password (SRP) cipher suites, but they are not enabled by default.

5.4  SSL 2.0

For security reasons SSL-2.0 is not supported. Interoperability with SSL-2.0 enabled clients dropped. (OTP 21)

5.5  SSL 3.0

For security reasons SSL-3.0 is no longer supported by default, but can be configured. (OTP 19)

5.6  TLS 1.0

For security reasons TLS-1.0 is no longer supported by default, but can be configured. (OTP 22)

5.7  TLS 1.1

For security reasons TLS-1.1 is no longer supported by default, but can be configured. (OTP 22)

5.8  TLS 1.2

Supported

5.9  DTLS 1.0

For security reasons DTLS-1.0 (based on TLS 1.1) is no longer supported by default, but can be configured. (OTP 22)

5.10  DTLS 1.2

Supported (based on TLS 1.2)

5.11  DTLS 1.3

Not yet supported

5.12  TLS 1.3

OTP-22 introduces support for TLS 1.3. The current implementation supports a selective set of cryptographic algorithms:

  • Key Exchange: ECDHE
  • Groups: all standard groups supported for the Diffie-Hellman key exchange
  • Ciphers: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256 and TLS_AES_128_CCM_SHA256
  • Signature Algorithms: rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pkcs1_sha1 and ecdsa_sha1
  • Certificates: RSA (it MUST use the rsaEncryption OID) and ECDSA keys

Other notable features:

  • PSK and session resumption is supported (stateful and stateless tickets)
  • Anti-replay protection using Bloom-filters with stateless tickets
  • Early data and 0-RTT not supported
  • Key and Initialization Vector Update not supported

For more detailed information see the Standards Compliance below.

The following table describes the current state of standards compliance for TLS 1.3.

(C = Compliant, NC = Non-Compliant, PC = Partially-Compliant, NA = Not Applicable)

Section Feature State Since
1.3. Updates Affecting TLS 1.2 C 22
Version downgrade protection mechanism C 22
RSASSA-PSS signature schemes PC 22
supported_versions (ClientHello) extension C 22
signature_algorithms_cert extension C 22
2. Protocol Overview PC 22
(EC)DHE C 22
PSK-only NC
PSK with (EC)DHE C 22.2
2.1. Incorrect DHE share HelloRetryRequest C 22
2.2. Resumption and Pre-Shared Key (PSK) C 22.2
2.3. 0-RTT Data NC
4.1.1. Cryptographic Negotiation C 22.2
supported_groups extension C 22
signature_algorithms extension C 22
pre_shared_key extension C 22.2
4.1.2. Client Hello Client PC 22.1
server_name (RFC6066) PC 22.2
max_fragment_length (RFC6066) NC
status_request (RFC6066) NC
supported_groups (RFC7919) C 22.1
signature_algorithms (RFC8446) C 22.1
use_srtp (RFC5764) NC
heartbeat (RFC6520) NC
application_layer_protocol_negotiation (RFC7301) C 22.1
signed_certificate_timestamp (RFC6962) NC
client_certificate_type (RFC7250) NC
server_certificate_type (RFC7250) NC
padding (RFC7685) NC
key_share (RFC8446) C 22.1
pre_shared_key (RFC8446) C 22.2
psk_key_exchange_modes (RFC8446) C 22.2
early_data (RFC8446) NC
cookie (RFC8446) NC
supported_versions (RFC8446) C 22.1
certificate_authorities (RFC8446) NC
oid_filters (RFC8446) NC
post_handshake_auth (RFC8446) NC
signature_algorithms_cert (RFC8446) C 22.1
Server PC 22
server_name (RFC6066) PC 22.2
max_fragment_length (RFC6066) NC
status_request (RFC6066) NC
supported_groups (RFC7919) C 22
signature_algorithms (RFC8446) C 22
use_srtp (RFC5764) NC
heartbeat (RFC6520) NC
application_layer_protocol_negotiation (RFC7301) C 22.1
signed_certificate_timestamp (RFC6962) NC
client_certificate_type (RFC7250) NC
server_certificate_type (RFC7250) NC
padding (RFC7685) NC
key_share (RFC8446) C 22
pre_shared_key (RFC8446) C 22.2
psk_key_exchange_modes (RFC8446) C 22.2
early_data (RFC8446) NC
cookie (RFC8446) NC
supported_versions (RFC8446) C 22
certificate_authorities (RFC8446) NC
oid_filters (RFC8446) NC
post_handshake_auth (RFC8446) NC
signature_algorithms_cert (RFC8446) C 22
4.1.3. Server Hello Client C 22.2
Version downgrade protection C 22.1
key_share (RFC8446) C 22.1
pre_shared_key (RFC8446) C 22.2
supported_versions (RFC8446) C 22.1
Server C 22.2
Version downgrade protection C 22
key_share (RFC8446) C 22
pre_shared_key (RFC8446) C 22.2
supported_versions (RFC8446) C 22
4.1.4. Hello Retry Request Server PC 22
key_share (RFC8446) C 22
cookie (RFC8446) NC
supported_versions (RFC8446) C 22
4.2.1. Supported Versions Client C 22.1
Server C 22
4.2.2. Cookie Client NC
Server NC
4.2.3. Signature Algorithms Client PC 22.1
rsa_pkcs1_sha256 C 22.1
rsa_pkcs1_sha384 C 22.1
rsa_pkcs1_sha512 C 22.1
ecdsa_secp256r1_sha256 C 22.1
ecdsa_secp384r1_sha384 C 22.1
ecdsa_secp521r1_sha512 C 22.1
rsa_pss_rsae_sha256 C 22.1
rsa_pss_rsae_sha384 C 22.1
rsa_pss_rsae_sha512 C 22.1
ed25519 NC
ed448 NC
rsa_pss_pss_sha256 NC
rsa_pss_pss_sha384 NC
rsa_pss_pss_sha512 NC
rsa_pkcs1_sha1 C 22.1
ecdsa_sha1 C 22.1
Server PC 22
rsa_pkcs1_sha256 C 22
rsa_pkcs1_sha384 C 22
rsa_pkcs1_sha512 C 22
ecdsa_secp256r1_sha256 C 22.1
ecdsa_secp384r1_sha384 C 22.1
ecdsa_secp521r1_sha512 C 22.1
rsa_pss_rsae_sha256 C 22
rsa_pss_rsae_sha384 C 22
rsa_pss_rsae_sha512 C 22
ed25519 NC
ed448 NC
rsa_pss_pss_sha256 NC
rsa_pss_pss_sha384 NC
rsa_pss_pss_sha512 NC
rsa_pkcs1_sha1 C 22
ecdsa_sha1 C 22
4.2.4. Certificate Authorities Client NC
Server NC
4.2.5. OID Filters Client NC
Server NC
4.2.6. Post-Handshake Client Authentication Client NC
Server NC
4.2.7. Supported Groups Client C 22.1
secp256r1 C 22.1
secp384r1 C 22.1
secp521r1 C 22.1
x25519 C 22.1
x448 C 22.1
ffdhe2048 C 22.1
ffdhe3072 C 22.1
ffdhe4096 C 22.1
ffdhe6144 C 22.1
ffdhe8192 C 22.1
Server C 22
secp256r1 C 22
secp384r1 C 22
secp521r1 C 22
x25519 C 22
x448 C 22
ffdhe2048 C 22
ffdhe3072 C 22
ffdhe4096 C 22
ffdhe6144 C 22
ffdhe8192 C 22
4.2.8. Key Share Client C 22.1
Server C 22
4.2.9. Pre-Shared Key Exchange Modes Client C 22.2
Server C 22.2
4.2.10. Early Data Indication Client NC
Server NC
4.2.11. Pre-Shared Key Extension Client C 22.2
Server C 22.2
4.2.11.1. Ticket Age Client C 22.2
Server C 22.2
4.2.11.2. PSK Binder Client C 22.2
Server C 22.2
4.2.11.3. Processing Order Client NC
Server NC
4.3.1. Encrypted Extensions Client PC 22.1
server_name (RFC6066) NC
max_fragment_length (RFC6066) NC
supported_groups (RFC7919) NC
use_srtp (RFC5764) NC
heartbeat (RFC6520) NC
application_layer_protocol_negotiation (RFC7301) NC
client_certificate_type (RFC7250) NC
server_certificate_type (RFC7250) NC
early_data (RFC8446) NC
supported_versions (RFC8446) NC
Server PC 22
server_name (RFC6066) NC
max_fragment_length (RFC6066) NC
supported_groups (RFC7919) NC
use_srtp (RFC5764) NC
heartbeat (RFC6520) NC
application_layer_protocol_negotiation (RFC7301) NC
client_certificate_type (RFC7250) NC
server_certificate_type (RFC7250) NC
early_data (RFC8446) NC
supported_versions (RFC8446) NC
4.3.2. Certificate Request Client PC 22.1
status_request (RFC6066) NC
signature_algorithms (RFC8446) C 22.1
signed_certificate_timestamp (RFC6962) NC
certificate_authorities (RFC8446) NC
oid_filters (RFC8446) NC
signature_algorithms_cert (RFC8446) C 22.1
Server PC 22
status_request (RFC6066) NC
signature_algorithms (RFC8446) C 22
signed_certificate_timestamp (RFC6962) NC
certificate_authorities (RFC8446) NC
oid_filters (RFC8446) NC
signature_algorithms_cert (RFC8446) C 22
4.4.1. The Transcript Hash C 22
4.4.2. Certificate Client PC 22.1
status_request (RFC6066) NC
signed_certificate_timestamp (RFC6962) NC
Server PC 22
status_request (RFC6066) NC
signed_certificate_timestamp (RFC6962) NC
4.4.2.1. OCSP Status and SCT Extensions Client NC
Server NC
4.4.2.2. Server Certificate Selection PC 22
The certificate type MUST be X.509v3, unless explicitly negotiated otherwise C 22
The server's end-entity certificate's public key (and associated restrictions) MUST be compatible with the selected authentication algorithm from the client's "signature_algorithms" extension (currently RSA, ECDSA, or EdDSA). C 22
The certificate MUST allow the key to be used for signing with a signature scheme indicated in the client's "signature_algorithms"/"signature_algorithms_cert" extensions C 22
The "server_name" and "certificate_authorities" extensions are used to guide certificate selection. As servers MAY require the presence of the "server_name" extension, clients SHOULD send this extension, when applicable. NC
4.4.2.3. Client Certificate Selection PC 22.1
The certificate type MUST be X.509v3, unless explicitly negotiated otherwise C 22.1
If the "certificate_authorities" extension in the CertificateRequest message was present, at least one of the certificates in the certificate chain SHOULD be issued by one of the listed CAs. NC
The certificates MUST be signed using an acceptable signature algorithm C 22.1
If the CertificateRequest message contained a non-empty "oid_filters" extension, the end-entity certificate MUST match the extension OIDs that are recognized by the client NC
4.4.2.4. Receiving a Certificate Message Client C 22.1
Server C 22
4.4.3. Certificate Verify Client C 22.1
Server C 22
4.4.4. Finished Client C 22.1
Server C 22
4.5. End of Early Data Client NC
Server NC
4.6.1. New Session Ticket Message Client PC 22.2
early_data (RFC8446) NC
Server PC 22.2
early_data (RFC8446) NC
4.6.2. Post-Handshake Authentication Client NC
Server NC
4.6.3. Key and Initialization Vector Update Client C 22.3
Server C 22.3
5.1. Record Layer C 22
MUST NOT be interleaved with other record types C 22
MUST NOT span key changes C 22
MUST NOT send zero-length fragments C 22
Alert messages MUST NOT be fragmented C 22
5.2. Record Payload Protection C 22
5.3. Per-Record Nonce C 22
5.4. Record Padding PC 22
MAY choose to pad NC
MUST NOT send Handshake and Alert records that have a zero-length TLSInnerPlaintext.content NC
The padding sent is automatically verified C 22
5.5. Limits on Key Usage C 22.3
6.1. Closure Alerts NC
close_notify NC
user_cancelled NC
6.2. Error Alerts PC 22
7.1. Key Schedule C 22
7.2. Updating Traffic Secrets C 22
7.3. Traffic Key Calculation C 22
7.5. Exporters NC
8. 0-RTT and Anti-Replay C 22.2
8.1. Single-Use Tickets C 22.2
8.2. Client Hello Recording C 22.2
8.3. Freshness Checks C 22.2
9.1. Mandatory-to-Implement Cipher Suites C 22.1
MUST implement the TLS_AES_128_GCM_SHA256 C 22
SHOULD implement the TLS_AES_256_GCM_SHA384 C 22
SHOULD implement the TLS_CHACHA20_POLY1305_SHA256 C 22
Digital signatures C 22.1
MUST support rsa_pkcs1_sha256 (for certificates) C 22
MUST support rsa_pss_rsae_sha256 (for CertificateVerify and certificates) C 22
MUST support ecdsa_secp256r1_sha256 C 22.1
Key Exchange C 22
MUST support key exchange with secp256r1 C 22
SHOULD support key exchange with X25519 C 22
9.2. Mandatory-to-Implement Extensions PC 22
Supported Versions C 22
Cookie NC
Signature Algorithms C 22
Signature Algorithms Certificate C 22
Negotiated Groups C 22
Key Share C 22
Server Name Indication NC
MUST send and use these extensions C 22.2
"supported_versions" is REQUIRED for ClientHello, ServerHello and HelloRetryRequest C 22.1
"signature_algorithms" is REQUIRED for certificate authentication C 22
"supported_groups" is REQUIRED for ClientHello messages using (EC)DHE key exchange C 22
"key_share" is REQUIRED for (EC)DHE key exchange C 22
"pre_shared_key" is REQUIRED for PSK key agreement C 22.2
"psk_key_exchange_modes" is REQUIRED for PSK key agreement C 22.2
TLS 1.3 ClientHello C 22.1
If not containing a "pre_shared_key" extension, it MUST contain both a "signature_algorithms" extension and a "supported_groups" extension. C 22.1
If containing a "supported_groups" extension, it MUST also contain a "key_share" extension, and vice versa. An empty KeyShare.client_shares vector is permitted. C 22.1
TLS 1.3 ServerHello PC 22
MUST support the use of the "server_name" extension NC
9.3. Protocol Invariants C 22.1
MUST correctly handle extensible fields C 22.1
A client sending a ClientHello MUST support all parameters advertised in it. Otherwise, the server may fail to interoperate by selecting one of those parameters. C 22.1
A server receiving a ClientHello MUST correctly ignore all unrecognized cipher suites, extensions, and other parameters. Otherwise, it may fail to interoperate with newer clients. In TLS 1.3, a client receiving a CertificateRequest or NewSessionTicket MUST also ignore all unrecognized extensions. C 22.1
A middlebox which terminates a TLS connection MUST behave as a compliant TLS server NA
A middlebox which forwards ClientHello parameters it does not understand MUST NOT process any messages beyond that ClientHello. It MUST forward all subsequent traffic unmodified. Otherwise, it may fail to interoperate with newer clients and servers. NA
B.4. Cipher Suites PC 22
TLS_AES_128_GCM_SHA256 C 22
TLS_AES_256_GCM_SHA384 C 22
TLS_CHACHA20_POLY1305_SHA256 C 22
TLS_AES_128_CCM_SHA256 C 22
TLS_AES_128_CCM_8_SHA256 NC
C.1. Random Number Generation and Seeding C 22
C.2. Certificates and Authentication C 22
C.3. Implementation Pitfalls PC 22
C.4. Client Tracking Prevention C 22.2
C.5. Unauthenticated Operation C 22
D.1. Negotiating with an Older Server C 22.2
D.2. Negotiating with an Older Client C 22
D.3. 0-RTT Backward Compatibility NC
D.4. Middlebox Compatibility Mode PC 22
D.5. Security Restrictions Related to Backward Compatibility C 22

Table 5.1:   Standards Compliance