Non-sensitive error messages can be provided over a non-mutually authenticated HTTPS session; further options for alternative authentication are not acceptable under the assumptions of the PP functional package that refines the RFC to require termination.

FCS_TLSS_EXT.2.2 in PKG_TLS_V1.1 is modified as follows, with underlines highlighted in green indicating additions and strikethroughs highlighted in red indicating deletions.

FCS_TLSS_EXT.2.2: The product shall [selection: not establish a trusted channel, establish a temporary non-mutually authenticated channel only used to transmit error messages] if the client certificate is invalid.

Application Note: The use of X.509v3 certificates for TLS is addressed in FIA_X509_EXT.2.1 This requirement adds that this use must include support for client-side certificates for TLS mutual authentication. Validity is determined by the certificate path, the expiration date, and the revocation status in accordance with RFC 5280. Certificate validity shall be tested in accordance with testing performed for FIA_X509_EXT.1. Termination of the session resulting from an invalid or missing certificate may occur after non-sensitive error messages provided under a non-mutually authenticated session established in accordance with FCS_TLSS_EXT.1.

TSS

The evaluator shall ensure that the TSS description required per FIA_X509_EXT.2.1 includes the use of client-side certificates for TLS mutual authentication.

If error messages are provided prior to terminating a session, the evaluator shall ensure the error messages are described.

Tests

The evaluator shall use TLS as a function to verify that the validation rules in FIA_X509_EXT.1.1 are adhered to and shall perform the following tests. The evaluator shall apply the AGD guidance to configure the server to require TLS mutual authentication of clients for the following tests, unless overridden by instructions in the test activity.

If error messages are provided prior to terminating a session, the evaluator shall configure the test client to be able to observe application data sent over the non-mutually authenticated channel, and in addition to observing that the TSF terminates the session, that the only data received under the channel is the error message as described in the TSS:

·       Test 1: The evaluator shall configure the server to send a certificate request to the client. The client shall send a certificate_list structure which has a length of zero. The evaluator shall verify that the handshake is not finished successfully and no sensitive application data flows prior to termination; if error messages are sent, the evaluator shall observe that an non-mutually authenticated channel is established, observe the data received by the test client to ensure only the error message indicated in the TSS is provided, and observe that the channel is then terminated.

·       Test 2: The evaluator shall configure the server to send a certificate request to the client. The client shall send no client certificate message, and instead send a client key exchange message in an attempt to continue the handshake. The client is required to respond to the certificate request message, even if the certificate message is empty. The evaluator shall verify that the handshake is not finished successfully and no application data flows. 

·       Test 3: The evaluator shall configure the server to send a certificate request to the client without the supported_signature_algorithm used by the client’s certificate. The evaluator shall attempt a connection using the client certificate and verify that the handshake is not finished successfully and no sensitive application data flows prior to termination; if error messages are sent, the evaluator shall observe that an non-mutually authenticated channel is established, observe the data received by the test client to ensure only the error message indicated in the TSS is provided, and observe that the channel is then terminated.

·       Test 4: The evaluator shall demonstrate that using a certificate without a valid certification path results in the function failing. Using the administrative guidance, the evaluator shall then load a certificate or certificates needed to validate the certificate to be used in the function, and demonstrate that the function succeeds. The evaluator then shall delete one of the certificates, and show that the function fails load the modified certificate path, and verify that no sensitive application data flows prior to termination; if error messages are sent, the evaluator shall observe that an non-mutually authenticated channel is established, observe the data received by the test client to ensure only the error message indicated in the TSS is provided, and observe that the channel is then terminated.

·       Test 5: The aim of this test is to check the response of the server when it receives a client identity certificate that is signed by an impostor CA (either Root CA or intermediate CA). To carry out this test the evaluator shall configure the client to send a client identity certificate with an issuer field that identifies a CA recognised by the TOE as a trusted CA, but where the key used for the signature on the client certificate does not in fact correspond to the CA certificate trusted by the TOE (meaning that the client certificate is invalid because its certification path does not in fact terminate in the claimed CA certificate). The evaluator shall verify that the attempted connection is deniedthat no sensitive application data flows prior to termination; if error messages are sent, the evaluator shall observe that an non-mutually authenticated channel is established, observe the data received by the test client to ensure only the error message indicated in the TSS is provided, and observe that the channel is then terminated.

·       Test 6: The evaluator shall configure the client to send a certificate with the Client Authentication purpose in the extendedKeyUsage field and verify that the server accepts the attempted connection. The evaluator shall repeat this test without the Client Authentication purpose and shall verify that the server denies the connectionno sensitive application data flows prior to termination; if error messages are sent, the evaluator shall observe that an non-mutually authenticated channel is established, observe the data received by the test client to ensure only the error message indicated in the TSS is provided, and observe that the channel is then terminated. Ideally, the two certificates should be identical except for the Client Authentication purpose.

·       Test 7: The evaluator shall perform the following modifications to the traffic: a) Configure the server to require mutual authentication and then modify a byte in the client’s certificate. The evaluator shall verify that the server rejects the connection. b) Configure the server to require mutual authentication and then modify a byte in the signature block of the client’s Certificate Verify handshake message. The evaluator shall verify that the server rejects the connection.

See Issue Description.