NIAP: View Technical Decision Details
TD0789:  Correction to TLS Selection in FIA_X509_EXT.2.1

Publication Date
2023.10.02

Protection Profiles
PP_OS_V4.3

Other References
FIA_X509_EXT.2.1, FTP_ITC_EXT.1.1

Issue Description

FIA_X509_EXT.2.1 treats TLS support as mandatory even though FTP_ITC_EXT.1.1 treats it as optional.

Resolution

The SFR and accompanying test for FIA_X509_EXT.2.1 in PP_OS_V4.3 are modified as follows, with green highlights and underlines indicating additions and red highlights with strikethroughs indicating deletions:

 

FIA_X509_EXT.2.1

The OS shall use X.509v3 certificates as defined by RFC 5280 to support authentication for TLS and [selection: TLS, DTLS, HTTPS, [assignment: other protocols], no other protocols] connections.

 

Tests

The evaluator will acquire or develop an application that uses the selected  OS TLS mechanism with an X.509v3 certificate. The evaluator will then run the application and ensure that the provided certificate is used to authenticate the connection.

The evaluator will repeat the activity for any other all selections listed.

 

 

FTP_ITC_EXT.1.1 in PP_OS_V4.3 is modified as follows, with green highlights and underlines indicating additions and red highlights with strikethroughs indicating deletions:

 The OS shall use [selection:

]

and [selection:

]

] to provide a trusted communication channel between itself and authorized IT entities supporting the following capabilities: [selection: audit server, authentication server, management server, [assignment: other capabilities]] that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from disclosure and detection of modification of the channel data.

Application Note: The ST author must include the security functional requirements for the trusted channel protocol selected in FTP_ITC_EXT.1.1 in the main body of the ST.

Regardless of the selections made in this requirement, the TSF must be validated against the client TLS requirements in the Functional Package for Transport Layer Security (TLS), version 1.1. It must also be validated against additional requirements in the Functional Package for Transport Layer Security (TLS), version 1.1 if DTLS or server(TLS) selections are made. If TLS or DTLS is selected, the TSF must be validated against the appropriate requirements in the Functional Package for Transport Layer Security (TLS), version 1.1.

If IPsec as conforming to the PP-Module for Virtual Private Network (VPN) Clients, version 2.4 is selected, then FDP_IFC_EXT.1 must be included in the ST.

If SSH is selected, the TSF must be validated against the Functional Package for Secure Shell (SSH), version 1.0 and the corresponding selection is expected to be made in FIA_UAU.5.1. The ST author must include the security functional requirements for the trusted channel protocol selected in FTP_ITC_EXT.1 in the main body of the ST.

 

Tests

The evaluator will shall configure the OS to communicate with another trusted IT product as identified in the second third selection. The evaluator will shall monitor network traffic while the OS performs communication with each of the servers identified in the second third selection. The evaluator will shall ensure that for each session a trusted channel was established in conformance with the selected protocols identified in the first selection.

Justification

It is not a requirement that every OS supports TLS.

 
 