module ietf-tls-client {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-client";
prefix tlsc;
import ietf-tls-common {
prefix tlscmn;
revision-date 2019-10-18; // stable grouping definitions
reference
"RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
}
import ietf-truststore {
prefix ts;
reference
"RFC YYYY: A YANG Data Model for a Truststore";
}
import ietf-keystore {
prefix ks;
reference
"RFC ZZZZ: A YANG Data Model for a Keystore";
}
import ietf-netconf-acm {
prefix nacm;
reference
"RFC 8341: Network Configuration Access Control Model";
}
organization
"IETF NETCONF (Network Configuration) Working Group";
contact
"WG Web:
WG List:
Author: Kent Watsen
Author: Gary Wu ";
description
"This module defines reusable groupings for TLS clients that
can be used as a basis for specific TLS client instances.
Copyright (c) 2019 IETF Trust and the persons identified
as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Simplified
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC
itself for full legal notices.;
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all
capitals, as shown here.";
revision 2019-10-18 {
description
"Initial version";
reference
"RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
}
// Features
feature tls-client-hello-params-config {
description
"TLS hello message parameters are configurable on a TLS
client.";
}
feature tls-client-keepalives {
description
"Per socket TLS keepalive parameters are configurable for
TLS clients on the server implementing this feature.";
}
// Groupings
grouping tls-client-grouping {
description
"A reusable grouping for configuring a TLS client without
any consideration for how an underlying TCP session is
established.
Note that this grouping uses fairly typical descendent
node names such that a stack of 'uses' statements will
have name conflicts. It is intended that the consuming
data model will resolve the issue (e.g., by wrapping
the 'uses' statement in a container called
'tls-client-parameters'). This model purposely does
not do this itself so as to provide maximum flexibility
to consuming models.";
container client-identity { // FIXME: what about PSKs?
nacm:default-deny-write;
description
"A locally-defined or referenced end-entity certificate,
including any configured intermediate certificates, the
TLS client will present when establishing a TLS connection
in its Certificate message, as defined in Section 7.4.2
in RFC 5246.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version 1.2
RFC ZZZZ:
YANG Data Model for a 'Keystore' Mechanism";
uses ks:local-or-keystore-end-entity-cert-with-key-grouping;
} // container client-identity
container server-authentication { // FIXME: what about PSKs?
nacm:default-deny-write;
must 'ca-certs or server-certs';
description
"Trusted server identities.";
container ca-certs {
if-feature "ts:x509-certificates";
presence
"Indicates that the client can authenticate servers
using the configured trust anchor certificates.";
description
"A list of certificate authority (CA) certificates used by
the TLS client to authenticate TLS server certificates.
A server certificate is authenticated if it has a valid
chain of trust to a configured CA certificate.";
uses ts:local-or-truststore-certs-grouping;
}
container server-certs {
if-feature "ts:x509-certificates";
presence
"Indicates that the client can authenticate servers
using the configured server certificates.";
description
"A list of server certificates used by the TLS client
to authenticate TLS server certificates. A server
certificate is authenticated if it is an exact match
to a configured server certificate.";
uses ts:local-or-truststore-certs-grouping;
}
} // container server-authentication
container hello-params {
nacm:default-deny-write;
if-feature "tls-client-hello-params-config";
uses tlscmn:hello-params-grouping;
description
"Configurable parameters for the TLS hello message.";
} // container hello-params
container keepalives {
nacm:default-deny-write;
if-feature "tls-client-keepalives";
presence "Indicates that keepalives are enabled.";
description
"Configures the keep-alive policy, to proactively test
the aliveness of the TLS server. An unresponsive
TLS server is dropped after approximately max-wait
* max-attempts seconds.";
leaf max-wait {
type uint16 {
range "1..max";
}
units "seconds";
default "30";
description
"Sets the amount of time in seconds after which if
no data has been received from the TLS server, a
TLS-level message will be sent to test the
aliveness of the TLS server.";
}
leaf max-attempts {
type uint8;
default "3";
description
"Sets the maximum number of sequential keep-alive
messages that can fail to obtain a response from
the TLS server before assuming the TLS server is
no longer alive.";
}
} // container keepalives
} // grouping tls-client-grouping
}