module ietf-tls-common {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-common";
prefix tlscmn;
organization
"IETF NETCONF (Network Configuration) Working Group";
contact
"WG Web:
WG List:
Author: Kent Watsen
Author: Gary Wu ";
description
"This module defines a common features, identities, and
groupings for Transport Layer Security (TLS).
Copyright (c) 2020 IETF Trust and the persons identified
as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Simplified
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC FFFF
(https://www.rfc-editor.org/info/rfcFFFF); see the RFC
itself for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all
capitals, as shown here.";
revision 2021-02-10 {
description
"Initial version";
reference
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers";
}
// Features
feature tls-1_0 {
description
"TLS Protocol Version 1.0 is supported.";
reference
"RFC 2246: The TLS Protocol Version 1.0";
}
feature tls-1_1 {
description
"TLS Protocol Version 1.1 is supported.";
reference
"RFC 4346: The Transport Layer Security (TLS) Protocol
Version 1.1";
}
feature tls-1_2 {
description
"TLS Protocol Version 1.2 is supported.";
reference
"RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2";
}
feature tls-1_3 {
description
"TLS Protocol Version 1.2 is supported.";
reference
"RFC 8446: The Transport Layer Security (TLS) Protocol
Version 1.3";
}
feature tls-ecc {
description
"Elliptic Curve Cryptography (ECC) is supported for TLS.";
reference
"RFC 8422: Elliptic Curve Cryptography (ECC) Cipher Suites
for Transport Layer Security (TLS)";
}
feature tls-dhe {
description
"Ephemeral Diffie-Hellman key exchange is supported for TLS.";
reference
"RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2";
}
feature tls-3des {
description
"The Triple-DES block cipher is supported for TLS.";
reference
"RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2";
}
feature tls-gcm {
description
"The Galois/Counter Mode authenticated encryption mode is
supported for TLS.";
reference
"RFC 5288: AES Galois Counter Mode (GCM) Cipher Suites for
TLS";
}
feature tls-sha2 {
description
"The SHA2 family of cryptographic hash functions is supported
for TLS.";
reference
"FIPS PUB 180-4: Secure Hash Standard (SHS)";
}
// Identities
identity tls-version-base {
description
"Base identity used to identify TLS protocol versions.";
}
identity tls-1.0 {
if-feature "tls-1_0";
base tls-version-base;
description
"TLS Protocol Version 1.0.";
reference
"RFC 2246: The TLS Protocol Version 1.0";
}
identity tls-1.1 {
if-feature "tls-1_1";
base tls-version-base;
description
"TLS Protocol Version 1.1.";
reference
"RFC 4346: The Transport Layer Security (TLS) Protocol
Version 1.1";
}
identity tls-1.2 {
if-feature "tls-1_2";
base tls-version-base;
description
"TLS Protocol Version 1.2.";
reference
"RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2";
}
identity cipher-suite-base {
description
"Base identity used to identify TLS cipher suites.";
}
identity rsa-with-aes-128-cbc-sha {
base cipher-suite-base;
description
"Cipher suite TLS_RSA_WITH_AES_128_CBC_SHA.";
reference
"RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2";
}
identity rsa-with-aes-256-cbc-sha {
base cipher-suite-base;
description
"Cipher suite TLS_RSA_WITH_AES_256_CBC_SHA.";
reference
"RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2";
}
identity rsa-with-aes-128-cbc-sha256 {
if-feature "tls-sha2";
base cipher-suite-base;
description
"Cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256.";
reference
"RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2";
}
identity rsa-with-aes-256-cbc-sha256 {
if-feature "tls-sha2";
base cipher-suite-base;
description
"Cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256.";
reference
"RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2";
}
identity dhe-rsa-with-aes-128-cbc-sha {
if-feature "tls-dhe";
base cipher-suite-base;
description
"Cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA.";
reference
"RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2";
}
identity dhe-rsa-with-aes-256-cbc-sha {
if-feature "tls-dhe";
base cipher-suite-base;
description
"Cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA.";
reference
"RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2";
}
identity dhe-rsa-with-aes-128-cbc-sha256 {
if-feature "tls-dhe and tls-sha2";
base cipher-suite-base;
description
"Cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256.";
reference
"RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2";
}
identity dhe-rsa-with-aes-256-cbc-sha256 {
if-feature "tls-dhe and tls-sha2";
base cipher-suite-base;
description
"Cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA256.";
reference
"RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2";
}
identity ecdhe-ecdsa-with-aes-128-cbc-sha256 {
if-feature "tls-ecc and tls-sha2";
base cipher-suite-base;
description
"Cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256.";
reference
"RFC 5289: TLS Elliptic Curve Cipher Suites with
SHA-256/384 and AES Galois Counter Mode (GCM)";
}
identity ecdhe-ecdsa-with-aes-256-cbc-sha384 {
if-feature "tls-ecc and tls-sha2";
base cipher-suite-base;
description
"Cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384.";
reference
"RFC 5289: TLS Elliptic Curve Cipher Suites with
SHA-256/384 and AES Galois Counter Mode (GCM)";
}
identity ecdhe-rsa-with-aes-128-cbc-sha256 {
if-feature "tls-ecc and tls-sha2";
base cipher-suite-base;
description
"Cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256.";
reference
"RFC 5289: TLS Elliptic Curve Cipher Suites with
SHA-256/384 and AES Galois Counter Mode (GCM)";
}
identity ecdhe-rsa-with-aes-256-cbc-sha384 {
if-feature "tls-ecc and tls-sha2";
base cipher-suite-base;
description
"Cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384.";
reference
"RFC 5289: TLS Elliptic Curve Cipher Suites with
SHA-256/384 and AES Galois Counter Mode (GCM)";
}
identity ecdhe-ecdsa-with-aes-128-gcm-sha256 {
if-feature "tls-ecc and tls-gcm and tls-sha2";
base cipher-suite-base;
description
"Cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.";
reference
"RFC 5289: TLS Elliptic Curve Cipher Suites with
SHA-256/384 and AES Galois Counter Mode (GCM)";
}
identity ecdhe-ecdsa-with-aes-256-gcm-sha384 {
if-feature "tls-ecc and tls-gcm and tls-sha2";
base cipher-suite-base;
description
"Cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.";
reference
"RFC 5289: TLS Elliptic Curve Cipher Suites with
SHA-256/384 and AES Galois Counter Mode (GCM)";
}
identity ecdhe-rsa-with-aes-128-gcm-sha256 {
if-feature "tls-ecc and tls-gcm and tls-sha2";
base cipher-suite-base;
description
"Cipher suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.";
reference
"RFC 5289: TLS Elliptic Curve Cipher Suites with
SHA-256/384 and AES Galois Counter Mode (GCM)";
}
identity ecdhe-rsa-with-aes-256-gcm-sha384 {
if-feature "tls-ecc and tls-gcm and tls-sha2";
base cipher-suite-base;
description
"Cipher suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.";
reference
"RFC 5289: TLS Elliptic Curve Cipher Suites with
SHA-256/384 and AES Galois Counter Mode (GCM)";
}
identity rsa-with-3des-ede-cbc-sha {
if-feature "tls-3des";
base cipher-suite-base;
description
"Cipher suite TLS_RSA_WITH_3DES_EDE_CBC_SHA.";
reference
"RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2";
}
identity ecdhe-rsa-with-3des-ede-cbc-sha {
if-feature "tls-ecc and tls-3des";
base cipher-suite-base;
description
"Cipher suite TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA.";
reference
"RFC 8422: Elliptic Curve Cryptography (ECC) Cipher Suites
for Transport Layer Security (TLS)";
}
identity ecdhe-rsa-with-aes-128-cbc-sha {
if-feature "tls-ecc";
base cipher-suite-base;
description
"Cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA.";
reference
"RFC 8422: Elliptic Curve Cryptography (ECC) Cipher Suites
for Transport Layer Security (TLS)";
}
identity ecdhe-rsa-with-aes-256-cbc-sha {
if-feature "tls-ecc";
base cipher-suite-base;
description
"Cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.";
reference
"RFC 8422: Elliptic Curve Cryptography (ECC) Cipher Suites
for Transport Layer Security (TLS)";
}
// Groupings
grouping hello-params-grouping {
description
"A reusable grouping for TLS hello message parameters.";
reference
"RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2";
container tls-versions {
description
"Parameters regarding TLS versions.";
leaf-list tls-version {
type identityref {
base tls-version-base;
}
description
"Acceptable TLS protocol versions.
If this leaf-list is not configured (has zero elements)
the acceptable TLS protocol versions are implementation-
defined.";
}
}
container cipher-suites {
description
"Parameters regarding cipher suites.";
leaf-list cipher-suite {
type identityref {
base cipher-suite-base;
}
ordered-by user;
description
"Acceptable cipher suites in order of descending
preference. The configured host key algorithms should
be compatible with the algorithm used by the configured
private key. Please see Section 5 of RFC FFFF for
valid combinations.
If this leaf-list is not configured (has zero elements)
the acceptable cipher suites are implementation-
defined.";
reference
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers";
}
}
}
}