TLS

TLS overview

Transport Layer Security (TLS) is used for two primary purposes:

  • authentication of an end device (client or server) using a digital signature (DS)

    TLS uses PKI for device authentication. DSs are used to authenticate the client or the server. The server typically sends a certificate with a DS to the client.

    In specific situations, the server can request a certificate from the client to authenticate it. The client has a certificate (called a Trust Anchor) from the certificate authority (CA) which is used to authenticate server certificate and its DS. After the client provides a digitally signed certificate to the server and both parties are authenticated, the encryption PDUs can then be transmitted.

    When SR OS is acting as a server and it requests a certificate from the client, the client must provide the certificate. If the client fails to provide a certificate for authentication, SR OS terminates the TLS session. The server TLS settings can be configured to not request certificates, in which case the client is not obligated to send the server a certificate for authentication.

  • encryption and authentication of application PDUs

    After the clients and server have been successfully authenticated, the cipher suite is negotiated between the server and clients, and the PDUs are encrypted based on the agreed cipher protocol.

TLS server interaction with applications

TLS is a standalone configuration. The user must configure TLS server profiles with certificates and trust anchors, and then assign the TLS server profiles to the appropriate applications. When a TLS server profile is assigned to an application, the application should not send any clear text PDUs until the TLS handshake has been successfully completed and the encryption ciphers have been negotiated between the TLS server and the TLS client.

After successful negotiation and handshake, the TLS is operationally up, and the TLS notifies the application which begins transmitting PDUs. These PDUs are encrypted using TLS based on the agreed ciphers. If, at any point, the TLS becomes operationally down, the application should stop transmitting PDUs.

For example, a TLS connection with the gRPC application would operate as follows:

  1. A TLS server profile is assigned to the gRPC application.

  2. gRPC stops sending clear text PDUs because a TLS server profile has been assigned and TLS is not ready to encrypt.

  3. The TLS server begins the handshake.

  4. Authentication occurs at the TLS layer.

  5. The TLS server and TLS client negotiate ciphers.

  6. SALTs are negotiated for the symmetric key. A SALT is a seed for creating AES encryption keys.

  7. When negotiations are successfully completed, the handshake finishes and gRPC is notified.

  8. TLS becomes operationally up, and gRPC can resume transmitting PDUs. Until TLS becomes operationally up, gRPC PDUs arriving from the client are dropped on ingress.

TLS application support

TLS application support lists the applications that support TLS.

Table 1. TLS application support
Application TLS server supported TLS client supported

gRPC

LDAP

RADIUS

Syslog

TLS handshake

TLS handshake shows the TLS handshake.

Figure 1. TLS handshake

TLS handshake step descriptions describes the steps in the TLS handshake.

Table 2. TLS handshake step descriptions
Step Description

1

The TLS handshake begins with the client Hello message. This message includes the cipher list that the client wants to use and negotiate, among other information.

2

The TLS server sends back a server Hello message, along with the first common cipher found on both the client cipher list and the server cipher list. This agreed cipher is used for data encryption.

3

The TLS server continues by sending a server certificate message, where the server provides a certificate to the client so that the client can authenticate the server identity. The public key of this certificate (RSA key) can also be used for encryption of the symmetric key seed that is used by the client and server to create the symmetric encryption key. This occurs only if the PKI is using RSA for asymmetric encryption.

4

Server key exchange is not supported by SR OS.

SR OS only uses RSA keys; Diffie-Hellman key exchange is not supported.

5

The server can optionally be configured to request a certificate from the client to authenticate the client.

6

If the server has requested a certificate, the client should provide a certificate using a client certificate message. If the client does not provide a certificate, the server drops the TLS session.

7

The client uses the server public RSA key that was included in the server certificate to encrypt a seed used for creating the symmetric key. This seed is used by the client and server to create the identical symmetric key for encrypting and decrypting the data plane traffic.

8

The client sends a cipher spec to switch encryption to this symmetric key.

9

The client successfully finishes the handshake.

10

The server sends a cipher spec to switch encryption to this symmetric key.

11

The server successfully finishes the handshake.

After a successful handshake, TLS is operationally up, and applications can then use it for application encryption.

TLS 1.3

TLS 1.3 is required for faster handshakes and stronger encryption and authentication algorithms.

All SR OS applications that use TLS 1.2 also support TLS 1.3, unless specifically stated otherwise.

The user can configure the node to use TLS 1.2, TLS 1.3, or both for its client or server negotiation.

When TLS 1.3 is negotiated with a client, the node no longer negotiates the TLS version down to 1.2 as long as the session is alive.

TLS 1.3 handshake

The TLS 1.3 client handshake is very similar to TLS 1.2 because the client is able to negotiate TLS 1.2 or 1.3 when starting the TLS Hello message to the server. The client includes a "Supported Version" extension in its Hello message. The server responds with its own supported version, agreed ciphers, and so on.

In TLS 1.2 and TLS 1.3, the server can optionally request for the client certificate to authenticate the client. If requested, the client must provide its certificate to the server.

TLS 1.3 configuration

The user can configure the TLS 1.3 cipher list independently of TLS 1.2 for both client and server ciphers. TLS 1.3 ciphers are configured using the tls13-cipher command.

TLS 1.3 also introduces group lists and signature lists for the server and client.

In the Hello message sent by the client, the "supported_groups" extension indicates the named groups that the client supports for the key exchange, ordered from most preferred to least preferred. TLS 1.3 supports Elliptic-Curve Diffie-Hellman Ephemeral (ECDHE) groups.

Note: TLS 1.2 does not support Diffie-Hellman groups as an asymmetric key.

TLS 1.3 also allows the selection of signature algorithms. The "signature_algorithms_cert" extension is included to allow implementations that support different sets of algorithms for certificates and in TLS itself to clearly signal their capabilities.

When the user configures a TLS 1.3 cipher list, the TLS handshake includes TLS 1.3 as a supported TLS version in the TLS handshake.

TLS client certificate

TLS protocol is used for authentication, and therefore, the server can ask to authenticate the client via PKI. If the server requests authentication from the client, the client must provide an X.509v3 certificate to the server so that it can be authenticated via the digital signature of its client. SR OS allows the configuration of an X.509v3 certificate for TLS clients. When the server requests a certificate via the server’s Hello message, the client transmits its certificate to the server using a client certificate message.

TLS symmetric key rollover

SR OS supports key rollover via HelloRequest messages as detailed in RFC 5246, section 7.4.1.1. Some applications have a longer live time than other applications, in which case SR OS can use a timer that prompts the HelloRequest negotiation for the symmetric key rollover. This timer is configurable using CLI.

Use the following command to configure the TLS re-negotiate timer.

configure system security tls server-tls-profile tls-re-negotiate-timer

If an application does not support the HelloRequest message, you can disable the timer configuration. For example, the gRPC application does not support HelloRequest messages. When the time is not configured, the HelloRequest message is not generated, and symmetric keys are not renegotiated.

Supported TLS ciphers

As shown in TLS handshake, TLS negotiates the supported ciphers between the client and the server.

The client sends the supported cipher suites in the client Hello message, and the server compares them with the server cipher list. The top protocol on both lists is chosen and returned from the server within the server Hello message.

The 7750 SR supports the following ciphers as a TLS 1.2 client or TLS server:

  • tls-rsa-with3des-ede-cbc-sha

  • tls-rsa-with-aes128-cbc-sha

  • tls-rsa-with-aes256-cbc-sha

  • tls-rsa-with-aes128-cbc-sha256

  • tls-rsa-with-aes256-cbc-sha256

  • tls-rsa-with-aes128-gcm-sha256

  • tls-rsa-with-aes256-gcm-sha384

The 7750 SR supports the following TLS 1.3 ciphers, groups, and signature algorithms as a TLS client or TLS server:

  • tls-aes128-gcm-sha256

  • tls-aes256-gcm-sha384

  • tls-chacha20-poly1305-sha256

  • tls-aes128-ccm-sha256

  • tls-aes128-ccm8-sha256

  • Groups:

    • tls-ecdhe-256

    • tls-ecdhe-384

    • tls-ecdhe-521

    • tls-x25519

    • tls-x448

  • Signature algorithms:

    • tls-rsa-pkcs1-sha256

    • tls-rsa-pkcs1-sha384

    • tls-rsa-pkcs1-sha512

    • tls-ecdsa-secp256r1-sha256

    • tls-ecdsa-secp384r1-sha384

    • tls-ecdsa-secp521r1-sha512

    • tls-rsa-pss-rsae-sha256

    • tls-rsa-pss-rsae-sha384

    • tls-rsa-pss-rsae-sha512

    • tls-rsa-pss-pss-sha256

    • tls-rsa-pss-pss-sha384

    • tls-rsa-pss-pss-sha512

    • tls-ed25519

    • tls-ed448

SR OS certificate management

SR OS implements a centralized certificate management protocol that can be used by TLS and IPsec. See the 7450 ESS, 7750 SR, and VSR Multiservice ISA and ESA Guide for information about the configuration of the certificates and the corresponding protocols, such as OCSP, CMPv2, and CRL.

Use the commands in the following contexts to configure and manage certificates:

  • MD-CLI
    admin system security pki
configure system security pki
  • classic CLI
    admin certificate
configure system security pki

Certificate profile

The certificate profile is available for both the TLS server and the TLS client. The cert-profile command is configured for the server or client to transmit the provider certificate and its DS to the peer so that the peer can authenticate it via the trust-anchor and CA certificate.

Multiple provider certificates can be configured on SR OS; however, SR OS currently uses the smallest index as the active provider certificate, and only sends the certificate to the peer.

TLS server authentication of the client certificate CN field

If the client provides a certificate upon request by the server, SR OS checks the certificate’s common name (CN) field against local CN configurations. The CN is validated via the client IPv4/IPv6 address or FQDN.

If the common-name list authentication option is not enabled, SR OS does not authenticate via the CN field and only relies on certificate signature authentication.

CN regexp format

Use commands in the following context to configure CN entries.

configure system security pki common-name-list

Entries should use regular expression (regexp), for example FQDN or the IP address.

For information about regexp, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Classic CLI Command Reference Guide, Entering CLI commands section.

Operational guidelines

Server authentication behavior

Following the Hello messages, the server sends its certificate in a certificate message if it is to be authenticated. If required, a ServerKeyExchange message may also be sent. See RFC 5246, section 7.3, for more information about the authentication behavior on the LDAP server.

Use the commands in the following context to configure client TLS security. The trust-anchor-profile command determines whether the server must be authenticated by the client.

configure system security tls client-tls-profile trust-anchor-profile
Note: If the trust-anchor-profile is configured and the ca-certificate or ca-profile is missing from this trust-anchor-profile, the TLS connection fails and an ‟unknown_ca” error is generated, as per RFC 5246 section 7.2.2.

One of the following two configurations can be used to establish server connectivity:

  1. If trust-anchor-profile is configured under the TLS client-tls-profile context, the server must be authenticated via the trust-anchor-profile command before a trusted connection is established between the server and the client.

  2. If there is no trust-anchor-profile under the client-tls-profile context, the trusted connection can be established without server authentication. The RSA key of the certificate is used for public key encryption, requiring basic certificate checks to validate the certificate. These basic checks are as follows:

    • time validity

      The certificate is checked to ensure that it is neither expired nor not yet valid.

    • certificate type

      The certificate is not a CA certificate.

    • keyUsage extension

      If present, this must contain a digital signature and key encryption.

    • host verification

      The IP address or DNS name of the server is looked up, if available (for LDAP, only the IP address is used), in the common name (cn) or subjectAltName extension. This is to verify that the certificate was issued to that server and not to another.

Client TLS profile and trust anchor behavior and scale

SR OS allows the creation of client TLS profiles, which can be assigned to applications such as LDAP to encrypt the application layer.

The client-tls-profiles command is used for negotiating and authenticating the server. After the server is authenticated via the trust anchor profile (configured using the trust-anchor-profile command) of a client TLS profile, it negotiates the ciphers and authentication algorithms to be used for encryption of the data.

The client TLS profile must be assigned to an application for it to start encrypting. Up to 16 client TLS profiles can be configured. Because each of these client TLS profiles needs a trust anchor profile to authenticate the server, up to 16 trust anchor profiles can be configured. A trust anchor profile holds up to 8 trust anchors (configured using the trust-anchor command), which each hold a CA profile (ca-profile).

A CA profile is a container for installing CA certificates (ca-certificates). These CA certificates are used to authenticate the server certificate. When the client receives the server certificate, it reads through the trust anchor profile CA certificates and tries to authenticate the server certificate against each CA certificate. The first CA certificate that authenticates the server is used.

LDAP redundancy and TLS

LDAP supports up to five redundant (backup) servers, as shown in LDAP and TLS redundancy and the configuration examples below. Depending on the timeout and retry configurations, if an LDAP server is determined to be out of service or operationally down, SR OS switches to the redundant servers. SR OS selects the LDAP server with the next largest configured server index.

Figure 2. LDAP and TLS redundancy

Each LDAP server can have its own TLS profile, each of which can have its own configuration of trust-anchor and cipher-list. For security reasons, the LDAP servers may be in different geographical areas and, therefore, each are assigned their own server certificate and trust anchor. The design is open to allow the user to mix and match all components.

MD-CLI

[ex:/configure system security aaa remote-servers ldap]
A:admin@node-2# info
    public-key-authentication true
    server 1 {
        address 1.1.1.1 
        server-name "active-server"
        tls-profile "server-1-profile"{
        }
    }

[ex:/configure system security tls]
A:admin@node-2# info
    client-tls-profile "server-1-profile" {
        admin-state enable
        cipher-list "to-active-server"
        trust-anchor-profile "server-1-ca"
    }

[ex:/configure system security aaa remote-servers ldap]
A:admin@node-2# info
    public-key-authentication true
    server 5 {
        address 5.5.5.1 
        server-name "backup-server"
        tls-profile "server-5-profile"{
        }
    }

[ex:/configure system security tls]
A:admin@node-2# info
    client-tls-profile "server-5-profile" {
        admin-state enable
        cipher-list "to-backup-server-5"
        trust-anchor-profile "server-5-ca"
    }

classic CLI

A:node-2>config>system>security>ldap# info
    public-key-authentication
    server 1 create
        address 1.1.1.1
        ldap-server ‟active-server”
        tls-profile ‟server-1-profile”

A:node-2>config>system>security>tls# info
    client-tls-profile ‟server-1-profile” create
        cipher-list ‟to-active-server”
        trust-anchor-profile ‟server-1-ca”
        no shutdown
    exit

A:node-2>config>system>security>ldap# info
    public-key-authentication
    server 5 create
        address 5.5.5.1
        ldap-server ‟backup-server-5”
        tls-profile ‟server-5-profile”

A:node-2>config>system>security>tls# info
    client-tls-profile ‟server-5-profile” create
        cipher-list ‟to-backup-server-5”
        trust-anchor-profile ‟server-5-ca”
        no shutdown
    exit

Basic TLS configuration

Basic TLS server configuration requires the following:

  • Use the following command to create a cipher list.

    configure system security tls server-cipher-list

  • Use the following command to assign the cipher list to the TLS server profile.

    configure system security tls server-tls-profile cipher-list

  • Use the following command to create a certificate profile.

    configure system security tls cert-profile

  • Use the following command to assign the certificate profile to the TLS server profile.

     configure system security tls server-tls-profile cert-profile

Basic TLS client configuration requires the following:

  • Use the following command to create a cipher list.

    configure system security tls client-cipher-list

  • Use the following command to assign a TLS client to the TLS client profile.

    configure system security tls client-tls-profile cipher-list

TLS imports the trust anchor certificate for (TLS) peer certificate authentication and public key retrieval.

The following example shows a TLS configuration.

MD-CLI

[ex:/configure system security tls]
A:admin@node-2# info
    client-cipher-list "to-active-server" {
        tls12-cipher 1 {
            name tls-rsa-with-aes256-cbc-sha256
        }
        tls12-cipher 2 {
            name tls-rsa-with-aes128-cbc-sha256
        }
        tls12-cipher 3 {
            name tls-rsa-with-aes256-cbc-sha
        }
    }
    client-tls-profile "server-1-profile" {
        admin-state enable
        cipher-list "to-active-server"
        trust-anchor-profile "server-1-ca"
    }
    trust-anchor-profile "server-1-ca" {
        trust-anchor "tls-server-1-ca" { }
    }

classic CLI

A:node-2>config>system>security>tls# info
----------------------------------------------
        trust-anchor-profile "server-1-ca" create
            trust-anchor "tls-server-1-ca"
        exit
        client-cipher-list "to-active-server" create
            cipher 1 name tls-rsa-with-aes256-cbc-sha256
            cipher 2 name tls-rsa-with-aes128-cbc-sha256
            cipher 3 name tls-rsa-with-aes256-cbc-sha
        exit
        client-tls-profile "server-1-profile" create
            cipher-list "to-active-server"
            trust-anchor-profile ‟server-1-ca‟
            no shutdown
        exit
----------------------------------------------

Common configuration tasks

Configuring a server TLS profile

Use the commands in the following context to configure a TLS server profile.

configure system security tls server-tls-profile

Configuring a client TLS profile

Use the commands in the following context to configure a TLS client profile.

configure system security tls client-tls-profile

Configuring a TLS client or TLS server certificate

Use the following commands to configure TLS certificate management.

configure system security tls cert-profile
configure system security tls client-tls-profile cert-profile
configure system security tls server-tls-profile cert-profile

Configuring a TLS trust anchor

Use the commands in the following contexts to configure a TLS trust anchor.

configure system security pki ca-profile
configure system security pki certificate-display-format
configure system security tls trust-anchor-profile
configure system security tls client-tls-profile

The following example shows a TLS trust anchor configuration.

MD-CLI

[ex:/configure system security pki]
A:admin@node-2# info
    ca-profile "tls-server-1-ca" {
        admin-state enable
        cert-file "tls-1-Root-CERT"
        crl-file "tls-1-CRL-CERT"
    }

[ex:/configure system security tls]
A:admin@node-2# info
    client-tls-profile "server-1-profile" {
        admin-state enable
        cipher-list "to-active-server"
        trust-anchor-profile "server-1-ca"
    }
    trust-anchor-profile "server-1-ca" {
        trust-anchor "tls-server-1-ca" { }
    }

classic CLI

A:node-2>config>system>security>pki# info
----------------------------------------------
        ca-profile ‟tls-server-1-ca" create
            cert-file ‟tls-1-Root-CERT"
            crl-file ‟tls-1-CRL-CERT‟
            no shutdown
        exit
----------------------------------------------
*A:node-2>config>system>security>tls# info
----------------------------------------------
        trust-anchor-profile "server-1-ca" create
            trust-anchor "tls-server-1-ca"
        exit
        client-tls-profile "server-1-profile" create
            cipher-list "to-active-server"
            trust-anchor-profile ‟server-1-ca‟
            no shutdown
        exit