TLS
TLS overview
Transport Layer Security (TLS) is used for two primary purposes:
authentication of an end device (client or server) using a digital signature (DS)
TLS uses PKI for device authentication. DSs are used to authenticate the client or the server. The server typically sends a certificate with a DS to the client.
In specific situations, the server can request a certificate from the client to authenticate it. The client has a certificate (called a Trust Anchor) from the certificate authority (CA) which is used to authenticate server certificate and its DS. After the client provides a digitally signed certificate to the server and both parties are authenticated, the encryption PDUs can then be transmitted.
When SR OS is acting as a server and it requests a certificate from the client, the client must provide the certificate. If the client fails to provide a certificate for authentication, SR OS terminates the TLS session. The server TLS settings can be configured to not request certificates, in which case the client is not obligated to send the server a certificate for authentication.
encryption and authentication of application PDUs
After the clients and server have been successfully authenticated, the cipher suite is negotiated between the server and clients, and the PDUs are encrypted based on the agreed cipher protocol.
TLS server interaction with applications
TLS is a standalone configuration. The user must configure TLS server profiles with certificates and trust anchors, and then assign the TLS server profiles to the appropriate applications. When a TLS server profile is assigned to an application, the application should not send any clear text PDUs until the TLS handshake has been successfully completed and the encryption ciphers have been negotiated between the TLS server and the TLS client.
After successful negotiation and handshake, the TLS is operationally up, and the TLS notifies the application which begins transmitting PDUs. These PDUs are encrypted using TLS based on the agreed ciphers. If, at any point, the TLS becomes operationally down, the application should stop transmitting PDUs.
For example, a TLS connection with the gRPC application would operate as follows:
A TLS server profile is assigned to the gRPC application.
gRPC stops sending clear text PDUs because a TLS server profile has been assigned and TLS is not ready to encrypt.
The TLS server begins the handshake.
Authentication occurs at the TLS layer.
The TLS server and TLS client negotiate ciphers.
SALTs are negotiated for the symmetric key. A SALT is a seed for creating AES encryption keys.
When negotiations are successfully completed, the handshake finishes and gRPC is notified.
TLS becomes operationally up, and gRPC can resume transmitting PDUs. Until TLS becomes operationally up, gRPC PDUs arriving from the client are dropped on ingress.
TLS application support
TLS application support lists the applications that support TLS.
Application | TLS server supported | TLS client supported |
---|---|---|
gRPC |
✓ |
✓ |
LDAP |
✓ |
|
RADIUS |
✓ |
|
Syslog |
✓ |
TLS handshake
TLS handshake shows the TLS handshake.
TLS handshake step descriptions describes the steps in the TLS handshake.
Step | Description |
---|---|
1 |
The TLS handshake begins with the client Hello message. This message includes the cipher list that the client wants to use and negotiate, among other information. |
2 |
The TLS server sends back a server Hello message, along with the first common cipher found on both the client cipher list and the server cipher list. This agreed cipher is used for data encryption. |
3 |
The TLS server continues by sending a server certificate message, where the server provides a certificate to the client so that the client can authenticate the server identity. The public key of this certificate (RSA key) can also be used for encryption of the symmetric key seed that is used by the client and server to create the symmetric encryption key. This occurs only if the PKI is using RSA for asymmetric encryption. |
4 |
Server key exchange is not supported by SR OS. SR OS only uses RSA keys; Diffie-Hellman key exchange is not supported. |
5 |
The server can optionally be configured to request a certificate from the client to authenticate the client. |
6 |
If the server has requested a certificate, the client should provide a certificate using a client certificate message. If the client does not provide a certificate, the server drops the TLS session. |
7 |
The client uses the server public RSA key that was included in the server certificate to encrypt a seed used for creating the symmetric key. This seed is used by the client and server to create the identical symmetric key for encrypting and decrypting the data plane traffic. |
8 |
The client sends a cipher spec to switch encryption to this symmetric key. |
9 |
The client successfully finishes the handshake. |
10 |
The server sends a cipher spec to switch encryption to this symmetric key. |
11 |
The server successfully finishes the handshake. |
After a successful handshake, TLS is operationally up, and applications can then use it for application encryption.
TLS 1.3
TLS 1.3 is required for faster handshakes and stronger encryption and authentication algorithms.
All SR OS applications that use TLS 1.2 also support TLS 1.3, unless specifically stated otherwise.
The user can configure the node to use TLS 1.2, TLS 1.3, or both for its client or server negotiation.
When TLS 1.3 is negotiated with a client, the node no longer negotiates the TLS version down to 1.2 as long as the session is alive.
TLS 1.3 handshake
The TLS 1.3 client handshake is very similar to TLS 1.2 because the client is able to negotiate TLS 1.2 or 1.3 when starting the TLS Hello message to the server. The client includes a "Supported Version" extension in its Hello message. The server responds with its own supported version, agreed ciphers, and so on.
In TLS 1.2 and TLS 1.3, the server can optionally request for the client certificate to authenticate the client. If requested, the client must provide its certificate to the server.
TLS 1.3 configuration
The user can configure the TLS 1.3 cipher list independently of TLS 1.2 for both client and server ciphers. TLS 1.3 ciphers are configured using the tls13-cipher command.
TLS 1.3 also introduces group lists and signature lists for the server and client.
In the Hello message sent by the client, the "supported_groups" extension indicates the named groups that the client supports for the key exchange, ordered from most preferred to least preferred. TLS 1.3 supports Elliptic-Curve Diffie-Hellman Ephemeral (ECDHE) groups.
TLS 1.3 also allows the selection of signature algorithms. The "signature_algorithms_cert" extension is included to allow implementations that support different sets of algorithms for certificates and in TLS itself to clearly signal their capabilities.
When the user configures a TLS 1.3 cipher list, the TLS handshake includes TLS 1.3 as a supported TLS version in the TLS handshake.
TLS client certificate
TLS protocol is used for authentication, and therefore, the server can ask to authenticate the client via PKI. If the server requests authentication from the client, the client must provide an X.509v3 certificate to the server so that it can be authenticated via the digital signature of its client. SR OS allows the configuration of an X.509v3 certificate for TLS clients. When the server requests a certificate via the server’s Hello message, the client transmits its certificate to the server using a client certificate message.
Certificate revocation status verification for TLS
A certificate authority (CA) can revoke issued certificates by listing them in a certificate revocation list (CRL). In TLS, an optional CRL is applied for CA certificates. The CRL does not apply to the intermediate or end issuer of an end entity (EE) certificate. To extend this optional configuration to include EE certificates, use the status-verify default-result commands under the following contexts:
- configure system security tls client-tls-profile
- configure system security tls server-tls-profile
The command options are revoked (default value) or good.
This default result is used when the revocation status of a certificate cannot be determined because of an invalid CRL (for example, it is missing, expired, or corrupt).
The TLS default-result for EE certificates is set to revoked for safety purposes. If an expired CRL in the CA profile is matched as the issuer of the EE certificate, the EE certificate is treated as revoked. If the expired CRL is further up in the certificate chain, the optional CRL works as expected.
The status-verify default-result commands allow users to override the recommended revocation check policy when there is legitimate reason to accept EE certificates without checking their revocation status (for example, to keep the automatic CRL update working during a temporary network issue).
TLS symmetric key rollover
SR OS supports key rollover via HelloRequest messages as detailed in RFC 5246, section 7.4.1.1. Some applications have a longer live time than other applications, in which case SR OS can use a timer that prompts the HelloRequest negotiation for the symmetric key rollover. This timer is configurable using CLI.
Use the following command to configure the TLS re-negotiate timer.
configure system security tls server-tls-profile tls-re-negotiate-timer
If an application does not support the HelloRequest message, you can disable the timer configuration. For example, the gRPC application does not support HelloRequest messages. When the time is not configured, the HelloRequest message is not generated, and symmetric keys are not renegotiated.
Supported TLS ciphers
As shown in TLS handshake, TLS negotiates the supported ciphers between the client and the server.
The client sends the supported cipher suites in the client Hello message, and the server compares them with the server cipher list. The top protocol on both lists is chosen and returned from the server within the server Hello message.
The 7750 SR supports the following ciphers as a TLS 1.2 client or TLS server:
tls-rsa-with3des-ede-cbc-sha
tls-rsa-with-aes128-cbc-sha
tls-rsa-with-aes256-cbc-sha
tls-rsa-with-aes128-cbc-sha256
tls-rsa-with-aes256-cbc-sha256
tls-rsa-with-aes128-gcm-sha256
tls-rsa-with-aes256-gcm-sha384
The 7750 SR supports the following TLS 1.3 ciphers, groups, and signature algorithms as a TLS client or TLS server:
-
tls-aes128-gcm-sha256
-
tls-aes256-gcm-sha384
-
tls-chacha20-poly1305-sha256
-
tls-aes128-ccm-sha256
-
tls-aes128-ccm8-sha256
-
Groups:
-
tls-ecdhe-256
-
tls-ecdhe-384
-
tls-ecdhe-521
-
tls-x25519
-
tls-x448
-
-
Signature algorithms:
-
tls-rsa-pkcs1-sha256
-
tls-rsa-pkcs1-sha384
-
tls-rsa-pkcs1-sha512
-
tls-ecdsa-secp256r1-sha256
-
tls-ecdsa-secp384r1-sha384
-
tls-ecdsa-secp521r1-sha512
-
tls-rsa-pss-rsae-sha256
-
tls-rsa-pss-rsae-sha384
-
tls-rsa-pss-rsae-sha512
-
tls-rsa-pss-pss-sha256
-
tls-rsa-pss-pss-sha384
-
tls-rsa-pss-pss-sha512
-
tls-ed25519
-
tls-ed448
-
SR OS certificate management
SR OS implements a centralized certificate management protocol that can be used by TLS and IPsec.
Use the commands in the following contexts to configure and manage certificates:
- MD-CLI
admin system security pki configure system security pki
- classic CLI
admin certificate configure system security pki
Certificate profile
The certificate profile is available for both the TLS server and the TLS client. The cert-profile command is configured for the server or client to transmit the provider certificate and its DS to the peer so that the peer can authenticate it via the trust-anchor and CA certificate.
Multiple provider certificates can be configured on SR OS; however, SR OS currently uses the smallest index as the active provider certificate, and only sends the certificate to the peer.
TLS server authentication of the client certificate CN field
If the client provides a certificate upon request by the server, SR OS checks the certificate’s common name (CN) field against local CN configurations. The CN is validated via the client IPv4/IPv6 address or FQDN.
If the common-name list authentication option is not enabled, SR OS does not authenticate via the CN field and only relies on certificate signature authentication.
CN regexp format
Use commands in the following context to configure CN entries.
configure system security pki common-name-list
Entries should use regular expression (regexp), for example FQDN or the IP address.
For information about regexp, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Classic CLI Command Reference Guide, Entering CLI commands section.
Operational guidelines
Server authentication behavior
Following the Hello messages, the server sends its certificate in a certificate message if it is to be authenticated. If required, a ServerKeyExchange message may also be sent. See RFC 5246, section 7.3, for more information about the authentication behavior on the LDAP server.
Use the commands in the following context to configure client TLS security. The trust-anchor-profile command determines whether the server must be authenticated by the client.
configure system security tls client-tls-profile trust-anchor-profile
One of the following two configurations can be used to establish server connectivity:
If trust-anchor-profile is configured under the TLS client-tls-profile context, the server must be authenticated via the trust-anchor-profile command before a trusted connection is established between the server and the client.
If there is no trust-anchor-profile under the client-tls-profile context, the trusted connection can be established without server authentication. The RSA key of the certificate is used for public key encryption, requiring basic certificate checks to validate the certificate. These basic checks are as follows:
time validity
The certificate is checked to ensure that it is neither expired nor not yet valid.
certificate type
The certificate is not a CA certificate.
keyUsage extension
If present, this must contain a digital signature and key encryption.
host verification
The IP address or DNS name of the server is looked up, if available (for LDAP, only the IP address is used), in the common name (cn) or subjectAltName extension. This is to verify that the certificate was issued to that server and not to another.
Client TLS profile and trust anchor behavior and scale
SR OS allows the creation of client TLS profiles, which can be assigned to applications such as LDAP to encrypt the application layer.
The client-tls-profiles command is used for negotiating and authenticating the server. After the server is authenticated via the trust anchor profile (configured using the trust-anchor-profile command) of a client TLS profile, it negotiates the ciphers and authentication algorithms to be used for encryption of the data.
The client TLS profile must be assigned to an application for it to start encrypting. Up to 16 client TLS profiles can be configured. Because each of these client TLS profiles needs a trust anchor profile to authenticate the server, up to 16 trust anchor profiles can be configured. A trust anchor profile holds up to 8 trust anchors (configured using the trust-anchor command), which each hold a CA profile (ca-profile).
A CA profile is a container for installing CA certificates (ca-certificates). These CA certificates are used to authenticate the server certificate. When the client receives the server certificate, it reads through the trust anchor profile CA certificates and tries to authenticate the server certificate against each CA certificate. The first CA certificate that authenticates the server is used.
LDAP redundancy and TLS
LDAP supports up to five redundant (backup) servers, as shown in LDAP and TLS redundancy and the configuration examples below. Depending on the timeout and retry configurations, if an LDAP server is determined to be out of service or operationally down, SR OS switches to the redundant servers. SR OS selects the LDAP server with the next largest configured server index.
Each LDAP server can have its own TLS profile, each of which can have its own configuration of trust-anchor and cipher-list. For security reasons, the LDAP servers may be in different geographical areas and, therefore, each are assigned their own server certificate and trust anchor. The design is open to allow the user to mix and match all components.
MD-CLI
[ex:/configure system security aaa remote-servers ldap]
A:admin@node-2# info
public-key-authentication true
server 1 {
address 1.1.1.1
server-name "active-server"
tls-profile "server-1-profile"{
}
}
[ex:/configure system security tls]
A:admin@node-2# info
client-tls-profile "server-1-profile" {
admin-state enable
cipher-list "to-active-server"
trust-anchor-profile "server-1-ca"
}
[ex:/configure system security aaa remote-servers ldap]
A:admin@node-2# info
public-key-authentication true
server 5 {
address 5.5.5.1
server-name "backup-server"
tls-profile "server-5-profile"{
}
}
[ex:/configure system security tls]
A:admin@node-2# info
client-tls-profile "server-5-profile" {
admin-state enable
cipher-list "to-backup-server-5"
trust-anchor-profile "server-5-ca"
}
classic CLI
A:node-2>config>system>security>ldap# info
public-key-authentication
server 1 create
address 1.1.1.1
ldap-server ‟active-server”
tls-profile ‟server-1-profile”
A:node-2>config>system>security>tls# info
client-tls-profile ‟server-1-profile” create
cipher-list ‟to-active-server”
trust-anchor-profile ‟server-1-ca”
no shutdown
exit
A:node-2>config>system>security>ldap# info
public-key-authentication
server 5 create
address 5.5.5.1
ldap-server ‟backup-server-5”
tls-profile ‟server-5-profile”
A:node-2>config>system>security>tls# info
client-tls-profile ‟server-5-profile” create
cipher-list ‟to-backup-server-5”
trust-anchor-profile ‟server-5-ca”
no shutdown
exit
Basic TLS configuration
Basic TLS server configuration requires the following:
Use the following command to create a cipher list.
configure system security tls server-cipher-list
-
Use the following command to assign the cipher list to the TLS server profile.
configure system security tls server-tls-profile cipher-list
Use the following command to create a certificate profile.
configure system security tls cert-profile
-
Use the following command to assign the certificate profile to the TLS server profile.
configure system security tls server-tls-profile cert-profile
Basic TLS client configuration requires the following:
-
Use the following command to create a cipher list.
configure system security tls client-cipher-list
-
Use the following command to assign a TLS client to the TLS client profile.
configure system security tls client-tls-profile cipher-list
TLS imports the trust anchor certificate for (TLS) peer certificate authentication and public key retrieval.
The following example shows a TLS configuration.
MD-CLI
[ex:/configure system security tls]
A:admin@node-2# info
client-cipher-list "to-active-server" {
tls12-cipher 1 {
name tls-rsa-with-aes256-cbc-sha256
}
tls12-cipher 2 {
name tls-rsa-with-aes128-cbc-sha256
}
tls12-cipher 3 {
name tls-rsa-with-aes256-cbc-sha
}
}
client-tls-profile "server-1-profile" {
admin-state enable
cipher-list "to-active-server"
trust-anchor-profile "server-1-ca"
}
trust-anchor-profile "server-1-ca" {
trust-anchor "tls-server-1-ca" { }
}
classic CLI
A:node-2>config>system>security>tls# info
----------------------------------------------
trust-anchor-profile "server-1-ca" create
trust-anchor "tls-server-1-ca"
exit
client-cipher-list "to-active-server" create
cipher 1 name tls-rsa-with-aes256-cbc-sha256
cipher 2 name tls-rsa-with-aes128-cbc-sha256
cipher 3 name tls-rsa-with-aes256-cbc-sha
exit
client-tls-profile "server-1-profile" create
cipher-list "to-active-server"
trust-anchor-profile ‟server-1-ca‟
no shutdown
exit
----------------------------------------------
Common configuration tasks
Configuring a server TLS profile
Use the commands in the following context to configure a TLS server profile.
configure system security tls server-tls-profile
Configuring a client TLS profile
Use the commands in the following context to configure a TLS client profile.
configure system security tls client-tls-profile
Configuring a TLS client or TLS server certificate
Use the following commands to configure TLS certificate management.
configure system security tls cert-profile
configure system security tls client-tls-profile cert-profile
configure system security tls server-tls-profile cert-profile
Configuring a TLS trust anchor
Use the commands in the following contexts to configure a TLS trust anchor.
configure system security pki ca-profile
configure system security pki certificate-display-format
configure system security tls trust-anchor-profile
configure system security tls client-tls-profile
The following example shows a TLS trust anchor configuration.
MD-CLI
[ex:/configure system security pki]
A:admin@node-2# info
ca-profile "tls-server-1-ca" {
admin-state enable
cert-file "tls-1-Root-CERT"
crl-file "tls-1-CRL-CERT"
}
[ex:/configure system security tls]
A:admin@node-2# info
client-tls-profile "server-1-profile" {
admin-state enable
cipher-list "to-active-server"
trust-anchor-profile "server-1-ca"
}
trust-anchor-profile "server-1-ca" {
trust-anchor "tls-server-1-ca" { }
}
classic CLI
A:node-2>config>system>security>pki# info
----------------------------------------------
ca-profile ‟tls-server-1-ca" create
cert-file ‟tls-1-Root-CERT"
crl-file ‟tls-1-CRL-CERT‟
no shutdown
exit
----------------------------------------------
A:node-2>config>system>security>tls# info
----------------------------------------------
trust-anchor-profile "server-1-ca" create
trust-anchor "tls-server-1-ca"
exit
client-tls-profile "server-1-profile" create
cipher-list "to-active-server"
trust-anchor-profile ‟server-1-ca‟
no shutdown
exit