TLS

Transport Layer Security (TLS) is used for the following primary purposes:

authentication of an end device (client or server) using a digital signature (DS)

TLS uses Public Key Infrastructure (PKI) for device authentication. DSs are used to authenticate the client or the server. The server typically sends a certificate with a DS to the client.

In certain situations, the server can request a certificate from the client to authenticate it. The client has a certificate (called a trust anchor) from the certificate authority (CA), which is used to authenticate a server certificate and its DS. After the client provides a digitally signed certificate to the server and both parties are authenticated, the encryption Protocol Data Units (PDUs) are transmitted.

When the SR OS, acting as a server, requests a certificate from the client, the client must provide the certificate. If the client fails to provide a certificate for authentication, the SR OS terminates the TLS session. The server TLS settings can be configured to not request certificates, in which case the client is not required to send the server a certificate for authentication.
encryption and authentication of application PDUs

After the clients and server are successfully authenticated, the cipher suite is negotiated between the server and clients, and the PDUs are encrypted based on the agreed cipher protocol.

TLS server interaction with applications

TLS is a standalone configuration. The user must configure TLS server profiles with certificates and trust anchors, and then assign the TLS server profiles to the appropriate applications. When a TLS server profile is assigned to an application, the application should not send any clear text PDUs until the TLS handshake is successfully completed and the encryption ciphers are negotiated between the TLS server and the TLS client.

After successful negotiation and handshake, the TLS is operationally up and notifies the application, which begins transmitting PDUs. These PDUs are encrypted using TLS based on the agreed ciphers. At any point, if the TLS becomes operationally down, the application stops transmitting PDUs.

For example, the following sequence describes a TLS connection with the gRPC application:

A TLS server profile is assigned to the gRPC application.
The gRPC stops sending clear text PDUs because a TLS server profile has been assigned and TLS is not ready to encrypt.
The TLS server begins the handshake.
Authentication occurs at the TLS layer.
The TLS server and TLS client negotiate ciphers.
Salts are negotiated for the symmetric key. A salt is a seed for creating Advanced Encryptions Standard (AES) encryption keys.
When negotiations are successfully completed, the handshake finishes and the gRPC is notified.
TLS becomes operationally up, and the gRPC can resume transmitting PDUs. Until TLS is operationally up, gRPC PDUs arriving from the client are dropped on ingress.

TLS application support

The following table lists the applications that support TLS.

Table 1. TLS application support
Application	TLS server supported	TLS client supported
gRPC	✓	✓
LDAP		✓
RADIUS		✓
Syslog		✓

TLS handshake

The following figure shows the TLS handshake.

The following table describes the steps in the TLS handshake.

Table 2. TLS handshake step descriptions
Step	Description
1	The TLS handshake begins with the client Hello message. This message includes the cipher list that the client wants to use and negotiate, among other information.
2	The TLS server sends back a server Hello message, along with the first common cipher found on both the client and server cipher lists. The common cipher is used for data encryption.
3	The TLS server sends a server certificate message, in which the server provides a certificate that the client can use to authenticate the server identity. The public key of this certificate (RSA key) can also be used to encrypt the symmetric key seed used by the client and server to create the symmetric encryption key. This occurs only if the PKI is using RSA for asymmetric encryption.
4	SR OS does not support server key exchange. SR OS uses only RSA keys; Diffie-Hellman key exchange is not supported.
5	The server can optionally be configured to request a certificate from the client to authenticate the client.
6	If the server requests a client certificate, the client must provide it by using a client certificate message. If the client does not respond to the certificate request, the server drops the TLS session.
7	The client uses the public server RSA key included in the server certificate to encrypt a seed. The client and server use this seed to create the identical symmetric key used for encrypting and decrypting data plane traffic.
8	The client sends a cipher spec message to switch encryption to this symmetric key.
9	The client successfully finishes the handshake.
10	The server sends a cipher spec message to switch encryption to this symmetric key.
11	The server successfully finishes the handshake.

After a successful handshake, TLS is operationally up and applications can use TLS for application encryption.

TLS 1.3

TLS 1.3 is required for faster handshakes and stronger encryption and authentication algorithms.

All SR OS applications that use TLS 1.2 also support TLS 1.3, unless specifically stated otherwise.

The user can configure the node to use TLS 1.2, TLS 1.3, or both for its client or server negotiation.

When TLS 1.3 is negotiated with a client, the node no longer negotiates the TLS version down to 1.2 as long as the session is alive.

TLS 1.3 handshake

The TLS 1.3 client handshake is very similar to TLS 1.2 because the client is able to negotiate TLS 1.2 or 1.3 when starting the TLS Hello message to the server. The client includes a "Supported Version" extension in its Hello message. The server responds with its own supported version, agreed ciphers, and so on.

In TLS 1.2 and TLS 1.3, the server can optionally request for the client certificate to authenticate the client. If requested, the client must provide its certificate to the server.

TLS 1.3 configuration

The user can configure the TLS 1.3 cipher list independently of TLS 1.2 for both client and server ciphers. TLS 1.3 ciphers are configured using the tls13-cipher command.

TLS 1.3 also introduces group lists and signature lists for the server and client.

In the Hello message sent by the client, the "supported_groups" extension indicates the named groups that the client supports for the key exchange, ordered from most preferred to least preferred. TLS 1.3 supports Elliptic-Curve Diffie-Hellman Ephemeral (ECDHE) groups.

Note: TLS 1.2 does not support Diffie-Hellman groups as an asymmetric key.

TLS 1.3 also allows the selection of signature algorithms. The "signature_algorithms_cert" extension is included to allow implementations that support different sets of algorithms for certificates and in TLS itself to clearly signal their capabilities.

When the user configures a TLS 1.3 cipher list, the TLS handshake includes TLS 1.3 as a supported TLS version in the TLS handshake.

TLS client certificate

The TLS protocol is used for authentication. It allows the server to authenticate the client via PKI. If the server requests authentication from the client, the client response must provide an X.509v3 certificate that the server can authenticate using the digital signature of its client. The SR OS supports the configuration of an X.509v3 certificate for TLS clients. When the server requests a certificate using the Hello message, the client sends a client certificate message to transmit its certificate to the server.

Certificate revocation status verification for TLS

A certificate authority (CA) can revoke issued certificates by listing them in a certificate revocation list (CRL). In TLS, an optional CRL is applied for CA certificates. The CRL does not apply to the intermediate or end issuer of an end entity (EE) certificate. To extend this optional configuration to include EE certificates, use the status-verify default-result commands under the following contexts:

configure system security tls client-tls-profile
configure system security tls server-tls-profile

The command options are revoked (default value) or good.

This default result is used when the revocation status of a certificate cannot be determined because of an invalid CRL (for example, it is missing, expired, or corrupt).

The TLS default-result for EE certificates is set to revoked for safety purposes. If an expired CRL in the CA profile is matched as the issuer of the EE certificate, the EE certificate is treated as revoked. If the expired CRL is further up in the certificate chain, the optional CRL works as expected.

The status-verify default-result commands allow users to override the recommended revocation check policy when there is legitimate reason to accept EE certificates without checking their revocation status (for example, to keep the automatic CRL update working during a temporary network issue).

TLS symmetric key rollover

The SR OS supports key rollover using HelloRequest messages, in accordance with RFC 5246, section 7.4.1.1. Some applications have a longer live time than other applications, in which case the SR OS can use a timer that prompts the HelloRequest negotiation for symmetric key rollover. This timer can be configured using CLI.

Use the following command to configure the TLS re-negotiate timer.

configure system security tls server-tls-profile tls-re-negotiate-timer

You can disable the timer configuration for applications that do not support HelloRequest messages (for example, the gRPC application).

When the tls-re-negotiate-timer command is configured, the HelloRequest message is not generated and symmetric keys are not renegotiated.

Supported TLS ciphers

As shown in TLS handshake, TLS negotiates the supported ciphers between the client and the server.

The client sends the supported cipher suites in the client Hello message, and the server compares them with the server cipher list. The top protocol on both lists is chosen and returned from the server within the server Hello message.

SR OS supports the following TLS 1.2 ciphers as a TLS client or TLS server:

tls-rsa-with3des-ede-cbc-sha
tls-rsa-with-aes128-cbc-sha
tls-rsa-with-aes256-cbc-sha
tls-rsa-with-aes128-cbc-sha256
tls-rsa-with-aes256-cbc-sha256
tls-rsa-with-aes128-gcm-sha256
tls-rsa-with-aes256-gcm-sha384

The SR OS supports the following TLS 1.3 ciphers, groups, and signature algorithms as a TLS client or TLS server:

tls-aes128-gcm-sha256
tls-aes256-gcm-sha384
tls-chacha20-poly1305-sha256
tls-aes128-ccm-sha256
tls-aes128-ccm8-sha256
Groups:
- tls-ecdhe-256
- tls-ecdhe-384
- tls-ecdhe-521
- tls-x25519
- tls-x448
Signature algorithms:
- tls-rsa-pkcs1-sha256
- tls-rsa-pkcs1-sha384
- tls-rsa-pkcs1-sha512
- tls-ecdsa-secp256r1-sha256
- tls-ecdsa-secp384r1-sha384
- tls-ecdsa-secp521r1-sha512
- tls-rsa-pss-rsae-sha256
- tls-rsa-pss-rsae-sha384
- tls-rsa-pss-rsae-sha512
- tls-rsa-pss-pss-sha256
- tls-rsa-pss-pss-sha384
- tls-rsa-pss-pss-sha512
- tls-ed25519
- tls-ed448

SR OS certificate management

SR OS implements a centralized certificate management protocol that can be used by TLS and IPsec.

Use the commands in the following contexts to configure and manage certificates:

MD-CLI

admin system security pki
configure system security pki

classic CLI

admin certificate
configure system security pki

Certificate profile

The certificate profile is available for both the TLS server and the TLS client. The cert-profile command is configured for the server or client to transmit the provider certificate and its DS to the peer so that the peer can authenticate it via the trust-anchor and CA certificate.

Multiple provider certificates can be configured on the SR OS; however, the SR OS currently uses the smallest index as the active provider certificate, and only sends the certificate to the peer.

TLS server authentication of the client certificate CN field

If the client provides a certificate upon request by the server, the SR OS checks the certificate common name (CN) field against local CN configurations. The CN is validated via the client IPv4 or IPv6 address, or FQDN.

If the CN list is not configured using the following command, the SR OS does not authenticate via the CN field and relies only on certificate signature authentication:

MD-CLI

configure system security tls server-tls-profile authenticate-client common-name-list

classic CLI

configure system security tls server-tls-profile authenticate-client cn-authentication

CN regexp format

Use commands in the following context to configure CN entries.

configure system security pki common-name-list

Entries should use regular expression (regexp), FQDN, or the IP address.

For information about regexp, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Classic CLI Command Reference Guide, Entering CLI commands section.

Operational guidelines

This section provides operational guidelines for TLS.

Server authentication behavior

Following the Hello messages, if the certificate must be authenticated, the server sends its certificate in a certificate message. If required, a ServerKeyExchange message may also be sent. See RFC 5246, section 7.3 for more information about the authentication behavior on the LDAP server.

Use the commands in the following context to configure client TLS security. The trust-anchor-profile command determines whether the server must be authenticated by the client.

configure system security tls client-tls-profile trust-anchor-profile

Note: If the trust-anchor-profile command is configured and the ca-certificate or ca-profile is missing from this trust-anchor-profile, the TLS connection fails and an ‟unknown_ca” error is generated, as defined in RFC 5246 section 7.2.2.

One of the following configurations can be used to establish server connectivity:

If the trust-anchor-profile command is configured under the configure system security tls client-tls-profile context, the server must be authenticated using the trust-anchor-profile command before a trusted connection is established between the server and the client.
If there is no trust-anchor-profile command under the configure system security tls client-tls-profile context, the trusted connection can be established without server authentication. The RSA key of the certificate is used for public key encryption, requiring the following basic checks to validate the certificate:
- time validity
  
  The certificate is checked to ensure that it is neither expired nor not yet valid.
- certificate type
  
  The certificate is not a CA certificate.
- keyUsage extension
  
  If present, this must contain a digital signature and key encryption.
- host verification
  
  The IP address or DNS name of the server is looked up, if available (for LDAP, only the IP address is used), in the common name (cn) or subjectAltName extension. This is to verify that the certificate was issued to that server and not to another.

Client TLS profile and trust anchor behavior and scale

The SR OS supports the creation of client TLS profiles, which can be assigned to applications such as LDAP to encrypt the application layer.

The client-tls-profile command is used for negotiating and authenticating the server. After the server is authenticated via the trust anchor profile (configured using the trust-anchor-profile command) of a client TLS profile, the server negotiates the ciphers and authentication algorithms to use for data encryption.

The client TLS profile must be assigned to an application for it to start encrypting. Up to 16 client TLS profiles can be configured. Because each of these client TLS profiles needs a trust anchor profile to authenticate the server, up to 16 trust anchor profiles can be configured. A trust anchor profile holds up to 8 trust anchors (configured using the trust-anchor command), each of which holds a CA profile (ca-profile).

A CA profile is a container for installing CA certificates (ca-certificates). The CA certificates are used to authenticate the server certificate. When the client receives the server certificate, the client reads through the trust anchor profile CA certificates and tries to authenticate the server certificate against each CA certificate. The first CA certificate that authenticates the server is used.

LDAP redundancy and TLS

LDAP supports up to five redundant (backup) servers, as shown in the following figure and the configuration examples below. Depending on the timeout and retry configurations, if an LDAP server is determined as out of service or operationally down, the SR OS switches to the redundant servers. The SR OS selects the LDAP server with the next largest configured server index.

Each LDAP server can have its own TLS profile, can each profile can have its own configuration of trust-anchor and cipher-list. For security reasons, the LDAP servers may be in different geographical areas, so each server is assigned its own server certificate and trust anchor. The open design allows the user to mix and match all components.

The following example shows the configuration of LDAP Server-1 and Server-5 (backup).

MD-CLI

[ex:/configure system security aaa remote-servers ldap]
A:admin@node-2# info
    public-key-authentication true
    server 1 {
        address 1.1.1.1 
        server-name "active-server"
        tls-profile "server-1-profile"{
        }
    }

[ex:/configure system security tls]
A:admin@node-2# info
    client-tls-profile "server-1-profile" {
        admin-state enable
        cipher-list "to-active-server"
        trust-anchor-profile "server-1-ca"
    }

[ex:/configure system security aaa remote-servers ldap]
A:admin@node-2# info
    public-key-authentication true
    server 5 {
        address 5.5.5.1 
        server-name "backup-server"
        tls-profile "server-5-profile"{
        }
    }

[ex:/configure system security tls]
A:admin@node-2# info
    client-tls-profile "server-5-profile" {
        admin-state enable
        cipher-list "to-backup-server-5"
        trust-anchor-profile "server-5-ca"
    }

classic CLI

A:node-2>config>system>security>ldap# info
    public-key-authentication
    server 1 create
        address 1.1.1.1
        ldap-server ‟active-server”
        tls-profile ‟server-1-profile”

A:node-2>config>system>security>tls# info
    client-tls-profile ‟server-1-profile” create
        cipher-list ‟to-active-server”
        trust-anchor-profile ‟server-1-ca”
        no shutdown
    exit

A:node-2>config>system>security>ldap# info
    public-key-authentication
    server 5 create
        address 5.5.5.1
        ldap-server ‟backup-server-5”
        tls-profile ‟server-5-profile”

A:node-2>config>system>security>tls# info
    client-tls-profile ‟server-5-profile” create
        cipher-list ‟to-backup-server-5”
        trust-anchor-profile ‟server-5-ca”
        no shutdown
    exit

Basic TLS configuration

Basic TLS server configuration requires the following:

Use the following command to create a cipher list.
```
configure system security tls server-cipher-list
```
Use the following command to assign the cipher list to the TLS server profile.
```
configure system security tls server-tls-profile cipher-list
```
Use the following command to create a certificate profile.
```
configure system security tls cert-profile
```
Use the following command to assign the certificate profile to the TLS server profile.
```
 configure system security tls server-tls-profile cert-profile
```

Basic TLS client configuration requires the following:

Use the following command to create a cipher list.
```
configure system security tls client-cipher-list
```
Use the following command to assign a TLS client to the TLS client profile.
```
configure system security tls client-tls-profile cipher-list
```

TLS imports the trust anchor certificate for (TLS) peer certificate authentication and public key retrieval.

The following example shows a TLS configuration.

MD-CLI

[ex:/configure system security tls]
A:admin@node-2# info
    client-cipher-list "to-active-server" {
        tls12-cipher 1 {
            name tls-rsa-with-aes256-cbc-sha256
        }
        tls12-cipher 2 {
            name tls-rsa-with-aes128-cbc-sha256
        }
        tls12-cipher 3 {
            name tls-rsa-with-aes256-cbc-sha
        }
    }
    client-tls-profile "server-1-profile" {
        admin-state enable
        cipher-list "to-active-server"
        trust-anchor-profile "server-1-ca"
    }
    trust-anchor-profile "server-1-ca" {
        trust-anchor "tls-server-1-ca" { }
    }

classic CLI

A:node-2>config>system>security>tls# info
----------------------------------------------
        trust-anchor-profile "server-1-ca" create
            trust-anchor "tls-server-1-ca"
        exit
        client-cipher-list "to-active-server" create
            cipher 1 name tls-rsa-with-aes256-cbc-sha256
            cipher 2 name tls-rsa-with-aes128-cbc-sha256
            cipher 3 name tls-rsa-with-aes256-cbc-sha
        exit
        client-tls-profile "server-1-profile" create
            cipher-list "to-active-server"
            trust-anchor-profile ‟server-1-ca‟
            no shutdown
        exit
----------------------------------------------

Common configuration tasks

This section provides information about common configuration tasks.

Configuring a server TLS profile

Use the commands in the following context to configure a TLS server profile.

configure system security tls server-tls-profile

Configuring a client TLS profile

Use the following command to configure a client TLS profile, which also configures the server authentication behavior.

configure system security tls client-tls-profile

Configuring a TLS client or TLS server certificate

Use the following commands to configure TLS certificate management.

configure system security tls cert-profile
configure system security tls client-tls-profile cert-profile
configure system security tls server-tls-profile cert-profile

Configuring a TLS trust anchor

Use the commands in the following contexts to configure a TLS trust anchor.

configure system security pki ca-profile
configure system security pki certificate-display-format
configure system security tls trust-anchor-profile
configure system security tls client-tls-profile

The following example shows a TLS trust anchor configuration.

MD-CLI

[ex:/configure system security pki]
A:admin@node-2# info
    ca-profile "tls-server-1-ca" {
        admin-state enable
        cert-file "tls-1-Root-CERT"
        crl-file "tls-1-CRL-CERT"
    }

[ex:/configure system security tls]
A:admin@node-2# info
    client-tls-profile "server-1-profile" {
        admin-state enable
        cipher-list "to-active-server"
        trust-anchor-profile "server-1-ca"
    }
    trust-anchor-profile "server-1-ca" {
        trust-anchor "tls-server-1-ca" { }
    }

classic CLI

A:node-2>config>system>security>pki# info
----------------------------------------------
        ca-profile ‟tls-server-1-ca" create
            cert-file ‟tls-1-Root-CERT"
            crl-file ‟tls-1-CRL-CERT‟
            no shutdown
        exit
----------------------------------------------
A:node-2>config>system>security>tls# info
----------------------------------------------
        trust-anchor-profile "server-1-ca" create
            trust-anchor "tls-server-1-ca"
        exit
        client-tls-profile "server-1-profile" create
            cipher-list "to-active-server"
            trust-anchor-profile ‟server-1-ca‟
            no shutdown
        exit