Introduce support of 'NIAP mode' (a policy/restriction) that, when NIAP mode is enabled, will:
1- Enforce that only NIAP-compliant cipher suites are supported (all other, non-compliant cipher suites should be disabled in this mode). The following is the list of approved cipher suites at https://www.niap-ccevs.org/pp/pp_md_v3.0.pdf (FC_TLSC_EXT.1.1)
· TLS_RSA_WITH_AES_128_CBC_SHA
· TLS_RSA_WITH_AES_256_CBC_SHA
· TLS_DHE_RSA_WITH_AES_128_CBC_SHA
· TLS_DHE_RSA_WITH_AES_256_CBC_SHA
· TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
· TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
· TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
· TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
· TLS_RSA_WITH_AES_128_CBC_SHA256
· TLS_RSA_WITH_AES_256_CBC_SHA256
· TLS_RSA_WITH_AES_256_GCM_SHA384
· TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
· TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
· TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
· TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
· TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
· TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
2- Enforce that only NIAP-compliant elliptic curves are supported when in NIAP mode. Specifically, they would need to omit Curve25519 in NIAP mode.
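The restriction requested above, as an added example that is not part of this issue or of the project's own code: a Go crypto/tls configuration that enables only the suites on the quoted list, omits Curve25519 (X25519 in TLS) from the offered groups, and then exercises both halves with a loopback handshake so the effect of the policy can be observed rather than assumed. Everything beyond the quoted list is this example's assumption: the remaining curves are kept as P-256/P-384/P-521, the version is capped at TLS 1.2 because every listed suite is a TLS 1.2 suite and Go's CipherSuites field does not govern TLS 1.3, and the names NIAPCipherSuiteIDs, NIAPConfig, SuiteAllowed and Handshake are invented here. Go's crypto/tls has no DHE suites and lacks two of the listed CBC suites, so the example reports those as unimplemented instead of silently narrowing the list.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"sort"
	"time"
)

// niapSuites is the cipher-suite list quoted in the issue, keyed by IANA name.
var niapSuites = map[string]bool{
	"TLS_RSA_WITH_AES_128_CBC_SHA": true, "TLS_RSA_WITH_AES_256_CBC_SHA": true,
	"TLS_DHE_RSA_WITH_AES_128_CBC_SHA": true, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA": true,
	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": true, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": true,
	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": true, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": true,
	"TLS_RSA_WITH_AES_128_CBC_SHA256": true, "TLS_RSA_WITH_AES_256_CBC_SHA256": true,
	"TLS_RSA_WITH_AES_256_GCM_SHA384": true,
	"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256": true, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256": true,
	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": true, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384": true,
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": true, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": true,
}

// NIAPCipherSuiteIDs returns the approved suites this Go runtime implements (including ones Go
// flags as insecure) in Go's own preference order, plus the approved names Go has no code for.
func NIAPCipherSuiteIDs() (ids []uint16, missing []string) {
	have := map[string]bool{}
	for _, cs := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		if niapSuites[cs.Name] {
			ids = append(ids, cs.ID)
			have[cs.Name] = true
		}
	}
	for name := range niapSuites {
		if !have[name] {
			missing = append(missing, name)
		}
	}
	sort.Strings(missing)
	return ids, missing
}

// NIAPConfig pins a tls.Config to the approved suites and to NIST curves only (X25519 deliberately
// left out, as the issue asks). The list is TLS 1.2 only, so the version is capped at 1.2 (assumption).
func NIAPConfig() *tls.Config {
	ids, _ := NIAPCipherSuiteIDs()
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		MaxVersion:       tls.VersionTLS12,
		CipherSuites:     ids,
		CurvePreferences: []tls.CurveID{tls.CurveP256, tls.CurveP384, tls.CurveP521},
	}
}

// SuiteAllowed is the post-handshake check: is the negotiated suite on the approved list?
func SuiteAllowed(st tls.ConnectionState) bool {
	return niapSuites[tls.CipherSuiteName(st.CipherSuite)]
}

// Handshake runs a NIAP-mode server against a client offering only the given curves over an in-memory pipe.
func Handshake(clientCurves []tls.CurveID) (tls.ConnectionState, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // throwaway P-256 server key
	if err != nil {
		return tls.ConnectionState{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.ConnectionState{}, err
	}
	srvCfg := NIAPConfig()
	srvCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}
	// InsecureSkipVerify only because the cert is self-signed; what is under test is suite/curve negotiation.
	cliCfg := &tls.Config{MinVersion: tls.VersionTLS12, CurvePreferences: clientCurves, InsecureSkipVerify: true}
	c, s := net.Pipe()
	defer func() { c.Close(); s.Close() }()
	done := make(chan error, 1)
	go func() { done <- tls.Server(s, srvCfg).Handshake() }()
	cli := tls.Client(c, cliCfg)
	cliErr, srvErr := cli.Handshake(), <-done // Handshake runs first, then the server result is collected
	if cliErr != nil || srvErr != nil {
		return tls.ConnectionState{}, fmt.Errorf("client: %v; server: %v", cliErr, srvErr)
	}
	return cli.ConnectionState(), nil
}

func main() {
	_, missing := NIAPCipherSuiteIDs()
	fmt.Println("approved but not implemented by Go's crypto/tls:", missing)
	for _, curves := range [][]tls.CurveID{{tls.X25519}, {tls.CurveP256}} {
		st, err := Handshake(curves)
		fmt.Printf("client offering %v: suite=%s allowed=%v err=%v\n", curves, tls.CipherSuiteName(st.CipherSuite), SuiteAllowed(st), err)
	}
}
```

Running it prints the six approved names Go cannot provide, then shows a client that offers only X25519 being refused by the NIAP-mode server while a P-256 client lands on an ECDHE-ECDSA AES-GCM suite that passes SuiteAllowed. Two things worth noticing when enforcing the quoted list literally: the ECDHE_RSA AES-GCM suites are not on it, so they are disabled along with everything else, and a stack that also speaks TLS 1.3 needs the version cap (or an equivalent rule) because TLS 1.3 suites are selected by a separate mechanism.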
Comment 1 by lzia@google.com, Nov 11 2016