137   Deprecated TLSv1.1 and TLSv1.0 and not properly covered TLSv1.3 should not be considered for conform

Created: 24 Nov 2025

Status: Approval (Editorial)

Part: Part 100-3 (2020, Edition 1)

Links:

Page: 12

Clause: 5.2.3 TLS Versions

Paragraph: 2nd

Issue

The test case defined in clause 5.2.3 provides for this requirement:

"All conformance tests listed in Clause 6 shall be performed for each value (mandatory and optional) supported in this parameter".

The only mandatory TLS protocol version is, according to IEC 62351-3, TLSv1.2 [RFC 5246], while the others are left optional (TLSv1.1 and TLSv1.0 are actually considered conditional in IEC 62351-3:2023 and optional in IEC 62351-3:AMD2:2020).
Nevertheless, considering that TLS versions TLSv1.1 [RFC 4346] and TLSv1.0 [RFC 2246] have been deprecated with RFC 8996, it would be inappropriate to perform conformance assessment considering those TLS versions; this is also in light of the fact that IEC 62351-3 does not address peculiarities of those TLS protocol versions (to the point that the relevant RFCs ([RFC 4346] and [RFC 2246]) are not even mentioned/referenced in either Ed. 1 - IEC 62351-3:AMD2:2020 or Ed. 2.0 - IEC 62351-3:2023) and IEC 62351-3:2023 only focuses on TLSv1.2 [RFC 5246] and TLSv1.3 [RFC 8446].
In addition to the above, considering that it is also not feasible to apply conformance assessment as per the description of the test cases currently reported in clause 6 of IEC 62351-100-3:2020 to the TLS protocol version 1.3 [RFC 8446], also TLSv1.3 should not be considered for conformance assessment.

Proposal

Replace currently reported text for the test case in clause 5.2.3:

"All conformance tests listed in Clause 6 shall be performed for each value (mandatory and optional) supported in this parameter."

with:

"All conformance tests listed in Clause 6 shall be performed for TLS protocol version 1.2 [RFC 5246]"

or alternatively:

"All conformance tests listed in Clause 6 shall be performed for the mandatory value supported in this parameter."

Discussion

Agreed to the proposal.

The text in 5.2.3:
"All conformance tests listed in Clause 6 shall be performed for each value (mandatory and optional) supported in this parameter."

Shall be changed to:
"All conformance tests listed in Clause 6 shall be performed for TLS protocol version 1.2 [RFC 5246]
If TLS versions 1.0 and 1.1 are supported, then only test cases 6.3.1 and 6.3.2 shall be performed.
If TLS versions prior to 1.2 are not supported, then only test case 6.3.3 shall be performed.
NOTE: TLS version 1.3 is not verified during conformance testing because not all features are specified for this version in IEC 62351-3:2020. This does not allow to declare conformity to this TLS protocol version as part of IEC 62351-3:2020."

Created: 13 Apr 26
Status: Approval (Editorial)

All conformance test cases shall be performed for TLS protocol version 1.2 [RFC 5246] since this version is mandatory to be supported in IEC 62351-3.

For TLS protocol versions 1.1 and 1.0, entire conformance testing should not be required since those versions are deprecated. However, if those versions are supported, only test cases 6.3.1 and 6.3.2 should be performed just to verify backward compatibility as stated in IEC 62351-3, because security events are associated when those versions are negotiated during TLS Handshake.

Consider that TLS versions prior to 1.2 are not recommended to be supported.

Created: 13 Apr 26
Status: Discussion (red)

Agreed to discuss this topic with IEC TC57 WG15

Created: 13 Jan 26
Status: Accepted

In general I also tend to agree with the statement. In IEC 62351-3:2023 we concentrated on TLS 1.2 as the mandatory-to-support TLS version and deprecated TLS 1.0 and 1.1. Part 3 states that there are vulnerabilities known, without listing or addressing them, and deprecates the use of TLS 1.1 and 1.0. So if somebody uses it for backward compatibility, it is the operator's responsibility and needs to be addressed by compensating countermeasures.

Created: 13 Jan 26
Status: Triage

I tend to agree with the observation. But maybe it is better to discuss this during a WG15 meeting.

Created: 12 Jan 26
Status: Triage

I would support concentrating on TLS 1.2 as the mandatory-to-support version of the protocol. As outlined, for TLS 1.1 and 1.0, specific extensions which address certain shortcomings, like the support of the renegotiation extension in TLS 1.2, have not been enumerated.

Created: 08 Dec 25
Status: Triage

 
