ietf-tls-server

This module defines reusable groupings for TLS servers that can be used as a basis for specific TLS server instances.

  • Version: 2024-10-10

    ietf-tls-server@2024-10-10


    
      // YANG 1.1 module ietf-tls-server, revision 2024-10-10 (RFC 9645).
      // As listed here the module body contains only feature statements:
      // the groupings that the description refers to do not appear in this
      // listing, and of the imported prefixes only tlscmn is referenced
      // (by the if-feature statements below).
      // NOTE(review): presumably this listing is abridged - consult
      // RFC 9645 for the complete module before relying on this text for
      // an implementation or a configuration audit.
      module ietf-tls-server {
    
        yang-version 1.1;
    
        namespace
          "urn:ietf:params:xml:ns:yang:ietf-tls-server";
    
        prefix tlss;
    
        // Imports.  nacm, ct, ts and ks are declared but not referenced by
        // any statement visible in this listing.
        import ietf-netconf-acm {
          prefix nacm;
          reference
            "RFC 8341: Network Configuration Access Control Model";
    
    
        }
        import ietf-crypto-types {
          prefix ct;
          reference
            "RFC 9640: YANG Data Types and Groupings for Cryptography";
    
    
        }
        import ietf-truststore {
          prefix ts;
          reference
            "RFC 9641: A YANG Data Model for a Truststore";
    
    
        }
        import ietf-keystore {
          prefix ks;
          reference
            "RFC 9642: A YANG Data Model for a Keystore";
    
    
        }
        // tlscmn supplies the tls12 and tls13 features that two of the
        // server-ident features below depend on.
        import ietf-tls-common {
          prefix tlscmn;
          reference
            "RFC 9645: YANG Groupings for TLS Clients and TLS Servers";
    
    
        }
    
        organization
          "IETF NETCONF (Network Configuration) Working Group";
    
        contact
          "WG List:  NETCONF WG list <mailto:netconf@ietf.org>
         WG Web:   https://datatracker.ietf.org/wg/netconf
         Author:   Kent Watsen <mailto:kent+ietf@watsen.net>
         Author:   Jeff Hartley <mailto:intensifysecurity@gmail.com>";
    
        description
          "This module defines reusable groupings for TLS servers that
         can be used as a basis for specific TLS server instances.
    
         The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
         'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
         'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
         are to be interpreted as described in BCP 14 (RFC 2119)
         (RFC 8174) when, and only when, they appear in all
         capitals, as shown here.
    
         Copyright (c) 2024 IETF Trust and the persons identified
         as authors of the code. All rights reserved.
    
         Redistribution and use in source and binary forms, with
         or without modification, is permitted pursuant to, and
         subject to the license terms contained in, the Revised
         BSD License set forth in Section 4.c of the IETF Trust's
         Legal Provisions Relating to IETF Documents
         (https://trustee.ietf.org/license-info).
    
         This version of this YANG module is part of RFC 9645
         (https://www.rfc-editor.org/info/rfc9645); see the RFC
         itself for full legal notices.";
    
        revision "2024-10-10" {
          description "Initial version.";
          reference
            "RFC 9645: YANG Groupings for TLS Clients and TLS Servers";
    
        }
    
    
        // Feature gate for configurable per-socket TLS keepalive
        // parameters.  The parameter nodes themselves are not part of
        // this listing.
        feature tls-server-keepalives {
          description
            "Per-socket TLS keepalive parameters are configurable for
           TLS servers on the server implementing this feature.";
        }
    
        // --- Server identity features ---------------------------------
        // Each feature below advertises one credential type the server
        // can use to identify itself.  Presumably they gate the matching
        // configuration nodes, which are not shown in this listing.
        feature server-ident-x509-cert {
          description
            "Indicates that the server supports identifying itself
           using X.509 certificates.";
          reference
            "RFC 5280:
              Internet X.509 Public Key Infrastructure Certificate
              and Certificate Revocation List (CRL) Profile";
    
        }
    
        // Raw public keys (RFC 7250) carry no certificate chain, so the
        // binding between the key and the server's identity has to be
        // established out of band by the peer.
        feature server-ident-raw-public-key {
          description
            "Indicates that the server supports identifying itself
           using raw public keys.";
          reference
            "RFC 7250:
              Using Raw Public Keys in Transport Layer Security (TLS)
              and Datagram Transport Layer Security (DTLS)";
    
        }
    
        // Conditional on tlscmn:tls12.  The protection a PSK gives depends
        // on the key's entropy and on it staying secret at both ends.
        feature server-ident-tls12-psk {
          if-feature tlscmn:tls12;
          description
            "Indicates that the server supports identifying itself
           using TLS 1.2 PSKs (pre-shared or pairwise symmetric keys).";
          reference
            "RFC 4279:
              Pre-Shared Key Ciphersuites for Transport Layer Security
              (TLS)";
    
        }
    
        // Conditional on tlscmn:tls13.
        feature server-ident-tls13-epsk {
          if-feature tlscmn:tls13;
          description
            "Indicates that the server supports identifying itself
           using TLS 1.3 External PSKs (pre-shared keys).";
          reference
            "RFC 8446:
              The Transport Layer Security (TLS) Protocol Version 1.3";
    
        }
    
        // --- Client authentication features ---------------------------
        // Umbrella feature for configuring TLS-layer client authentication.
        // Per its description it may be left out when clients are
        // authenticated at another protocol layer.
        // NOTE(review): a deployment that relies on that should confirm
        // the upper layer really authenticates every client, because
        // nothing in this listing enforces it at the TLS layer.
        feature client-auth-supported {
          description
            "Indicates that the configuration for how to authenticate
           clients can be configured herein.  TLS-level client
           authentication may not be needed when client authentication
           is expected to occur only at another protocol layer.";
        }
    
        feature client-auth-x509-cert {
          description
            "Indicates that the server supports authenticating clients
           using X.509 certificates.";
          reference
            "RFC 5280:
              Internet X.509 Public Key Infrastructure Certificate
              and Certificate Revocation List (CRL) Profile";
    
        }
    
        // As with the server-side raw-public-key feature, no certificate
        // chain is involved, so the key-to-client binding has to come
        // from elsewhere.
        feature client-auth-raw-public-key {
          description
            "Indicates that the server supports authenticating clients
           using raw public keys.";
          reference
            "RFC 7250:
              Using Raw Public Keys in Transport Layer Security (TLS)
              and Datagram Transport Layer Security (DTLS)";
    
        }
    
        // NOTE(review): unlike server-ident-tls12-psk, this feature has no
        // 'if-feature tlscmn:tls12' and its description says 'PSKs' rather
        // than 'TLS 1.2 PSKs'.  As listed it can be advertised
        // independently of tlscmn:tls12 - confirm against RFC 9645 whether
        // that asymmetry is intended.
        feature client-auth-tls12-psk {
          description
            "Indicates that the server supports authenticating clients
           using PSKs (pre-shared or pairwise symmetric keys).";
          reference
            "RFC 4279:
              Pre-Shared Key Ciphersuites for Transport Layer Security
              (TLS)";
    
        }
    
        // NOTE(review): unlike server-ident-tls13-epsk, this feature has
        // no 'if-feature tlscmn:tls13'.  As listed it can be advertised
        // independently of tlscmn:tls13 - confirm against RFC 9645.
        feature client-auth-tls13-epsk {
          description
            "Indicates that the server supports authenticating clients
           using TLS 1.3 External PSKs (pre-shared keys).";
          reference
            "RFC 8446:
              The Transport Layer Security (TLS) Protocol Version 1.3";
    
        }
      }  // module ietf-tls-server
    
