Description
Currently FCS_TTTC_EXT.1 and FCS_TTTS_EXT.1 require the TSF to process a wide variety of TLS ciphersuites, presumably to mitigate the risk of a malicious user or remote host deliberately negotiating a deprecated ciphersuite in the hope that any sort of man-in-the-middle would not be able to decrypt it.
For the updated version of this module, it is recommended that the option also exist simply to discard traffic that doesn't use one of the supported ciphersuites (I would defer on whether that could be done silently or if, for IDS purposes, the TSF would need to generate a record of such an attempt). The reason for this is that the STIP product could be managing traffic that flows from a software agent in the OE, and if this agent is a NIAP-approved product, by definition it would be incapable of attempting any communications outside of the ciphersuites permitted by the TLS functional package.
Recommendation is to change FCS_TTTC_EXT.1.1 and FCS_TTTS_EXT.1.1 to have all the TLS ciphers that are currently listed be selectable between processing (i.e. TOE as a proxy decrypts traffic for further inspection) and discarding.
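As an added illustration of the process-or-discard selection proposed above (example code written for this issue, not part of any NIAP document or TOE), the following Python sketch parses the cipher suites offered in a TLS ClientHello, applies a per-suite policy in which each suite is marked either "process" (the proxy terminates and inspects) or "discard", and emits an audit record when a connection is discarded so that the IDS question raised above can be answered either way. The policy table, the client address and the ClientHello bytes are constructed for the example; the suite identifiers are the standard IANA values, but which suites the TLS functional package actually permits is not assumed here.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

PROCESS = "process"   # TOE acts as proxy: terminate TLS, decrypt, inspect
DISCARD = "discard"   # TOE drops the connection without terminating TLS

# Constructed policy for the example: suite id -> action, in TOE preference
# order. Which suites a real TOE may list is set by the TLS functional package.
POLICY: Dict[int, str] = {
    0x1301: PROCESS,  # TLS_AES_128_GCM_SHA256 (TLS 1.3)
    0xC02C: PROCESS,  # TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    0xC02F: PROCESS,  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    0x002F: DISCARD,  # TLS_RSA_WITH_AES_128_CBC_SHA (legacy, not inspected)
    0x000A: DISCARD,  # TLS_RSA_WITH_3DES_EDE_CBC_SHA (legacy, not inspected)
}


def parse_client_hello_suites(record: bytes) -> List[int]:
    """Return the cipher_suites list from a single TLS ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:          # ContentType handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:              # HandshakeType client_hello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                                      # legacy_version + random
    sid_len = hello[pos]
    pos += 1 + sid_len                                # skip session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack("!H", hello[i:i + 2])[0]
            for i in range(pos, pos + cs_len, 2)]


@dataclass
class Decision:
    action: str
    suite: Optional[int]          # suite the proxy would negotiate, if any
    audit: Optional[str]          # audit record text when traffic is discarded


def decide(record: bytes, client: str = "198.51.100.7:51000",
           policy: Dict[int, str] = POLICY,
           now: Optional[datetime] = None) -> Decision:
    """Select the first policy suite marked PROCESS that the client offers;
    otherwise discard and generate an audit record of the attempt."""
    offered = parse_client_hello_suites(record)
    for suite, action in policy.items():              # TOE preference order
        if action == PROCESS and suite in offered:
            return Decision(PROCESS, suite, None)
    ts = (now or datetime.now(timezone.utc)).isoformat()
    audit = (f"{ts} STIP discard client={client} reason=no_processable_suite "
             f"offered={[hex(s) for s in offered]}")
    return Decision(DISCARD, None, audit)


def build_client_hello(suites: List[int]) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record for the example."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session_id
            + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00"                              # compression: null only
            + b"\x00\x00")                             # no extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    # Client offers a legacy suite first but also a modern one: proxy inspects.
    print(decide(build_client_hello([0x002F, 0xC02F])))
    # Client offers only legacy suites: discarded, with an audit record.
    print(decide(build_client_hello([0x002F, 0x000A])))
```

Because the proxy chooses in its own preference order rather than the client's, a client that lists a deprecated suite first cannot steer the TOE into it; it is either inspected under a permitted suite or dropped and recorded.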