--- /dev/null
+module ietf-tls-server {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server";
+ prefix tlss;
+
+ import ietf-tls-common {
+ prefix tlscmn;
+ revision-date 2019-07-02;
+ reference
+ "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
+ }
+ import ietf-truststore {
+ prefix ts;
+ reference
+ "RFC YYYY: A YANG Data Model for a Truststore";
+ }
+ import ietf-keystore {
+ prefix ks;
+ reference
+ "RFC ZZZZ: A YANG Data Model for a Keystore";
+ }
+ import ietf-netconf-acm {
+ prefix nacm;
+ reference
+ "RFC 8341: Network Configuration Access Control Model";
+ }
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group";
+ contact
+ "WG Web: <http://datatracker.ietf.org/wg/netconf/>
+ WG List: <mailto:netconf@ietf.org>
+ Author: Kent Watsen <mailto:kent+ietf@watsen.net>
+ Author: Gary Wu <mailto:garywu@cisco.com>";
+ description
+ "This module defines reusable groupings for TLS servers that
+ can be used as a basis for specific TLS server instances.
+
+ Copyright (c) 2019 IETF Trust and the persons identified
+ as authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Simplified
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC XXXX
+ (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
+ itself for full legal notices.;
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
+ 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
+ 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
+ are to be interpreted as described in BCP 14 (RFC 2119)
+ (RFC 8174) when, and only when, they appear in all
+ capitals, as shown here.";
+
+ revision 2019-07-02 {
+ description
+ "Initial version";
+ reference
+ "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
+ }
+
+ feature tls-server-hello-params-config {
+ description
+ "TLS hello message parameters are configurable on a TLS
+ server.";
+ }
+
+ feature tls-server-keepalives {
+ description
+ "Per socket TLS keepalive parameters are configurable for
+ TLS servers on the server implementing this feature.";
+ }
+
+ feature local-client-auth-supported {
+ description
+ "Indicates that the TLS server supports local
+ configuration of client credentials.";
+ }
+
+ feature external-client-auth-supported {
+ description
+ "Indicates that the TLS server supports external
+ configuration of client credentials.";
+ }
+
+ grouping tls-server-grouping {
+ description
+ "A reusable grouping for configuring a TLS server without
+ any consideration for how underlying TCP sessions are
+ established.
+
+ Note that this grouping uses fairly typical descendent
+ node names such that a stack of 'uses' statements will
+ have name conflicts. It is intended that the consuming
+ data model will resolve the issue (e.g., by wrapping
+ the 'uses' statement in a container called
+ 'tls-server-parameters'). This model purposely does
+ not do this itself so as to provide maximum flexibility
+ to consuming models.";
+ container server-identity {
+ nacm:default-deny-write;
+ description
+ "A locally-defined or referenced end-entity certificate,
+ including any configured intermediate certificates, the
+ TLS server will present when establishing a TLS connection
+ in its Certificate message, as defined in Section 7.4.2
+ in RFC 5246.";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2
+ RFC ZZZZ:
+ YANG Data Model for a 'Keystore' Mechanism";
+ uses ks:local-or-keystore-end-entity-cert-with-key-grouping;
+ }
+ container client-authentication {
+ nacm:default-deny-write;
+ presence "Indicates that certificate based client authentication
+ is supported (i.e., the server will request that the
+ client send a certificate).";
+ description
+ "Specifies if TLS client authentication is required or
+ optional, and specifies if the certificates needed to
+ authenticate the TLS client are configured locally or
+ externally. If configured locally, the data model
+ enables both trust anchors and end-entity certificate
+ to be set.";
+ choice required-or-optional {
+ mandatory true;
+ description
+ "Indicates if TLS-level client authentication is required
+ or optional. This is necessary for some protocols (e.g.,
+ RESTCONF) the may optionally authenticate a client via
+ TLS-level authentication, HTTP-level authentication, or
+ both simultaneously).";
+ leaf required {
+ type empty;
+ description
+ "Indicates that TLS-level client authentication is
+ required.";
+ }
+ leaf optional {
+ type empty;
+ description
+ "Indicates that TLS-level client authentication is
+ optional.";
+ }
+ }
+ choice local-or-external {
+ mandatory true;
+ description
+ "Indicates if the certificates needed to authenticate
+ the client are configured locally or externally. The
+ need to support external configuration for client
+ authentication stems from the desire to support
+ consuming data models that prefer to place client
+ authentication with client definitions, rather then
+ in a data model principally concerned with configuring
+ the transport.";
+ case local {
+ if-feature "local-client-auth-supported";
+ description
+ "The certificates needed to authenticate the clients
+ are configured locally.";
+ leaf ca-certs {
+ if-feature "ts:x509-certificates";
+ type ts:certificates-ref;
+ description
+ "A reference to a list of certificate authority (CA)
+ certificates used by the TLS server to authenticate
+ TLS client certificates. A client certificate is
+ authenticated if it has a valid chain of trust to
+ a configured CA certificate.";
+ reference
+ "RFC YYYY: YANG Data Model for Global Trust Anchors";
+ }
+ leaf client-certs {
+ if-feature "ts:x509-certificates";
+ type ts:certificates-ref;
+ description
+ "A reference to a list of client certificates
+ used by the TLS server to authenticate TLS
+ client certificates. A clients certificate
+ is authenticated if it is an exact match to
+ a configured client certificate.";
+ reference
+ "RFC YYYY: YANG Data Model for Global Trust Anchors";
+ }
+ }
+ case external {
+ if-feature "external-client-auth-supported";
+ description
+ "The certificates needed to authenticate the clients
+ are configured externally.";
+ leaf client-auth-defined-elsewhere {
+ type empty;
+ description
+ "Indicates that certificates needed to authenticate
+ clients are configured elsewhere.";
+ }
+ }
+ }
+ }
+ container hello-params {
+ nacm:default-deny-write;
+ if-feature "tls-server-hello-params-config";
+ description
+ "Configurable parameters for the TLS hello message.";
+ uses tlscmn:hello-params-grouping;
+ }
+ container keepalives {
+ nacm:default-deny-write;
+ if-feature "tls-server-keepalives";
+ presence "Indicates that keepalives are enabled.";
+ description
+ "Configures the keep-alive policy, to proactively test
+ the aliveness of the TLS client. An unresponsive
+ TLS client is dropped after approximately max-wait
+ * max-attempts seconds.";
+ leaf max-wait {
+ type uint16 {
+ range "1..max";
+ }
+ units "seconds";
+ default "30";
+ description
+ "Sets the amount of time in seconds after which if
+ no data has been received from the TLS client, a
+ TLS-level message will be sent to test the
+ aliveness of the TLS client.";
+ }
+ leaf max-attempts {
+ type uint8;
+ default "3";
+ description
+ "Sets the maximum number of sequential keep-alive
+ messages that can fail to obtain a response from
+ the TLS client before assuming the TLS client is
+ no longer alive.";
+ }
+ }
+ }
+}
\ No newline at end of file
Code Review / ccsdk / features.git / blobdiff