module ietf-tls-server {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server";
prefix "tlss";
import ietf-tls-common {
prefix tlscmn;
revision-date 2018-09-20; // stable grouping definitions
reference
"RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
}
import ietf-trust-anchors {
prefix ta;
reference
"RFC YYYY: YANG Data Model for Global Trust Anchors";
}
import ietf-keystore {
prefix ks;
reference
"RFC ZZZZ: YANG Data Model for a 'Keystore' Mechanism";
}
organization
"IETF NETCONF (Network Configuration) Working Group";
contact
"WG Web:
WG List:
Author: Kent Watsen
Author: Gary Wu
";
description
"This module defines a reusable grouping for a TLS server that
can be used as a basis for specific TLS server instances.
Copyright (c) 2018 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD
License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices.";
revision "2018-09-20" {
description
"Initial version";
reference
"RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
}
// features
feature tls-server-hello-params-config {
description
"TLS hello message parameters are configurable on a TLS
server.";
}
// groupings
grouping tls-server-grouping {
description
"A reusable grouping for configuring a TLS server without
any consideration for how underlying TCP sessions are
established.";
uses server-identity-grouping;
uses client-auth-grouping;
uses hello-params-grouping;
}
grouping server-identity-grouping {
description
"A reusable grouping for configuring a TLS server identity.";
container server-identity {
description
"A locally-defined or referenced end-entity certificate,
including any configured intermediate certificates, the
TLS server will present when establishing a TLS connection
in its Certificate message, as defined in Section 7.4.2
in RFC 5246.";
reference
"RFC 5246:
The Transport Layer Security (TLS) Protocol Version 1.2
RFC ZZZZ:
YANG Data Model for a 'Keystore' Mechanism";
uses ks:local-or-keystore-end-entity-certificate-grouping;
}
} // end server-identity-grouping
grouping client-auth-grouping {
description
"A reusable grouping for configuring a TLS client
authentication.";
container client-auth {
description
"A reference to a list of pinned certificate authority (CA)
certificates and a reference to a list of pinned client
certificates.";
leaf pinned-ca-certs {
if-feature "ta:x509-certificates";
type ta:pinned-certificates-ref;
description
"A reference to a list of certificate authority (CA)
certificates used by the TLS server to authenticate
TLS client certificates. A client certificate is
authenticated if it has a valid chain of trust to
a configured pinned CA certificate.";
reference
"RFC YYYY: YANG Data Model for Global Trust Anchors";
}
leaf pinned-client-certs {
if-feature "ta:x509-certificates";
type ta:pinned-certificates-ref;
description
"A reference to a list of client certificates used by
the TLS server to authenticate TLS client certificates.
A clients certificate is authenticated if it is an
exact match to a configured pinned client certificate.";
reference
"RFC YYYY: YANG Data Model for Global Trust Anchors";
}
}
} // end client-auth-grouping
grouping hello-params-grouping {
description
"A reusable grouping for configuring a TLS transport
parameters.";
container hello-params {
if-feature tls-server-hello-params-config;
uses tlscmn:hello-params-grouping;
description
"Configurable parameters for the TLS hello message.";
}
} // end tls-server-grouping
}