SIF HTTPS Information
TLS/SSL
The test harness supports TLS 1.0, SSL 3.0 and the use of SSL 2.0 client-hellos to negotiate TLS 1.0 or SSL 3.0 connections.
Encryption
The test harness typically supports the following cipher suites (corresponding SIF_EncryptionLevels are noted) and it is believed
most implementations will find a cipher suite in common with this list.
| Cipher Suite | SIF_EncryptionLevel |
|---|---|
| TLS_RSA_WITH_NULL_MD5 | 0 |
| TLS_RSA_WITH_NULL_SHA | 0 |
| TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA | 1 |
| TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 | 1 |
| TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA | 1 |
| TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA | 1 |
| TLS_RSA_EXPORT_WITH_DES40_CBC_SHA | 1 |
| TLS_RSA_EXPORT_WITH_RC4_40_MD5 | 1 |
| TLS_DH_anon_WITH_DES_CBC_SHA | 2 |
| TLS_DHE_DSS_WITH_DES_CBC_SHA | 2 |
| TLS_DHE_RSA_WITH_DES_CBC_SHA | 2 |
| TLS_RSA_WITH_DES_CBC_SHA | 2 |
| TLS_DH_anon_WITH_3DES_EDE_CBC_SHA | 3 |
| TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | 3 |
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA | 3 |
| TLS_RSA_WITH_3DES_EDE_CBC_SHA | 3 |
| TLS_DH_anon_WITH_AES_128_CBC_SHA | 4 |
| TLS_DH_anon_WITH_RC4_128_MD5 | 4 |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA | 4 |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA | 4 |
| TLS_RSA_WITH_AES_128_CBC_SHA | 4 |
| TLS_RSA_WITH_RC4_128_MD5 | 4 |
| TLS_RSA_WITH_RC4_128_SHA | 4 |
Authentication
To ease administration, the test harness trusts all valid X.509 certificates. This means the return of any valid certificate results in a calculated
SIF_AuthenticationLevel of 2 as opposed to 1.
When handling client connections, the test harness always requests a certificate from the client, but may or may not require
one to be returned, depending on circumstances.
If a client returns a certificate, the authentication level of successfully negotiated communications with that client is, again, SIF_AuthenticationLevel 2;
if the client does not return a certificate, the level is SIF_AuthenticationLevel 0. Any valid certificates with CN matching the remote host's
address or name result in a calculated SIF_AuthenticationLevel of 3.
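The two level calculations described above (the cipher-suite table under Encryption and the certificate rules in this section), written out as an added example that is not part of the test harness or the SIF specification. The encryption mapping is a generalisation of the table: it classifies a suite by the bulk cipher in its name, so the page's table stays the authoritative list; `PeerCertificate` and the host-name comparison are assumptions about how an implementation would feed in what it observed from the handshake.

```python
from dataclasses import dataclass
from typing import Optional


def sif_encryption_level(cipher_suite: str) -> Optional[int]:
    """Map an IANA cipher-suite name to its SIF_EncryptionLevel.

    Assumption (a generalisation of the page's table): the level depends only
    on the bulk cipher named in the suite.  Returns None for suites the table
    does not cover, so callers can treat them as unclassified.
    """
    name = cipher_suite.upper()
    if "_WITH_NULL_" in name:
        return 0            # no confidentiality at all
    if "_EXPORT_" in name:
        return 1            # 40-bit DES40 / RC4_40 export grade (test before DES)
    if "_3DES_EDE_" in name:
        return 3            # Triple DES (test before the single-DES pattern)
    if "_DES_CBC_" in name:
        return 2            # single 56-bit DES
    if "_AES_128_" in name or "_RC4_128_" in name:
        return 4            # 128-bit bulk cipher
    return None


@dataclass
class PeerCertificate:
    """Assumed minimal view of the certificate the peer presented."""
    valid: bool            # chain validated; the harness trusts every valid cert
    common_name: str       # subject CN


def sif_authentication_level(cert: Optional[PeerCertificate], remote_host: str) -> int:
    """SIF_AuthenticationLevel as the harness calculates it for a negotiated session.

    0 = no certificate returned; 2 = valid certificate (the harness trusts all
    valid certificates, so 2 rather than 1); 3 = valid certificate whose CN
    matches the remote host's name or address.
    """
    if cert is None:
        return 0
    if not cert.valid:
        # Assumption: an invalid certificate means the handshake was not
        # "successfully negotiated", so there is no level to report.
        raise ValueError("invalid peer certificate: handshake would not complete")
    if cert.common_name.lower() == remote_host.lower():
        return 3
    return 2


if __name__ == "__main__":
    # Constructed sample input: a suite and certificate as observed after a handshake.
    suite = "TLS_RSA_WITH_AES_128_CBC_SHA"
    cert = PeerCertificate(valid=True, common_name="compliance.sifinfo.org")
    print(suite, "-> SIF_EncryptionLevel", sif_encryption_level(suite))
    print("SIF_AuthenticationLevel", sif_authentication_level(cert, "compliance.sifinfo.org"))
```

A real implementation would take the suite name from its TLS library after the handshake (for example `ssl.SSLSocket.cipher()` in Python) and fill `PeerCertificate` from the validated peer chain.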
If your SIF HTTPS implementation requires test harness certificates to be trusted, the certificates in use at compliance.sifinfo.org, DER-encoded, are:
RSA
DSA
If you do require trusted certificates, be sure to trust both certificates (unless you know that the encryption algorithms you support exclude one certificate type or the other), because either certificate may be returned depending on the encryption algorithms your SIF HTTPS implementation supports.
Note that the same certificates are in use for all test sessions at a given host, so you may trust these same certificates for future
test sessions at compliance.sifinfo.org.