Secure Socket Layer (SSL)
Version: 2020-07-02
module huawei-ssl { yang-version 1; namespace "urn:huawei:yang:huawei-ssl"; prefix ssl; import huawei-extension { prefix ext; } import huawei-pub-type { prefix pub-type; } organization "Huawei Technologies Co., Ltd."; contact "Huawei Industrial Base Bantian, Longgang Shenzhen 518129 People's Republic of China Website: http://www.huawei.com Email: support@huawei.com"; description "Secure Socket Layer (SSL)"; revision "2020-07-02" { description "Initial revision."; reference "Huawei private."; } ext:task-name "ssl"; typedef ssl-password-type { type pub-type:password-extend { } description "SSL password type."; } typedef ssl-cert-type { type enumeration { enum "asn1-cert" { value 1; description "Certype_asn1."; } enum "pem-cert" { value 2; description "Certype_pem."; } enum "pfx-cert" { value 3; description "Certype_pfx."; } enum "pem-chain" { value 4; description "Certype_pem-chain."; } } description "SSL certification type list."; } typedef ssl-key-type { type enumeration { enum "rsa" { value 1; description "Keytype_rsa."; } enum "dsa" { value 2; description "Keytype_dsa."; } } description "SSL public key encryption type list."; } typedef ssl-crl-type { type enumeration { enum "asn1-crl" { value 1; description "Crltype_asn1."; } enum "pem-crl" { value 2; description "Crltype_pem."; } } description "Certification revocation type list."; } typedef ssl-ca-type { type enumeration { enum "asn1-ca" { value 1; description "Catype_asn1-ca."; } enum "pem-ca" { value 2; description "Catype_pem-ca."; } enum "pfx-ca" { value 3; description "Catype_pfx-ca."; } } description "Certificate authority type list."; } typedef ssl-version { type enumeration { enum "tls1.0" { value 2; status obsolete; description "SSL version tls1.0. This version is insecure and is not supported currently. It is used for query compatibility only."; } enum "tls1.1" { value 3; description "SSL version tls1.1."; } enum "tls1.2" { value 4; description "SSL version tls1.2."; } enum "tls1.3" { value 5; description "SSL version tls1.3."; } } description "SSL version type list."; } typedef encrypted { type enumeration { enum "ISENCRYPTED" { value 0; description "IS ENCRYPTED."; } enum "NOTENCRYPTED" { value 1; description "NOT ENCRYPTED."; } } description "SSL encrypted flag list."; } typedef ssl-bool { type enumeration { enum "enable" { value 1; description "Service Enable."; } enum "disable" { value 2; description "Service Disable."; } } description "Certificate Verify bool switch."; } typedef ssl-cipher-type { type enumeration { enum "rsa-with-aes-256-sha" { value 1; description "RSA-WITH-AES-256-SHA cipher suite."; } enum "rsa-with-aes-128-sha" { value 2; description "RSA-WITH-AES-128-SHA cipher suite."; } enum "dhe-rsa-with-aes-256-sha" { value 3; description "DHE-RSA-WITH-AES-256-SHA cipher suite."; } enum "dhe-dss-with-aes-256-sha" { value 4; description "DHE-DSS-WITH-AES-256-SHA cipher suite."; } enum "dhe-rsa-with-aes-128-sha" { value 5; description "DHE-RSA-WITH-AES-128-SHA cipher suite."; } enum "dhe-dss-with-aes-128-sha" { value 6; description "DHE-DSS-WITH-AES-128-SHA cipher suite."; } enum "rsa-aes-128-cbc-sha" { value 7; description "RSA-AES-128-CBC-SHA cipher suite."; } enum "rsa-aes-256-cbc-sha" { value 8; description "RSA-AES-256-CBC-SHA cipher suite."; } enum "rsa-aes-128-cbc-sha256" { value 9; description "RSA-AES-128-CBC-SHA256 cipher suite."; } enum "rsa-aes-256-cbc-sha256" { value 10; description "RSA-AES-256-CBC-SHA256 cipher suite."; } enum "dhe-dss-aes-128-cbc-sha" { value 11; description "DHE-DSS-AES-128-CBC-SHA cipher suite."; } enum "dhe-rsa-aes-128-cbc-sha" { value 12; description "DHE-RSA-AES-128-CBC-SHA cipher suite."; } enum "dhe-dss-aes-256-cbc-sha" { value 13; description "DHE-DSS-AES-256-CBC-SHA cipher suite."; } enum "dhe-rsa-aes-256-cbc-sha" { value 14; description "DHE-RSA-AES-256-CBC-SHA cipher suite."; } enum "dhe-dss-aes-128-cbc-sha256" { value 15; description "DHE-DSS-AES-128-CBC-SHA256 cipher suite."; } enum "dhe-rsa-aes-128-cbc-sha256" { value 16; description "DHE-RSA-AES-128-CBC-SHA256 cipher suite."; } enum "dhe-dss-aes-256-cbc-sha256" { value 17; description "DHE-DSS-AES-256-CBC-SHA256 cipher suite."; } enum "dhe-rsa-aes-256-cbc-sha256" { value 18; description "DHE-RSA-AES-256-CBC-SHA256 cipher suite."; } enum "rsa-with-aes-128-gcm-sha256" { value 19; description "RSA-WITH-AES-128-GCM-SHA256 cipher suite."; } enum "rsa-with-aes-256-gcm-sha384" { value 20; description "RSA-WITH-AES-256-GCM-SHA384 cipher suite."; } enum "dhe-rsa-with-aes-128-gcm-sha256" { value 21; description "DHE-RSA-WITH-AES-128-GCM-SHA256 cipher suite."; } enum "dhe-rsa-with-aes-256-gcm-sha384" { value 22; description "DHE-RSA-WITH-AES-256-GCM-SHA384 cipher suite."; } enum "dhe-dss-with-aes-128-gcm-sha256" { value 23; description "DHE-DSS-WITH-AES-128-GCM-SHA256 cipher suite."; } enum "dhe-dss-with-aes-256-gcm-sha384" { value 24; description "DHE-DSS-WITH-AES-256-GCM-SHA384 cipher suite."; } enum "ecdhe-rsa-with-aes-128-gcm-sha256" { value 25; description "ECDHE-RSA-WITH-AES-128-GCM-SHA256 cipher suite."; } enum "ecdhe-rsa-with-aes-256-gcm-sha384" { value 26; description "ECDHE-RSA-WITH-AES-256-GCM-SHA384 cipher suite."; } enum "aes-128-gcm-sha256" { value 27; description "AES-128-GCM-SHA256 cipher suite."; } enum "aes-256-gcm-sha384" { value 28; description "AES_256_GCM_SHA384 cipher suite."; } enum "chacha20-poly1305-sha256" { value 29; description "CHACHA20_POLY1305_SHA256 cipher suite."; } enum "aes-128-ccm-sha256" { value 30; description "AES_128_CCM_SHA256 cipher suite."; } } description "Enumeration of ssl cipher type."; } container ssl { description "Secure Socket Layer (SSL)"; container ssl-policys { description "List of all SSL policys."; list ssl-policy { key "policy-name"; max-elements 4; description "Configure SSL policy, which is a collection of certificate and certification agency's. Other features can use the SSL policy by referring to the SSL policy name."; leaf policy-name { type string { length "1..23"; pattern '[a-z0-9_]*'; } description "Name for identifying an SSL policy, the ranging from 1 to 23. You can only use underline, letter and digit. The letter does not differentiate the capital, and will transforms to the small letter."; } leaf pki-realm { type string { length "1..64"; } description "PKI domain."; } leaf mini-version { type ssl-version; default "tls1.2"; description "Set SSL version, surport tls1.1 and tls1.2, the defult value is tls1.2."; } leaf cert-ver3-enable { type ssl-bool; default "disable"; description "Whether to enable X509v3 verification for certificates."; } leaf crl-ver2-enable { type ssl-bool; default "disable"; description "Whether to enable X509v2 verification for CRLs."; } leaf basic-const-enable { type ssl-bool; default "disable"; description "Whether to enable Basic Constraints Field verification for certificates."; } leaf mini-path-len { type uint32 { range "1..1024"; } default "1"; description "Whether to enable minimum path length verification for certificates."; } leaf key-usage-enable { type ssl-bool; default "disable"; description "Whether to enable Key Usage Field verification for certificates."; } leaf diffie-hellman-modulus { type uint32 { range "2048 | 3072 | 4096"; } default "3072"; description "Set modulus for diffie-hellman key exchange algorithm."; } container ecdh-group { must "not (./nist='false' and ./curve='false' and ./brainpool='false')"; description "Configure the ecdh groups for SSL policy."; leaf nist { type boolean; default "false"; description "Enable/disable nist groups of ecdh."; } leaf curve { type boolean; default "true"; description "Enable/disable curve groups of ecdh."; } leaf brainpool { type boolean; default "true"; description "Enable/disable brainpool groups of ecdh."; } } // container ecdh-group container signature-alg { must "not (./ecdsa-secp256r1-sha256='false' and ./ecdsa-secp384r1-sha384='false' and ./ecdsa-secp521r1-sha512='false' and ./rsa-pss-pss-sha256='false' and ./rsa-pss-pss-sha384='false' and ./rsa-pss-pss-sha512='false' and ./rsa-pss-rsae-sha256='false' and ./rsa-pss-rsae-sha384='false' and ./rsa-pss-rsae-sha512='false' and ./rsa-pkcs1-sha256='false' and ./rsa-pkcs1-sha384='false' and ./rsa-pkcs1-sha512='false' and ./ecdsa-sha1='false' and ./ecdsa-sha224='false' and ./rsa-sha1='false' and ./rsa-sha224='false' and ./dsa-sha1='false' and ./dsa-sha224='false' and ./ed25519='false' and ./ed448='false' and ./dsa-sha256='false' and ./dsa-sha384='false' and ./dsa-sha512='false' )"; description "Configure signature algorithms for SSL policy."; leaf ecdsa-secp256r1-sha256 { type boolean; default "false"; description "Enable/disable ecdsa-secp256r1-sha256 signature algorithm."; } leaf ecdsa-secp384r1-sha384 { type boolean; default "false"; description "Enable/disable ecdsa-secp384r1-sha384 signature algorithm."; } leaf ecdsa-secp521r1-sha512 { type boolean; default "false"; description "Enable/disable ecdsa-secp521r1-sha512 signature algorithm."; } leaf ed25519 { type boolean; default "true"; description "Enable/disable ed25519 signature algorithm."; } leaf ed448 { type boolean; default "true"; description "Enable/disable ed448 signature algorithm."; } leaf rsa-pss-pss-sha256 { type boolean; default "true"; description "Enable/disable rsa-pss-pss-sha256 signature algorithm."; } leaf rsa-pss-pss-sha384 { type boolean; default "true"; description "Enable/disable rsa-pss-pss-sha384 signature algorithm."; } leaf rsa-pss-pss-sha512 { type boolean; default "true"; description "Enable/disable rsa-pss-pss-sha512 signature algorithm."; } leaf rsa-pss-rsae-sha256 { type boolean; default "true"; description "Enable/disable rsa-pss-rsae-sha256 signature algorithm."; } leaf rsa-pss-rsae-sha384 { type boolean; default "true"; description "Enable/disable rsa-pss-rsae-sha384 signature algorithm."; } leaf rsa-pss-rsae-sha512 { type boolean; default "true"; description "Enable/disable rsa-pss-rsae-sha512 signature algorithm."; } leaf rsa-pkcs1-sha256 { type boolean; default "false"; description "Enable/disable rsa-pkcs1-sha256 signature algorithm."; } leaf rsa-pkcs1-sha384 { type boolean; default "false"; description "Enable/disable rsa-pkcs1-sha384 signature algorithm."; } leaf rsa-pkcs1-sha512 { type boolean; default "false"; description "Enable/disable rsa-pkcs1-sha512 signature algorithm."; } leaf ecdsa-sha1 { type boolean; default "false"; description "Enable/disable ecdsa-sha1 signature algorithm."; } leaf ecdsa-sha224 { type boolean; default "false"; description "Enable/disable ecdsa-sha224 signature algorithm."; } leaf rsa-sha1 { type boolean; default "false"; description "Enable/disable rsa-sha1 signature algorithm."; } leaf rsa-sha224 { type boolean; default "false"; description "Enable/disable rsa-sha224 signature algorithm."; } leaf dsa-sha1 { type boolean; default "false"; description "Enable/disable dsa-sha1 signature algorithm."; } leaf dsa-sha224 { type boolean; default "false"; description "Enable/disable dsa-sha224 signature algorithm."; } leaf dsa-sha256 { type boolean; default "false"; description "Enable/disable dsa-sha256 signature algorithm."; } leaf dsa-sha384 { type boolean; default "false"; description "Enable/disable dsa-sha384 signature algorithm."; } leaf dsa-sha512 { type boolean; default "false"; description "Enable/disable dsa-sha512 signature algorithm."; } } // container signature-alg container cert-loads { description "List of all SSL certificate file loaded by SSL policy."; list cert-load { key "cert-file"; description "Configure SSL certificate file loaded by SSL policy."; leaf cert-file { type string { length "1..64"; } description "Cert file."; } leaf cert-type { type ssl-cert-type; must "(../cert-type='pfx-cert' and ((../is-mac and ../is-mac=1 and not (../key-file)) or (../key-file and not (../is-mac)))) or (../cert-type!='pfx-cert' and ../key-file and not (../is-mac))"; mandatory true; description "CertType."; } leaf auth-code-crt { when "not(../cert-type='asn1-cert')"; type ssl-password-type { length "1..168"; } mandatory true; description "AuthCode."; } leaf is-mac { when "(../cert-type='pfx-cert')"; type uint32 { range "0..1"; } description "Mark for using MAC."; } leaf key-type { type ssl-key-type; mandatory true; description "KeyType."; } leaf auth-code-mac { when "(../cert-type='pfx-cert' and ../is-mac=1)"; type ssl-password-type { length "1..168"; } mandatory true; description "AuthCodeMac."; } leaf key-file { when "not(../is-mac)"; type string { length "1..64"; } description "KeyFile."; } leaf issuer-name { when "not(not(../cert-file)) or not(../cert-file)"; type string { length "1..255"; } config false; description "Issuer name."; } leaf valid-not-before { when "not(not(../cert-file)) or not(../cert-file)"; type string { length "1..255"; } config false; description "Validity Not Before."; } leaf valid-not-after { when "not(not(../cert-file)) or not(../cert-file)"; type string { length "1..255"; } config false; description "Validity Not After."; } leaf is-cert-file-encrypted { type encrypted; config false; description "Is cert-file Encrypted."; } } // list cert-load } // container cert-loads container crl-loads { description "List of sslCrlLoad."; list crl-load { key "crl-file"; max-elements 2; description "Configure sslCrlLoad policy."; leaf crl-file { type string { length "1..64"; } description "CrlFile."; } leaf crl-type { type ssl-crl-type; mandatory true; description "CrlType."; } } // list crl-load } // container crl-loads container trust-ca-loads { description "List of sslTrustCALoads."; list trust-ca-load { key "ca-file"; max-elements 4; description "Configure sslTrustCALoad policy."; leaf ca-file { type string { length "1..64"; } description "CaFile."; } leaf ca-type { type ssl-ca-type; mandatory true; description "CaType."; } leaf auth-code { when "(../ca-type='pfx-ca')"; type ssl-password-type { length "1..168"; } mandatory true; description "AuthCode."; } } // list trust-ca-load } // container trust-ca-loads leaf cipher-suite-name { type leafref { path "/ssl:ssl/ssl:ssl-cipher-suites/ssl:ssl-cipher-suite/ssl:cipher-suite-name"; } description "Name for identifying a cipher suite name."; } leaf exclude-rsa-kex { type ssl-bool; default "enable"; description "Whether to exclude RSA key exchange algorithm."; } leaf exclude-hmac-sha1 { type ssl-bool; default "enable"; description "Whether to exclude SHA-1 HMAC algorithm."; } leaf exclude-ciphermode-cbc { type ssl-bool; default "enable"; description "Whether to exclude Cipher Block Chaining (CBC) mode algorithm."; } } // list ssl-policy } // container ssl-policys container dtls-policys { description "List of all DTLS policys."; list dtls-policy { key "policy-name"; max-elements 4; description "Configure DTLS policy, which is a collection of certificate and certification agency's. Other features can use the DTLS policy by referring to the DTLS policy name."; leaf policy-name { type string { length "1..23"; pattern '[a-z0-9_]*'; } description "Name for identifying an DTLS policy, the ranging from 1 to 23. You can only use underline, letter and digit. The letter does not differentiate the capital, and will transforms to the small letter."; } leaf pki-domain-name { type string { length "1..64"; } description "PKI domain."; } leaf basic-const-enable { type ssl-bool; default "disable"; description "Whether to enable Basic Constraints Field verification for certificates."; } leaf mini-path-len { type uint32 { range "1..1024"; } default "1"; description "Whether to enable minimum path length verification for certificates."; } leaf key-usage-enable { type ssl-bool; default "disable"; description "Whether to enable Key Usage Field verification for certificates."; } } // list dtls-policy } // container dtls-policys container ssl-cipher-suites { description "List of SSL cipher suites to configure."; list ssl-cipher-suite { key "cipher-suite-name"; description "Configure SSL cipher suite."; leaf cipher-suite-name { type string { length "1..32"; pattern '[a-z0-9_\*]*'; } description "Configure name of cipher suite policy."; } leaf-list ssl-ciphers { type ssl-cipher-type; max-elements 4096; description "Configure list of SSL ciphers to configure policy."; } } // list ssl-cipher-suite } // container ssl-cipher-suites container certificate-alarm { description "Configure the certificate expiration alarm."; leaf early-warning-time { type uint32 { range "7..180"; } units "d"; default "90"; description "Configure the time when an alarm is generated before the SSL certificate expires."; } leaf interval { type uint32 { range "1..168"; } units "h"; default "24"; description "Configure the SSL certificate expiration check interval."; } } // container certificate-alarm } // container ssl } // module huawei-ssl
© 2023 YumaWorks, Inc. All rights reserved.