TC_A_06_CS — TLS - server-side certificate - TLS version too low
Source: OCPP 2.0.1 Part 6 — Test Cases (Core & Advanced Security, FINAL, 2023-06-30) — Functional block A. Security, page 11.
Identification
| Field | Value |
|---|---|
| Test case name | TLS - server-side certificate - TLS version too low |
| Test case Id | TC_A_06_CS |
| Use case Id(s) | A00 |
| Requirement(s) | A00.FR.314, A00.FR.316, A00.FR.416, A00.FR.417, A00.FR.419 |
| System under test | Charging Station |
| Functional block | A. Security |
Description
The CSMS uses a server-side certificate to identify itself to the Charging Station when security profile 2 or 3 is used.
Purpose
To verify whether the Charging Station is able to terminate the connection when it notices that the TLS version in use is lower than 1.2.
Prerequisite(s)
- The charging station supports security profile 2 and/or 3
- The active NetworkConnectionProfile uses either security profile 2 OR 3.
Before (Preparations)
Configuration State:
- OCPPCommCtrlr.NetworkProfileConnectionAttempts is 1
Memory State:
- N/a
Reusable State(s):
- N/a
Main (Test scenario)
| Charging Station | CSMS |
|---|---|
| 1. The Charging Station initiates a TLS handshake and sends a Client Hello to the OCTT. | 2. The OCTT responds with a Server Hello, but uses a TLS version lower than 1.2; With a <Configured server certificate> |
| 3. The Charging Station notices the used TLS version is lower than 1.2 and terminates the connection. | |
| 4. The Charging Station initiates a TLS handshake and sends a Client Hello to the OCTT. | 5. The OCTT responds with a Server Hello; With the <Configured server certificate> |
| 6. The Charging Station performs the following actions: Send client certificate, Client Key Exchange, Certificate verify, Change Cipher Spec, Finished; Note(s):; - The client certificate is only sent when the Charging Station uses security profile 3. | 7. The OCTT performs the following actions: Change Cipher Spec, Finished |
| 8. The Charging Station sends a HTTP upgrade request to the OCTT; Note(s):; - The HTTP request only contains a username/password combination when the Charging Station uses security profile 2. | 9. The OCTT upgrades the connection to a (secured) WebSocket connection. |
| 10. The Charging Station sends a BootNotificationRequest | 11. The OCTT responds with a BootNotificationResponse; with status Accepted |
| 12. The Charging Station notifies the CSMS about the current state of all connectors. | 13. The OCTT responds accordingly. |
| 14. The Charging Station sends a SecurityEventNotificationRequest | 15. The OCTT responds with a SecurityEventNotificationResponse |
| 16. The Charging Station sends a SecurityEventNotificationRequest | 17. The OCTT responds with a SecurityEventNotificationResponse |
| Note(s):; - The order in which the requests of steps 12, 14 and 16 arrive is not relevant.; - Steps 16 and 17 are optional, as the Charging Station might not be able to detect that the TLS handshake failed because of an invalid TLS version. |
Tool validations
Step 14:
Message: SecurityEventNotificationRequest
- type must be StartupOfTheDevice or ResetOrReboot
Step 16:
Message: SecurityEventNotificationRequest
- type must be InvalidTLSVersion
Post scenario validations
- N/a