testing: Use TLS 1.3 in TNC PT-TLS tests

2025-12-07 00:00:13 -05:00 · 2021-02-21 09:48:34 +01:00 · 2021-02-21 09:48:34 +01:00 · 20c47af319
commit 20c47af319
parent 9f55246018
11 changed files with 24 additions and 11 deletions
--- a/testing/tests/tnc/tnccs-20-ev-pt-tls/description.txt
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/description.txt
@ -1,7 +1,7 @@
 The PT-TLS (RFC 6876) clients <b>carol</b> and <b>dave</b> set up a connection each to the policy decision 
 point (PDP) <b>alice</b>. Endpoint <b>carol</b> uses password-based SASL PLAIN client authentication during the
 <b>PT-TLS negotiation phase</b> whereas endpoint <b>dave</b> uses certificate-based TLS client authentication
-during the <b>TLS setup phase</b>.
+during the <b>TLS setup phase</b>. In both connections TLS 1.3 is used.
 <p/>
 During the ensuing <b>PT-TLS data transport phase</b> the <b>OS</b> and <b>SWIMA</b> IMC/IMV pairs
 loaded by the PT-TLS clients and PDP, respectively, exchange PA-TNC (RFC 5792) messages
--- a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/strongswan.conf
@ -24,7 +24,9 @@ charon-systemd {
 }

 libtls {
-  suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+  suites = TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256
+  ke_group = curve25519, curve448
+  version_max = 1.3
 }

 libimcv {
--- a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/strongswan.conf
@ -1,7 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file

 libtls {
-  suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+  suites = TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
+  ke_group = curve25519, curve448
+  version_max = 1.3
 }

 libimcv {
--- a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/dave/etc/strongswan.conf
@ -12,7 +12,9 @@ libimcv {
 }

 libtls {
-  suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+  suites = TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
+  ke_group = curve25519, curve448
+  version_max = 1.3
 }

 pt-tls-client {
--- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/description.txt
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/description.txt
@ -1,3 +1,3 @@
 The hosts <b>moon</b> and <b>sun</b> do mutual TNC measurements using the
 PA-TNC, PB-TNC and PT-TLS protocols. The authentication is based on
-X.509 certificates.
+X.509 certificates and transport on TLS 1.3.
--- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf
@ -5,7 +5,9 @@ pt-tls-client {
 }

 libtls {
-  suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+  version_max = 1.3
+  suites = TLS_AES_128_GCM_SHA256
+  ke_group = curve25519
 }

 libimcv {
--- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf
@ -24,7 +24,9 @@ charon-systemd {
 }

 libtls {
-  suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+  version_max = 1.3
+  suites = TLS_AES_128_GCM_SHA256
+  ke_group = curve25519
 }

 libimcv {
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/description.txt
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/description.txt
@ -1,7 +1,7 @@
 The PT-TLS (RFC 6876) clients <b>carol</b> and <b>dave</b> set up a connection each to the policy decision 
 point (PDP) <b>alice</b>. Endpoint <b>carol</b> uses password-based SASL PLAIN client authentication during the
 <b>PT-TLS negotiation phase</b> whereas endpoint <b>dave</b> uses certificate-based TLS client authentication
-during the <b>TLS setup phase</b>.
+during the <b>TLS setup phase</b>. In both connections TLS 1.3 is used.
 <p/>
 During the ensuing <b>PT-TLS data transport phase</b> the <b>OS</b> and <b>SWIMA</b> IMC/IMV pairs
 loaded by the PT-TLS clients and PDP, respectively, exchange PA-TNC (RFC 5792) messages
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf
@ -24,7 +24,8 @@ charon-systemd {
 }

 libtls {
-  suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+  version_max = 1.3
+  suites = TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
 }

 libimcv {
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf
@ -1,7 +1,8 @@
 # /etc/strongswan.conf - strongSwan configuration file

 libtls {
-  suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+  version_max = 1.3
+  suites = TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
 }

 libimcv {
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf
@ -19,7 +19,8 @@ libimcv {
 }

 libtls {
-  suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+  version_max = 1.3
+  suites = TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
 }

 pt-tls-client {