testing: Negotiate TLS 1.3 for part of the EAP-TLS scenarios

2025-10-04 00:00:14 -04:00 · 2023-03-01 10:42:06 +01:00 · 2023-03-01 10:42:06 +01:00 · edd3c797b0
commit edd3c797b0
parent d605584a7a
42 changed files with 114 additions and 42 deletions
--- a/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat
@ -1,10 +1,12 @@
 carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::negotiated TLS 1.3 using suite TLS_AES_256_GCM_SHA384::YES
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES
 dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
 dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+dave:: cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_256_GCM_SHA384::YES
 dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
 moon:: cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
--- a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
@ -16,5 +16,6 @@ charon-systemd {
 }

 libtls {
-  suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+  version_max = 1.3
+  suites = TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
 }
--- a/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
@ -20,3 +20,7 @@ charon-systemd {
    }
  }
 }
+
+libtls {
+  version_max = 1.3
+}
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat
@ -1,10 +1,12 @@
 carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::negotiated TLS 1.3 using suite TLS_AES_256_GCM_SHA384::YES
 carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
 carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES
 dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
 dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+dave:: cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_256_GCM_SHA384::YES
 dave:: cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
 dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
 moon:: cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MSCHAPV2 successful::YES
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
@ -16,5 +16,6 @@ charon-systemd {
 }

 libtls {
-  suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+  version_max = 1.3
+  suites = TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
 }
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
@ -19,3 +19,7 @@ charon-systemd {
    }
  }
 }
+
+libtls {
+  version_max = 1.3
+}
--- a/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
@ -1,6 +1,6 @@
 carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
-carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_256_GCM_SHA384::YES
+carol::cat /var/log/daemon.log::negotiated TLS 1.3 using suite TLS_AES_256_GCM_SHA384::YES
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES
 dave::cat /var/log/daemon.log::no issuer certificate found for \"C=CH, O=strongSwan Project, CN=moon.strongswan.org\"::YES
 dave::cat /var/log/daemon.log::no TLS public key found for server 'C=CH, O=strongSwan Project, CN=moon.strongswan.org'::YES
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
@ -14,3 +14,7 @@ charon-systemd {
    }
  }
 }
+
+libtls {
+  version_max = 1.3
+}
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
@ -16,5 +16,6 @@ charon-systemd {
 }

 libtls {
-  suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+  version_max = 1.3
+  suites = TLS_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
 }
--- a/testing/tests/ikev2/rw-eap-tls-sha3-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-sha3-rsa/evaltest.dat
@ -1,4 +1,6 @@
+carol::cat /var/log/daemon.log::negotiated TLS 1.3 using suite TLS_AES_128_GCM_SHA256::YES
 carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::YES
 dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
 moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
--- a/testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf
@ -5,9 +5,10 @@ swanctl {
 }

 charon-systemd {
-  load = random nonce md5 sha1 sha2 sha3 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 mgf1 gmp curl eap-tls kernel-netlink socket-default updown vici
+  load = random nonce md5 sha1 sha2 sha3 aes hmac gcm kdf pem pkcs1 x509 revocation constraints pubkey curve25519 mgf1 gmp curl eap-tls kernel-netlink socket-default updown vici
 }

 libtls {
-  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+  version_max = 1.3
+  suites = TLS_AES_128_GCM_SHA256
 }
--- a/testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf
@ -5,5 +5,9 @@ swanctl {
 }

 charon-systemd {
-  load = random nonce md5 sha1 sha2 sha3 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 mgf1 gmp curl eap-tls kernel-netlink socket-default updown vici
+  load = random nonce md5 sha1 sha2 sha3 aes hmac gcm kdf pem pkcs1 x509 revocation constraints pubkey curve25519 mgf1 gmp curl eap-tls kernel-netlink socket-default updown vici
+}
+
+libtls {
+  version_max = 1.3
 }
--- a/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat
@ -1,10 +1,12 @@
 carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::negotiated TLS 1.3 using suite TLS_AES_256_GCM_SHA384::YES
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES
 dave:: cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
 dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+dave:: cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_256_GCM_SHA384::YES
 dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
 moon:: cat /var/log/daemon.log::EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
--- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
@ -16,5 +16,6 @@ charon-systemd {
 }

 libtls {
-  suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+  version_max = 1.3
+  suites = TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
 }
--- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
@ -19,3 +19,7 @@ charon-systemd {
    }
  }
 }
+
+libtls {
+  version_max = 1.3
+}
--- a/testing/tests/tnc/tnccs-11/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11/evaltest.dat
@ -1,6 +1,8 @@
+carol::cat /var/log/daemon.log::negotiated TLS 1.3 using suite TLS_AES_128_GCM_SHA256::YES
 carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::YES
 dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
--- a/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf
@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file

 charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac gcm curve25519 kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown

  multiple_authentication=no

@ -19,7 +19,8 @@ charon-systemd {
 }

 libtls {
-  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+  version_max = 1.3
+  suites = TLS_AES_128_GCM_SHA256
 }

 libimcv {
--- a/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf
@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file

 charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac gcm curve25519 kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown

  multiple_authentication = no

@ -25,7 +25,8 @@ charon-systemd {
 }

 libtls {
-  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+  version_max = 1.3
+  suites = TLS_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 }

 libimcv {
--- a/testing/tests/tnc/tnccs-20-block/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-block/evaltest.dat
@ -1,6 +1,8 @@
+carol::cat /var/log/daemon.log::negotiated TLS 1.3 using suite TLS_AES_128_GCM_SHA256::YES
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Denied'::YES
 dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
--- a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf
@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file

 charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac gcm curve25519 kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown

  multiple_authentication = no

@ -19,7 +19,8 @@ charon-systemd {
 }

 libtls {
-  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+  version_max = 1.3
+  suites = TLS_AES_128_GCM_SHA256
 }

 libimcv {
--- a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf
@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file

 charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac gcm curve25519 kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown

  multiple_authentication = no

@ -24,5 +24,6 @@ charon-systemd {
 }

 libtls {
-  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+  version_max = 1.3
+  suites = TLS_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 }
--- a/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat
@ -1,6 +1,8 @@
+carol::cat /var/log/daemon.log::negotiated TLS 1.3 using suite TLS_AES_128_GCM_SHA256::YES
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave:: cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
--- a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf
@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file

 charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac gcm curve25519 kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown

  multiple_authentication = no

@ -14,7 +14,8 @@ charon-systemd {
 }

 libtls {
-  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+  version_max = 1.3
+  suites = TLS_AES_128_GCM_SHA256
 }

 libimcv {
--- a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf
@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file

 charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac gcm curve25519 kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown

  multiple_authentication = no

@ -21,7 +21,8 @@ charon-systemd {
 }

 libtls {
-  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+  version_max = 1.3
+  suites = TLS_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 }

 libimcv {
--- a/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat
@ -1,9 +1,11 @@
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+dave:: cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::YES
 dave:: cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
 dave:: cat /var/log/daemon.log::collected ... SW records::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::negotiated TLS 1.3 using suite TLS_AES_128_GCM_SHA256::YES
 carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
 carol::cat /var/log/daemon.log::collected ... SW ID records::YES
 carol::cat /var/log/daemon.log::strongswan.org__strongSwan.*swidtag::YES
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf
@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file

 charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici socket-default kernel-netlink eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac gcm curve25519 kdf x509 revocation curl vici socket-default kernel-netlink eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite

  syslog {
    daemon {
@ -42,3 +42,7 @@ libimcv {
    }
  }
 }
+
+libtls {
+  version_max = 1.3
+}
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf
@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file

 charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac gcm curve25519 kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown

  syslog {
    daemon {
@ -24,5 +24,6 @@ charon-systemd {
 }

 libtls {
-  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+  version_max = 1.3
+  suites = TLS_AES_128_GCM_SHA256
 }
--- a/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat
@ -1,6 +1,8 @@
+carol::cat /var/log/daemon.log::negotiated TLS 1.3 using suite TLS_AES_128_GCM_SHA256::YES
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
--- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf
@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file

 charon-systemd {
-  load = random nonce aes sha1 sha2 md5 mgf1 gmp hmac kdf pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 mgf1 gmp hmac gcm curve25519 kdf pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown

  multiple_authentication = no

@ -20,7 +20,8 @@ charon-systemd {
 }

 libtls {
-  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+  version_max = 1.3
+  suites = TLS_AES_128_GCM_SHA256
 }

 libimcv {
--- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf
@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file

 charon-systemd {
-  load = random nonce aes sha1 sha2 md5 mgf1 gmp hmac kdf pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
+  load = random nonce aes sha1 sha2 md5 mgf1 gmp hmac gcm curve25519 kdf pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite

  multiple_authentication = no

@ -23,7 +23,8 @@ charon-systemd {
 }

 libtls {
-  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+  version_max = 1.3
+  suites = TLS_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 }

 libimcv {
--- a/testing/tests/tnc/tnccs-20-pts/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-pts/evaltest.dat
@ -1,6 +1,8 @@
+carol::cat /var/log/daemon.log::negotiated TLS 1.3 using suite TLS_AES_128_GCM_SHA256::YES
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
--- a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf
@ -20,7 +20,8 @@ charon-systemd {
 }

 libtls {
-  suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+  version_max = 1.3
+  suites = TLS_AES_128_GCM_SHA256
 }

 libimcv {
--- a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf
@ -23,7 +23,8 @@ charon-systemd {
 }

 libtls {
-  suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+  version_max = 1.3
+  suites = TLS_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 }

 libimcv {
--- a/testing/tests/tnc/tnccs-20-tls/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-tls/evaltest.dat
@ -1,6 +1,8 @@
+carol::cat /var/log/daemon.log::negotiated TLS 1.3 using suite TLS_AES_128_GCM_SHA256::YES
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
--- a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf
@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file

 charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp curve25519 hmac gcm kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown

  multiple_authentication = no

@ -14,7 +14,8 @@ charon-systemd {
 }

 libtls {
-  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+  version_max = 1.3
+  suites = TLS_AES_128_GCM_SHA256
 }

 libimcv {
--- a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf
@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file

 charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp curve25519 hmac gcm kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnccs-20 tnc-imv updown

  multiple_authentication = no

@ -21,5 +21,6 @@ charon-systemd {
 }

 libtls {
-  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+  version_max = 1.3
+  suites = TLS_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 }
--- a/testing/tests/tnc/tnccs-20/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20/evaltest.dat
@ -1,6 +1,8 @@
+carol::cat /var/log/daemon.log::negotiated TLS 1.3 using suite TLS_AES_128_GCM_SHA256::YES
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
--- a/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf
@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file

 charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac gcm curve25519 kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown

  multiple_authentication = no

@ -14,7 +14,8 @@ charon-systemd {
 }

 libtls {
-  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+  version_max = 1.3
+  suites = TLS_AES_128_GCM_SHA256
 }

 libimcv {
--- a/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf
@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file

 charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac gcm curve25519 kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown

  multiple_authentication = no

@ -21,7 +21,8 @@ charon-systemd {
 }

 libtls {
-  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+  version_max = 1.3
+  suites = TLS_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 }

 libimcv {
--- a/testing/tests/tnc/tnccs-dynamic/evaltest.dat
+++ b/testing/tests/tnc/tnccs-dynamic/evaltest.dat
@ -1,6 +1,8 @@
+carol::cat /var/log/daemon.log::negotiated TLS 1.3 using suite TLS_AES_128_GCM_SHA256::YES
 carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
--- a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf
@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file

 charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac gcm curve25519 kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown

  multiple_authentication=no
  integrity_test = yes
@ -19,8 +19,9 @@ charon-systemd {
  }
 }

-ilibtls {
-  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+libtls {
+  version_max = 1.3
+  suites = TLS_AES_128_GCM_SHA256
 }

 libimcv {
--- a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf
@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file

 charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-dynamic tnccs-11 tnccs-20 tnc-imv updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac gcm curve25519 kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-dynamic tnccs-11 tnccs-20 tnc-imv updown

  multiple_authentication=no
  integrity_test = yes
@ -26,6 +26,7 @@ charon-systemd {
 }

 libtls {
-  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+  version_max = 1.3
+  suites = TLS_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 }