The PT-TLS (RFC 6876) clients <b>carol</b> and <b>dave</b> set up a connection each to the policy decision
point (PDP) <b>alice</b>. Endpoint <b>carol</b> uses password-based SASL PLAIN client authentication during the
<b>PT-TLS negotiation phase</b> whereas endpoint <b>dave</b> uses certificate-based TLS client authentication
-during the <b>TLS setup phase</b>.
+during the <b>TLS setup phase</b>. In both connections TLS 1.3 is used.
<p/>
During the ensuing <b>PT-TLS data transport phase</b> the <b>OS</b> and <b>SWIMA</b> IMC/IMV pairs
loaded by the PT-TLS clients and PDP, respectively, exchange PA-TNC (RFC 5792) messages
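Review bot: The sentence added on the `+during the <b>TLS setup phase</b>.` line states that TLS 1.3 is used in both connections but not what guarantees it. Consider naming the mechanism (the libtls suite list is restricted to TLS 1.3 suites) or having the test evaluation assert the negotiated version, so the description documents a checked property rather than an expectation. A smaller wording point: "TLS 1.3 is used in both connections" reads more naturally.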
}
libtls {
- suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ suites = TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256
+ ke_group = curve25519, curve448
+ version_max = 1.3
}
libimcv {
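Review bot: The `suites` line in this file lists TLS_CHACHA20_POLY1305_SHA256, while the two other libtls blocks of the same scenario list only the two AES-GCM suites. If the extra suite is there on purpose (for example to show that negotiation settles on a common suite), a short comment in the config would say so. Otherwise align the three lists so the difference is not mistaken for an oversight.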
# /etc/strongswan.conf - strongSwan configuration file
libtls {
- suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ suites = TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
+ ke_group = curve25519, curve448
+ version_max = 1.3
}
libimcv {
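Review bot: Only the upper bound is set here (`version_max = 1.3`), so the "TLS 1.3 is used" claim in the description rests on the suite list containing nothing a TLS 1.2 handshake could select. If TLS 1.3 only is the intent, also setting the lower bound (libtls.version_min) would make that explicit and keep it true if someone later adds an older suite to `suites`. The same applies to the other libtls blocks in this change.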
}
libtls {
- suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ suites = TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
+ ke_group = curve25519, curve448
+ version_max = 1.3
}
pt-tls-client {
The hosts <b>moon</b> and <b>sun</b> do mutual TNC measurements using the
PA-TNC, PB-TNC and PT-TLS protocols. The authentication is based on
-X.509 certificates.
+X.509 certificates and transport on TLS 1.3.
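Review bot: The added phrase "and transport on TLS 1.3" on the last line is grammatically attached to "The authentication is based on", which makes it read as if transport were also "based on" something. Suggest splitting it, for example "The authentication is based on X.509 certificates and the transport uses TLS 1.3."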
}
libtls {
- suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+ version_max = 1.3
+ suites = TLS_AES_128_GCM_SHA256
+ ke_group = curve25519
}
libimcv {
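Review bot: Style point on key order: this block puts `version_max` first, followed by `suites` and `ke_group`, whereas the libtls blocks of the carol/dave/alice scenario earlier in the change use `suites`, `ke_group`, `version_max`. Pick one order for all the touched strongswan.conf files so the blocks can be compared line by line.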
}
libtls {
- suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+ version_max = 1.3
+ suites = TLS_AES_128_GCM_SHA256
+ ke_group = curve25519
}
libimcv {
The PT-TLS (RFC 6876) clients <b>carol</b> and <b>dave</b> set up a connection each to the policy decision
point (PDP) <b>alice</b>. Endpoint <b>carol</b> uses password-based SASL PLAIN client authentication during the
<b>PT-TLS negotiation phase</b> whereas endpoint <b>dave</b> uses certificate-based TLS client authentication
-during the <b>TLS setup phase</b>.
+during the <b>TLS setup phase</b>. In both connections TLS 1.3 is used.
<p/>
During the ensuing <b>PT-TLS data transport phase</b> the <b>OS</b> and <b>SWIMA</b> IMC/IMV pairs
loaded by the PT-TLS clients and PDP, respectively, exchange PA-TNC (RFC 5792) messages
}
libtls {
- suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ version_max = 1.3
+ suites = TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
}
libimcv {
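Review bot: This libtls block sets `version_max` and `suites` but no `ke_group`, while the otherwise matching scenario earlier in the change adds `ke_group = curve25519, curve448` to each of its three configs. If this scenario is meant to run with the default key exchange groups, say so in the commit message or a config comment. If not, add the same `ke_group` line here and in the two following files.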
# /etc/strongswan.conf - strongSwan configuration file
libtls {
- suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ version_max = 1.3
+ suites = TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
}
libimcv {
}
libtls {
- suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ version_max = 1.3
+ suites = TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
}
pt-tls-client {