testing: Use TLS 1.2 in RADIUS test cases

This took a while as in the OpenSSL package shipped with Debian and on which
our FIPS-enabled package is based, the function SSL_export_keying_material(),
which is used by FreeRADIUS to derive the MSK, did not use the correct digest
to calculate the result when TLS 1.2 was used.  This caused IKE to fail with
"verification of AUTH payload with EAP MSK failed".  The fix was only
backported to jessie recently.

diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
index 4c778a7214dfe5400c1e70a2e9e1c4d2be85587c..50f0389d391f4e03bd0b25c14046c4f21332fa4e 100644 (file)
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
@@ -4,3 +4,6 @@ charon {
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-tls updown
   multiple_authentication=no
 }
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}

diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf
index 80c96b6773888cce985f6671a242a26fcc3de1e6..09ca9d0e4ba7d7502cef3520642108faa7a6ff3f 100644 (file)
--- a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf
@@ -32,3 +32,6 @@ libimcv {
     }
   }
 }
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}