Endpoint Compliance via PT-TLS Protocol¶
Starting the strongSwan Policy Decision Point (PDP)¶
The strongSwan PDP starts and loads its server certificate and the client credentials:
00[DMN] Starting IKE charon daemon (strongSwan 5.2.0dr1, Linux 3.13.5, x86_64)
00[LIB] openssl FIPS mode(0) - disabled
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG] loaded RSA private key from '/etc/ipsec.d/private/aaaKey.pem'
00[CFG] loaded EAP secret for carol
00[CFG] loaded EAP secret for dave

Next the OS and SWID IMVs are loaded:
00[TNC] TNC recommendation policy is 'default'
00[TNC] loading IMVs from '/etc/tnc_config'
00[TNC] added IETF attributes
00[TNC] added ITA-HSR attributes
00[LIB] libimcv initialized
00[IMV] IMV 1 "OS" initialized
00[TNC] IMV 1 supports 1 message type: 'IETF/Operating System' 0x000000/0x00000001
00[TNC] IMV 1 "OS" loaded from '/usr/local/lib/ipsec/imcvs/imv-os.so'
00[IMV] IMV 2 "SWID" initialized
00[TNC] added TCG attributes
00[LIB] libpts initialized
00[TNC] IMV 2 supports 1 message type: 'TCG/SWID' 0x005597/0x00000003
00[TNC] IMV 2 "SWID" loaded from '/usr/local/lib/ipsec/imcvs/imv-swid.so'

The PDP loads all plugins needed to communicate via its EAP-RADIUS and PT-TLS interfaces and spawns 16 worker threads:
00[IKE] eap method EAP_TTLS selected
00[LIB] loaded plugins: charon curl pem pkcs1 nonce x509 revocation constraints openssl socket-default kernel-netlink stroke tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
00[JOB] spawning 16 worker threads
09[CFG] received stroke: add connection 'aaa'
09[CFG] left nor right host is our side, assuming left=local
09[CFG] loaded certificate "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" from 'aaaCert.pem'
09[CFG] added configuration 'aaa'
PT-TLS Connection by Access Requestor "carol"¶
04[TNC] accepting PT-TLS stream from 192.168.0.100
Supported TLS 1.0, 1.1 and 1.2 Cipher Suites¶
04[TLS] 36 supported TLS cipher suites:
04[TLS] TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
04[TLS] TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
04[TLS] TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
04[TLS] TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
04[TLS] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
04[TLS] TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
04[TLS] TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
04[TLS] TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
04[TLS] TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
04[TLS] TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
04[TLS] TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
04[TLS] TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
04[TLS] TLS_DHE_RSA_WITH_AES_128_CBC_SHA
04[TLS] TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
04[TLS] TLS_DHE_RSA_WITH_AES_256_CBC_SHA
04[TLS] TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
04[TLS] TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
04[TLS] TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
04[TLS] TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
04[TLS] TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
04[TLS] TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
04[TLS] TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
04[TLS] TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
04[TLS] TLS_RSA_WITH_AES_128_CBC_SHA
04[TLS] TLS_RSA_WITH_AES_128_CBC_SHA256
04[TLS] TLS_RSA_WITH_AES_256_CBC_SHA
04[TLS] TLS_RSA_WITH_AES_256_CBC_SHA256
04[TLS] TLS_RSA_WITH_AES_128_GCM_SHA256
04[TLS] TLS_RSA_WITH_AES_256_GCM_SHA384
04[TLS] TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
04[TLS] TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
04[TLS] TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
04[TLS] TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
04[TLS] TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
04[TLS] TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
04[TLS] TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS Connection Setup¶
03[TNC] entering PT-TLS negotiation phase
03[TLS] processing TLS Handshake record (124 bytes)
03[TLS] received TLS ClientHello handshake (120 bytes)
03[TLS] received TLS 'signature algorithms' extension
03[TLS] received TLS 'elliptic curves' extension
03[TLS] received TLS 'ec point formats' extension
03[TLS] received TLS 'server name' extension
03[TLS] received 2 TLS cipher suites:
03[TLS] TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
03[TLS] TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
03[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
The strongSwan TLS stack supports the high-performance TLS 1.2 AES-GCM cipher suites via the openssl plugin. The AEAD crypto operations are automatically accelerated if the Intel AES-NI instruction set is available on the target processor.
03[TLS] sending TLS ServerHello handshake (54 bytes)
03[TLS] sending TLS server certificate 'C=CH, O=Linux strongSwan, CN=aaa.strongswan.org'
03[TLS] sending TLS Certificate handshake (1066 bytes)
03[TLS] selected ECDH group SECP256R1
03[TLS] created signature with SHA256/RSA
03[TLS] sending TLS ServerKeyExchange handshake (329 bytes)
03[TLS] sending TLS cert request for 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA'
03[TLS] sending TLS CertificateRequest handshake (102 bytes)
03[TLS] sending TLS ServerHelloDone handshake (0 bytes)
03[TLS] sending TLS Handshake record (1571 bytes)
03[TLS] processing TLS Handshake record (77 bytes)
03[TLS] received TLS Certificate handshake (3 bytes)
03[TLS] received TLS ClientKeyExchange handshake (66 bytes)
03[TLS] processing TLS ChangeCipherSpec record (1 bytes)
03[TLS] processing TLS Handshake record (40 bytes)
03[TLS] received TLS Finished handshake (12 bytes)
03[TLS] sending TLS ChangeCipherSpec record (1 bytes)
03[TLS] sending TLS Finished handshake (12 bytes)
03[TLS] sending TLS Handshake record (40 bytes)
PT-TLS Negotiation¶
03[TLS] processing TLS ApplicationData record (44 bytes)
03[TNC] received PT-TLS message #0 of type 'Version Request' (20 bytes)
03[TNC] sending PT-TLS message #0 of type 'Version Response' (20 bytes)
03[TLS] sending TLS ApplicationData record (44 bytes)
03[TNC] negotiated PT-TLS version 1
SASL Password-based Client Authentication¶
03[TNC] doing SASL client authentication
03[TNC] offering SASL PLAIN
03[TNC] sending PT-TLS message #1 of type 'SASL Mechanisms' (22 bytes)
03[TLS] sending TLS ApplicationData record (46 bytes)
03[TLS] processing TLS ApplicationData record (61 bytes)
03[TNC] received PT-TLS message #1 of type 'SASL Mechanism Selection' (37 bytes)
03[TNC] client starts SASL PLAIN authentication
03[TNC] SASL PLAIN authentication successful
03[TNC] SASL client identity is 'carol'
03[TNC] sending PT-TLS message #2 of type 'SASL Result' (17 bytes)
03[TLS] sending TLS ApplicationData record (41 bytes)
03[TNC] sending PT-TLS message #3 of type 'SASL Mechanisms' (16 bytes)
03[TLS] sending TLS ApplicationData record (40 bytes)
PT-TLS Transport Phase¶
03[TNC] entering PT-TLS data transport phase
IF-IMV 1.4 AR Identity¶
11[TLS] processing TLS ApplicationData record (299 bytes)
11[TNC] received PT-TLS message #2 of type 'PB-TNC Batch' (275 bytes)
11[TNC] assigned TNCCS Connection ID 1
11[IMV] IMV 1 "OS" created a state for IF-TNCCS 2.0 Connection ID 1: +long +excl -soh
11[IMV] over IF-T for TLS 2.0 with maximum PA-TNC message size of 131024 bytes
11[IMV] user AR identity 'carol' authenticated by password
11[IMV] IMV 2 "SWID" created a state for IF-TNCCS 2.0 Connection ID 1: +long +excl -soh
11[IMV] over IF-T for TLS 2.0 with maximum PA-TNC message size of 131024 bytes
11[IMV] user AR identity 'carol' authenticated by password
11[IMV] IMV 1 "OS" changed state of Connection ID 1 to 'Handshake'
11[IMV] IMV 2 "SWID" changed state of Connection ID 1 to 'Handshake'

11[TNC] received TNCCS batch (259 bytes) for Connection ID 1
11[TNC] PB-TNC state transition from 'Init' to 'Server Working'
11[TNC] processing PB-TNC CDATA batch
11[TNC] processing IETF/PB-Language-Preference message (31 bytes)
11[TNC] processing IETF/PB-PA message (220 bytes)
11[TNC] setting language preference to 'en'

11[TNC] handling PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
11[IMV] IMV 1 "OS" received message for Connection ID 1 from IMC 1
11[IMV] => 196 bytes @ 0x6f09d0
11[IMV]    0: 01 00 00 00 B4 0C 4B 59 00 00 00 00 00 00 00 02  ......KY........
11[IMV]   16: 00 00 00 17 00 25 72 00 00 44 65 62 69 61 6E 00  .....%r..Debian.
11[IMV]   32: 00 00 00 00 00 00 04 00 00 00 19 0A 37 2E 34 20  ............7.4
11[IMV]   48: 78 38 36 5F 36 34 00 00 00 00 00 00 00 00 00 03  x86_64..........
11[IMV]   64: 00 00 00 1C 00 00 00 07 00 00 00 04 00 00 00 00  ................
11[IMV]   80: 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 24  ...............$
11[IMV]   96: 03 01 00 00 32 30 31 34 2D 30 34 2D 31 30 54 30  ....2014-04-10T0
11[IMV]  112: 38 3A 31 32 3A 31 33 5A 00 00 00 00 00 00 00 0B  8:12:13Z........
11[IMV]  128: 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 0C  ................
11[IMV]  144: 00 00 00 10 00 00 00 00 00 00 90 2A 00 00 00 08  ...........*....
11[IMV]  160: 00 00 00 2C 65 64 33 32 64 63 37 63 31 65 62 33  ...,ed32dc7c1eb3
11[IMV]  176: 32 38 65 66 30 61 63 63 30 65 34 63 35 33 34 35  28ef0acc0e4c5345
11[IMV]  192: 62 38 65 34  b8e4
11[TNC] processing PA-TNC message with ID 0xb40c4b59
11[TNC] processing PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002
11[TNC] processing PA-TNC attribute type 'IETF/String Version' 0x000000/0x00000004
11[TNC] processing PA-TNC attribute type 'IETF/Numeric Version' 0x000000/0x00000003
11[TNC] processing PA-TNC attribute type 'IETF/Operational Status' 0x000000/0x00000005
11[TNC] processing PA-TNC attribute type 'IETF/Forwarding Enabled' 0x000000/0x0000000b
11[TNC] processing PA-TNC attribute type 'IETF/Factory Default Password Enabled' 0x000000/0x0000000c
11[TNC] processing PA-TNC attribute type 'ITA-HSR/Device ID' 0x00902a/0x00000008
Operating System Information¶
11[IMV] operating system name is 'Debian' from vendor Debian Project
11[IMV] operating system version is '7.4 x86_64'
11[IMV] operating system numeric version is 7.4
11[IMV] operational status: operational, result: successful
11[IMV] last boot: Apr 10 08:12:13 UTC 2014
11[IMV] IPv4 forwarding is disabled
11[IMV] factory default password is disabled
Device Identity¶
11[IMV] device ID is ed32dc7c1eb328ef0acc0e4c5345b8e4
Policy Manager generating Workitem List¶
This is strongSwan's proprietary Configuration Management Database (CMDB) interface. Based on historical client measurement data and a set of group policies the start script generates a list of measurement workitems. In our scenario only IPv4 forwarding and SWID tags are checked.
11[IMV] assigned session ID 2 to Connection ID 1
11[IMV] running policy script: 2>&1 TNC_SESSION_ID='2' ipsec imv_policy_manager start
11[IMV] policy: imv_policy_manager start successful
11[IMV] policy: No leaks detected, 11 suppressed by whitelist

Available workitems generated by the Policy Manager:
11[IMV] FMEAS workitem 1
11[IMV] FMEAS workitem 2
11[IMV] FWDEN workitem 3
11[IMV] FMEAS workitem 4
11[IMV] FMETA workitem 5
11[IMV] SWIDT workitem 6
11[IMV] TCPOP workitem 7
11[IMV] UDPOP workitem 8

Assessment Result generated by the OS IMV:
11[IMV] IMV 1 handles FWDEN workitem 3
11[IMV] IMV 1 handled FWDEN workitem 3: allow - forwarding not enabled
11[TNC] creating PA-TNC message with ID 0x4abaf071
11[TNC] creating PA-TNC attribute type 'IETF/Assessment Result' 0x000000/0x00000009
11[IMV] created PA-TNC message: => 24 bytes @ 0x729180
11[IMV]    0: 01 00 00 00 4A BA F0 71 00 00 00 00 00 00 00 09  ....J..q........
11[IMV]   16: 00 00 00 10 00 00 00 00  ........
11[TNC] creating PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
11[TNC] IMV 1 provides recommendation 'allow' and evaluation 'compliant'
Sending SWID Request¶
11[IMV] IMV 2 handles SWIDT workitem 6
11[IMV] IMV 2 issues SWID request 6
11[TNC] creating PA-TNC message with ID 0x551f2e1f
11[TNC] creating PA-TNC attribute type 'TCG/SWID Request' 0x005597/0x00000011
11[IMV] created PA-TNC message: => 32 bytes @ 0x6efce0
11[IMV]    0: 01 00 00 00 55 1F 2E 1F 00 00 55 97 00 00 00 11  ....U.....U.....
11[IMV]   16: 00 00 00 18 01 00 00 00 00 00 00 06 00 00 00 00  ................
11[TNC] creating PB-PA message type 'TCG/SWID' 0x005597/0x00000003
11[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
11[TNC] creating PB-TNC SDATA batch
11[TNC] adding IETF/PB-PA message
11[TNC] adding IETF/PB-PA message
11[TNC] sending PB-TNC SDATA batch (112 bytes) for Connection ID 1
11[TNC] sending PT-TLS message #4 of type 'PB-TNC Batch' (128 bytes)
11[TLS] sending TLS ApplicationData record (152 bytes)
Receiving SWID Tag Identifier Inventory¶
12[TLS] processing buffered TLS ApplicationData record (16408 bytes)
12[TNC] received PT-TLS message #3 of type 'PB-TNC Batch' (27320 bytes)
12[TLS] processing buffered TLS ApplicationData record (10960 bytes)
12[TNC] received TNCCS batch (27304 bytes) for Connection ID 1
12[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
12[TNC] processing PB-TNC CDATA batch
12[TNC] processing IETF/PB-PA message (27296 bytes)
12[TNC] handling PB-PA message type 'TCG/SWID' 0x005597/0x00000003
12[IMV] IMV 2 "SWID" received message for Connection ID 1 from IMC 2 to IMV 2
12[IMV] => 27272 bytes @ 0x753db0
12[TNC] processing PA-TNC message with ID 0x4aaad6a9
12[TNC] processing PA-TNC attribute type 'TCG/SWID Tag Identifier Inventory' 0x005597/0x00000012
Human-Readable SWID Tag Identifiers¶
12[IMV] received SWID tag ID inventory for request 6 at eid 1 of epoch 0x07d201f4
12[IMV] regid.2004-03.org.strongswan_debian_7.4-x86_64-acpi-support-base-0.140-5
12[IMV] regid.2004-03.org.strongswan_debian_7.4-x86_64-acpid-1:2.0.16-1+deb7u1
12[IMV] regid.2004-03.org.strongswan_debian_7.4-x86_64-adduser-3.113+nmu3
12[IMV] regid.2004-03.org.strongswan_debian_7.4-x86_64-apache2-2.2.22-13+deb7u1
12[IMV] regid.2004-03.org.strongswan_debian_7.4-x86_64-apache2-mpm-worker-2.2.22-13+deb7u1
12[IMV] regid.2004-03.org.strongswan_debian_7.4-x86_64-apache2-utils-2.2.22-13+deb7u1
12[IMV] regid.2004-03.org.strongswan_debian_7.4-x86_64-apache2.2-bin-2.2.22-13+deb7u1
12[IMV] regid.2004-03.org.strongswan_debian_7.4-x86_64-apache2.2-common-2.2.22-13+deb7u1
...
12[IMV] regid.2004-03.org.strongswan_debian_7.4-x86_64-wget-1.13.4-3+deb7u1
12[IMV] regid.2004-03.org.strongswan_debian_7.4-x86_64-whiptail-0.52.14-11.1
12[IMV] regid.2004-03.org.strongswan_debian_7.4-x86_64-xz-utils-5.1.1alpha+20120614-2
12[IMV] regid.2004-03.org.strongswan_debian_7.4-x86_64-zlib1g-1:1.2.7.dfsg-13
12[IMV] regid.2004-03.org.strongswan_debian_7.4-x86_64-zlib1g-dev-1:1.2.7.dfsg-13
12[IMV] regid.2004-03.org.strongswan_strongSwan-5-2-0dr1

12[IMV] IMV 2 handled SWIDT workitem 6: allow - received inventory of 362 SWID tag IDs
12[TNC] creating PA-TNC message with ID 0x6dd65b3a
12[TNC] creating PA-TNC attribute type 'IETF/Assessment Result' 0x000000/0x00000009
12[IMV] created PA-TNC message: => 24 bytes @ 0x730390
12[IMV]    0: 01 00 00 00 6D D6 5B 3A 00 00 00 00 00 00 00 09  ....m.[:........
12[IMV]   16: 00 00 00 10 00 00 00 00  ........
12[TNC] creating PB-PA message type 'TCG/SWID' 0x005597/0x00000003
12[TNC] IMV 2 provides recommendation 'allow' and evaluation 'compliant'
Policy Manager integrating Measurement Results¶
12[IMV] running policy script: 2>&1 TNC_SESSION_ID='2' ipsec imv_policy_manager stop
12[IMV] policy: imv_policy_manager stop successful

12[IMV] IMV 1 "OS" changed state of Connection ID 1 to 'Allowed'
12[IMV] IMV 2 "SWID" changed state of Connection ID 1 to 'Allowed'
12[TNC] PB-TNC state transition from 'Server Working' to 'Decided'
12[TNC] creating PB-TNC RESULT batch
12[TNC] adding IETF/PB-PA message
12[TNC] adding IETF/PB-Assessment-Result message
12[TNC] adding IETF/PB-Access-Recommendation message
12[TNC] sending PB-TNC RESULT batch (88 bytes) for Connection ID 1
12[TNC] sending PT-TLS message #5 of type 'PB-TNC Batch' (104 bytes)
12[TLS] sending TLS ApplicationData record (128 bytes)
Closing PT-TLS Connection¶
13[TLS] processing TLS ApplicationData record (48 bytes)
13[TNC] received PT-TLS message #4 of type 'PB-TNC Batch' (24 bytes)
13[TNC] received TNCCS batch (8 bytes) for Connection ID 1
13[TNC] PB-TNC state transition from 'Decided' to 'End'
13[TNC] processing PB-TNC CLOSE batch
13[TNC] final recommendation is 'allow' and evaluation is 'compliant'
13[TNC] PT-TLS connection terminates
13[IMV] IMV 1 "OS" deleted the state of Connection ID 1
13[IMV] IMV 2 "SWID" deleted the state of Connection ID 1
13[TNC] removed TNCCS Connection ID 1
13[TLS] sending TLS close notify
13[TLS] sending TLS Alert record (26 bytes)
PT-TLS Connection by Access Requestor "dave"¶
14[TNC] accepting PT-TLS stream from 192.168.0.200
TLS Connection Setup¶
15[TNC] entering PT-TLS negotiation phase
15[TLS] processing TLS Handshake record (124 bytes)
15[TLS] received TLS ClientHello handshake (120 bytes)
15[TLS] received TLS 'signature algorithms' extension
15[TLS] received TLS 'elliptic curves' extension
15[TLS] received TLS 'ec point formats' extension
15[TLS] received TLS 'server name' extension
15[TLS] received 2 TLS cipher suites:
15[TLS] TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
15[TLS] TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
15[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
15[TLS] sending TLS ServerHello handshake (54 bytes)
15[TLS] sending TLS server certificate 'C=CH, O=Linux strongSwan, CN=aaa.strongswan.org'
15[TLS] sending TLS Certificate handshake (1066 bytes)
15[TLS] selected ECDH group SECP256R1
15[TLS] created signature with SHA256/RSA
15[TLS] sending TLS ServerKeyExchange handshake (329 bytes)
15[TLS] sending TLS cert request for 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA'
15[TLS] sending TLS CertificateRequest handshake (102 bytes)
15[TLS] sending TLS ServerHelloDone handshake (0 bytes)
15[TLS] sending TLS Handshake record (1571 bytes)
15[TLS] processing TLS Handshake record (1406 bytes)
15[TLS] received TLS Certificate handshake (1068 bytes)
15[TLS] received TLS peer certificate 'C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org'
15[TLS] received TLS ClientKeyExchange handshake (66 bytes)
15[TLS] received TLS CertificateVerify handshake (260 bytes)
15[CFG] using certificate "C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org"
15[CFG] using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
15[CFG] checking certificate status of "C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org"
15[CFG] fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
15[CFG] using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
15[CFG] crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
15[CFG] crl is valid: until May 10 08:11:39 2014
15[CFG] certificate status is good
15[CFG] reached self-signed root ca with a path length of 0
15[TLS] verified signature with SHA256/RSA
15[TLS] processing TLS ChangeCipherSpec record (1 bytes)
15[TLS] buffering 31 bytes, 31 bytes of 45 byte TLS record received
15[TLS] buffering 14 bytes, 45 bytes of 45 byte TLS record received
15[TLS] processing buffered TLS Handshake record (40 bytes)
15[TLS] received TLS Finished handshake (12 bytes)
15[TLS] sending TLS ChangeCipherSpec record (1 bytes)
15[TLS] sending TLS Finished handshake (12 bytes)
15[TLS] sending TLS Handshake record (40 bytes)
PT-TLS Negotiation¶
03[TLS] processing TLS ApplicationData record (64 bytes)
03[TNC] received PT-TLS message #0 of type 'Version Request' (20 bytes)
03[TNC] sending PT-TLS message #0 of type 'Version Response' (20 bytes)
03[TLS] sending TLS ApplicationData record (64 bytes)
03[TNC] negotiated PT-TLS version 1
TLS Certificate-based Client Authentication¶
15[TNC] doing SASL client authentication
15[TNC] skipping SASL, client already authenticated by TLS certificate
15[TNC] sending PT-TLS message #1 of type 'SASL Mechanisms' (16 bytes)
15[TLS] sending TLS ApplicationData record (40 bytes)
PT-TLS Transport Phase¶
15[TNC] entering PT-TLS data transport phase
IF-IMV 1.4 AR Identity¶
16[TLS] processing TLS ApplicationData record (79 bytes)
16[TNC] received PT-TLS message #1 of type 'PB-TNC Batch' (55 bytes)
16[TNC] assigned TNCCS Connection ID 2
16[IMV] IMV 1 "OS" created a state for IF-TNCCS 2.0 Connection ID 2: +long +excl -soh
16[IMV] over IF-T for TLS 2.0 with maximum PA-TNC message size of 131024 bytes
16[IMV] user AR identity 'C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org' authenticated by certificate
16[IMV] IMV 2 "SWID" created a state for IF-TNCCS 2.0 Connection ID 2: +long +excl -soh
16[IMV] over IF-T for TLS 2.0 with maximum PA-TNC message size of 131024 bytes
16[IMV] user AR identity 'C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org' authenticated by certificate
16[IMV] IMV 1 "OS" changed state of Connection ID 2 to 'Handshake'
16[IMV] IMV 2 "SWID" changed state of Connection ID 2 to 'Handshake'

16[TNC] received TNCCS batch (39 bytes) for Connection ID 2
16[TNC] PB-TNC state transition from 'Init' to 'Server Working'
16[TNC] processing PB-TNC CDATA batch
16[TNC] processing IETF/PB-Language-Preference message (31 bytes)
16[TNC] setting language preference to 'en'

16[TNC] creating PA-TNC message with ID 0x9c5c5488
16[TNC] creating PA-TNC attribute type 'IETF/Attribute Request' 0x000000/0x00000001
16[IMV] created PA-TNC message: => 76 bytes @ 0x73cbf0
16[IMV]    0: 01 00 00 00 9C 5C 54 88 00 00 00 00 00 00 00 01  .....\T.........
16[IMV]   16: 00 00 00 44 00 00 00 00 00 00 00 02 00 00 00 00  ...D............
16[IMV]   32: 00 00 00 04 00 00 00 00 00 00 00 03 00 00 00 00  ................
16[IMV]   48: 00 00 00 05 00 00 00 00 00 00 00 0B 00 00 00 00  ................
16[IMV]   64: 00 00 00 0C 00 00 90 2A 00 00 00 08  .......*....
16[TNC] creating PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
16[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
16[TNC] creating PB-TNC SDATA batch
16[TNC] adding IETF/PB-PA message
16[TNC] sending PB-TNC SDATA batch (108 bytes) for Connection ID 2
16[TNC] sending PT-TLS message #2 of type 'PB-TNC Batch' (124 bytes)
16[TLS] sending TLS ApplicationData record (148 bytes)

02[TLS] processing TLS ApplicationData record (268 bytes)
02[TNC] received PT-TLS message #2 of type 'PB-TNC Batch' (244 bytes)
02[TNC] received TNCCS batch (228 bytes) for Connection ID 2
02[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
02[TNC] processing PB-TNC CDATA batch
02[TNC] processing IETF/PB-PA message (220 bytes)
02[TNC] handling PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
02[IMV] IMV 1 "OS" received message for Connection ID 2 from IMC 1 to IMV 1
02[IMV] => 196 bytes @ 0x73bf90
02[IMV]    0: 01 00 00 00 AA 91 FC F0 00 00 00 00 00 00 00 02  ................
02[IMV]   16: 00 00 00 17 00 25 72 00 00 44 65 62 69 61 6E 00  .....%r..Debian.
02[IMV]   32: 00 00 00 00 00 00 04 00 00 00 19 0A 37 2E 34 20  ............7.4
02[IMV]   48: 78 38 36 5F 36 34 00 00 00 00 00 00 00 00 00 03  x86_64..........
02[IMV]   64: 00 00 00 1C 00 00 00 07 00 00 00 04 00 00 00 00  ................
02[IMV]   80: 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 24  ...............$
02[IMV]   96: 03 01 00 00 32 30 31 34 2D 30 34 2D 31 30 54 30  ....2014-04-10T0
02[IMV]  112: 38 3A 31 32 3A 31 34 5A 00 00 00 00 00 00 00 0B  8:12:14Z........
02[IMV]  128: 00 00 00 10 00 00 00 01 00 00 00 00 00 00 00 0C  ................
02[IMV]  144: 00 00 00 10 00 00 00 00 00 00 90 2A 00 00 00 08  ...........*....
02[IMV]  160: 00 00 00 2C 61 61 62 62 63 63 64 64 65 65 66 66  ...,aabbccddeeff
02[IMV]  176: 31 31 32 32 33 33 34 34 35 35 36 36 37 37 38 38  1122334455667788
02[IMV]  192: 39 39 30 30  9900
02[TNC] processing PA-TNC message with ID 0xaa91fcf0
02[TNC] processing PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002
02[TNC] processing PA-TNC attribute type 'IETF/String Version' 0x000000/0x00000004
02[TNC] processing PA-TNC attribute type 'IETF/Numeric Version' 0x000000/0x00000003
02[TNC] processing PA-TNC attribute type 'IETF/Operational Status' 0x000000/0x00000005
02[TNC] processing PA-TNC attribute type 'IETF/Forwarding Enabled' 0x000000/0x0000000b
02[TNC] processing PA-TNC attribute type 'IETF/Factory Default Password Enabled' 0x000000/0x0000000c
02[TNC] processing PA-TNC attribute type 'ITA-HSR/Device ID' 0x00902a/0x00000008
Operating System Information¶
02[IMV] operating system name is 'Debian' from vendor Debian Project
02[IMV] operating system version is '7.4 x86_64'
02[IMV] operating system numeric version is 7.4
02[IMV] operational status: operational, result: successful
02[IMV] last boot: Apr 10 08:12:14 UTC 2014
02[IMV] IPv4 forwarding is enabled
02[IMV] factory default password is disabled
Device Identity¶
02[IMV] device ID is aabbccddeeff11223344556677889900
Policy Manager generating Workitem List¶
This is strongSwan's proprietary Configuration Management Database (CMDB) interface. Based on historical client measurement data and a set of group policies the start script generates a list of measurement workitems. In our scenario only IPv4 forwarding and SWID tags are checked.
02[IMV] assigned session ID 3 to Connection ID 2
02[IMV] running policy script: 2>&1 TNC_SESSION_ID='3' ipsec imv_policy_manager start
02[IMV] policy: imv_policy_manager start successful
02[IMV] policy: No leaks detected, 11 suppressed by whitelist
02[IMV] DREFM workitem 9
02[IMV] FWDEN workitem 10
02[IMV] SWIDT workitem 11
02[IMV] IMV 1 handles FWDEN workitem 10
02[IMV] IMV 1 handled FWDEN workitem 10: isolate - forwarding enabled
02[TNC] creating PA-TNC message with ID 0x98785488
02[TNC] creating PA-TNC attribute type 'IETF/Assessment Result' 0x000000/0x00000009
02[TNC] creating PA-TNC attribute type 'IETF/Remediation Instructions' 0x000000/0x0000000a
02[IMV] created PA-TNC message: => 117 bytes @ 0x728f50
02[IMV] 0: 01 00 00 00 98 78 54 88 00 00 00 00 00 00 00 09 .....xT.........
02[IMV] 16: 00 00 00 10 00 00 00 02 00 00 00 00 00 00 00 0A ................
02[IMV] 32: 00 00 00 5D 00 00 00 00 00 00 00 02 00 00 00 42 ...]...........B
02[IMV] 48: 49 50 20 50 61 63 6B 65 74 20 46 6F 72 77 61 72 IP Packet Forwar
02[IMV] 64: 64 69 6E 67 0A 20 20 50 6C 65 61 73 65 20 64 69 ding. Please di
02[IMV] 80: 73 61 62 6C 65 20 74 68 65 20 66 6F 72 77 61 72 sable the forwar
02[IMV] 96: 64 69 6E 67 20 6F 66 20 49 50 20 70 61 63 6B 65 ding of IP packe
02[IMV] 112: 74 73 02 65 6E ts.en
02[TNC] creating PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
02[TNC] IMV 1 is setting reason string to 'Improper OS settings were detected'
02[TNC] IMV 1 is setting reason language to 'en'
02[TNC] IMV 1 provides recommendation 'isolate' and evaluation 'non-compliant major'
Sending SWID Request
02[IMV] IMV 2 handles SWIDT workitem 11
02[IMV] IMV 2 issues SWID request 11
02[TNC] creating PA-TNC message with ID 0xb2c5708e
02[TNC] creating PA-TNC attribute type 'TCG/SWID Request' 0x005597/0x00000011
02[IMV] created PA-TNC message: => 32 bytes @ 0x737a60
02[IMV] 0: 01 00 00 00 B2 C5 70 8E 00 00 55 97 00 00 00 11 ......p...U.....
02[IMV] 16: 00 00 00 18 00 00 00 00 00 00 00 0B 00 00 00 00 ................
02[TNC] creating PB-PA message type 'TCG/SWID' 0x005597/0x00000003
02[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
02[TNC] creating PB-TNC SDATA batch
02[TNC] adding PB-PA message
02[TNC] adding PB-PA message
02[TNC] sending PB-TNC SDATA batch (205 bytes) for Connection ID 2
02[TNC] => 205 bytes @ 0x6f8480
02[TNC] 0: 02 80 00 02 00 00 00 CD 80 00 00 00 00 00 00 01 ................
02[TNC] 16: 00 00 00 8D 00 00 00 00 00 00 00 01 FF FF 00 01 ................
02[TNC] 32: 01 00 00 00 E9 84 5D 2F 00 00 00 00 00 00 00 09 ......]/........
02[TNC] 48: 00 00 00 10 00 00 00 02 00 00 00 00 00 00 00 0A ................
02[TNC] 64: 00 00 00 5D 00 00 00 00 00 00 00 02 00 00 00 42 ...]...........B
02[TNC] 80: 49 50 20 50 61 63 6B 65 74 20 46 6F 72 77 61 72 IP Packet Forwar
02[TNC] 96: 64 69 6E 67 0A 20 20 50 6C 65 61 73 65 20 64 69 ding. Please di
02[TNC] 112: 73 61 62 6C 65 20 74 68 65 20 66 6F 72 77 61 72 sable the forwar
02[TNC] 128: 64 69 6E 67 20 6F 66 20 49 50 20 70 61 63 6B 65 ding of IP packe
02[TNC] 144: 74 73 02 65 6E 80 00 00 00 00 00 00 01 00 00 00 ts.en...........
02[TNC] 160: 38 00 00 55 97 00 00 00 03 FF FF 00 02 01 00 00 8..U............
02[TNC] 176: 00 FF 7D 72 78 00 00 55 97 00 00 00 11 00 00 00 ..}rx..U........
02[TNC] 192: 18 00 00 00 00 00 00 00 0B 00 00 00 00 .............
02[TNC] sending PT-TLS message #3 of type 'PB-TNC Batch' (221 bytes)
02[TLS] sending TLS ApplicationData record (272 bytes)
01[TLS] processing buffered TLS ApplicationData record (16408 bytes)
01[TNC] received PT-TLS message #3 of type 'PB-TNC Batch' (127188 bytes)
01[TLS] processing buffered TLS ApplicationData record (16408 bytes)
01[TLS] processing buffered TLS ApplicationData record (16408 bytes)
01[TLS] processing buffered TLS ApplicationData record (16408 bytes)
01[TLS] processing buffered TLS ApplicationData record (16408 bytes)
01[TLS] processing buffered TLS ApplicationData record (16408 bytes)
01[TLS] processing buffered TLS ApplicationData record (16408 bytes)
01[TLS] processing buffered TLS ApplicationData record (12524 bytes)
01[TNC] received TNCCS batch (127172 bytes) for Connection ID 2
01[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
01[TNC] processing PB-TNC CDATA batch
01[TNC] processing IETF/PB-PA message (127164 bytes)
Receiving SWID Tag Inventory
01[TNC] handling PB-PA message type 'TCG/SWID' 0x005597/0x00000003
01[IMV] IMV 2 "SWID" received message for Connection ID 2 from IMC 2 to IMV 2
01[IMV] => 127140 bytes @ 0x7c75b0
01[TNC] processing PA-TNC message with ID 0xb2b6857c
01[TNC] processing PA-TNC attribute type 'TCG/SWID Tag Inventory' 0x005597/0x00000014
Human-Readable SWID Tags
01[IMV] received SWID tag inventory for request 11 at eid 1 of epoch 0x2aae207d
01[IMV] <?xml version='1.0' encoding='UTF-8'?>
01[IMV] <SoftwareIdentity name="acpi-support-base" uniqueId="debian_7.4-x86_64-acpi-support-base-0.140-5" version="0.140-5" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd">
01[IMV] <Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" />
01[IMV] </SoftwareIdentity>
01[IMV] <?xml version='1.0' encoding='UTF-8'?>
01[IMV] <SoftwareIdentity name="acpid" uniqueId="debian_7.4-x86_64-acpid-1:2.0.16-1+deb7u1" version="1:2.0.16-1+deb7u1" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd">
01[IMV] <Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" />
01[IMV] </SoftwareIdentity>
...
01[IMV] <?xml version='1.0' encoding='UTF-8'?>
01[IMV] <SoftwareIdentity name="zlib1g-dev" uniqueId="debian_7.4-x86_64-zlib1g-dev-1:1.2.7.dfsg-13" version="1:1.2.7.dfsg-13" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd">
01[IMV] <Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" />
01[IMV] </SoftwareIdentity>
361 of the 362 received SWID tags were generated by the Debian dpkg package manager in the new ISO/IEC 19770-2:2014 format. Since they are not stored in a file, they have an empty (zero-length) Tag File Path field.
The last tag collected is the traditional ISO/IEC 19770-2:2009 encoded strongSwan tag:
01[IMV] <?xml version="1.0" encoding="utf-8"?>
01[IMV] <software_identification_tag xmlns="http://standards.iso.org/iso/19770/-2/2009/schema.xsd">
01[IMV] <entitlement_required_indicator>true</entitlement_required_indicator>
01[IMV] <product_title>strongSwan</product_title>
01[IMV] <product_version>
01[IMV] <name>5.2.0dr1</name>
01[IMV] <numeric>
01[IMV] <major>5</major>
01[IMV] <minor>2</minor>
01[IMV] <build>0</build>
01[IMV] <review>dr1</review>
01[IMV] </numeric>
01[IMV] </product_version>
01[IMV] <software_creator>
01[IMV] <name>strongSwan Project</name>
01[IMV] <regid>regid.2004-03.org.strongswan</regid>
01[IMV] </software_creator>
01[IMV] <software_licensor>
01[IMV] <name>strongSwan Project</name>
01[IMV] <regid>regid.2004-03.org.strongswan</regid>
01[IMV] </software_licensor>
01[IMV] <software_id>
01[IMV] <unique_id>strongSwan-5-2-0dr1</unique_id>
01[IMV] <tag_creator_regid>regid.2004-03.org.strongswan</tag_creator_regid>
01[IMV] </software_id>
01[IMV] <tag_creator>
01[IMV] <name>strongSwan Project</name>
01[IMV] <regid>regid.2004-03.org.strongswan</regid>
01[IMV] </tag_creator>
01[IMV] </software_identification_tag>
extracted from a swidtag file with the Tag File Path:
/usr/local/share/regid.2004-03.org.strongswan/regid.2004-03.org.strongswan_strongSwan-5-2-0dr1.swidtag
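The difference between tags with and without a Tag File Path can be checked by decoding the 'TCG/SWID Tag Inventory' attribute itself. The Python below is an added example, not strongSwan code: all function names are its own, the field layout (8-byte PA-TNC header, 12-byte attribute header, 16-byte inventory header, then per tag a 2-byte path length, the path, a 4-byte tag length and the tag) is an assumption of the example, and `build_sample()` constructs a two-tag message that reuses the IDs shown in the log. Every length is bounds-checked, because the inventory is supplied by the endpoint under assessment.

```python
import struct

TCG_PEN, SWID_TAG_INVENTORY = 0x005597, 0x14  # 'TCG/SWID Tag Inventory' in the log

class ParseError(ValueError):
    pass

def take(buf, off, n):
    """Return (buf[off:off+n], new offset); never read past the end of buf."""
    if off + n > len(buf):
        raise ParseError(f"need {n} bytes at offset {off}, only {len(buf) - off} left")
    return buf[off:off + n], off + n

def parse_pa_tnc(msg):
    """Split a PA-TNC message into (message ID, [(vendor, type, value), ...])."""
    hdr, off = take(msg, 0, 8)                      # version, 3 reserved, message ID
    if hdr[0] != 1:
        raise ParseError(f"unexpected PA-TNC version {hdr[0]}")
    attrs = []
    while off < len(msg):
        ahdr, off = take(msg, off, 12)              # flags, vendor(3), type(4), length(4)
        atype, alen = struct.unpack(">II", ahdr[4:])
        if alen < 12:                               # length includes the 12-byte header
            raise ParseError(f"attribute length {alen} shorter than its header")
        value, off = take(msg, off, alen - 12)
        attrs.append((int.from_bytes(ahdr[1:4], "big"), atype, value))
    return struct.unpack(">I", hdr[4:])[0], attrs

def parse_swid_inventory(value):
    """Decode the inventory value: 16-byte header, then tag_count (path, tag) records."""
    hdr, off = take(value, 0, 16)
    tag_count = int.from_bytes(hdr[1:4], "big")     # byte 0 is reserved
    request_id, epoch, last_eid = struct.unpack(">III", hdr[4:])
    tags = []
    for _ in range(tag_count):
        raw, off = take(value, off, 2)              # Tag File Path length
        path, off = take(value, off, int.from_bytes(raw, "big"))
        raw, off = take(value, off, 4)              # tag length
        tag, off = take(value, off, int.from_bytes(raw, "big"))
        tags.append((path.decode("utf-8", "replace"), tag))
    if off != len(value):
        raise ParseError(f"{len(value) - off} trailing bytes after {tag_count} tags")
    return {"request_id": request_id, "epoch": epoch, "last_eid": last_eid, "tags": tags}

def tag_format(tag):
    """Classify a tag by its root element, where the two formats on the page differ."""
    roots = {b"<SoftwareIdentity ": "2014", b"<software_identification_tag ": "2009"}
    return next((fmt for root, fmt in roots.items() if root in tag), "unknown")

def build_sample():
    """Constructed two-record message in the assumed layout (the real one holds 362 tags)."""
    ns = b"http://standards.iso.org/iso/19770/-2/%d/schema.xsd"
    dpkg_tag = b'<SoftwareIdentity name="acpid" xmlns="' + ns % 2014 + b'"/>'
    file_tag = b'<software_identification_tag xmlns="' + ns % 2009 + b'"/>'
    path = (b"/usr/local/share/regid.2004-03.org.strongswan/"
            b"regid.2004-03.org.strongswan_strongSwan-5-2-0dr1.swidtag")
    value = struct.pack(">IIII", 2, 11, 0x2AAE207D, 1)   # count, request, epoch, last eid
    for p, t in ((b"", dpkg_tag), (path, file_tag)):
        value += struct.pack(">H", len(p)) + p + struct.pack(">I", len(t)) + t
    attr = struct.pack(">III", TCG_PEN, SWID_TAG_INVENTORY, 12 + len(value)) + value
    return struct.pack(">BxxxI", 1, 0xB2B6857C) + attr

if __name__ == "__main__":
    for vendor, atype, value in parse_pa_tnc(build_sample())[1]:
        if (vendor, atype) == (TCG_PEN, SWID_TAG_INVENTORY):
            for path, tag in parse_swid_inventory(value)["tags"]:
                print(f"ISO/IEC 19770-2:{tag_format(tag)}  path={path or '(none)'}")
```

A tag count larger than the records actually present, or a length field pointing past the end of the attribute, raises `ParseError` instead of returning a partial inventory.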
01[IMV] IMV 2 handled SWIDT workitem 11: allow - received inventory of 362 SWID tags
01[TNC] creating PA-TNC message with ID 0xc928920a
01[TNC] creating PA-TNC attribute type 'IETF/Assessment Result' 0x000000/0x00000009
01[IMV] created PA-TNC message: => 24 bytes @ 0x73a990
01[IMV] 0: 01 00 00 00 C9 28 92 0A 00 00 00 00 00 00 00 09 .....(..........
01[IMV] 16: 00 00 00 10 00 00 00 00 ........
01[TNC] creating PB-PA message type 'TCG/SWID' 0x005597/0x00000003
01[TNC] IMV 2 provides recommendation 'allow' and evaluation 'compliant'
Policy Manager integrating Measurement Results
01[IMV] running policy script: 2>&1 TNC_SESSION_ID='3' ipsec imv_policy_manager stop
01[IMV] policy: imv_policy_manager stop successful
01[IMV] IMV 1 "OS" changed state of Connection ID 2 to 'Isolated'
01[IMV] IMV 2 "SWID" changed state of Connection ID 2 to 'Isolated'
01[TNC] PB-TNC state transition from 'Server Working' to 'Decided'
01[TNC] creating PB-TNC RESULT batch
01[TNC] adding IETF/PB-PA message
01[TNC] adding IETF/PB-Assessment-Result message
01[TNC] adding IETF/PB-Access-Recommendation message
01[TNC] adding IETF/PB-Reason-String message
01[TNC] sending PB-TNC RESULT batch (141 bytes) for Connection ID 2
01[TNC] sending PT-TLS message #4 of type 'PB-TNC Batch' (157 bytes)
01[TLS] sending TLS ApplicationData record (181 bytes)
Closing PT-TLS Connection
10[TLS] processing TLS ApplicationData record (48 bytes)
10[TNC] received PT-TLS message #4 of type 'PB-TNC Batch' (24 bytes)
10[TNC] received TNCCS batch (8 bytes) for Connection ID 2
10[TNC] PB-TNC state transition from 'Decided' to 'End'
10[TNC] processing PB-TNC CLOSE batch
10[TNC] final recommendation is 'isolate' and evaluation is 'non-compliant major'
10[TNC] PT-TLS connection terminates
10[IMV] IMV 1 "OS" deleted the state of Connection ID 2
10[IMV] IMV 2 "SWID" deleted the state of Connection ID 2
10[TNC] removed TNCCS Connection ID 2
10[TLS] sending TLS close notify
10[TLS] sending TLS Alert record (26 bytes)
Terminating the strongSwan Policy Decision Point
00[DMN] signal of type SIGINT received. Shutting down
00[IMV] IMV 2 "SWID" terminated
00[TNC] removed TCG attributes
00[LIB] libpts terminated
00[IMV] IMV 1 "OS" terminated
00[TNC] removed IETF attributes
00[TNC] removed ITA-HSR attributes
00[LIB] libimcv terminated
PT-TLS Configuration Parameters
The complete configuration parameters for this example scenario can be found here.