Dear all,

A quick question: Does Radiator support TLS 1.1 and TLS 1.2 with the TLS-based EAP types that it implements when paired with a feature-capable version of OpenSSL?

The FreeRADIUS maintainers found that the code was calling TLSv1_method() rather than the very poorly named SSLv23_method(), inadvertently prohibiting the use of the newer TLS versions. When SSLv23_method() is called, SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 are specified to prohibit the use of these old protocols. This is documented at https://www.openssl.org/docs/ssl/SSL_CTX_new.html

The upcoming FreeRADIUS 2.2.6 and 3.0.5 releases will allow TLS 1.1 and TLS 1.2 to be used by EAP clients, and by default:

https://github.com/FreeRADIUS/freeradius-server/commit/d56fb1b5fa81ec25fddb9216ce1cf46eb2d99de9
2.x: https://github.com/FreeRADIUS/freeradius-server/commit/7d6344df30097df946010b2eac011cb9a480bec8
3.x: https://github.com/FreeRADIUS/freeradius-server/commit/d9a285ca285148a2fb122b18f73ab0cbffbc12f0

Microsoft also now support TLS 1.1 and TLS 1.2 with their TLS-based EAP implementations when configured through a TlsVersion bit flags-based DWORD in the Registry. [This covers Network Policy Server (NPS) therefore...]

See "More Information" towards the end of https://support.microsoft.com/kb/2977292

As somebody who is not yet familiar with Radiator, I am therefore curious what the state of play is.

Thanks!

Nick
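A simplified model of the negotiation behaviour described in the message above, added here as an illustration; it is not code from the post, FreeRADIUS or OpenSSL. The enum, the structs, `negotiate()`, `server_before()` and `server_after()` are hypothetical names standing in for the choice of method and the SSL_OP_NO_* options, and the bit values are constructed, not OpenSSL's.

```c
/* Constructed model of TLS version negotiation; makes no OpenSSL calls. */
#include <stdio.h>

enum ver { NONE = 0, SSL3 = 1, TLS10 = 2, TLS11 = 3, TLS12 = 4 };

/* Model option bit: a stand-in for SSL_OP_NO_SSLv3, not its real value. */
#define NO_SSL3 (1u << SSL3)

struct server {
    enum ver fixed;     /* non-zero: version-specific method, as with TLSv1_method() */
    unsigned disabled;  /* versions switched off (flexible method only) */
    enum ver highest;   /* highest version the linked library implements */
};

struct client { enum ver min, max; };

/* Returns the negotiated version, or NONE if the handshake would be refused. */
enum ver negotiate(struct server s, struct client c)
{
    if (s.fixed != NONE)  /* pinned server: exactly one version or nothing */
        return (c.min <= s.fixed && s.fixed <= c.max) ? s.fixed : NONE;
    /* flexible server: highest version both sides allow, skipping disabled ones */
    for (int v = (c.max < s.highest ? c.max : s.highest); v >= (int)c.min; v--)
        if (!(s.disabled & (1u << v)))
            return (enum ver)v;
    return NONE;
}

/* Before: pinned to TLS 1.0 even though the library implements TLS 1.2. */
struct server server_before(void) { struct server s = { TLS10, 0, TLS12 }; return s; }

/* After: flexible method with SSLv3 switched off (SSLv2 is outside this model). */
struct server server_after(void) { struct server s = { NONE, NO_SSL3, TLS12 }; return s; }

int main(void)
{
    static const char *name[] = { "refused", "SSLv3", "TLS 1.0", "TLS 1.1", "TLS 1.2" };
    /* Constructed clients: TLS 1.0 to 1.2, TLS 1.2 only, SSLv3 only. */
    struct client clients[] = { { TLS10, TLS12 }, { TLS12, TLS12 }, { SSL3, SSL3 } };
    for (int i = 0; i < 3; i++)
        printf("client %s..%s: before=%s after=%s\n",
               name[clients[i].min], name[clients[i].max],
               name[negotiate(server_before(), clients[i])],
               name[negotiate(server_after(), clients[i])]);
    return 0;
}
```

The second client shows the operational effect of the pinned method: an EAP client that insists on TLS 1.2 cannot complete a handshake at all until the server uses the version-flexible method.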
