On 11/06/2014 02:36 PM, Nick Lowe wrote:
> A quick question: Does Radiator support TLS 1.1 and TLS 1.2 with the
> TLS-based EAP types that it implements when paired with a
> feature-capable version of OpenSSL?
Yes, provided a one-line patch similar to what you have described below is applied first. Now it uses TLSv1_method() directly.

> The FreeRADIUS maintainers found that the code was calling
> TLSv1_method() rather than the very poorly named SSLv23_method(),
> inadvertently prohibiting the use of the newer TLS versions.

The similar change for Radiator is to use Net::SSLeay::CTX_new(); instead. This is an alias for SSLv23_method() but looks less confusing. Since the options are already set to include SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3, a one-line change is enough.

> When SSLv23_method() is called, SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3
> are specified to prohibit the use of these old protocols.
>
> This is documented at https://www.openssl.org/docs/ssl/SSL_CTX_new.html

The respective documentation for Perl/Net-SSLeay can be found here:
https://metacpan.org/pod/Net::SSLeay#Low-level-API:-SSL_CTX_-related-functions

> The upcoming FreeRADIUS 2.2.6 and 3.0.5 releases will allow TLS 1.1
> and TLS 1.2 to be used by EAP clients, and by default:
>
> https://github.com/FreeRADIUS/freeradius-server/commit/d56fb1b5fa81ec25fddb9216ce1cf46eb2d99de9

A similar patch with a similar description will be in Radiator patches today and part of the next Radiator 4.14 release.

I did quick testing with PEAP and EAP-TTLS. For testing I used eapol_test from wpa_supplicant that was compiled to use TLS 1.1 or TLS 1.2 to see if it can authenticate against Radiator. I did additional monitoring with Wireshark. With a recent OpenSSL, eapol_test authenticated successfully with TLS 1.1 and TLS 1.2.

I tested against CentOS 5 to see how it behaves with older OpenSSL. There I was able to use only TLS 1.0. The other TLS versions failed with 'tlsv1 alert protocol version'. PEAP and EAP-TTLS gave similar results, which was expected.
> Microsoft also now support TLS 1.1 and TLS 1.2 with their TLS-based
> EAP implementations when configured through a TlsVersion bit
> flags-based DWORD in the Registry.
> [This covers Network Policy Server (NPS) therefore...]
>
> See "More Information" towards the end of
> https://support.microsoft.com/kb/2977292

Here's one additional document: Microsoft's own documentation for PEAP. It seems they still say only TLS 1.0 must be used.
http://msdn.microsoft.com/en-us/library/cc238354.aspx

Hopefully this will not cause any confusion when migrating to more recent TLS versions.

> As somebody who is not yet familiar with Radiator, I am therefore
> curious what the state of play is.

I hope I was able to help. Thanks for letting us know about this.

Heikki

--
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
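The following Perl script is an added example, not part of the original thread and not Radiator's own code. It reproduces in-process, with Net::SSLeay, the behaviour the reply describes: a server context built the old way with CTX_tlsv1_new() (TLSv1_method(), TLS 1.0 only) and one built the fixed way with CTX_new() (SSLv23_method()) plus OP_NO_SSLv2 and OP_NO_SSLv3, each handshaking over memory BIOs against a client that, like an eapol_test built for TLS 1.2, refuses TLS 1.0 and 1.1. The certificate and key file names (server.crt, server.key), the helper names, and the requirement for a Net::SSLeay recent enough to export OP_NO_TLSv1_1 are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example (not Radiator code): TLSv1_method() vs SSLv23_method()
# in Net::SSLeay terms, tested with an in-memory handshake.
use strict;
use warnings;
use Net::SSLeay;

Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();
Net::SSLeay::randomize();

# Assumption: a server certificate and key in PEM files with these names.
my $cert_file = 'server.crt';
my $key_file  = 'server.key';

sub last_error { return Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error()) }

sub load_server_credentials {
    my ($ctx) = @_;
    Net::SSLeay::CTX_use_certificate_file($ctx, $cert_file, Net::SSLeay::FILETYPE_PEM())
        or die "certificate: " . last_error();
    Net::SSLeay::CTX_use_PrivateKey_file($ctx, $key_file, Net::SSLeay::FILETYPE_PEM())
        or die "private key: " . last_error();
}

# Old style: TLSv1_method(), which pins the server to TLS 1.0 only.
sub server_ctx_tlsv1_only {
    my $ctx = Net::SSLeay::CTX_tlsv1_new() or die "CTX_tlsv1_new: " . last_error();
    load_server_credentials($ctx);
    return $ctx;
}

# Fixed style: CTX_new() is SSLv23_method(), i.e. "highest version both sides
# support"; the NO_SSLv2/NO_SSLv3 options keep the obsolete SSL versions out.
sub server_ctx_flexible {
    my $ctx = Net::SSLeay::CTX_new() or die "CTX_new: " . last_error();
    Net::SSLeay::CTX_set_options($ctx,
        Net::SSLeay::OP_NO_SSLv2() | Net::SSLeay::OP_NO_SSLv3());
    load_server_credentials($ctx);
    return $ctx;
}

# A client that, like eapol_test compiled for TLS 1.2, accepts nothing older.
sub client_ctx_tls12_only {
    my $ctx = Net::SSLeay::CTX_new() or die "CTX_new: " . last_error();
    Net::SSLeay::CTX_set_options($ctx,
          Net::SSLeay::OP_NO_SSLv2() | Net::SSLeay::OP_NO_SSLv3()
        | Net::SSLeay::OP_NO_TLSv1() | Net::SSLeay::OP_NO_TLSv1_1());
    # No certificate verification here: this example only looks at version
    # negotiation. Never do this in a production supplicant or server.
    Net::SSLeay::CTX_set_verify($ctx, Net::SSLeay::VERIFY_NONE(), undef);
    return $ctx;
}

# Move whatever one side has written into the other side's read BIO.
sub pump {
    my ($from, $to) = @_;
    while ((my $n = Net::SSLeay::BIO_pending($from)) > 0) {
        Net::SSLeay::BIO_write($to, Net::SSLeay::BIO_read($from, $n));
    }
}

# Drive one handshake entirely in memory. Returns the negotiated version on
# success, otherwise the OpenSSL error text from whichever side failed first.
sub handshake {
    my ($server_ctx, $client_ctx) = @_;
    my $srv = Net::SSLeay::new($server_ctx);
    my $cli = Net::SSLeay::new($client_ctx);
    my ($s_in, $s_out, $c_in, $c_out) =
        map { Net::SSLeay::BIO_new(Net::SSLeay::BIO_s_mem()) } 1 .. 4;
    Net::SSLeay::set_bio($srv, $s_in, $s_out);   # freed together with $srv
    Net::SSLeay::set_bio($cli, $c_in, $c_out);   # freed together with $cli
    Net::SSLeay::set_accept_state($srv);
    Net::SSLeay::set_connect_state($cli);

    my $result;
    for my $round (1 .. 10) {
        my $done = 1;
        for my $side ([$cli, $c_out, $s_in], [$srv, $s_out, $c_in]) {
            my ($ssl, $out, $peer_in) = @$side;
            my $rc = Net::SSLeay::do_handshake($ssl);
            pump($out, $peer_in);                # deliver records (and alerts)
            next if $rc == 1;
            $done = 0;
            my $err = Net::SSLeay::get_error($ssl, $rc);
            if ($err != Net::SSLeay::ERROR_WANT_READ()
             && $err != Net::SSLeay::ERROR_WANT_WRITE()) {
                $result = 'failed: ' . last_error();
                last;
            }
        }
        last if defined $result;
        if ($done) { $result = 'negotiated ' . Net::SSLeay::get_version($cli); last }
    }
    $result //= 'failed: handshake did not complete';
    Net::SSLeay::free($_) for $cli, $srv;
    return $result;
}

printf "TLSv1_method server,  TLS 1.2-only client: %s\n",
    handshake(server_ctx_tlsv1_only(), client_ctx_tls12_only());
printf "SSLv23_method server, TLS 1.2-only client: %s\n",
    handshake(server_ctx_flexible(),   client_ctx_tls12_only());
```

The first line is expected to report a protocol-version failure and the second a negotiated TLSv1.2 (or TLSv1.3 on an OpenSSL that has it), which is the difference the one-line change makes. Two caveats when running this on current systems: OpenSSL built without TLS 1.0 support has no CTX_tlsv1_new() at all, and OpenSSL 3.x disables TLS 1.0 at its default security level, so the first handshake can fail on the server side before any version negotiation happens. The error string shown is from whichever side gave up first, so it will not always read 'tlsv1 alert protocol version' as it did in the server log described above.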
