On 07/31/2015 12:11 PM, Nick Lowe wrote:
> Surely, the best solution is to check for the availability of the
> SSL_export_keying_material. If it is not available, disable TLS 1.2.

This is certainly the best solution, provided the Net::SSLeay version is at least 1.46. This is the first version that allows disabling TLS 1.2 (and TLS 1.1). The OpenSSL API allows creating an SSL_CTX for one TLS/SSL version only, or for all supported versions, which means the undesired versions need to be disabled separately. This is why Net::SSLeay 1.46 or more recent would be needed.

http://www.openssl.org/docs/ssl/SSL_CTX_new.html

> I definitely do not think that it is a great idea to disable support
> for TLS 1.2 by default.

We'll check what can be done. Unfortunately it looks like RHEL/CentOS 6 won't work with TLS 1.2 out of the box because of the old Net::SSLeay. Fortunately it appears that for more recent Net::SSLeay and OpenSSL combinations TLS 1.1 and 1.2 can be left enabled.

Thanks,
Heikki

--
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
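The approach discussed in the message above (probe for export_keying_material, and if it is missing, create an all-versions SSL_CTX and then disable TLS 1.1 and 1.2 separately via options) can be written as follows. This is an added example, not Radiator's code and not from the thread. It assumes the Net::SSLeay function is named Net::SSLeay::export_keying_material, that the per-version constants are exposed as Net::SSLeay::OP_NO_TLSv1_1 and Net::SSLeay::OP_NO_TLSv1_2 (constants that, per the message, first became usable in Net::SSLeay 1.46), and that older Net::SSLeay builds raise an error from an unknown constant rather than return undef, which is why the probe uses eval:

```perl
#!/usr/bin/perl
# Added example, not Radiator code: choose the TLS versions to offer based on
# what this Net::SSLeay build can do (export_keying_material present or not,
# per-version OP_NO_TLSv1_x constants present or not).
use strict;
use warnings;
use Net::SSLeay;

Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();
Net::SSLeay::randomize();

# 1 if the keying-material export function is available, 0 otherwise.
# (Assumes the Net::SSLeay name is export_keying_material.)
sub have_export_keying_material {
    return Net::SSLeay->can('export_keying_material') ? 1 : 0;
}

# Probe a Net::SSLeay constant by name. Older builds croak on an unknown
# constant (assumption), so the lookup is wrapped in eval; returns the
# numeric value or undef.
sub ssleay_const {
    my ($name) = @_;
    my $value = eval { no strict 'refs'; &{"Net::SSLeay::$name"}() };
    return $@ ? undef : $value;
}

# 1 if TLS 1.1 and 1.2 can be disabled individually (Net::SSLeay >= 1.46
# per the thread), 0 otherwise.
sub can_disable_tls11_tls12 {
    return (defined ssleay_const('OP_NO_TLSv1_1')
         && defined ssleay_const('OP_NO_TLSv1_2')) ? 1 : 0;
}

# Decide the policy without touching OpenSSL, so it can be logged or tested:
#   'all'      leave TLS 1.0/1.1/1.2 enabled (keying export available)
#   'tls10'    all-versions context with TLS 1.1/1.2 disabled via options
#   'tls10only' only a TLS 1.0-only context can be built (old Net::SSLeay,
#              e.g. the RHEL/CentOS 6 case mentioned in the thread)
sub choose_policy {
    return 'all'   if have_export_keying_material();
    return 'tls10' if can_disable_tls11_tls12();
    return 'tls10only';
}

# Build the SSL_CTX for the chosen policy. Returns the context handle.
sub make_ctx {
    my $policy = choose_policy();
    my $ctx;

    if ($policy eq 'tls10only') {
        # Single-version constructor: nothing to disable afterwards.
        $ctx = Net::SSLeay::CTX_tlsv1_new()
            or die 'CTX_tlsv1_new failed: '
                 . Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error());
        return $ctx;
    }

    # All-versions context (SSLv23 method), then strip what we do not want.
    $ctx = Net::SSLeay::CTX_new()
        or die 'CTX_new failed: '
             . Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error());

    # SSLv2/SSLv3 are always disabled for a RADIUS/EAP server.
    my $opts = Net::SSLeay::OP_NO_SSLv2() | Net::SSLeay::OP_NO_SSLv3();

    if ($policy eq 'tls10') {
        # No keying-material export: drop TLS 1.1 and 1.2 as the message says.
        $opts |= ssleay_const('OP_NO_TLSv1_1') | ssleay_const('OP_NO_TLSv1_2');
    }

    Net::SSLeay::CTX_set_options($ctx, $opts);
    return $ctx;
}

my $ctx = make_ctx();
printf "Net::SSLeay %s, policy: %s\n", $Net::SSLeay::VERSION, choose_policy();
Net::SSLeay::CTX_free($ctx);
```

The policy decision is kept separate from context construction so that a deployment can log which branch it took at startup; on a host where the output is "tls10only" the fix is a newer Net::SSLeay, not a configuration change.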