The fixes for TLS based EAP methods for clients supporting TLSv1.2 that were discussed on this list are now in Radiator 4.15 patches.
The patches add better logging during radiusd startup. The Net::SSLeay version and SSL/TLS library version, if Net::SSLeay is recent enough, are now logged during the startup. The log messages will also tell if TLSv1.2 can not be enabled for TLS based EAP methods, which TLS versions are available in general (if not all) and other related information. If the SSL/TLS library and Net::SSLeay are recent enough, there is just a log message that simply announces the versions that are in use.

The EAP TLS fixes change TLS initialisation to enable only those TLS versions that are known to work. The best situation is when Net::SSLeay is 1.53 or later and SSL/TLS library is OpenSSL 1.0.1 or later. In this case Net::SSLeay will calculate the MPPE keys correctly for TLS v1.2 and all TLS versions are available. For other combinations, TLSv1.0 and TLSv1.1 may be available, or possibly just TLSv1.0.

Some examples:

- CentOS 5: Based on OpenSSL 0.9.8 series: TLSv1.0 only
- CentOS 6: Based on OpenSSL 1.0.1 series, Net::SSLeay 1.35: only TLSv1.0 is enabled for EAP based TLS methods
- CentOS 7: Based on OpenSSL 1.0.1 series, Net::SSLeay 1.55: TLSv1.0, TLSv1.1 and TLSv1.2 available for EAP based TLS methods
- Ubuntu 12.04: Based on OpenSSL 1.0.1 series, Net::SSLeay 1.42: only TLSv1.0 available for EAP based TLS methods

Since CentOS 6 and Ubuntu 12.04 come with OpenSSL 1.0.1 series, a locally installed Net::SSLeay 1.53 or later (try the latest first) should work to enable all TLS versions for EAP based TLS methods.

These changes do not affect stream based classes and protocols such as RadSec. What is addressed is the compatibility with TLS based EAP clients that support TLS v1.2 such as Apple iOS 9, OS X 10.11 El Capitan and Android 6 Marshmallow.

Thanks,
Heikki

--
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
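
A preflight check for the version condition stated in the message above (Net::SSLeay 1.53 or later with OpenSSL 1.0.1 or later), run with the same Perl that runs radiusd. This is an added example, not part of the original message and not Radiator code; the function names `eap_tls12_ready` and `library_version_number` are hypothetical.

```perl
#!/usr/bin/perl
# Added example: checks the local Perl for the version condition in the message.
use strict;
use warnings;
use Net::SSLeay;

# Thresholds taken from the message: Net::SSLeay 1.53 and OpenSSL 1.0.1.
my $MIN_NET_SSLEAY = 1.53;
my $MIN_OPENSSL    = 0x10001000;    # OPENSSL_VERSION_NUMBER encoding of 1.0.1

# Returns 1 when both thresholds are met, 0 otherwise.
# $openssl_num is undef when the library version could not be queried.
sub eap_tls12_ready {
    my ($net_ssleay, $openssl_num) = @_;
    (my $v = $net_ssleay) =~ tr/_//d;    # developer releases look like 1.86_09
    return 0 if $v < $MIN_NET_SSLEAY;
    return 0 unless defined $openssl_num;
    return $openssl_num >= $MIN_OPENSSL ? 1 : 0;
}

# Old Net::SSLeay releases do not provide SSLeay(), so probe before calling.
sub library_version_number {
    return defined &Net::SSLeay::SSLeay ? Net::SSLeay::SSLeay() : undef;
}

my $net_ssleay = $Net::SSLeay::VERSION;
my $openssl    = library_version_number();

printf "Net::SSLeay %s, SSL/TLS library %s\n", $net_ssleay,
    defined $openssl
        ? sprintf('0x%08x', $openssl)
        : 'unknown (Net::SSLeay too old to report it)';

if (eap_tls12_ready($net_ssleay, $openssl)) {
    print "OK: meets the Net::SSLeay 1.53 / OpenSSL 1.0.1 condition\n";
} else {
    print "NOT MET: not all TLS versions may be available for TLS based ",
          "EAP methods; consider a locally installed Net::SSLeay 1.53 or later\n";
    exit 1;
}
```

The exit status is non-zero when the condition is not met, so the script can gate a deployment step before radiusd is restarted with the patches.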