Hello, I am just now setting up a new incarnation of our RadSEC enabled Radiator server:
Radiator 4.17, Net::SSLeay 1.78, OpenSSL 1.0.1e (newest CentOS 7.2 backports). All of which support TLS 1.2.

I use a ServerRADSEC clause with UseTLS on, but that only establishes TLS 1.0 connections. When poking the server from outside with openssl s_client -tls1_1 or -tls1_2, there is no connection, with "SSL3_GET_RECORD:wrong version number".

I was able to fix this by adding:

TLS_Protocols TLSv1, TLSv1.1, TLSv1.2

and now all is fine on all three version levels.

But: it is not exactly a "sane default" to pin all TLS to version 1.0 if newer versions are available on the system. The default that "UseTLS" should trigger is: all TLS versions that are supported in the system. Silently pinning 1.0 is an invitation to continue use of old and weak crypto protocols.

Maybe this default could be changed in later versions...

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
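The check Stefan did by hand with openssl s_client, written up as a small script so it can be repeated after every Radiator upgrade. This is an added example and is not part of Radiator or of the original post. It assumes an openssl s_client that accepts -tls1, -tls1_1 and -tls1_2 (OpenSSL 1.0.1 does), that RadSec listens on TCP 2083 (RFC 6614), and that a refused version shows up in the s_client output as one of the OpenSSL error strings matched below or as "Cipher is (NONE)"; the sample outputs used to exercise the classifier are constructed, not real captures.

```shell
#!/bin/sh
# Added example (not Radiator's own tooling): probe a RadSec listener one
# TLS version at a time and flag the "only TLS 1.0 negotiates" symptom.
# Assumptions: openssl s_client supports -tls1/-tls1_1/-tls1_2;
# RadSec port 2083; rejected handshakes leave one of the strings below
# in the s_client output.

# classify_handshake OUTPUT: prints "accepted", "rejected" or "unknown"
# for text that openssl s_client wrote. Error patterns are matched first
# because a failed handshake still prints an SSL-Session block, with the
# requested protocol version and "Cipher : 0000".
classify_handshake() {
    case "$1" in
        *"wrong version number"*|*"alert protocol version"*|*"handshake failure"*|*"Cipher is (NONE)"*)
            echo rejected ;;
        *"Cipher is "*)
            echo accepted ;;
        *)
            echo unknown ;;
    esac
}

# probe_tls_versions HOST [PORT]: one line per version, "<flag> <verdict>".
probe_tls_versions() {
    host="$1"; port="${2:-2083}"
    for flag in -tls1 -tls1_1 -tls1_2; do
        out=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1)
        printf '%s %s\n' "$flag" "$(classify_handshake "$out")"
    done
}

# pinned_to_tls10 PROBE_OUTPUT: succeeds (exit 0) when TLS 1.0 is accepted
# but neither 1.1 nor 1.2 is, i.e. the UseTLS-only default from the post.
pinned_to_tls10() {
    v10=$(printf '%s\n' "$1" | awk '$1=="-tls1"{print $2}')
    v11=$(printf '%s\n' "$1" | awk '$1=="-tls1_1"{print $2}')
    v12=$(printf '%s\n' "$1" | awk '$1=="-tls1_2"{print $2}')
    [ "$v10" = accepted ] && [ "$v11" != accepted ] && [ "$v12" != accepted ]
}

# Usage: ./radsec-tls-check.sh radsec.example.org [2083]
if [ $# -ge 1 ]; then
    result=$(probe_tls_versions "$@")
    printf '%s\n' "$result"
    if pinned_to_tls10 "$result"; then
        echo "WARNING: listener negotiates TLS 1.0 only; set TLS_Protocols in the ServerRADSEC clause"
        exit 2
    fi
fi
```

Run it against the RadSec host after the TLS_Protocols line is in place and all three probes should report "accepted"; a stock UseTLS-only configuration as described above gives "accepted" for -tls1 and "rejected" for the other two, and the script exits 2.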