Re: [RADIATOR] Radiator Version 4.15 released - security fixes and enhancements

2015-07-17 Thread Heikki Vatiainen
On 16.7.2015 18.10, Hartmaier Alexander wrote:
> On 2015-07-16 15:07, Heikki Vatiainen wrote:

>> There's also an example of how to use a custom module, possibly modified
>> from Radius/LogFormat.pm, to change the formatting or add new formats.
> I know because I was the one who requested the feature and wrote the Log
> module before you added the hook ;)

Yes, this was more for the other list members :)

> Yes I know. What I'd like to have is a way to *log* the actual chosen
> cipher per EAP-TLS connection, ideally in the AuthLog file.

That's probably fairly simple to log. Not sure how to get it into the authlog,
though. I'll see what can be done for this and get back to you when I
know more. Maybe the TLS version should be available too and visible in
the debug logs.

Thanks for the suggestion.
Heikki

-- 
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, 
NetWare etc.
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator


Re: [RADIATOR] Radiator Version 4.15 released - security fixes and enhancements

2015-07-17 Thread Heikki Vatiainen
On 16.7.2015 17.04, Nick Lowe wrote:

> In conjunction with https://tools.ietf.org/html/rfc7465 , it is
> probably time for RADIUS servers to comply with this by default unless
> explicitly configured otherwise:

Thanks for the RC4 reminder Nick.

This configuration is now possible with Radiator. It's hard to say how 
the EAP clients use crypto, so the default settings still allow RC4. 
However, the Radiator default settings do not allow export and weak 
ciphers, which are still part of the default ciphersuite set in many 
currently used OSes.

The configuration examples in goodies and reference manual have this as 
an example of cipher spec: DEFAULT:!EXPORT:!LOW:!RC4

I'd say this would comply with RFC 7465 requirements.

> "o TLS servers MUST NOT select an RC4 cipher suite when a TLS client
> sends such a cipher suite in the ClientHello message.
>   o If the TLS client only offers RC4 cipher suites, the TLS server
> MUST terminate the handshake.  The TLS server MAY send the
> insufficient_security fatal alert in this case."

There are also other sources with valuable information, one of which is 
Mozilla's guide:
https://wiki.mozilla.org/Security/Server_Side_TLS

The list members may want to take a look at this document if they plan 
to experiment with TLS versions and ciphersuites.

Thanks,
Heikki

-- 
Heikki Vatiainen 
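One way to check what a cipher spec such as the DEFAULT:!EXPORT:!LOW:!RC4 example above actually enables, as an added example that is not Radiator's own code: it uses Python's ssl module, which (like Radiator's Net::SSLeay) hands the cipher string to OpenSSL, so the selected suites reflect the OpenSSL build the script runs against. The helper names are assumptions for this example.

```python
import ssl

# Cipher spec quoted from the Radiator goodies / reference manual example.
RADIATOR_EXAMPLE_SPEC = "DEFAULT:!EXPORT:!LOW:!RC4"


def enabled_ciphers(spec):
    """Return the TLS <= 1.2 suites OpenSSL selects for an OpenSSL cipher string.

    Returns [] when OpenSSL cannot select any suite for the spec, which is what
    happens on builds that have removed the suites the spec asks for.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    # TLS 1.3 suites are fixed AEAD suites chosen outside the cipher string,
    # so only the older suites are governed by the spec under review.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_cipher_spec(spec):
    """Summarise the suites a spec enables, grouped by the classes the spec excludes."""
    suites = enabled_ciphers(spec)
    return {
        "count": len(suites),
        "rc4": [c["name"] for c in suites if "RC4" in c["name"]],
        "export": [c["name"] for c in suites if c["name"].startswith("EXP")],
        # Suites offering fewer than 128 bits of symmetric strength (LOW class).
        "weak": [c["name"] for c in suites if c["strength_bits"] < 128],
    }


def rfc7465_compliant(spec):
    """True when the spec enables at least one suite and none of them uses RC4.

    A server configured this way can never select RC4, so a client that offers
    only RC4 suites gets its handshake terminated, as RFC 7465 requires.
    """
    report = audit_cipher_spec(spec)
    return report["count"] > 0 and not report["rc4"]


if __name__ == "__main__":
    for spec in (RADIATOR_EXAMPLE_SPEC, "DEFAULT", "RC4"):
        print(spec, audit_cipher_spec(spec), "RFC 7465 OK" if rfc7465_compliant(spec) else "NOT OK")
```

Run it on the host that will carry the EAP-TLS traffic, since the answer depends on that host's OpenSSL rather than on the spec string alone.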