[RADIATOR] Certificate updates in Radiator 4.13 patches

Sami Keski-Kasari samikk at open.com.au
Fri Sep 26 03:50:12 CDT 2014


Hello all,

we have now added RSA2048/SHA256 and ECDSA(curve secp256r1)/SHA256 test
certificates to Radiator 4.13 patches.

RSA2048/SHA256 certificates require OpenSSL that includes SHA2 in
SSL_library_init() or [1]. Please note that certificates are now longer
which means when using them, for example, with PEAP there will be more
EAP fragments. Some access points might have problems with them, so if
you have not yet adjusted EAPTLS_MaxFragmentSize you may need to do so.

ECDSA(curve secp256r1)/SHA256 certificates require OpenSSL 1.0.0 or
newer. For ephemeral EC keying, the Radiator patch dated 2014-09-25 and
Net-SSLeay 1.58 or newer are required. This may be interesting for
long-lived sessions, such as RadSec links.

We have tested that Radiator supports ECDSA certificates in all SSL/TLS
related operations including RadSec, Diameter, PEAP, EAP-TTLS, EAP-TLS, etc.

Client support for ECDSA certificates seems to be widely available.
Mobile platforms such as Android versions starting from 4.1.2, iOS7/8 and
WP8 support ECDSA certificates according to our tests. Windows 7 and
modern Linux-based distributions seem to be working also.

If you are encountering fragmentation problems with RSA2048/SHA256
certificates, ECDSA certificates might be worth trying as they are
significantly shorter.

Configuration examples for EAPs, RadSec, Diameter, etc. will be updated
today.

[1] SHA-256 support can be made to work with Net-SSLeay 1.46 which
supports OpenSSL_add_all_algorithms() and a one line addition to
Radiator to call this function.

Best Regards,
 Sami

-- 
Sami Keski-Kasari <samikk at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
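
The size difference described in the message above can be measured locally. The following is an added example, not part of the original post and not Radiator's own tooling: it generates throwaway self-signed RSA-2048/SHA-256 and ECDSA P-256/SHA-256 certificates with the openssl CLI and prints each DER size with a lower bound on the fragments needed to carry that one certificate. The subject name, the function names and the fragment size of 1000 are assumptions; a real server flight also carries the rest of the chain and other handshake messages, so actual counts are higher.

```shell
#!/bin/sh
# Added example: compare the DER size of self-signed RSA-2048/SHA-256 and
# ECDSA P-256/SHA-256 test certificates (constructed subject, throwaway keys).

# make_cert <rsa|ec> <dir>: create key.pem, cert.pem, cert.der; print DER size.
make_cert() {
    kind=$1; dir=$2
    mkdir -p "$dir" || return 1
    case $kind in
        rsa) openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null ;;
        # OpenSSL's name for secp256r1 is prime256v1.
        ec)  openssl ecparam -name prime256v1 -genkey -noout \
                 -out "$dir/key.pem" 2>/dev/null ;;
        *)   return 1 ;;
    esac || return 1
    openssl req -new -x509 -sha256 -days 30 -key "$dir/key.pem" \
        -subj "/CN=radius-test.example.invalid" \
        -out "$dir/cert.pem" 2>/dev/null || return 1
    openssl x509 -in "$dir/cert.pem" -outform DER -out "$dir/cert.der" || return 1
    wc -c < "$dir/cert.der" | tr -d ' '
}

# sig_alg <cert.pem>: print the certificate's signature algorithm.
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# fragments_needed <bytes> <max_fragment_size>: ceiling division.
fragments_needed() {
    echo $(( ($1 + $2 - 1) / $2 ))
}

# compare_certs <max_fragment_size>: print size and fragment lower bound.
compare_certs() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 0; }
    tmp=$(mktemp -d) || return 1
    for kind in rsa ec; do
        size=$(make_cert "$kind" "$tmp/$kind") || { rm -rf "$tmp"; return 1; }
        echo "$kind: $size bytes DER, $(sig_alg "$tmp/$kind/cert.pem")," \
             "at least $(fragments_needed "$size" "$1") fragment(s) of $1 bytes"
    done
    rm -rf "$tmp"
}

compare_certs "${1:-1000}"   # 1000 is a sample value, not a recommendation
```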

