[RADIATOR] Radiator Version 4.15 released - security fixes and enhancements
Heikki Vatiainen
hvn at open.com.au
Fri Jul 17 05:55:47 CDT 2015
On 16.7.2015 17.04, Nick Lowe wrote:
> In conjunction with https://tools.ietf.org/html/rfc7465 , it is
> probably time for RADIUS servers to comply with this by default unless
> explicitly configured otherwise:
Thanks for the RC4 reminder Nick.
This configuration is now possible with Radiator. It's hard to say how
the EAP clients use crypto, so the default settings still allow RC4.
However, the Radiator default settings do not allow export and weak
ciphers, which are still part of the default ciphersuite set in many
currently used OSes.
The configuration examples in goodies and reference manual have this as
an example of cipher spec: DEFAULT:!EXPORT:!LOW:!RC4
I'd say this would comply with RFC 7465 requirements.
> "o TLS servers MUST NOT select an RC4 cipher suite when a TLS client
> sends such a cipher suite in the ClientHello message.
> o If the TLS client only offers RC4 cipher suites, the TLS server
> MUST terminate the handshake. The TLS server MAY send the
> insufficient_security fatal alert in this case."
There are also other sources with valuable information, one of which is
Mozilla's guide:
https://wiki.mozilla.org/Security/Server_Side_TLS
The list members may want to take a look at this document if they plan
to experiment with TLS versions and ciphersuites.
Thanks,
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
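An added example, not from Radiator or the goodies: it expands an OpenSSL cipher string such as the DEFAULT:!EXPORT:!LOW:!RC4 spec mentioned above through Python's ssl module and reports whether the resulting suite list meets the RFC 7465 requirement (no RC4 suite can ever be selected, and at least one suite remains so the handshake is not doomed). Which suites come back depends on the OpenSSL version Python is linked against.

```python
import ssl


def selected_suites(spec: str) -> list[str]:
    """Expand an OpenSSL cipher string into the suite names it selects.

    Returns an empty list when OpenSSL rejects the spec because no suite
    matches; a server configured that way would fail every handshake.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()]


def rfc7465_violations(spec: str) -> list[str]:
    """RC4 suites a server using this spec could still select."""
    return [name for name in selected_suites(spec) if "RC4" in name]


def complies_with_rfc7465(spec: str) -> bool:
    """True when the spec selects at least one suite and none of them is RC4."""
    suites = selected_suites(spec)
    return bool(suites) and not any("RC4" in name for name in suites)


if __name__ == "__main__":
    # The three specs below are constructed for illustration: the OpenSSL
    # default, the goodies example, and an RC4-only spec a server must reject.
    for spec in ("DEFAULT", "DEFAULT:!EXPORT:!LOW:!RC4", "RC4"):
        print(f"{spec!r}: {len(selected_suites(spec))} suites, "
              f"RC4 leftovers={rfc7465_violations(spec)}, "
              f"RFC 7465 ok={complies_with_rfc7465(spec)}")
```

On OpenSSL 1.1.0 and later RC4 is already outside DEFAULT, so the !RC4 entry then changes nothing but documents the intent; on older builds it is what actually removes the suites.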