[RADIATOR] Radiator Version 4.15 released - security fixes and enhancements

Heikki Vatiainen hvn at open.com.au
Fri Jul 17 05:55:47 CDT 2015


On 16.7.2015 17.04, Nick Lowe wrote:

> In conjunction with https://tools.ietf.org/html/rfc7465 , it is
> probably time for RADIUS servers to comply with this by default unless
> explicitly configured otherwise:

Thanks for the RC4 reminder Nick.

This configuration is now possible with Radiator. It's hard to say how 
the EAP clients use crypto, so the default settings still allow RC4. 
However, the Radiator default settings do not allow export and weak 
ciphers, which are still part of the default ciphersuite set in many 
currently used OSes.

The configuration examples in goodies and the reference manual have this 
as an example cipher spec: DEFAULT:!EXPORT:!LOW:!RC4

I'd say this would comply with RFC 7465 requirements.

> "o TLS servers MUST NOT select an RC4 cipher suite when a TLS client
> sends such a cipher suite in the ClientHello message.
>   o If the TLS client only offers RC4 cipher suites, the TLS server
> MUST terminate the handshake.  The TLS server MAY send the
> insufficient_security fatal alert in this case."

There are also other sources with valuable information, one of which is 
Mozilla's guide:
https://wiki.mozilla.org/Security/Server_Side_TLS

The list members may want to take a look at this document if they plan 
to experiment with TLS versions and ciphersuites.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, 
NetWare etc.
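The post gives the cipher spec DEFAULT:!EXPORT:!LOW:!RC4 and says it should satisfy RFC 7465. The checks below are an added example (not code from the post, from Radiator, or from its goodies) that evaluates that spec against whatever OpenSSL build Python links, so a practitioner can confirm on their own server host that no RC4 or export suite survives and that a client offering only RC4 has nothing in common with the server. The two SSLContext objects stand in for the EAP-TLS/TTLS/PEAP server and the EAP client; no live handshake is performed. That the string is carried in Radiator by the EAPTLS_Ciphers parameter is an assumption made here, not something the post states.

```python
"""Evaluate an OpenSSL-style cipher spec the way a RADIUS/EAP server would.

Added example, not part of the original post or of Radiator. Uses only
Python's ssl module; results depend on the OpenSSL build Python links,
which is exactly what a deployment check needs to reflect.
"""
import ssl

# Cipher spec exactly as quoted in the post. In Radiator this string is
# assumed (not confirmed by the post) to be the value of EAPTLS_Ciphers.
STRICT_SPEC = "DEFAULT:!EXPORT:!LOW:!RC4"


def suites_for(spec, server_side=True):
    """Return the TLS cipher suite names OpenSSL enables for `spec`.

    An empty list means nothing matched on this build: set_ciphers raises
    SSLError in that case. For a client that is the "only offers RC4"
    situation in which RFC 7465 requires the server to abort.
    """
    proto = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    # get_ciphers() reports what the library really enabled, so compile-time
    # removals (RC4 is absent from OpenSSL >= 1.1.0 default builds) are
    # reflected, not just the text of the spec.
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(spec):
    """Suite names in `spec` that RFC 7465 or the post's policy forbids."""
    return [
        name
        for name in suites_for(spec)
        if "RC4" in name or name.startswith("EXP") or "NULL" in name
    ]


def min_strength_bits(spec):
    """Weakest symmetric strength OpenSSL reports for any suite in `spec`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    return min(c["strength_bits"] for c in ctx.get_ciphers())


def negotiable(server_spec, client_spec):
    """Suites both sides enable; an empty result means no handshake is possible."""
    server = set(suites_for(server_spec, server_side=True))
    client = set(suites_for(client_spec, server_side=False))
    return sorted(server & client)


if __name__ == "__main__":
    print("server spec:", STRICT_SPEC)
    print("enabled suites:", len(suites_for(STRICT_SPEC)))
    print("forbidden suites still enabled:", weak_suites(STRICT_SPEC))
    print("weakest suite (bits):", min_strength_bits(STRICT_SPEC))
    # An RC4-only client must end up with nothing in common with the server.
    print("RC4-only client can negotiate:", negotiable(STRICT_SPEC, "RC4"))
    print("default client can negotiate:",
          bool(negotiable(STRICT_SPEC, "DEFAULT")))
```

The `!EXPORT:!LOW` part is what removes the 40-bit and 56-bit suites the post mentions as still present in some OS default sets; `!RC4` is the RFC 7465 part. The same spec string can be pasted into `openssl ciphers -v '...'` for a second opinion from the command line.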

