[RADIATOR] Apple iOS 9 and OS X El Capitan

Heikki Vatiainen hvn at open.com.au
Fri Jul 31 08:57:10 CDT 2015


On 07/31/2015 12:11 PM, Nick Lowe wrote:
> Surely, the best solution is to check for the availability of the
> SSL_export_keying_material. If it is not available, disable TLS 1.2.

This is certainly the best solution, provided Net::SSLeay version is at
least 1.46. This is the first version that allows disabling TLS 1.2 (and
TLS 1.1).

The OpenSSL API allows creating SSL_CTX for one TLS/SSL version only, or
for all supported versions, which means the undesired versions need to be
disabled separately. This is why Net::SSLeay 1.46 or more recent would be
needed.

http://www.openssl.org/docs/ssl/SSL_CTX_new.html

> I definitely do not think that it is a great idea to disable support
> for TLS 1.2 by default.

We'll check what can be done. Unfortunately it looks like RHEL/CentOS 6
won't work with TLS 1.2 out of the box because of the old Net::SSLeay.
Fortunately it appears that for more recent Net::SSLeay and OpenSSL
combinations TLS 1.1 and 1.2 can be left enabled.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
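
The check discussed in this message, as an added example (not part of the original post and not Radiator's code): probe for the exporter binding and disable TLS 1.2 only when it is missing. `new_eap_ctx` is a hypothetical name, the binding name `Net::SSLeay::export_keying_material` is an assumption, and the single-version fallback goes one step beyond what the message proposes.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::SSLeay;

Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();
Net::SSLeay::randomize();

# Hypothetical helper (not Radiator code): build an SSL_CTX and decide
# whether TLS 1.2 may be negotiated with this Net::SSLeay/OpenSSL build.
sub new_eap_ctx {
    # Assumption: the Perl binding for SSL_export_keying_material is
    # Net::SSLeay::export_keying_material and is compiled in only when
    # the underlying OpenSSL provides the function.
    if (defined &Net::SSLeay::export_keying_material) {
        my $ctx = Net::SSLeay::CTX_new() or die "CTX_new failed\n";
        return ($ctx, 'exporter available, TLS 1.2 left enabled');
    }

    # No exporter. Constants are autoloaded and croak when unknown, so
    # probe OP_NO_TLSv1_2 inside eval (older Net::SSLeay lacks it).
    my $no_tls12 = eval { Net::SSLeay::OP_NO_TLSv1_2() };
    if ($no_tls12) {
        my $ctx = Net::SSLeay::CTX_new() or die "CTX_new failed\n";
        Net::SSLeay::CTX_set_options($ctx, $no_tls12);
        return ($ctx, 'no exporter, TLS 1.2 disabled via OP_NO_TLSv1_2');
    }

    # Neither is available: fall back to a single-version context, the
    # other SSL_CTX_new mode the message mentions. This pins TLS 1.0.
    my $ctx = Net::SSLeay::CTX_tlsv1_new() or die "CTX_tlsv1_new failed\n";
    return ($ctx, 'no exporter and no OP_NO_TLSv1_2, context pinned to TLS 1.0');
}

my ($ctx, $decision) = new_eap_ctx();
printf "Net::SSLeay %s: %s\n", $Net::SSLeay::VERSION, $decision;
Net::SSLeay::CTX_free($ctx);
```

Logging the decision at startup makes it visible when a server has silently dropped to an older protocol version because of its library combination.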

