[RADIATOR] Apple iOS 9 and OS X El Capitan

Nick Lowe nick.lowe at lugatech.com
Fri Jul 31 09:16:10 CDT 2015


Isn't $Net::SSLeay::VERSION available, from which you could refuse to
start Radiator if Net::SSLeay <= 1.46 is detected and you can't disable
TLS 1.2?

On Fri, Jul 31, 2015 at 2:57 PM, Heikki Vatiainen <hvn at open.com.au> wrote:
> On 07/31/2015 12:11 PM, Nick Lowe wrote:
>> Surely, the best solution is to check for the availability of the
>> SSL_export_keying_material. If it is not available, disable TLS 1.2.
>
> This is certainly the best solution, provided Net::SSLeay version is at
> least 1.46. This is the first version that allows disabling TLS 1.2 (and
> TLS 1.1).
>
> The OpenSSL API allows creating SSL_CTX for one TLS/SSL version only, or
> for all supported versions, which means the undesired versions need to be
> disabled separately. This is why Net::SSLeay 1.46 or more recent would be
> needed.
>
> http://www.openssl.org/docs/ssl/SSL_CTX_new.html
>
>> I definitely do not think that it is a great idea to disable support
>> for TLS 1.2 by default.
>
> We'll check what can be done. Unfortunately it looks like RHEL/CentOS 6
> won't work with TLS 1.2 out of the box because of the old Net::SSLeay.
> Fortunately it appears that for more recent Net::SSLeay and OpenSSL
> combinations TLS 1.1 and 1.2 can be left enabled.
>
> Thanks,
> Heikki
>
> --
> Heikki Vatiainen <hvn at open.com.au>
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
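
The startup check discussed in this thread, as an added Perl example that is not Radiator's code and was not posted by either participant. It uses the "at least 1.46" threshold from Heikki's reply; the function name `tls12_policy` and the messages are hypothetical, and it assumes the keying material export is exposed to Perl as `Net::SSLeay::export_keying_material`.

```perl
#!/usr/bin/perl
# Added example (not Radiator code): decide at startup whether TLS 1.2 can be
# offered, based on what the installed Net::SSLeay/OpenSSL pair supports.
use strict;
use warnings;
use Net::SSLeay;

# Hypothetical helper. Returns:
#   'keep'    - keying material export is available, leave TLS 1.2 enabled
#   'disable' - no export, but this Net::SSLeay can switch TLS 1.2 off
#   'refuse'  - no export and no way to disable TLS 1.2: do not start
sub tls12_policy {
    my ($version, $have_ekm) = @_;
    return 'keep' if $have_ekm;
    (my $v = $version) =~ s/_//g;    # developer releases look like 1.46_01
    return $v >= 1.46 ? 'disable' : 'refuse';
}

Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();
Net::SSLeay::randomize();

# The XS function only exists when the binding was built against an OpenSSL
# that provides SSL_export_keying_material.
my $have_ekm = defined &Net::SSLeay::export_keying_material ? 1 : 0;
my $policy   = tls12_policy($Net::SSLeay::VERSION, $have_ekm);

die "Net::SSLeay $Net::SSLeay::VERSION cannot export keying material "
  . "and cannot disable TLS 1.2; refusing to start\n"
    if $policy eq 'refuse';

# CTX_new() negotiates every protocol version the library supports, so the
# unwanted version has to be masked out with an option afterwards.
my $ctx = Net::SSLeay::CTX_new() or die "CTX_new failed\n";

if ($policy eq 'disable') {
    # The constant is resolved at call time and croaks when unknown.
    my $no_tls12 = eval { Net::SSLeay::OP_NO_TLSv1_2() };
    die "OP_NO_TLSv1_2 is not available in this build\n"
        unless defined $no_tls12;
    Net::SSLeay::CTX_set_options($ctx, $no_tls12);
}

print "Net::SSLeay $Net::SSLeay::VERSION: TLS 1.2 policy is '$policy'\n";
Net::SSLeay::CTX_free($ctx);
```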

