[RADIATOR] ServerRADSEC: TLSv1.1 and TLSv1.2 are by default disabled even if all software supports them
Stefan Winter
stefan.winter at restena.lu
Thu Sep 22 03:45:13 CDT 2016
Hello,
I am just now setting up a new incarnation of our RadSEC enabled
Radiator server:
Radiator 4.17
Net::SSLeay 1.78
OpenSSL 1.0.1e (newest CentOS 7.2 backports)
All of which support TLS 1.2.
I use a ServerRADSEC clause with
UseTLS on
but that only establishes TLS 1.0 connections. When poking the server
from outside with openssl s_client -tls1_1 or -tls1_2 there is no
connection with "SSL3_GET_RECORD:wrong version number".
I was able to fix this by adding:
TLS_Protocols TLSv1, TLSv1.1, TLSv1.2
and now all is fine on all three version levels.
But: it is not exactly a "sane default" to pin all TLS to version 1.0 if
newer versions are available on the system.
The default that "UseTLS" should trigger is: all TLS versions that are
supported in the system.
Silently pinning 1.0 is an invitation to continue use of old and weak
crypto protocols.
Maybe this default could be changed in later versions...
Greetings,
Stefan Winter
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
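The probing the post describes (openssl s_client with -tls1_1 and -tls1_2 against the RadSec listener) can be scripted so a defender can verify the effect of TLS_Protocols after a change. This is an added example, not from the post or from Radiator; the host name and the RadSec port 2083 are assumptions, and the sample s_client outputs are constructed for the self-check.

```shell
#!/bin/sh
# Added example: probe a RadSec listener one TLS version at a time and report
# which versions it accepts. The post's fix was adding, in the ServerRADSEC
# clause:  TLS_Protocols TLSv1, TLSv1.1, TLSv1.2
# Host/port below are placeholders (radsec.example.org, 2083 assumed).

# Classify captured s_client output for one requested protocol version.
# Prints "accepted", "refused" or "unknown".
classify_sclient_output() {
    case "$1" in
        *"wrong version number"*|*"handshake failure"*|*"unsupported protocol"*)
            echo refused ;;
        *"Protocol  : TLSv1"*)
            echo accepted ;;
        *) echo unknown ;;
    esac
}

# Extract the negotiated version from the "Protocol  : TLSv1.x" summary line.
negotiated_protocol() {
    printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *\(TLSv[0-9.]*\).*/\1/p' | head -n 1
}

# Run s_client once with a version flag (-tls1, -tls1_1, -tls1_2) and classify.
# stdin is /dev/null so a successful handshake terminates immediately.
probe_version() {
    out=$(openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1) || true
    classify_sclient_output "$out"
}

# Constructed sample outputs (not real captures) for offline self-checking;
# the refused form mirrors the error quoted in the post.
SAMPLE_REFUSED='CONNECTED(00000003)
0:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:362:'
SAMPLE_ACCEPTED='CONNECTED(00000003)
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

# Probe every version when a host is given:  ./radsec_tls_check.sh radsec.example.org 2083
# A server that answers "accepted" only for -tls1 is pinned to TLS 1.0.
if [ "$#" -ge 1 ]; then
    for flag in -tls1 -tls1_1 -tls1_2; do
        printf '%-8s %s\n' "$flag" "$(probe_version "$1" "${2:-2083}" "$flag")"
    done
fi
```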