[RADIATOR] ServerRADSEC: TLSv1.1 and TLSv1.2 are by default disabled even if all software supports them
Heikki Vatiainen
hvn at open.com.au
Fri Sep 23 03:05:04 CDT 2016
On 22.9.2016 11.45, Stefan Winter wrote:
> The default that "UseTLS" should trigger is: all TLS versions that are
> supported in the system.
Agreed. The current UseTLS behaviour is to do what it has done since it
was first implemented: enable TLS 1.0.
We could, for example, enable all TLS protocols when UseTLS is set and
log a message that TLS_Protocols should be used instead for better
control of supported versions.
Now when some TLS versions are showing their age and TLS 1.3 is
upcoming, it's good to have a way to tell what exactly is wanted.
> Silently pinning 1.0 is an invitation to continue use of old and weak
> crypto protocols.
>
> Maybe this default could be changed in later versions...
Yes, I'll see that this gets attention.
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
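The point of the thread, that a bare UseTLS silently pins a RadSec listener to TLS 1.0 while TLS_Protocols spells the versions out, is the kind of thing worth checking across a configuration file rather than by memory. The script below is an added example for this page, not Radiator code and not written by either poster. It assumes Radiator's clause syntax (`<ServerRADSEC> ... </ServerRADSEC>`, one `Parameter value` per line, `#` comment lines) and a comma-separated TLS_Protocols value; the sample configuration is constructed, and the "UseTLS alone means TLSv1 only" rule encodes the behaviour Heikki describes in this message, which the thread itself says may change in later versions.

```python
"""Audit Radiator-style clauses for implicit TLS version pinning.

Added example, not Radiator's own code. Encodes the behaviour described in
the thread: with only 'UseTLS' set the listener enables TLS 1.0 alone, while
'TLS_Protocols' selects versions explicitly. The clause syntax and the
comma-separated TLS_Protocols format are assumptions about the file format.
"""
import re

KNOWN_PROTOCOLS = ("TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}

# Constructed sample configuration, not taken from any real deployment.
SAMPLE_CONFIG = """\
# RadSec listener relying on the old UseTLS default
<ServerRADSEC>
    Port 2083
    UseTLS
    TLS_CertificateFile %D/certificates/cert-srv.pem
    TLS_PrivateKeyFile %D/certificates/cert-srv.pem
</ServerRADSEC>

# Same listener with the versions spelled out
<ServerRADSEC>
    Port 2084
    UseTLS
    TLS_Protocols TLSv1.1, TLSv1.2
    TLS_CertificateFile %D/certificates/cert-srv.pem
</ServerRADSEC>

# Listener without UseTLS: nothing TLS-related to report
<ServerRADSEC>
    Port 2085
</ServerRADSEC>
"""

_OPEN = re.compile(r"^<(\w+)(?:\s+[^>]*)?>$")
_CLOSE = re.compile(r"^</(\w+)>$")


def parse_clauses(text):
    """Return [(clause_name, {param: value})] for each top-level clause.

    Nested clauses are stored in the enclosing clause's dict under their own
    name; a bare flag such as 'UseTLS' gets the empty string as its value.
    """
    clauses, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _OPEN.match(line)
        if m:
            stack.append((m.group(1), {}))
            continue
        m = _CLOSE.match(line)
        if m:
            if not stack or stack[-1][0] != m.group(1):
                raise ValueError(f"unexpected close tag {line}")
            name, params = stack.pop()
            if stack:
                stack[-1][1][name] = params
            else:
                clauses.append((name, params))
            continue
        if not stack:
            raise ValueError(f"parameter outside any clause: {line}")
        key, _, value = line.partition(" ")
        stack[-1][1][key] = value.strip()
    if stack:
        raise ValueError(f"unterminated clause <{stack[-1][0]}>")
    return clauses


def effective_tls_protocols(params):
    """Versions the clause would enable; None when UseTLS is not set."""
    if "UseTLS" not in params:
        return None
    explicit = params.get("TLS_Protocols", "")
    if explicit:
        return frozenset(p.strip() for p in explicit.split(",") if p.strip())
    # Behaviour described in the thread: bare UseTLS pins TLS 1.0 only.
    return frozenset({"TLSv1"})


def audit(text):
    """Return one finding per clause whose TLS version setup needs attention."""
    findings = []
    for name, params in parse_clauses(text):
        protos = effective_tls_protocols(params)
        if protos is None:
            continue
        label = f"<{name}> Port {params.get('Port', '?')}"
        if "TLS_Protocols" not in params:
            findings.append(f"{label}: UseTLS without TLS_Protocols, "
                            f"implicitly pinned to TLSv1")
            continue
        unknown = protos - set(KNOWN_PROTOCOLS)
        if unknown:
            findings.append(f"{label}: unrecognised TLS_Protocols entries "
                            f"{sorted(unknown)}")
        legacy = protos & LEGACY_PROTOCOLS
        if legacy:
            findings.append(f"{label}: enables legacy versions {sorted(legacy)}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against a real radius.cfg, the first finding type is the one this thread is about: a listener that works with every peer today but is only ever negotiating TLS 1.0. The fix is the explicit TLS_Protocols line from the second clause, adjusted to the versions your peers actually support.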