[RADIATOR] Forcing Radsec connections to use specific TLS version
Stefan Paetow
Stefan.Paetow at jisc.ac.uk
Thu Feb 20 12:55:35 UTC 2020
Hi,
Sorry to bother a second time... I'm trying to ensure that we only accept (and send) Radsec traffic using only specific TLS versions.
I've created a <ServerRADSEC> entry:
<ServerRADSEC>
Identifier RADSEC
Protocol tcp
UseTLS
TLS_Protocols TLSv1.2
Secret radsec
TLS_CAFile %D/lin/the-CA.crt
TLS_CertificateFile %D/lin/the-server.pem
TLS_CertificateType PEM
TLS_PrivateKeyFile %D/lin/the-server-key.pem
TLS_PolicyOID 1.3.6.1.4.1.25178.3.1.1
TLS_RequireClientCert
TLS_Ciphers HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
#TLS_CRLCheck
#TLS_CRLFile %D/lin/CRL/cacrl.pem
</ServerRADSEC>
I understand TLS_Protocols overrides UseTLS, but I then see these messages:
Thu Feb 20 12:46:41 2020: ERR: StreamTLS server error (<other server IP>:37206): -1, 1, 8720,
Thu Feb 20 12:46:41 2020: ERR: StreamTLS server error (<other server IP>:37204): -1, 1, 8720,
Thu Feb 20 12:46:41 2020: ERR: StreamTLS server error (<other server IP>:37200): -1, 1, 8720,
Is that the other server saying "Sorry, I don't understand", or is this an error on my side that my server can't create a TLS 1.2 connection?
When I disable TLS_Protocols (by commenting it out), all returns to normal.
Am I misunderstanding the documentation?
With Kind Regards
Stefan Paetow
Federated Roaming Technical Specialist
t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp at jabber.dev.ja.net
skype: stefan.paetow.janet
jisc.ac.uk
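The log lines above leave open which side refused the handshake. As an added example (not from the original post and not Radiator's own code), here is a small Go program that answers that question for any TLS peer: a stand-in server pinned to a single protocol version, the way TLS_Protocols TLSv1.2 pins the <ServerRADSEC>, and a probe that attempts one handshake per version and reports which ones the peer completes. The loopback address, port and self-signed certificate are constructed at run time and are assumptions; the "TLSv1.1"/"TLSv1.2"/"TLSv1.3" names mirror the spelling used by TLS_Protocols.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Protocol names as Radiator's TLS_Protocols spells them, mapped to Go's version constants.
var versions = map[string]uint16{"TLSv1.1": tls.VersionTLS11, "TLSv1.2": tls.VersionTLS12, "TLSv1.3": tls.VersionTLS13}

// StartPinnedServer accepts only the named version on a loopback port, like TLS_Protocols pinning a <ServerRADSEC>.
func StartPinnedServer(name string) (addr string, stop func()) {
	// Throwaway self-signed certificate (constructed at run time) so the stand-in server works offline.
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "radsec-test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		MinVersion: versions[name], MaxVersion: versions[name]}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		panic(err)
	}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			c.(*tls.Conn).Handshake() // fails with a protocol_version alert when the client's version is not allowed
			c.Close()
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }
}

// ProbeVersions tries one handshake per version against addr; certificate checks are skipped because only version agreement matters here.
func ProbeVersions(addr string) map[string]bool {
	out := map[string]bool{}
	for name, v := range versions {
		c, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true, MinVersion: v, MaxVersion: v})
		if err == nil {
			c.Close()
		}
		out[name] = err == nil
	}
	return out
}
```

Pointing ProbeVersions at a real peer's RadSec port (2083 by default) shows which versions that peer completes; a peer that answers only for versions you have excluded is the "I don't understand" case, while a pinned local server that completes nothing points at the local certificate or key setup instead.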