Choice of TLS ciphersuite

Michael Griego mgriego at utdallas.edu
Sat Mar 18 21:00:15 CET 2006


I had a patch to do this a while back but never got around to putting
it in...  It's based on the pre-libeaptls stuff that Alan did, but
here's the diff if you want it.  It will at least give you an idea of
what needs to be done.  I'll see about adding it to the CVS head at
some point.

--Mike

--- rlm_eap_tls.c       2005-03-30 16:19:21.000000000 -0600
+++ rlm_eap_tls.c.new   2005-03-30 16:19:21.000000000 -0600
@@ -63,6 +63,8 @@
           offsetof(EAP_TLS_CONF, check_crl), NULL, "no"},
         { "check_cert_cn", PW_TYPE_STRING_PTR,
           offsetof(EAP_TLS_CONF, check_cert_cn), NULL, NULL},
+       { "cipher_list", PW_TYPE_STRING_PTR,
+         offsetof(EAP_TLS_CONF, cipher_list), NULL, NULL},
         { NULL, -1, 0, NULL, NULL }           /* end the list */
};
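Review bot: the `offsetof(EAP_TLS_CONF, cipher_list)` in the new entry needs a matching `char *cipher_list;` member in EAP_TLS_CONF, and no hunk touching the header that defines that struct is included in the diff, so as posted the module will not compile. A NULL default is the right choice, since it keeps OpenSSL's built-in list whenever the option is absent, but the new option should also go into the module's sample configuration with a note that the value is an OpenSSL cipher-list string, so administrators know what format to write.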
@@ -155,6 +157,7 @@
                 return NULL;
         }
         SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf- 
 >ca_file));
+       }
         /*
          * Set the password to load private key
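Review bot: the only change in this hunk is a lone `}` inserted after the `SSL_CTX_set_client_CA_list()` call, and it closes no brace opened here; it reads as the closing brace of the `if (conf->cipher_list) {` block that the next hunk leaves open, landed about a hundred lines too early. Drop it here and close that block where it belongs. The hunk header also announces six old lines but only four context lines survive, and the `conf->ca_file` expression is wrapped across two lines, so this part of the diff was mangled by the mailer and will have to be applied by hand rather than with patch(1).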
@@ -255,6 +258,15 @@
                 return NULL;
         }
+       /*
+        * Set the cipher list if we were told to
+        */
+       if (conf->cipher_list) {
+               if (!SSL_CTX_set_cipher_list(ctx, conf->cipher_list)) {
+                       radlog(L_ERR, "rlm_eap_tls: Error setting  
cipher list");
+                       return NULL;
+               }
+
         return ctx;
}
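Review bot: the `if (conf->cipher_list) {` block is never closed before `return ctx;` (the `}` that should follow the inner `if` was added in the previous hunk instead), so the function will not compile as shown; add the closing brace after the inner block. The radlog() string literal is also split across two lines by the mailer and must be rejoined when applying. Two smaller points: on failure, log the offending `conf->cipher_list` value and the OpenSSL reason (ERR_error_string(ERR_get_error(), NULL)), otherwise an administrator gets only "Error setting cipher list" with no hint which token was wrong; and SSL_CTX_set_cipher_list() only restricts which suites the server is willing to use, it does not by itself make the server's order win over the supplicant's ClientHello order, which is what SSL_OP_CIPHER_SERVER_PREFERENCE (set with SSL_CTX_set_options()) controls, so this patch answers the "which suites" half of Thomas's question but not the ordering half on its own.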



On Mar 18, 2006, at 3:41 AM, Thomas Otto wrote:

> Hi all! I'd like to do some EAP method performance measurements
> with wpa_supplicant and freeradius.
>
> In the ClientHello, the supplicant sends a list of ciphersuites,
> with the most preferred on top, it begins with
>
> Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
> Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
> Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
> Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
> Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
> Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
>
> The freeradius server, however, always selects 0x0035.
>
> Where can I modify the choice on the freeradius side?
>
> Thanks
> Thomas
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ 
> devel.html
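Because the patch hands the `cipher_list` value straight to SSL_CTX_set_cipher_list() and bails out of module initialisation when OpenSSL rejects it, it is worth checking a candidate string before putting it in the server configuration. The following is an added example, not code from this post, from FreeRADIUS or from OpenSSL: it uses Python's `ssl` module, which wraps the same OpenSSL call, to show what a cipher-list string expands to, in what order, and whether the suites the supplicant listed in its ClientHello (OpenSSL's names for 0x0039, 0x0038 and 0x0035 are DHE-RSA-AES256-SHA, DHE-DSS-AES256-SHA and AES256-SHA) are still selectable. All function names and the sample cipher strings are this example's own, and which of the older CBC suites the local OpenSSL still enables depends on its build and security level.

```python
"""Check an OpenSSL cipher-list string before a server uses it.

Added example, not FreeRADIUS or OpenSSL code.  Python's ssl module calls
SSL_CTX_set_cipher_list() underneath, so it reports the same acceptance or
rejection the patched rlm_eap_tls would see at startup.  Function names and
the sample strings are constructed for this example.
"""
import ssl


def expand_cipher_list(cipher_string):
    """Return the ordered TLS 1.2-and-below suite names OpenSSL derives
    from cipher_string.  Raises ssl.SSLError when no cipher can be
    selected, the condition under which SSL_CTX_set_cipher_list() returns 0
    in the patch.  TLS 1.3 suites are dropped from the result because the
    cipher-list string does not govern them (OpenSSL manages those through
    a separate ciphersuites setting)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def validate_cipher_list(cipher_string):
    """True if OpenSSL accepts the string, i.e. the patch's error path
    ("Error setting cipher list", return NULL) would not be taken."""
    try:
        expand_cipher_list(cipher_string)
    except ssl.SSLError:
        return False
    return True


def missing_suites(cipher_string, required):
    """Names from `required` (OpenSSL spelling, e.g. DHE-RSA-AES256-SHA)
    that cipher_string does not select, in the order given."""
    selected = set(expand_cipher_list(cipher_string))
    return [name for name in required if name not in selected]


def server_context(cipher_string):
    """Build a server context with the list applied and the server's own
    order made authoritative.  Restricting the list alone leaves OpenSSL
    picking the first suite in the client's ClientHello order that both
    sides support; OP_CIPHER_SERVER_PREFERENCE (Python's name for
    SSL_OP_CIPHER_SERVER_PREFERENCE) makes the server's order win.  Python
    already sets it on new contexts; a raw SSL_CTX, as in the patch, does
    not, so it is set explicitly here to make the dependency visible."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def server_order_enabled(ctx):
    """True if the context will apply its own preference order."""
    return bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE)


if __name__ == "__main__":
    # Constructed candidate values for the cipher_list option.
    candidates = {
        "forward-secret AES-GCM only": "ECDHE+AESGCM:DHE+AESGCM",
        "typo that selects nothing": "NO-SUCH-CIPHER",
    }
    # OpenSSL names of the first three suites in the quoted ClientHello.
    wanted = ["DHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA", "AES256-SHA"]
    for label, value in candidates.items():
        if not validate_cipher_list(value):
            print(f"{label}: rejected by OpenSSL, would trip the radlog error")
            continue
        print(f"{label}: {expand_cipher_list(value)}")
        print(f"  supplicant suites not selected: {missing_suites(value, wanted)}")
```

Run it with the string you intend to configure; an empty selection is exactly the case the patch turns into a startup failure, and the list it prints is the order the server would prefer once server preference is switched on.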
