EAP-TLS with TLS 1.3

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Mar 14 16:27:04 CET 2018



> On Mar 14, 2018, at 1:57 PM, Stefan Winter <stefan.winter at RESTENA.LU> wrote:
> 
> Hi,
> 
>> Sorry, wasn’t clear.  The SSL_CTX configuration code is common for both TLS servers and TLS clients, and is used for both EAP and RADSEC. In this case FreeRADIUS would be acting as a TLS client for RADSEC.
> 
> Ah. Well the cert length considerations are really about EAP as the data
> channel is so narrow and peculiar.
> 
> In a RadSec connection, length of the cert is a NOOP consideration.
> 
> Of course if you really want to have two distinct certs for actual
> security reasons(?), then yes, multiple client certs would be useful there.

OK, yes, that’s what I was querying.

I guess it’d also allow you to select different certificates depending on the CA list advertised by the server, as well as different certificates for crypto agility.

-Arran

