Re: Algorithm used by FreeRADIUS to choose cipher suite used with EAP-TLS/TTLS



Alan DeKok wrote:

Walter Goulet wrote:
How does FreeRADIUS's rlm_eap module choose the cipher suite used for
EAP-TLS/TTLS sessions?

 It relies on OpenSSL to do the negotiation.

RFC 2246 for TLS states that the client presents the list of
ciphersuites supported to the server and the server picks one that it
supports.

Is there a way to configure FreeRADIUS to only use a specific set of
ciphersuites? The goal is that in some cases it may be desirable to
restrict incoming clients to use a particular suite.

 Yes.  See "cipher_list" in eap.conf.  It's documented.

 Alan DeKok.
--
 http://deployingradius.com       - The web site of the book
 http://deployingradius.com/blog/ - The blog

Thanks much Alan; I was looking at my older FreeRADIUS install (1.1.1!) which didn't have this described in eap.conf. I see it in the latest version.

Walter
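
An added illustration, not part of the original thread and not FreeRADIUS code: since the negotiation is left to OpenSSL and "cipher_list" takes an OpenSSL cipher string, Python's `ssl` module (also backed by OpenSSL) can show which suites a candidate value selects and whether a given client's offer still overlaps with it. The cipher strings and client labels are constructed sample values, and the check covers only the suite lists, not certificate type or protocol version.

```python
import ssl


def expand(cipher_list):
    """Return the TLS 1.2-and-earlier suite names an OpenSSL cipher string selects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError as exc:
        raise ValueError(f"cipher string selects nothing: {cipher_list!r}") from exc
    # OpenSSL configures TLS 1.3 suites separately from this string, so they
    # are left out of the result.
    names = [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    if not names:
        raise ValueError(f"cipher string selects nothing: {cipher_list!r}")
    return names


def shared_suites(server_cipher_list, client_cipher_list):
    """Suites the client offers that the server's restricted list also permits.

    The result keeps the client's order. An empty list means the handshake
    has no suite in common and the client would be rejected.
    """
    allowed = set(expand(server_cipher_list))
    return [name for name in expand(client_cipher_list) if name in allowed]


if __name__ == "__main__":
    # Constructed sample value for cipher_list: a single permitted suite.
    SERVER = "ECDHE-RSA-AES128-GCM-SHA256"
    # Constructed sample client offers (hypothetical supplicants).
    CLIENTS = {
        "supplicant-a": "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256",
        "supplicant-b": "ECDHE-RSA-AES256-GCM-SHA384",
    }
    print("server permits:", expand(SERVER))
    for label, offer in CLIENTS.items():
        common = shared_suites(SERVER, offer)
        verdict = ", ".join(common) if common else "no common suite, handshake fails"
        print(f"{label}: {verdict}")
```

Running the same check against the real client population before tightening the server's list shows which supplicants would be locked out by the change.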



