Use Mozilla's intermediate cipher suites set by default.

Nick Lowe nick.lowe at gmail.com
Tue Nov 18 17:03:15 CET 2014


Alan and Arran,

Please may I suggest that you consider changing the default cipher suites
configuration in FreeRADIUS 2.x and 3.x to use Mozilla's intermediate
compatibility (default) set to encourage the use of better cipher suites
that use ECDHE, GCM and PFS?

See https://wiki.mozilla.org/Security/Server_Side_TLS

This is:

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

This is fully compatible all the way back to Windows XP where 3DES will be
used.

It also brings FreeRADIUS in to compliance with the very likely upcoming:

https://datatracker.ietf.org/doc/draft-ietf-tls-prohibiting-rc4/

Cheers,

Nick
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20141118/c6eb6bee/attachment.html>


More information about the Freeradius-Users mailing list