Use Mozilla's intermediate cipher suites set by default.

Phil Mayers p.mayers at imperial.ac.uk
Tue Nov 18 17:51:41 CET 2014


On 18/11/14 16:03, Nick Lowe wrote:
> Alan and Arran,
>
> Please may I suggest that you consider changing the default cipher

Can I make a suggestion? Don't embed a suite list at all. Instead, 
comment the eap module with a link to a place, which should contain a 
*current* best-practice list.

TLS is getting a lot of attention now. I think it's safe to assume one 
or more ciphers will become insecure, and any list you put into default 
configs, out of date.

I realise giving no default leaves you dependent on OpenSSL, and that's 
not ideal - but solving the problem of stale OpenSSL defaults by 
introducing FreeRADIUS defaults which then go stale is not great.

(Also, that enormous cipher list is eye-bleedingly bad; hard to read, 
therefore hard to audit and manage; damn you straight to Hades, OpenSSL)

