Sudden User Authentication Rejection as a result Compatibility - error

Iliya Peregoudov iperegudov at cboss.ru
Mon Feb 16 15:09:54 CET 2015


On 16.02.2015 16:43, Alan DeKok wrote:
> On Feb 16, 2015, at 8:41 AM, Iliya Peregoudov <iperegudov at cboss.ru> wrote:
>> Recently browsers start to refuse SSL 3.0 cipher suites. Maybe your supplicants do join the trend?
>
>    SSL 3.0 has always been forbidden for EAP-TLS, PEAP, etc.

I think you talk about the protocol. I talk about cipher suites. 
FreeRADIUS disables SSLv2 and SSLv3 *protocols* using SSL_OP_NO_SSLv2 
and SSL_OP_NO_SSLv3 OpenSSL context options. But it does not disable 
SSLv2 and SSLv3 cipher suites. cipher suites are set in eap module 
configuration as cipher_list = "DEFAULT". This will result in all cipher 
suites, SSLv2, SSLv3, TLSv1, TLSv1.2, etc. I think Clement can try to 
set it to cipher_list = "DEFAULT:!SSLv2:!SSLv3". Maybe that helps him, I 
don't know.



More information about the Freeradius-Users mailing list