Ready for 2.2.7?

Arran Cudbard-Bell a.cudbardb at freeradius.org
Tue Mar 31 02:17:03 CEST 2015


> On 30 Mar 2015, at 20:09, Matthew Newton <mcn4 at leicester.ac.uk> wrote:
> 
> On Mon, Mar 30, 2015 at 07:05:06PM -0400, Arran Cudbard-Bell wrote:
>> 
>>> On Mon, Mar 30, 2015 at 01:38:01PM -0400, Alan DeKok wrote:
>>>> Any objections?  I think we're pretty much OK.
>> 
>> Maybe disable TLS v1.2 for compatibility...
> 
> Compatibility with what?

eapol_test, booo.

Noticed today that with TLS 1.2 FR and eapol_test 2.4 (and so presumably wpa_supplicant)
disagreed on the MPPE keys. Not sure where the fault lies there. Both were running on the
same machine, linked against the same version of OpenSSL.

Only allowing TLS 1.0 and 1.1 fixed the problem.

eapol_test also doesn't send the RFC 5077 session ticket extension in the client hello.
Stupid eapol_test *grumble*.


> If there's a compelling security reason to get rid of it then by
> all means. Otherwise I would freeze v2 as-is. If there is
> something in v2 that currently breaks stuff, all the more reason to
> leave it there :)

This is true, and it is fixable in the config using some hidden config items :)

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
