OpenSSL 1.1.0 support

Arran Cudbard-Bell a.cudbardb at freeradius.org
Sun Apr 3 21:10:41 CEST 2016


> On 2 Apr 2016, at 21:39, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
> 
> 
>> On 1 Apr 2016, at 14:01, Matthew Newton <mcn4 at leicester.ac.uk> wrote:
>> 
>> On Fri, Apr 01, 2016 at 10:34:51AM -0600, Arran Cudbard-Bell wrote:
>>> There's now support for OpenSSL 1.1.0-pre4 in v3.1.x.
>> 
>> Nice.
>> 
>>> Our basic EAP test suite passes, but it would be useful if those
>>> who rely heavily on TLS could test this out in their lab
>>> environment.
>> 
>> I'll try and check it out here in the next couple of weeks if I
>> get a spare 10 minutes.
> 
> Thanks Alan B/Matthew!

Whilst I was digging through the 1.1.0 I found some undocumented callbacks added for EAP-FAST that allow you to construct custom session tickets.

This may allow us to serialize &session-state:[*] in the session ticket, and have the supplicant hand back any authorization info required when they resume their session :)

I'm sure there's a reason why this is a terrible idea from a security (or other) perspective, but I've not figured it out yet. If anyone else has any views on it, I'd appreciate the feedback.

Not sure of what the limit on serialised data would be, extension length is 2^24, guessing the record layer can fragment extensions, else that size wouldn't make sense.  The real limit would probably be the number of roundtrips :)

Although Session-Tickets are 'obsoleted' in TLS 1.3 (or at least the latest draft), a very similar ticket-based mechanism is provided.

0RTT and 1RTT modes in TLS 1.3 look very nice! Should be possible to get EAP-TLS/EAP-TTLS resumed in two rounds!

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
