aland at deployingradius.com
Mon Jun 29 17:26:01 CEST 2020
On Jun 29, 2020, at 11:01 AM, Vieri via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> Unfortunately, I can't grab a packet trace just yet until I locate one of those devices (custom external firmware). I'll have a look at it asap.
Ah... custom firmware. :(
> In the meantime, maybe setting cipher_list = "ALL" can be more permissive than "DEFAULT", but I'm guessing I won't have much luck because the most reasonable set that might be excluded is LOW, but "As of OpenSSL 1.0.2g, these are disabled in default builds".
> These devices have started to fail when I upgraded my FreeRADIUS server (openssl, etc.). So I'm guessing I'm missing some old insecure ciphers in openssl. Now convince the vendor to upgrade their client systems...
That sounds like the issue.
More information about the Freeradius-Users