<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
  <title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
<br>
<br>
Alan DeKok wrote:
<blockquote cite="mid20060929054423.764EB16CBC@mail.nitros9.org"
 type="cite">
  <pre wrap="">Jason Wittlin-Cohen <a class="moz-txt-link-rfc2396E" href="mailto:jasonwc@brandeis.edu"><jasonwc@brandeis.edu></a> wrote:
  </pre>
  <blockquote type="cite">
    <pre wrap="">I noticed that the default DH keysize in FreeRadius 1.1.3 is 512 bits.
    </pre>
  </blockquote>
  <pre wrap=""><!---->
  If you're talking about the key length in the EAP-TLS module, it
looks like those aren't being used for anything.  See the source.

  It does look like the EAP-TLS code is setting a 512-bit ephemeral
RSA key, but my reading of the OpenSSL docs indicates it won't be
used, because SSL_OP_EPHEMERAL_RSA isn't being set.  So that code
could be deleted entirely.
  </pre>
</blockquote>
<blockquote cite="mid20060929054423.764EB16CBC@mail.nitros9.org"
 type="cite">
  <pre wrap="">
  </pre>
  <blockquote type="cite">
    <pre wrap="">I originally thought that the DH
keysize would be determined by the DH parameter file and only realized
that it was still using 512 bit keys when I ran freeradius in debug
mode.
    </pre>
  </blockquote>
  <pre wrap=""><!---->
  Which prints out configuration entries that aren't being used.

$ cd src/modules/rlm_eap
$ grep -r key_length .
./libeap/mppe_keys.c:   PRF(s->session->master_key, s->session->master_key_length,
./libeap/mppe_keys.c:   PRF(s->session->master_key, s->session->master_key_length,
./types/rlm_eap_tls/rlm_eap_tls.c:      { "rsa_key_length", PW_TYPE_INTEGER,
./types/rlm_eap_tls/rlm_eap_tls.c:        offsetof(EAP_TLS_CONF, rsa_key_length), NULL, "512" },
./types/rlm_eap_tls/rlm_eap_tls.c:      { "dh_key_length", PW_TYPE_INTEGER,
./types/rlm_eap_tls/rlm_eap_tls.c:        offsetof(EAP_TLS_CONF, dh_key_length), NULL, "512" },
./types/rlm_eap_tls/rlm_eap_tls.h:      int             rsa_key_length;
./types/rlm_eap_tls/rlm_eap_tls.h:      int             dh_key_length;

  See?  They're config options that aren't used.  They should be deleted.
  </pre>
</blockquote>
So, if dh_key_length is being ignored, how is the DH key size
determined? By the DH parameter file?<br>
<br>
Jason<br>
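<br>
Whatever the answer for rlm_eap_tls turns out to be, the size of an ephemeral DH key in OpenSSL is the size of the prime p in the parameters handed to SSL_CTX_set_tmp_dh, so the practical check is to look at what the dh file itself contains rather than at the <tt>dh_key_length</tt> value the debug output prints. The example below is added here and is not code from the thread or from FreeRADIUS: it parses a PEM "DH PARAMETERS" file (PKCS#3 SEQUENCE of INTEGER p, INTEGER g), reports the bit length of p, and flags anything below an assumed local policy of 2048 bits. The 512-bit and 2048-bit sample files are constructed inside the block from deterministic filler; their moduli are not primes and exist only to exercise the parser.<br>
<br>
```python
import base64
import hashlib

# Assumed local policy for this example: groups under 2048 bits are rejected.
MIN_DH_BITS = 2048


def _der_len(n):
    """DER length octets (short form under 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v):
    """DER INTEGER for a non-negative value (adds a 0x00 pad when the top bit is set)."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def encode_dhparams_pem(p, g):
    """PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }, PEM-armoured."""
    inner = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(inner)) + inner
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def parse_dhparams_pem(pem):
    """Return (p, g) from a PEM 'DH PARAMETERS' block; an optional third field is ignored."""
    head, tail = "-----BEGIN DH PARAMETERS-----", "-----END DH PARAMETERS-----"
    if head not in pem or tail not in pem:
        raise ValueError("not a PEM DH PARAMETERS block")
    body = pem.split(head, 1)[1].split(tail, 1)[0]
    der = base64.b64decode("".join(body.split()))
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p, INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def dh_group_bits(pem):
    """Size of the ephemeral DH key OpenSSL derives from these parameters: bits of p."""
    p, _g = parse_dhparams_pem(pem)
    return p.bit_length()


def check_dh_file(pem, min_bits=MIN_DH_BITS):
    """(ok, bits): ok is False when the group is below the policy minimum.
    This does not verify that p is a (safe) prime; 'openssl dhparam -check' does."""
    bits = dh_group_bits(pem)
    return bits >= min_bits, bits


def _constructed_modulus(bits, label):
    """Deterministic filler with top and bottom bits set. CONSTRUCTED for the demo only:
    it is not a prime and must never be used as a real DH group."""
    raw = int.from_bytes(hashlib.shake_256(label).digest(bits // 8), "big")
    return raw | (1 << (bits - 1)) | 1


# Constructed sample files: the stale 512-bit size from the thread, and a 2048-bit one.
SAMPLE_DH_512 = encode_dhparams_pem(_constructed_modulus(512, b"weak demo group"), 2)
SAMPLE_DH_2048 = encode_dhparams_pem(_constructed_modulus(2048, b"demo group"), 2)

if __name__ == "__main__":
    for name, pem in (("512-bit sample", SAMPLE_DH_512), ("2048-bit sample", SAMPLE_DH_2048)):
        ok, bits = check_dh_file(pem)
        print(f"{name}: p is {bits} bits -> {'OK' if ok else 'REJECT (below policy)'}")
```
<br>
Run it against a real file by passing the contents of the dh file named in the eap-tls configuration to <tt>check_dh_file</tt>; the bit length it reports is the group size the TLS handshake will actually use. A 512-bit group is not worth keeping even if it were only the documented default, so the policy minimum here is deliberately well above it.<br>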
<br>
</body>
</html>