<div dir="ltr"><div><div>Alan and Arran,<br><br>Please may I suggest that you consider changing the default cipher suites configuration in FreeRADIUS 2.x and 3.x to use Mozilla's intermediate compatibility (default) set to encourage the use of better cipher suites that use ECDHE, GCM and PFS?<br><br>See <a href="https://wiki.mozilla.org/Security/Server_Side_TLS">https://wiki.mozilla.org/Security/Server_Side_TLS</a><br><br>This is:<br><br>ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA<br><br></div>This is fully compatible all the way back to Windows XP where 3DES will be used.<br><br></div><div>It also brings FreeRADIUS into compliance with the very likely upcoming:<br><br><a href="https://datatracker.ietf.org/doc/draft-ietf-tls-prohibiting-rc4/">https://datatracker.ietf.org/doc/draft-ietf-tls-prohibiting-rc4/</a><br></div><div><br></div><div>Cheers,<br></div><div><br></div>Nick<br></div>
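<div>An added example, not part of the original message and not FreeRADIUS code: a Python check that expands the cipher string proposed above with the local OpenSSL build and reports which suites it actually enables, whether any weak families survive the exclusions, and which suite is preferred first. The function names and the weak-family marker list are assumptions made for this sketch.</div>

```python
import ssl

# Cipher string quoted in the message above (Mozilla "intermediate" set).
MOZILLA_INTERMEDIATE = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:"
    "DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:"
    "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)

# Assumed marker list: substrings of OpenSSL suite names for the families
# the string's "!" rules are meant to exclude.
WEAK_MARKERS = ("RC4", "MD5", "NULL", "EXP", "ADH", "AECDH", "PSK")


def expand(cipher_string):
    """Return the pre-TLS 1.3 suites the local OpenSSL enables, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites (names starting with TLS_) are not governed by this string.
    return [c["name"] for c in ctx.get_ciphers()
            if not c["name"].startswith("TLS_")]


def audit(cipher_string):
    """Summarise what the string enables on this OpenSSL build."""
    names = expand(cipher_string)
    return {
        "suites": names,
        "weak": [n for n in names if any(m in n for m in WEAK_MARKERS)],
        "pfs": [n for n in names if n.startswith(("ECDHE-", "DHE-"))],
        "first": names[0] if names else None,
    }


if __name__ == "__main__":
    report = audit(MOZILLA_INTERMEDIATE)
    print("enabled suites:", len(report["suites"]))
    print("forward-secret suites:", len(report["pfs"]))
    print("weak suites:", report["weak"] or "none")
    print("first preference:", report["first"])
```

The enabled list varies with the OpenSSL version in use: tokens naming suites the build no longer ships are skipped when the string is parsed.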