Choice of TLS ciphersuite
Hi all! I'd like to do some EAP method performance measurements with wpa_supplicant and freeradius. In the ClientHello, the supplicant sends a list of ciphersuites, with the most preferred on top, it begins with Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038) Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016) Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013) Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) The freeradius Server, however, always selects 0x0035. Where can I modify on freeradius side the choice? Thanks Thomas
I had a patch to do this a while back but never got around to putting
it in... Its based on the pre-libeaptls stuff that Alan did, but
here's the diff if you want it. It will at least give you an idea of
what needs to be done. I'll see about adding it to the CVS head at
some point.
--Mike
--- rlm_eap_tls.c 2005-03-30 16:19:21.000000000 -0600
+++ rlm_eap_tls.c.new 2005-03-30 16:19:21.000000000 -0600
@@ -63,6 +63,8 @@
offsetof(EAP_TLS_CONF, check_crl), NULL, "no"},
{ "check_cert_cn", PW_TYPE_STRING_PTR,
offsetof(EAP_TLS_CONF, check_cert_cn), NULL, NULL},
+ { "cipher_list", PW_TYPE_STRING_PTR,
+ offsetof(EAP_TLS_CONF, cipher_list), NULL, NULL},
{ NULL, -1, 0, NULL, NULL } /* end the list */
};
@@ -155,6 +157,7 @@
return NULL;
}
SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf-
>ca_file));
+ }
/*
* Set the password to load private key
@@ -255,6 +258,15 @@
return NULL;
}
+ /*
+ * Set the cipher list if we were told to
+ */
+ if (conf->cipher_list) {
+ if (!SSL_CTX_set_cipher_list(ctx, conf->cipher_list)) {
+ radlog(L_ERR, "rlm_eap_tls: Error setting
cipher list");
+ return NULL;
+ }
+
return ctx;
}
On Mar 18, 2006, at 3:41 AM, Thomas Otto wrote:
> Hi all! I'd like to do some EAP method performance measurements
> with wpa_supplicant and freeradius.
>
> In the ClientHello, the supplicant sends a list of ciphersuites,
> with the most preferred on top, it begins with
>
> Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
> Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
> Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
> Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
> Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
> Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
>
> The freeradius Server, however, always selects 0x0035.
>
> Where can I modify on freeradius side the choice?
>
> Thanks
> Thomas
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/
> devel.html
Michael Griego <mgriego@utdallas.edu> wrote:
I had a patch to do this a while back but never got around to putting it in... Its based on the pre-libeaptls stuff that Alan did, but here's the diff if you want it. It will at least give you an idea of what needs to be done. I'll see about adding it to the CVS head at some point.
Cool. Let's add it to branch_1_1 & the CVS head. Are there docs for what format the cipher list should be in? Alan DeKok.
On Mar 30, 2006, at 8:56 PM, Alan DeKok wrote:
Cool. Let's add it to branch_1_1 & the CVS head.
Alright... It should be an easy add.
Are there docs for what format the cipher list should be in?
man 1 ciphers Comes in the man pages from the openssl package. Look at the section titled "CIPHER STRINGS". --Mike
On Mar 30, 2006, at 9:11 PM, Michael Griego wrote:
On Mar 30, 2006, at 8:56 PM, Alan DeKok wrote:
Cool. Let's add it to branch_1_1 & the CVS head.
Alright... It should be an easy add.
I've added it to the CVS head but its not tested. I assume it will work as it worked before and the other code hasn't changed enough to make it not work. Anyway, as it hasn't been actually fired up yet, I haven't added it to branch_1_1. --Mike
participants (3)
-
Alan DeKok -
Michael Griego -
Thomas Otto