On 16.02.2015 16:43, Alan DeKok wrote:
On Feb 16, 2015, at 8:41 AM, Iliya Peregoudov <iperegudov@cboss.ru> wrote:
Recently browsers start to refuse SSL 3.0 cipher suites. Maybe your supplicants do join the trend?
SSL 3.0 has always been forbidden for EAP-TLS, PEAP, etc.
I think you talk about the protocol. I talk about cipher suites. FreeRADIUS disables SSLv2 and SSLv3 *protocols* using SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 OpenSSL context options. But it does not disable SSLv2 and SSLv3 cipher suites. cipher suites are set in eap module configuration as cipher_list = "DEFAULT". This will result in all cipher suites, SSLv2, SSLv3, TLSv1, TLSv1.2, etc. I think Clement can try to set it to cipher_list = "DEFAULT:!SSLv2:!SSLv3". Maybe that helps him, I don't know.