Thank you. That steered me in the right direction. Here are the entries to make in the TLS section of eap: disable_tlsv1_0 = no disable_tlsv1_1 = yes disable_tlsv1_2 = yes Verified with trace like this: TLSv1 Record Layer: Handshake Protocol: Server Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 81 Handshake Protocol: Server Hello Handshake Type: Server Hello (2) Length: 77 Version: TLS 1.0 (0x0301) -David -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+daward=brocade.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Thursday, November 17, 2016 5:23 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: No TLS 1.2 On Nov 17, 2016, at 5:08 PM, David Ward <daward@Brocade.COM> wrote:
We are looking into how to change TLS behavior on radiusd. This is for testing purpose, so I want to intentionally only allow TLS 1.0. Currently running: FreeRADIUS Version 3.0.12.
Is there a way to make this version only accept TLS 1.0, right now we are using older 2.x version to test this.
In version 3, see "disable_tls" in raddb/mods-available/eap. There are flags for each TLS version. Alan DeKok. - List info/subscribe/unsubscribe? See https://urldefense.proofpoint.com/v2/url?u=http-3A__www.freeradius.org_list_...