Alan DeKok wrote:
Jason Wittlin-Cohen <jasonwc@brandeis.edu> wrote:
I noticed that the default DH keysize in FreeRadius 1.1.3 is 512 bits.
If you're talking about the key length in the EAP-TLS module, it looks like those aren't being used for anything. See the source.
It does look like the EAP-TLS code is setting a 512-bit ephemeral RSA key, but my reading of the OpenSSL docs indicates it won't be used, because SSL_OP_EPHEMERAL_RSA isn't being set. So that code could be deleted entirely.
I originally thought that the DH keysize would be determined by the DH parameter file and only realized that it was still using 512 bit keys when I ran freeradius in debug mode.
Which prints out configuration entries that aren't being used.
$ cd src/modules/rlm_eap $ grep -r key_length . ./libeap/mppe_keys.c: PRF(s->session->master_key, s->session->master_key_length, ./libeap/mppe_keys.c: PRF(s->session->master_key, s->session->master_key_length, ./types/rlm_eap_tls/rlm_eap_tls.c: { "rsa_key_length", PW_TYPE_INTEGER, ./types/rlm_eap_tls/rlm_eap_tls.c: offsetof(EAP_TLS_CONF, rsa_key_length), NULL, "512" }, ./types/rlm_eap_tls/rlm_eap_tls.c: { "dh_key_length", PW_TYPE_INTEGER, ./types/rlm_eap_tls/rlm_eap_tls.c: offsetof(EAP_TLS_CONF, dh_key_length), NULL, "512" }, ./types/rlm_eap_tls/rlm_eap_tls.h: int rsa_key_length; ./types/rlm_eap_tls/rlm_eap_tls.h: int dh_key_length;
See? They're config options that aren't used. They should be deleted.
So, if dh_key_length is being ignored, how is the DH key size determined? By the DH parameter file? Jason