On 3 Apr 2016, at 15:10, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 2 Apr 2016, at 21:39, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 1 Apr 2016, at 14:01, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Fri, Apr 01, 2016 at 10:34:51AM -0600, Arran Cudbard-Bell wrote:
There's now support for OpenSSL 1.1.0-pre4 in v3.1.x.
Nice.
Our basic EAP test suite passes, but it would be useful if those who rely heavily on TLS could test this out in their lab environment.
I'll try and check it out here in the next couple of weeks if I get a spare 10 minutes.
Thanks Alan B/Matthew!
Whilst I was digging through the 1.1.0 I found some undocumented callbacks added for EAP-FAST that allow you to construct custom session tickets.
This may allow us to serialize &session-state:[*] in the session ticket, and have the supplicant hand back any authorizational info required when they resume their session :)
I'm sure there's a reason why this is a terrible idea from a security (or other) perspective, but i've not figured it out yet. If anyone else has any views on it, i'd appreciate the feedback.
Not sure of what the limit on serialised data would be, extension length is 2^24, guessing the record layer can fragment extensions, else that size wouldn't make sense. The real limit would probably be the number of roundtrips :)
Ah in both TLS 1.3 and RFC 5077 struct { uint32 ticket_lifetime_hint; opaque ticket<0..2^16-1>; } NewSessionTicket; 16K is still useful! :) Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2