Jason Wittlin-Cohen <jasonwc@brandeis.edu> wrote:
I noticed that the default DH keysize in FreeRadius 1.1.3 is 512 bits.
If you're talking about the key length in the EAP-TLS module, it looks like those aren't being used for anything. See the source. It does look like the EAP-TLS code is setting a 512-bit ephemeral RSA key, but my reading of the OpenSSL docs indicates it won't be used, because SSL_OP_EPHEMERAL_RSA isn't being set. So that code could be deleted entirely.
I originally thought that the DH keysize would be determined by the DH parameter file and only realized that it was still using 512 bit keys when I ran freeradius in debug mode.
Which prints out configuration entries that aren't being used. $ cd src/modules/rlm_eap $ grep -r key_length . ./libeap/mppe_keys.c: PRF(s->session->master_key, s->session->master_key_length, ./libeap/mppe_keys.c: PRF(s->session->master_key, s->session->master_key_length, ./types/rlm_eap_tls/rlm_eap_tls.c: { "rsa_key_length", PW_TYPE_INTEGER, ./types/rlm_eap_tls/rlm_eap_tls.c: offsetof(EAP_TLS_CONF, rsa_key_length), NULL, "512" }, ./types/rlm_eap_tls/rlm_eap_tls.c: { "dh_key_length", PW_TYPE_INTEGER, ./types/rlm_eap_tls/rlm_eap_tls.c: offsetof(EAP_TLS_CONF, dh_key_length), NULL, "512" }, ./types/rlm_eap_tls/rlm_eap_tls.h: int rsa_key_length; ./types/rlm_eap_tls/rlm_eap_tls.h: int dh_key_length; See? They're config options that aren't used. They should be deleted.
Also, it might be a good idea to put a comment in the TLS cipher suite comment section that the Microsoft Windows supplicant in Windows XP SP2 uses RC4-MD5 by default (TLS_RSA_WITH_RC4_128_MD5).
OK... the "cipher_list" configuration entry can be edited to force particular methods, if you so desire.
OpenSSL's 'HIGH' setting is probably the best for a Windows XP user as it uses EDH-RSA-DES-CBC3-SHA (TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA), so SHA1 is used for integrity, and DH is used for key exchange.
OK. That's good to note in the comments.
Windows XP SP2 and earlier versions of Windows do not support AES for use in any of the EAP modes. Apparently, if you want to use AES you need to upgrade to Vista (See Security in Vista
OK... Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog