On Mon, Mar 30, 2015 at 08:17:03PM -0400, Arran Cudbard-Bell wrote:
Maybe disable TLS v1.2 for compatibility...
Compatibility with what?
eapol_test, booo.
Hmmm, booo indeed.
Noticed today that with TLS 1.2 FR and eapol_test 2.4 (and so presumably wpa_supplicant) disagreed on the MPPE keys. Not sure where the fault lies there. Both were running on the same machine, linked against the same version of OpenSSL.
Only allowing TLS 1.0 and 1.1 fixed the problem.
That seems like the wrong fix :(
eapol_test also doesn't send the RFC 5077 session ticket extension in the client hello. Stupid eapol_test *grumble*.
Looks like it would be best to try and find what the actual cause is - if it's eapol_test then that should be fixed, rather than removing TLS 1.2 from FreeRADIUS. A config option in FR would IMHO be the best way for this, like the allow broken openssl one. And something that touches as little code as possible in the stable release.
This is true, and it is fixable in the config using some hidden config items :)
I'd document them and leave it as-is :) I guess the only reason to do otherwise is to stop timewasting questions being posted to this list... Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>