On 18/11/14 16:03, Nick Lowe wrote:
Alan and Arran,
Please may I suggest that you consider changing the default cipher
Can I make a suggestion? Don't embed a suite list at all. Instead, comment the eap module with a link to a place, which should contain a *current* best-practice list. TLS is getting a lot of attention now. I think it's safe to assume one or more ciphers will become insecure, and any list you put into default configs, out of date. I realise giving no default leaves you dependent on OpenSSL, and that's not ideal - but solving the problem of stale OpenSSL defaults by introducing FreeRADIUS defaults which then go stale is not great. (Also, that enormous cipher list is eye-bleedingly bad; hard to read, therefore hard to audit and manage; damn you straight to hades, OpenSSL)