Alan DeKok wrote:
Walter Goulet wrote:
How does FreeRADIUS's rlm_eap module choose the cipher suite used for EAP-TLS/TTLS sessions?
It relies on OpenSSL to do the negotiation.
RFC 2246 for TLS states that the client presents the list of ciphersuites supported to the server and the server picks one that it supports.
Is there a way to configure FreeRADIUS to only use a specific set of ciphersuites? The goal is that in some cases it may be desireable to restrict incoming clients to use a particular suite.
Yes. See "cipher_list" in eap.conf. It's documented.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks much Alan; I was looking at my older FreeRADIUS install (1.1.1!) which didn't have this described in eap.conf. I see it in the latest version. Walter