20 Oct
2014
20 Oct
'14
7:42 a.m.
Stefan Winter wrote:
catching up after being out of office when "Poodle" arrived.
I'm wondering if FreeRADIUS is strictly enforcing TLS 1.0+ when negotiating a PEAP/TTLS tunnel. And if not, how to make it so :-)
From src/main/tls.c: /* * Set ctx_options */ ctx_options |= SSL_OP_NO_SSLv2; ctx_options |= SSL_OP_NO_SSLv3; This goes back to at least 1.x. The poodle attack requires SSLv3. SSLv3 has been disabled for a very long time. Even if SSLv3 wasn't disabled, I think administrators would notice one user having 1000's of failed logins. Alan DeKok.