On Dec 9, 2020, at 1:53 AM, Robert Hentsch-Jesse <rhentsch-jesse@phoenixcontact.com> wrote:
Unfortunately freeradius seems to ignore the settings from within /etc/ssl/openssl.cnf for its LDAPS connections.
FreeRADIUS calls libldap, which in turn *may* call OpenSSL. And OpenSSL *should* read /etc/ssl/openssl.cnf So we're stuck with the limitations of the libraries we call. And the libldap API doesn't provide a way to say "require TLS 1.2"
Does freeradius always consider these settings or do I need to configure something in freeradius also?
See above. If you want to check if FreeRADIUS eventuality reads the file, use "strace", and look for where it calls "open" on /etc/ssl/openssl.cnf If that file isn't opened, there's still not much you can do to FreeRADIUS to fix it. The problem is buried deep inside other libraries. Alan DeKok.