EAP-TLS with TLS 1.3
Adam.Bishop at jisc.ac.uk
Mon Mar 12 11:47:17 CET 2018
On 12 Mar 2018, at 10:40, Stefan Winter <stefan.winter at restena.lu> wrote:
> Is that kind of stuff doable?
It is - a few things support key agility, most notable example off the top of my head is nginx and apache.
It requires a recent version of openssl, but for apache at least, in the configuration you just specify two cert/key statements.
I don't think EAP would be any different - the actual sequence of messages exchanged between client and server is the same as in HTTPS right?
As long as TLS1.3 doesn't push whatever heuristic is used to later in the exchange, I don't see that it would be any more difficult to support both ECDSA and RSA simultaneously.
As far as I know, the process is transparent to the client.
gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
More information about the Freeradius-Devel