EAP-TLS with TLS 1.3

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Mar 14 09:23:34 CET 2018



> On Mar 14, 2018, at 7:23 AM, Stefan Winter <stefan.winter at RESTENA.LU> wrote:
> 
> Hi,
> 
>> One thing that I’m slightly unsure of is whether we should allow multiple key pairs on the client side too (I did for completeness), presumably crypto agility can be utilised by both TLS peers?
> 
> I don't think that's necessary: for client cert validation, you don't
> need private keys and can already use the _dir option if you have more
> than one CA.

Sorry, wasn’t clear. The SSL_CTX configuration code is common for both TLS servers and TLS clients, and is used for both EAP and RADSEC. In this case FreeRADIUS would be acting as a TLS client for RADSEC.

-Arran

