EAP-TLS with TLS 1.3

Stefan Winter stefan.winter at restena.lu
Wed Mar 14 14:57:58 CET 2018


> Sorry, wasn’t clear.  The SSL_CTX configuration code is common for both TLS servers and TLS clients, and is used for both EAP and RADSEC. In this case FreeRADIUS would be acting as a TLS client for RADSEC.

Ah. Well the cert length considerations are really about EAP as the data
channel is so narrow and peculiar.

In a RadSec connection, length of the cert is a NOOP consideration.

Of course if you really want to have two distinct certs for actual
security reasons(?), then yes, multiple client certs would be useful there.


Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
