EAP-TLS with TLS 1.3

Stefan Winter stefan.winter at restena.lu
Wed Mar 14 14:57:58 CET 2018


Hi,

> Sorry, wasn’t clear.  The SSL_CTX configuration code is common for both TLS servers and TLS clients, and is used for both EAP and RADSEC. In this case FreeRADIUS would be acting as a TLS client for RADSEC.

Ah. Well the cert length considerations are really about EAP as the data
channel is so narrow and peculiar.

In a RadSec connection, length of the cert is a NOOP consideration.

Of course if you really want to have two distinct certs for actual
security reasons(?), then yes, multiple client certs would be useful there.

Stefan

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66