EAP-TLS with TLS 1.3
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Wed Mar 14 16:27:04 CET 2018
> On Mar 14, 2018, at 1:57 PM, Stefan Winter <stefan.winter at RESTENA.LU> wrote:
>
> Hi,
>
>> Sorry, wasn’t clear. The SSL_CTX configuration code is common for both TLS servers and TLS clients, and is used for both EAP and RADSEC. In this case FreeRADIUS would be acting as a TLS client for RADSEC.
>
> Ah. Well the cert length considerations are really about EAP as the data
> channel is so narrow and peculiar.
>
> In a RadSec connection, length of the cert is a NOOP consideration.
>
> Of course if you really want to have two distinct certs for actual
> security reasons(?), then yes, multiple client certs would be useful there.
OK, yes, that’s what I was querying.
I guess it’d also allow you to select different certificates depending on the CA list advertised by the server, as well as different certificates for crypto agility.
-Arran
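
The selection idea raised above (pick a client certificate from the CA list the server advertises, and from the key types it accepts), as an added example that is not FreeRADIUS or OpenSSL code. The structure, function names, labels and DNs are hypothetical and constructed for illustration, and DNs are compared as plain strings rather than as parsed X.509 names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Key families the peer accepts (simplified stand-in for signature_algorithms). */
enum key_type { KEY_RSA = 1, KEY_ECDSA = 2 };

/* One configured client certificate (hypothetical structure). */
struct client_cert {
    const char *label;      /* name used in the configuration */
    const char *issuer_dn;  /* DN of the issuing CA */
    enum key_type key;
};

/* Constructed sample configuration, in order of preference. */
static const struct client_cert configured[] = {
    { "radsec-ecdsa", "CN=Example RadSec CA", KEY_ECDSA },
    { "radsec-rsa",   "CN=Example RadSec CA", KEY_RSA   },
    { "campus-rsa",   "CN=Example Campus CA", KEY_RSA   },
};

/* An empty CA list is no hint at all, so any issuer may be offered. */
static int issuer_acceptable(const char *issuer, const char *const *ca_list, size_t n_ca)
{
    if (n_ca == 0) return 1;
    for (size_t i = 0; i < n_ca; i++)
        if (strcmp(issuer, ca_list[i]) == 0) return 1;
    return 0;
}

/* First configured cert whose key type and issuer the server accepts, else NULL. */
const struct client_cert *select_client_cert(const char *const *ca_list, size_t n_ca,
                                             unsigned key_mask)
{
    for (size_t i = 0; i < sizeof(configured) / sizeof(configured[0]); i++) {
        const struct client_cert *c = &configured[i];
        if (!(key_mask & (unsigned)c->key)) continue;   /* crypto agility filter */
        if (issuer_acceptable(c->issuer_dn, ca_list, n_ca)) return c;
    }
    return NULL;  /* nothing suitable: send no client certificate */
}

int main(void)
{
    const char *const offered[] = { "CN=Example Campus CA" };  /* constructed */
    const struct client_cert *c = select_client_cert(offered, 1, KEY_RSA | KEY_ECDSA);
    printf("selected: %s\n", c ? c->label : "(none)");
    return 0;
}
```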