AES-GCM

[Phil Mayers]

On 24/05/13 12:47, Pieter Hulshoff wrote:
> I guess that if we want to use AEAD cyphers we'll need to find another TLS
> library or adapt/contribute to OpenSSL?

I think they're supported as of OpenSSL 1.0.1, so merely compiling 
against that should be sufficient, but both ends then need to use TLS 
v1.2 and, as I say, most do not.

(I'm also not sure if FreeRADIUS explicitly forces a specific TLS 
version - it might, check the source code)

> The EAP-TLS Finished (type=20) are secured/signed with this negotiated cipher
> though, correct?

Off the top of my head, everything after the change cipher spec is 
encrypted with the negotiated symmetric cipher, yes.