Use Mozilla's intermediate cipher suites set by default.
Nick Lowe
nick.lowe at gmail.com
Tue Nov 18 17:03:15 CET 2014
Alan and Arran,
Please may I suggest that you consider changing the default cipher suites
configuration in FreeRADIUS 2.x and 3.x to use Mozilla's intermediate
compatibility (default) set to encourage the use of better cipher suites
that use ECDHE, GCM and PFS?
See https://wiki.mozilla.org/Security/Server_Side_TLS
This is:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
This is fully compatible all the way back to Windows XP, where 3DES will be used.
It also brings FreeRADIUS into compliance with the very likely upcoming:
https://datatracker.ietf.org/doc/draft-ietf-tls-prohibiting-rc4/
Cheers,
Nick
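As an added check (example code, not part of Nick's message or the FreeRADIUS project), this asks the OpenSSL linked into Python to expand the cipher string above and reports whether the result excludes RC4, MD5, export, single-DES, PSK, anonymous and null suites, leads with ECDHE, and still keeps the static-RSA suites needed for old clients:

```python
import ssl

# The cipher string proposed in the message (Mozilla "intermediate" set, Nov 2014).
MOZILLA_INTERMEDIATE_2014 = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:"
    "!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)

# Name fragments that identify suites the string is meant to exclude
# (RC4, MD5, export grade, single DES, PSK, anonymous DH/ECDH, null encryption).
FORBIDDEN_MARKERS = ("RC4", "MD5", "EXP-", "DES-CBC-", "PSK", "ADH-", "AECDH-", "NULL")


def expand_cipher_string(cipher_string):
    """Return the TLS<=1.2 suites the linked OpenSSL selects, in priority order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are fixed and not governed by this string, so drop them.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_names):
    """Split the expanded list into forbidden hits, PFS suites and legacy (static RSA) suites."""
    hits = [n for n in cipher_names if any(m in n for m in FORBIDDEN_MARKERS)]
    pfs = [n for n in cipher_names if n.startswith(("ECDHE-", "DHE-"))]
    legacy = [n for n in cipher_names if n not in pfs]
    return {"forbidden": hits, "pfs": pfs, "legacy": legacy}


if __name__ == "__main__":
    names = expand_cipher_string(MOZILLA_INTERMEDIATE_2014)
    report = audit(names)
    print("first suite offered:", names[0])
    print("forbidden suites:", report["forbidden"] or "none")
    print("PFS suites: %d, legacy RSA-only suites: %d"
          % (len(report["pfs"]), len(report["legacy"])))
```

The exact list depends on the OpenSSL build (3DES, DSS and Camellia suites may be compiled out or blocked by the security level), which is why the script audits what the library actually selects rather than the string itself.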