Use Mozilla's intermediate cipher suites set by default.

Alan DeKok aland at deployingradius.com
Tue Nov 18 17:22:30 CET 2014


Nick Lowe wrote:
> Alan and Arran,
> 
> Please may I suggest that you consider changing the default cipher
> suites configuration in FreeRADIUS 2.x and 3.x to use Mozilla's
> intermediate compatibility (default) set to encourage the use of better
> cipher suites that use ECDHE, GCM and PFS?
>
> See https://wiki.mozilla.org/Security/Server_Side_TLS

  Except that also disables the PSK cipher suites, which we absolutely
require.

  And we want to disable all SSLv3 cipher suites, because EAP uses TLSv1
or later.

  I am VERY wary of changing the list of cipher suites.  I'd be happier
with forbidding certain ones.

  Alan DeKok.


More information about the Freeradius-Users mailing list