Use Mozilla's intermediate cipher suites set by default.
Alan DeKok
aland at deployingradius.com
Tue Nov 18 17:22:30 CET 2014
Nick Lowe wrote:
> Alan and Arran,
>
> Please may I suggest that you consider changing the default cipher
> suites configuration in FreeRADIUS 2.x and 3.x to use Mozilla's
> intermediate compatibility (default) set to encourage the use of better
> cipher suites that use ECDHE, GCM and PFS?
>
> See https://wiki.mozilla.org/Security/Server_Side_TLS

Except that also disables the PSK cipher suites, which we absolutely
require.

And we want to disable all SSLv3 cipher suites, because EAP uses TLSv1
or later.

I am VERY wary of changing the list of cipher suites. I'd be happier
with forbidding certain ones.

Alan DeKok.