Use Mozilla's intermediate cipher suites set by default.
Phil Mayers
p.mayers at imperial.ac.uk
Tue Nov 18 17:51:41 CET 2014
On 18/11/14 16:03, Nick Lowe wrote:
> Alan and Arran,
>
> Please may I suggest that you consider changing the default cipher

Can I make a suggestion? Don't embed a suite list at all. Instead,
comment the eap module with a link to a place, which should contain a
*current* best-practice list.

TLS is getting a lot of attention now. I think it's safe to assume one
or more ciphers will become insecure, and any list you put into default
configs, out of date.

I realise giving no default leaves you dependent on OpenSSL, and that's
not ideal - but solving the problem of stale OpenSSL defaults by
introducing FreeRADIUS defaults which then go stale is not great.

(Also, that enormous cipher list is eye-bleedingly bad; hard to read,
therefore hard to audit and manage; damn you straight to hades, OpenSSL)