Use Mozilla's intermediate cipher suites set by default.
Alan DeKok
aland at deployingradius.com
Tue Nov 18 19:24:55 CET 2014

Phil Mayers wrote:
> Can I make a suggestion? Don't embed a suite list at all. Instead,
> comment the eap module with a link to a place, which should contain a
> *current* best-practice list.

Asking people to read docs is a bit much...

> TLS is getting a lot of attention now. I think it's safe to assume one
> or more ciphers will become insecure, and any list you put into default
> configs, out of date.

Well, we can update then. The default should be secure as of the date
the server ships.

> (Also, that enormous cipher list is eye-bleedingly bad; hard to read,
> therefore hard to audit and manage; damn you straight to hades, OpenSSL)

For many, many reasons.

Alan DeKok.
More information about the Freeradius-Users
mailing list