Poodle and EAP?
Alan DeKok
aland at deployingradius.com
Mon Oct 20 13:42:56 CEST 2014
Stefan Winter wrote:
> catching up after being out of office when "Poodle" arrived.
>
> I'm wondering if FreeRADIUS is strictly enforcing TLS 1.0+ when
> negotiating a PEAP/TTLS tunnel. And if not, how to make it so :-)
From src/main/tls.c:
/*
* Set ctx_options
*/
ctx_options |= SSL_OP_NO_SSLv2;
ctx_options |= SSL_OP_NO_SSLv3;
This goes back to at least 1.x.
The poodle attack requires SSLv3. SSLv3 has been disabled for a very
long time.
Even if SSLv3 wasn't disabled, I think administrators would notice one
user having thousands of failed logins.
Alan DeKok.
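An added example (not FreeRADIUS code) of auditing an OpenSSL-backed context for the same two guards the tls.c snippet sets; it assumes Python's ssl module, whose OP_NO_SSLv2/OP_NO_SSLv3 flags map onto OpenSSL's SSL_OP_NO_SSLv2/SSL_OP_NO_SSLv3, and the weakened context is constructed here only so the audit has something to catch.

```python
"""Audit a TLS context for the SSLv2/SSLv3 guards FreeRADIUS sets in tls.c.

Added example, not FreeRADIUS code: Python's ssl.OP_NO_* flags are the same
bits as OpenSSL's SSL_OP_NO_* options, so the check is the same one.
"""
import ssl
import warnings

# The protocols a POODLE-class downgrade needs. A flag value of 0 means this
# OpenSSL build removed the protocol outright (SSL_OP_NO_SSLv2 is 0 since 1.1.0).
LEGACY_PROTOCOLS = {
    "SSLv2": ssl.OP_NO_SSLv2,
    "SSLv3": ssl.OP_NO_SSLv3,
}


def legacy_protocols_enabled(ctx):
    """Return the names of legacy protocols the context would still negotiate."""
    enabled = []
    for name, flag in LEGACY_PROTOCOLS.items():
        if flag == 0:
            continue  # compiled out of the library, cannot be negotiated at all
        if not int(ctx.options) & int(flag):
            enabled.append(name)  # guard bit is clear: still negotiable
    return enabled


def enforces_tls_only(ctx):
    """True when the context refuses SSLv2 and SSLv3, i.e. TLS 1.0+ only."""
    return not legacy_protocols_enabled(ctx)


def harden(ctx):
    """Apply the two options from tls.c: SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3."""
    with warnings.catch_warnings():
        # Python 3.10+ deprecates OP_NO_* in favour of minimum_version; the
        # bits are still honoured, and this is the form FreeRADIUS uses.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    return ctx


def weakened_context():
    """Constructed misconfiguration: a server context with the SSLv3 guard cleared."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options = int(ctx.options) & ~int(ssl.OP_NO_SSLv3)
    return ctx


def default_server_context():
    """A stock server context, to show the default already matches tls.c."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
```

Note that this audits only the option bits; a context can additionally restrict versions through minimum_version, which does not change these flags.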