Sudden User Authentication Rejection as a result Compatibility - error
Iliya Peregoudov
iperegudov at cboss.ru
Mon Feb 16 15:09:54 CET 2015
On 16.02.2015 16:43, Alan DeKok wrote:
> On Feb 16, 2015, at 8:41 AM, Iliya Peregoudov <iperegudov at cboss.ru> wrote:
>> Recently browsers have started to refuse SSL 3.0 cipher suites. Maybe your supplicants have joined the trend?
>
> SSL 3.0 has always been forbidden for EAP-TLS, PEAP, etc.
I think you are talking about the protocol. I am talking about cipher suites.
FreeRADIUS disables SSLv2 and SSLv3 *protocols* using SSL_OP_NO_SSLv2
and SSL_OP_NO_SSLv3 OpenSSL context options. But it does not disable
SSLv2 and SSLv3 cipher suites. Cipher suites are set in the eap module
configuration as cipher_list = "DEFAULT". This will result in all cipher
suites, SSLv2, SSLv3, TLSv1, TLSv1.2, etc. I think Clement can try to
set it to cipher_list = "DEFAULT:!SSLv2:!SSLv3". Maybe that helps him, I
don't know.
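
The difference between switching off a protocol version and filtering cipher suites by their version label can be inspected with Python's ssl module, which passes the same cipher strings to OpenSSL. This is an added example, not part of the original message and not FreeRADIUS code; the function names are illustrative and the suites listed depend on the local OpenSSL build.

```python
import ssl


def suites(cipher_list):
    """Map suite name -> OpenSSL protocol label for a cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)
    return {c["name"]: c["protocol"] for c in ctx.get_ciphers()}


def sslv3_protocol_disabled():
    """True if a fresh context carries the protocol-level OP_NO_SSLv3 option.

    This is the Python counterpart of SSL_OP_NO_SSLv3 named in the message;
    it is independent of which cipher suites are enabled.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    return bool(ctx.options & ssl.OP_NO_SSLv3)


def compare(before="DEFAULT", after="DEFAULT:!SSLv2:!SSLv3"):
    """Return (suites before, suites after, suites removed by the filter)."""
    a, b = suites(before), suites(after)
    removed = {name: proto for name, proto in a.items() if name not in b}
    return a, b, removed


if __name__ == "__main__":
    a, b, removed = compare()
    print("OpenSSL build:", ssl.OPENSSL_VERSION)
    print("SSLv3 protocol disabled by option:", sslv3_protocol_disabled())
    print("suites with DEFAULT:", len(a))
    print("suites with DEFAULT:!SSLv2:!SSLv3:", len(b))
    print("removed by the filter:")
    for name, proto in sorted(removed.items()):
        print(f"  {proto:8} {name}")
```

The protocol column is the version in which OpenSSL says a suite was introduced, so a suite labelled SSLv3 is still one that TLS 1.0 and later sessions can negotiate. Compare the "removed" list against what the supplicants offer before changing cipher_list.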