Ready for 2.2.7?
Matthew Newton
mcn4 at leicester.ac.uk
Tue Mar 31 11:49:22 CEST 2015
On Mon, Mar 30, 2015 at 08:17:03PM -0400, Arran Cudbard-Bell wrote:
> >> Maybe disable TLS v1.2 for compatibility...
> >
> > Compatibility with what?
>
> eapol_test, booo.
Hmmm, booo indeed.
> Noticed today that with TLS 1.2 FR and eapol_test 2.4 (and so presumably wpa_supplicant)
> disagreed on the MPPE keys. Not sure where the fault lies there. Both were running on the
> same machine, linked against the same version of OpenSSL.
>
> Only allowing TLS 1.0 and 1.1 fixed the problem.
That seems like the wrong fix :(
> eapol_test also doesn't send the RFC 5077 session ticket extension in the client hello.
> Stupid eapol_test *grumble*.
Looks like it would be best to try and find what the actual cause
is - if it's eapol_test then that should be fixed, rather than
removing TLS 1.2 from FreeRADIUS.
A config option in FR would IMHO be the best way for this, like
the allow broken openssl one. And something that touches as little
code as possible in the stable release.
> This is true, and it is fixable in the config using some hidden config items :)
I'd document them and leave it as-is :)
I guess the only reason to do otherwise is to stop timewasting
questions being posted to this list...
Matthew
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
More information about the Freeradius-Users
mailing list