Ready for 2.2.7?
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Tue Mar 31 16:01:51 CEST 2015
> On 31 Mar 2015, at 07:15, Jouni Malinen <jkmalinen at gmail.com> wrote:
>
> On Tue, Mar 31, 2015 at 1:33 PM, Nick Lowe <nick.lowe at gmail.com> wrote:
>> Isn't it about time to, by default, include TLS extensions in the Client
>> Hello and have an option to switch it off for any broken servers?
>
> Are you talking of any specific TLS extension here? It does not look
> reasonable yet to enable session tickets by default. There is not much
> real benefit from them to EAP-TLS/PEAP/TTLS (and EAP-FAST uses session
> tickets in its own peculiar ways) and since there continue to be
> reports of failures to connect to various WPA2-Enterprise networks,
> the default behavior is unlikely to change any time soon. If there are
> real use cases that would benefit from session tickets, a configurable
> option to do so could be added.
It means that session resumption works against a cluster of RADIUS servers
with a front end load balancer, without the need for a common session data
store.
Granted, that's only strictly true for EAP-TLS and EAP-TTLS/PEAP (if
anonymous outer identities are disallowed), but it's still useful.
An option to allow it would be appreciated.
If OpenSSL presented a sane API or serialised ex_data, we could've embedded
the session-state list in the ticket, and stored the inner identity too.
That would have negated the need for a common database or store for anonymous
outer identities. Unfortunately OpenSSL doesn't do either of those things...
After commenting out SSL_OP_NO_TICKET in the wpa_supplicant I can see
sessions being resumed successfully.
I've tested the case where the client presents the session ticket extension
and support is not enabled on the server, it doesn't cause issues, at least
not with OpenSSL 1.0.1f. Other SSL implementations or versions might not be
so forgiving.
-Arran
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 872 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20150331/2dbd0e75/attachment.sig>
More information about the Freeradius-Users
mailing list