OpenSSL 1.1.0 support
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Sun Apr 3 21:17:14 CEST 2016
> On 3 Apr 2016, at 15:10, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
>
>>
>> On 2 Apr 2016, at 21:39, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
>>
>>
>>> On 1 Apr 2016, at 14:01, Matthew Newton <mcn4 at leicester.ac.uk> wrote:
>>>
>>> On Fri, Apr 01, 2016 at 10:34:51AM -0600, Arran Cudbard-Bell wrote:
>>>> There's now support for OpenSSL 1.1.0-pre4 in v3.1.x.
>>>
>>> Nice.
>>>
>>>> Our basic EAP test suite passes, but it would be useful if those
>>>> who rely heavily on TLS could test this out in their lab
>>>> environment.
>>>
>>> I'll try and check it out here in the next couple of weeks if I
>>> get a spare 10 minutes.
>>
>> Thanks Alan B/Matthew!
>
> Whilst I was digging through the 1.1.0 I found some undocumented callbacks added for EAP-FAST that allow you to construct custom session tickets.
>
> This may allow us to serialize &session-state:[*] in the session ticket, and have the supplicant hand back any authorizational info required when they resume their session :)
>
> I'm sure there's a reason why this is a terrible idea from a security (or other) perspective, but I've not figured it out yet. If anyone else has any views on it, I'd appreciate the feedback.
>
> Not sure of what the limit on serialised data would be, extension length is 2^24, guessing the record layer can fragment extensions, else that size wouldn't make sense. The real limit would probably be the number of roundtrips :)

Ah, in both TLS 1.3 and RFC 5077:

    struct {
        uint32 ticket_lifetime_hint;
        opaque ticket<0..2^16-1>;
    } NewSessionTicket;

16K is still useful! :)

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
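
Added example, not part of the original post and not FreeRADIUS or OpenSSL code: the NewSessionTicket body layout quoted above, encoded and parsed in C with the length checks the two-byte `ticket` prefix requires. The names `nst_encode` and `nst_parse` and the sample bytes are hypothetical; the ticket is treated as opaque, so any encryption or integrity protection of serialized state would be applied before encoding.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NST_TICKET_MAX 0xFFFFu  /* opaque ticket<0..2^16-1> */
#define NST_HDR_LEN    6u       /* uint32 lifetime hint + uint16 ticket length */

/* Encode a NewSessionTicket body. Returns bytes written, or 0 when the
 * ticket does not fit the 16-bit length field or the output buffer. */
size_t nst_encode(uint8_t *out, size_t out_len, uint32_t hint,
                  const uint8_t *ticket, size_t ticket_len)
{
    if (ticket_len > NST_TICKET_MAX || out_len < NST_HDR_LEN + ticket_len) return 0;
    out[0] = (uint8_t)(hint >> 24); out[1] = (uint8_t)(hint >> 16);
    out[2] = (uint8_t)(hint >> 8);  out[3] = (uint8_t)hint;
    out[4] = (uint8_t)(ticket_len >> 8);
    out[5] = (uint8_t)ticket_len;
    if (ticket_len) memcpy(out + NST_HDR_LEN, ticket, ticket_len);
    return NST_HDR_LEN + ticket_len;
}

/* Parse a NewSessionTicket body. Returns 0 on success, -1 when the input is
 * truncated or the length prefix disagrees with the bytes actually present. */
int nst_parse(const uint8_t *in, size_t in_len, uint32_t *hint,
              const uint8_t **ticket, size_t *ticket_len)
{
    size_t len;
    if (in_len < NST_HDR_LEN) return -1;
    len = ((size_t)in[4] << 8) | in[5];
    if (len != in_len - NST_HDR_LEN) return -1;  /* never trust the prefix alone */
    *hint = ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
            ((uint32_t)in[2] << 8) | in[3];
    *ticket = in + NST_HDR_LEN;
    *ticket_len = len;
    return 0;
}

int main(void)
{
    /* Constructed sample: four opaque bytes standing in for serialized state. */
    const uint8_t state[] = { 0xde, 0xad, 0xbe, 0xef };
    uint8_t wire[64];
    const uint8_t *t; uint32_t hint; size_t tl;
    size_t n = nst_encode(wire, sizeof(wire), 3600, state, sizeof(state));
    if (n == 0 || nst_parse(wire, n, &hint, &t, &tl) != 0) return 1;
    printf("encoded %zu bytes, hint=%u, ticket_len=%zu\n", n, (unsigned)hint, tl);
    return 0;
}
```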