SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
Alan DeKok
aland at deployingradius.com
Fri Apr 15 17:08:04 CEST 2016
On Apr 14, 2016, at 9:56 PM, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
>
> Anyone see an issue with disabling TLS renegotiation by default?
>
> As far as I can tell it's not explicitly required by any EAP flavour. Not mentioned in EAP-TLS RFC, which is what most methods base their TLS wrapper on.
>
> Would seem to protect against 3SHAKE.

That flag has been removed in other OpenSSL forks. They disable renegotiation by default.

It's probably OK to add it in, with an appropriate ifdef.

Alan DeKok.
More information about the Freeradius-Users mailing list