No TLS 1.2 [Solved]

David Ward daward at Brocade.COM
Tue Nov 29 01:17:10 CET 2016


Thank you. That steered me in the right direction. Here are the entries to 
make in the TLS section of eap:

disable_tlsv1_0 = no
disable_tlsv1_1 = yes
disable_tlsv1_2 = yes


Verified with trace like this:
TLSv1 Record Layer: Handshake Protocol: Server Hello
                        Content Type: Handshake (22)
                        Version: TLS 1.0 (0x0301)
                        Length: 81
                        Handshake Protocol: Server Hello
                            Handshake Type: Server Hello (2)
                            Length: 77
                            Version: TLS 1.0 (0x0301)

-David


-----Original Message-----
From: Freeradius-Users 
[mailto:freeradius-users-bounces+daward=brocade.com at lists.freeradius.org] On 
Behalf Of Alan DeKok
Sent: Thursday, November 17, 2016 5:23 PM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: No TLS 1.2

On Nov 17, 2016, at 5:08 PM, David Ward <daward at Brocade.COM> wrote:
>
> We are looking into how to change TLS behavior on radiusd. This is for
> testing purposes, so I want to intentionally only allow TLS 1.0.
> Currently running: FreeRADIUS Version 3.0.12.
>
> Is there a way to make this version only accept TLS 1.0? Right now we
> are using an older 2.x version to test this.

  In version 3, see "disable_tls" in raddb/mods-available/eap.  There are 
flags for each TLS version.

  Alan DeKok.
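
The check David did by eye in the trace can be scripted. The following is an added example, not part of the original thread or of FreeRADIUS: it parses a ServerHello record and reports the version the server selected. The function names and sample bytes are constructed for illustration, and the TLS record is assumed to have already been extracted from the reassembled EAP-TLS payload.

```python
import struct

NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
         0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def server_hello_version(record: bytes) -> str:
    """Return the protocol version selected by a ServerHello TLS record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    # The record-layer version is not authoritative, so it is ignored here.
    ctype, _record_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 22 or len(body) != rec_len or rec_len < 4:
        raise ValueError("not a complete handshake record")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if body[0] != 2 or len(hello) != hs_len or hs_len < 38:
        raise ValueError("not a complete ServerHello")
    version = int.from_bytes(hello[:2], "big")
    pos = 2 + 32                  # skip server_version and random
    pos += 1 + hello[pos]         # skip session_id
    pos += 2 + 1                  # skip cipher_suite and compression_method
    if pos + 2 <= len(hello):     # extensions block is optional
        end = min(len(hello), pos + 2 + int.from_bytes(hello[pos:pos + 2], "big"))
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            # TLS 1.3 reports 0x0303 above and puts the real version in
            # the supported_versions extension (type 43).
            if ext_type == 43 and ext_len == 2 and pos + 6 <= end:
                version = int.from_bytes(hello[pos + 4:pos + 6], "big")
            pos += 4 + ext_len
    return NAMES.get(version, hex(version))

def build_sample(version: int, ext: bytes = b"\xff\x01\x00\x01\x00") -> bytes:
    """Constructed ServerHello record for the demo, not captured traffic."""
    hello = (version.to_bytes(2, "big") + bytes(32) + b"\x20" + bytes(32)
             + b"\x00\x2f\x00" + len(ext).to_bytes(2, "big") + ext)
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, 0x0301, len(handshake)) + handshake

if __name__ == "__main__":
    print(server_hello_version(build_sample(0x0301)))
```

The default sample has the same record and handshake lengths (81 and 77) as the trace above.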

