Reduce TLS Handshake Certificate Request Types and Hash Algorithms?

Alan DeKok aland at
Thu Jun 10 21:21:01 CEST 2021

On Jun 10, 2021, at 3:15 PM, James Ko <jim.list at> wrote:
>> See "cipher_list" in mods-enabled/eap.  The string contents are passed directly to OpenSSL.  See the OpenSSL documentation for what names to use, and how to format them.
> I have cipher_list="ECDHE-ECDSA-AES128-CCM8" and it is the only Cipher Suites listed in the Server Hello portion of the message as captured below.  I would like to also reduce the supported Certificate Hash Algorithms reported in the Certificate Request portion of the TLS message.

  All of that is in the OpenSSL configuration.  FreeRADIUS doesn't create the data in the certificate request.  OpenSSL does.

  So if there's a huge list there, you'll have to ask OpenSSL why the list for the certificate request is huge.  From what I can tell, there isn't an obvious way to control that from the OpenSSL API.  Which means it's difficult to control.

 Alan DeKok.

More information about the Freeradius-Users mailing list