[EMAIL PROTECTED] wrote:
> thank you Alan for your responsible reporting of this issue,
> as anyone using FreeRADIUS with EAP-TLS etc will be using OpenSSL
> anyone on any platform with a weak key method needs to know
> this issue.

I've updated the main web page, too.

> I note that various OpenSSL-using tools are being updated to detect
> such weak keys - eg OpenVPN on ubuntu - and if they detect
> them, they won't start (reporting a direct error about
> such keys) - will FreeRADIUS also adopt this policy?

Er... send a patch?

A quick look at the documentation for "openssl-vulnkey" and friends isn't helpful. They check a key against a list of blacklisted keys... and don't give much more information about blacklisting keys. i.e. it's up to you to generate the list of blacklisted keys. The tool can then be used to check the key.

For RADIUS purposes, I don't see much use in this. There's usually only one server key, and maybe a self-signed cert key. Once those are re-generated and deployed, you're done. There's not much need to check blacklists for keys.

The blacklist is more useful for client software like a supplicant. And even there, it's likely easier just to replace the old RADIUS server key with the new one.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
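As an added illustration of the blacklist check discussed above (example code written for this page, not from the thread or from FreeRADIUS/openssl-vulnkey itself): the fingerprint derivation is an assumption about how openssl-vulnkey works (SHA-1 over the "Modulus=..." line printed by `openssl rsa -noout -modulus`, keeping the last 20 hex digits), and the moduli and blacklist below are constructed sample data.

```python
"""Blacklist-style weak-key check for an RSA server key, modelled on
openssl-vulnkey: fingerprint the modulus, look it up in a blacklist,
and refuse to start if it matches (the policy OpenVPN adopted)."""
import hashlib
import re


def vulnkey_fingerprint(modulus_hex: str) -> str:
    """Assumed derivation: SHA-1 of the text "Modulus=<UPPERCASE HEX>\\n"
    exactly as `openssl rsa -noout -modulus` prints it, last 20 hex digits."""
    line = "Modulus=" + modulus_hex.upper() + "\n"
    return hashlib.sha1(line.encode("ascii")).hexdigest()[20:]


def load_blacklist(text: str) -> set:
    """Parse blacklist text: one 20-hex-digit fingerprint per line;
    '#' comments and blank lines are ignored (format assumed)."""
    entries = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        if not re.fullmatch(r"[0-9a-f]{20}", line):
            raise ValueError(f"malformed blacklist entry: {raw!r}")
        entries.add(line)
    return entries


def is_blacklisted(modulus_hex: str, blacklist: set) -> bool:
    return vulnkey_fingerprint(modulus_hex) in blacklist


def check_server_key(modulus_hex: str, blacklist: set):
    """Refuse-to-start policy: return (ok, message) for the key."""
    if is_blacklisted(modulus_hex, blacklist):
        return False, "RSA key is on the weak-key blacklist; regenerate and redeploy it"
    return True, "RSA key not found in blacklist"


# Constructed sample data (not real keys): two made-up moduli, and a
# constructed blacklist that contains only the first one's fingerprint.
WEAK_MODULUS = "C0FFEE" * 8 + "01"
GOOD_MODULUS = "DEADBEEF" * 6 + "03"
SAMPLE_BLACKLIST = ("# constructed blacklist for demonstration\n"
                    + vulnkey_fingerprint(WEAK_MODULUS) + "\n")

if __name__ == "__main__":
    bl = load_blacklist(SAMPLE_BLACKLIST)
    for name, mod in (("weak", WEAK_MODULUS), ("good", GOOD_MODULUS)):
        print(name, check_server_key(mod, bl))
```

Against a real deployment you would feed in the hex from `openssl rsa -noout -modulus -in server.pem` and a blacklist generated from the known-weak key set; the point of the check is to fail loudly at startup rather than serve EAP-TLS with a predictable key.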