On 16.7.2015 17.04, Nick Lowe wrote:

> In conjunction with https://tools.ietf.org/html/rfc7465 , it is
> probably time for RADIUS servers to comply with this by default unless
> explicitly configured otherwise:

Thanks for the RC4 reminder Nick. This configuration is now possible with Radiator. It's hard to say how the EAP clients use crypto, so the default settings still allow RC4. However, the Radiator default settings do not allow export and weak ciphers, which are still part of the default ciphersuite set in many currently used OSes.

The configuration examples in the goodies and the reference manual have this as an example of a cipher spec:

  DEFAULT:!EXPORT:!LOW:!RC4

I'd say this would comply with the RFC 7465 requirements:

> "o TLS servers MUST NOT select an RC4 cipher suite when a TLS client
> sends such a cipher suite in the ClientHello message.
> o If the TLS client only offers RC4 cipher suites, the TLS server
> MUST terminate the handshake. The TLS server MAY send the
> insufficient_security fatal alert in this case."

There are also other sources with valuable information, one of which is Mozilla's guide:

https://wiki.mozilla.org/Security/Server_Side_TLS

The list members may want to take a look at this document if they plan to experiment with TLS versions and ciphersuites.

Thanks,
Heikki

-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
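The two RFC 7465 rules quoted above can be checked against a cipher spec string before it goes into a server configuration. The script below is an added example, not Radiator's code and not from the thread: it feeds a cipher spec to Python's ssl module, which parses the same OpenSSL cipher-string grammar that the Radiator cipher spec option uses, lists the suites OpenSSL actually enables for it, and simulates server-side suite selection against a client offer. It assumes a Python whose ssl module is linked against OpenSSL (the exact suite list, and whether an RC4-only spec yields anything at all, depends on that OpenSSL build; builds with RC4 compiled out report an empty list, which the check treats the same as a client offering nothing acceptable).

```python
"""Check an OpenSSL cipher-spec string against the two RFC 7465 rules.

Added example, not Radiator's code. Uses the ssl module's cipher-string
parser (OpenSSL's), so results reflect the OpenSSL linked into Python.
"""
import ssl

# The spec given in the Radiator goodies / reference manual.
HARDENED_SPEC = "DEFAULT:!EXPORT:!LOW:!RC4"


def enabled_ciphers(spec, server=True):
    """Return the TLS <= 1.2 cipher names OpenSSL enables for `spec`.

    A spec that OpenSSL cannot satisfy (for example 'RC4' on a build that
    no longer ships RC4) makes set_ciphers() raise SSLError; for this
    check that is equivalent to enabling no suites at all.
    """
    proto = ssl.PROTOCOL_TLS_SERVER if server else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    # TLS 1.3 suites are configured separately from the cipher string and
    # contain no RC4, so leave them out of the comparison.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def uses_rc4(cipher_name):
    """True for suites such as ECDHE-RSA-RC4-SHA or RC4-MD5."""
    return "RC4" in cipher_name.upper()


def rc4_free(server_spec):
    """RFC 7465 rule 1: the server must never be able to select RC4, which
    holds if RC4 is simply not in its enabled list."""
    return not any(uses_rc4(n) for n in enabled_ciphers(server_spec))


def server_would_select(server_spec, client_spec):
    """Simulate selection with server preference: the first suite in the
    server's list that the client also offered. None means there is no
    common suite and the server must terminate the handshake
    (RFC 7465 rule 2; the insufficient_security alert is optional).
    """
    offered = set(enabled_ciphers(client_spec, server=False))
    for name in enabled_ciphers(server_spec):
        if name in offered:
            return name
    return None


def rfc7465_compliant(server_spec):
    """Both rules hold: RC4 is never selectable, and an RC4-only client
    ends up with no suite at all."""
    return rc4_free(server_spec) and server_would_select(server_spec, "RC4") is None


if __name__ == "__main__":
    for spec in ("DEFAULT", "ALL", HARDENED_SPEC):
        names = enabled_ciphers(spec)
        rc4 = sorted(n for n in names if uses_rc4(n))
        print(f"{spec!r}: {len(names)} suites <= TLS 1.2, RC4 suites: {rc4 or 'none'}")
        print("  RFC 7465 compliant:", rfc7465_compliant(spec))
    print("RC4-only client against the hardened server spec ->",
          server_would_select(HARDENED_SPEC, "RC4"))
```

The selection model uses server preference; when the server honours client order instead, the outcome for RC4 is the same, because a suite absent from the server's list can never be chosen either way. To check a server from the outside rather than by inspecting its spec, the equivalent is a client that offers only RC4 suites and confirms the handshake fails.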