On 22.9.2016 11.45, Stefan Winter wrote:

> The default that "UseTLS" should trigger is: all TLS versions that are
> supported in the system.

Agreed. The current UseTLS behaviour is to do what it has done since it 
was first implemented: enable TLS 1.0.

We could, for example, enable all TLS protocols when UseTLS is set and 
log a message that TLS_Protocols should be used instead for better 
control of supported versions.

Now when some TLS versions are showing their age and TLS 1.3 is 
upcoming, it's good to have a way to tell what exactly is wanted.

> Silently pinning 1.0 is an invitation to continue use of old and weak
> crypto protocols.
>
> Maybe this default could be changed in later versions...

Yes, I'll see that this gets attention.

-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, 
NetWare etc.
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
