When we increased the size of our key, Google had found a reference to putting 
this line in EAP.conf.

                        dh_key_length = 2048

I have not tested without the line but the presence of the line does not 
prevent freeradius from running and the device that was complaining about the 
size of the key now works.

On Sep 15, 2015, at 8:34 AM, Walter Reynolds <wa...@umich.edu> wrote:

> On freeradius does it use the size of the key or do you have to specify 
> somewhere?
> 
> When I put in a dh key that is 2048 and run in debug mode I see the following
> 
> Tue Sep 15 09:30:18 2015 : Debug:  Module: Instantiating eap-tls
> Tue Sep 15 09:30:18 2015 : Debug:    tls {
> Tue Sep 15 09:30:18 2015 : Debug:       rsa_key_exchange = no
> Tue Sep 15 09:30:18 2015 : Debug:       dh_key_exchange = yes
> Tue Sep 15 09:30:18 2015 : Debug:       rsa_key_length = 512
> Tue Sep 15 09:30:18 2015 : Debug:       dh_key_length = 512
> 
> But I verified the file itself.
> 
> [root@aaa-maccvm-05 certs]# openssl dhparam -in dh -text -noout
>     PKCS#3 DH Parameters: (2048 bit)
> 
> 
> 
> ------------------------
> Walter Reynolds
> Principal Systems Security Development Engineer
> Information and Technology Services
> University of Michigan
> (734) 615-9438
> 
> On Mon, Sep 14, 2015 at 8:43 AM, Christopher Michael Allison 
> <chris.m.alli...@siu.edu> wrote:
> Actually, we upgraded to FreeRadius 2.2.8 to solve some issues with iOS9. We 
> have been using a 2048 bit Diffie-Hellman.  And it is a must do ASAP as when 
> it rolls out officially you will have issues with clients connecting. Also if 
> you aren't on FreeRadius 2.2.7 or higher you will run into the same issues 
> that we did. Radius will answer the iOS9 clients' TLS v1.2 Hello but can't 
> transmit anything back to it so the client will never authenticate.
> 
> Thanks,
> 
> CHRISTOPHER ALLISON
> Network Engineer I
> 
> Information Technology
> Mail Code 4622
> 625 Wham Drive
> Carbondale, Illinois 62901
> 
> chris.m.alli...@siu.edu
> P: 618 / 453 - 8415
> F: 618 / 453 - 5261
> INFOTECH.SIU.EDU
> 
> 
> 
> "Choose a job you love, and you will never have to work a day in your life."
> Confucius
> 
> ________________________________________
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Bruce Curtis 
> <bruce.cur...@ndsu.edu>
> Sent: Sunday, September 13, 2015 6:14 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] FreeRADIUS Diffie-Hellman Keys and iOS9
> 
>   We just upgraded to 2048 bit Diffie-Hellman on September 3.   We had a 
> person come to the help desk with a Chromebook that stopped connecting to the 
> wireless on September 1, after an OS update.  We had been using a 512 bit 
> Diffie-Hellman key.
> 
> 
> 
> 2015-09-03T18:01:36.709399+00:00 NOTICE wpa_supplicant[472]: OpenSSL: 
> openssl_handshake - SSL_connect error:14082174:SSL 
> routines:ssl3_check_cert_and_algorithm:dh key too small
> 
> On Sep 11, 2015, at 4:55 PM, Curtis K. Larsen <curtis.k.lar...@utah.edu> 
> wrote:
> 
> > Hello,
> >
> > Are any other FreeRADIUS users planning to upgrade to 2048 bit 
> > Diffie-Hellman keys before the iOS9 release?  Just came across these and 
> > thinking it's a must do ASAP:
> >
> > https://support.apple.com/en-us/HT204932
> > https://community.jisc.ac.uk/blogs/8021x-clients-and-radius-server-supporting-bigger-diffie-hellman-dh-keys
> >
> >
> > Thanks,
> >
> > Curtis Larsen
> > University IT/CIS
> > Sr. Network Engineer
> >
> >
> >
> > **********
> > Participation and subscription information for this EDUCAUSE Constituent 
> > Group discussion list can be found at http://www.educause.edu/groups/.
> 
> ---
> Bruce Curtis                         bruce.cur...@ndsu.edu
> Certified NetAnalyst II                701-231-8527
> North Dakota State University
> 
> 

---
Bruce Curtis                         bruce.cur...@ndsu.edu
Certified NetAnalyst II                701-231-8527
North Dakota State University        
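
An added example, not written by anyone in this thread or by the FreeRADIUS project: it cross-checks the three pieces of evidence quoted above (the dh_key_length value in debug output, the size reported by openssl dhparam, and the client-side "dh key too small" error). The sample inputs are constructed from the quoted lines; the 2048-bit floor and the finding names are assumptions.

```python
import re

MIN_BITS = 2048  # assumption: the size the posters in this thread moved to

# Constructed sample input, modelled on the output quoted in the thread.
SAMPLE_DEBUG = """\
Tue Sep 15 09:30:18 2015 : Debug:    tls {
Tue Sep 15 09:30:18 2015 : Debug:       dh_key_exchange = yes
Tue Sep 15 09:30:18 2015 : Debug:       rsa_key_length = 512
Tue Sep 15 09:30:18 2015 : Debug:       dh_key_length = 512
"""
SAMPLE_DHPARAM = "    PKCS#3 DH Parameters: (2048 bit)\n"
SAMPLE_CLIENT_LOG = (
    "2015-09-03T18:01:36.709399+00:00 NOTICE wpa_supplicant[472]: OpenSSL: "
    "openssl_handshake - SSL_connect error:14082174:SSL "
    "routines:ssl3_check_cert_and_algorithm:dh key too small\n"
)

KEY_RE = re.compile(r"Debug:\s+(\w+_key_length)\s*=\s*(\d+)\s*$")
DH_RE = re.compile(r"DH Parameters:\s*\((\d+) bit\)")


def debug_key_lengths(debug_text):
    """Map each *_key_length option in the debug output to its integer value."""
    pairs = (KEY_RE.search(line) for line in debug_text.splitlines())
    return {m.group(1): int(m.group(2)) for m in pairs if m}


def dhparam_bits(dhparam_text):
    """Bit size from 'openssl dhparam -text -noout' output, or None if absent."""
    m = DH_RE.search(dhparam_text)
    return int(m.group(1)) if m else None


def audit(debug_text, dhparam_text, client_log="", min_bits=MIN_BITS):
    """Return a sorted list of finding codes (hypothetical names) for the inputs."""
    findings = set()
    configured = debug_key_lengths(debug_text).get("dh_key_length")
    file_bits = dhparam_bits(dhparam_text)
    if configured is None:
        findings.add("dh_key_length_not_logged")
    elif configured < min_bits:
        findings.add("configured_dh_below_minimum")
    if file_bits is None:
        findings.add("dh_file_size_unreadable")
    elif file_bits < min_bits:
        findings.add("dh_file_below_minimum")
    if None not in (configured, file_bits) and configured != file_bits:
        findings.add("config_and_file_disagree")
    if "dh key too small" in client_log:
        findings.add("client_rejected_dh_size")
    return sorted(findings)
```
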
