Based on the following link, it implies that flag does not do anything. It is old, but did the same thing on code I am running (2.2.8)

http://freeradius.1045715.n5.nabble.com/Why-is-the-default-DH-keysize-only-512-bits-td2754757.html

------------------------
Walter Reynolds
Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438

On Tue, Sep 15, 2015 at 11:04 AM, Bruce Curtis <bruce.cur...@ndsu.edu> wrote:

> When we increased the size of our key Google had found a reference to putting this line in EAP.conf.
>
> dh_key_length = 2048
>
> I have not tested without the line but the presence of the line does not prevent freeradius from running and the device that was complaining about the size of the key now works.
>
> On Sep 15, 2015, at 8:34 AM, Walter Reynolds <wa...@umich.edu> wrote:
>
> > On freeradius does it use the size of the key or do you have to specify somewhere?
> >
> > When I put in a dh key that is 2048 and run in debug mode I see the following
> >
> > Tue Sep 15 09:30:18 2015 : Debug: Module: Instantiating eap-tls
> > Tue Sep 15 09:30:18 2015 : Debug: tls {
> > Tue Sep 15 09:30:18 2015 : Debug: rsa_key_exchange = no
> > Tue Sep 15 09:30:18 2015 : Debug: dh_key_exchange = yes
> > Tue Sep 15 09:30:18 2015 : Debug: rsa_key_length = 512
> > Tue Sep 15 09:30:18 2015 : Debug: dh_key_length = 512
> >
> > But I verified the file itself.
> >
> > [root@aaa-maccvm-05 certs]# openssl dhparam -in dh -text -noout
> > PKCS#3 DH Parameters: (2048 bit)
> >
> > ------------------------
> > Walter Reynolds
> > Principal Systems Security Development Engineer
> > Information and Technology Services
> > University of Michigan
> > (734) 615-9438
> >
> > On Mon, Sep 14, 2015 at 8:43 AM, Christopher Michael Allison <chris.m.alli...@siu.edu> wrote:
> >
> > Actually, We Upgraded to FreeRadius 2.2.8 to solve some issues with iOS9. We have been using a 2048 bit Diffie-Hellman. And it is a must do ASAP as when it rolls out official you will have issues with clients connecting. Also if you aren't on FreeRadius 2.2.7 or higher you will run into the same issues that we did. Radius will answer the iOS9 clients TLS v1.2 Hello but can't transmit anything back to it so the client will never authenticate.
> >
> > Thanks,
> >
> > CHRISTOPHER ALLISON
> > Network Engineer I
> >
> > Information Technology
> > Mail Code 4622
> > 625 Wham Drive
> > Carbondale, Illinois 62901
> >
> > chris.m.alli...@siu.edu
> > P: 618 / 453 - 8415
> > F: 618 / 453 - 5261
> > INFOTECH.SIU.EDU
> >
> > "Choose a job you love, and you will never have to work a day in your life."
> > Confucius
> >
> > ________________________________________
> > From: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Bruce Curtis <bruce.cur...@ndsu.edu>
> > Sent: Sunday, September 13, 2015 6:14 AM
> > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> > Subject: Re: [WIRELESS-LAN] FreeRADIUS Diffie-Hellman Keys and iOS9
> >
> > We just upgraded to 2048 bit Diffie-Hellman on September 3. We had a person come to the help desk with a Chromebook that stopped connecting to the wireless on September 1, after an OS update. We had been using a 512 bit Diffie-Hellman key.
> >
> > 2015-09-03T18:01:36.709399+00:00 NOTICE wpa_supplicant[472]: OpenSSL: openssl_handshake - SSL_connect error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small
> >
> > On Sep 11, 2015, at 4:55 PM, Curtis K. Larsen <curtis.k.lar...@utah.edu> wrote:
> >
> > > Hello,
> > >
> > > Are any other FreeRADIUS users planning to upgrade to 2048 bit Diffie-Hellman keys before the iOS9 release? Just came across these and thinking it's a must do ASAP:
> > >
> > > https://support.apple.com/en-us/HT204932
> > >
> > > https://community.jisc.ac.uk/blogs/8021x-clients-and-radius-server-supporting-bigger-diffie-hellman-dh-keys
> > >
> > > Thanks,
> > >
> > > Curtis Larsen
> > > University IT/CIS
> > > Sr. Network Engineer
> > >
> > > **********
> > > Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
> >
> > ---
> > Bruce Curtis bruce.cur...@ndsu.edu
> > Certified NetAnalyst II 701-231-8527
> > North Dakota State University
>
> ---
> Bruce Curtis bruce.cur...@ndsu.edu
> Certified NetAnalyst II 701-231-8527
> North Dakota State University
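
Added example, not part of the thread and not FreeRADIUS code: a small Python check that takes the DH size from the `openssl dhparam -text -noout` output rather than from the `dh_key_length` debug line, since the thread reports the two disagreeing, and that picks `dh key too small` failures out of a client log. The sample inputs are constructed in the shape of the lines quoted above; the function names and the 2048-bit floor are assumptions.

```python
import re

MIN_DH_BITS = 2048  # assumed policy floor: the size the thread moved to

# Constructed samples, shaped like the output quoted in the thread.
DEBUG_LOG = """\
Tue Sep 15 09:30:18 2015 : Debug: dh_key_exchange = yes
Tue Sep 15 09:30:18 2015 : Debug: dh_key_length = 512
"""
DHPARAM_TEXT = "    PKCS#3 DH Parameters: (2048 bit)\n"
SUPPLICANT_LOG = """\
2015-09-03T18:01:36.709399+00:00 NOTICE wpa_supplicant[472]: OpenSSL: openssl_handshake - SSL_connect error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small
2015-09-03T18:02:10.000000+00:00 NOTICE wpa_supplicant[472]: constructed unrelated line
"""


def logged_dh_key_length(debug_log):
    """Value of the dh_key_length item echoed in debug output, or None."""
    m = re.search(r"\bdh_key_length\s*=\s*(\d+)", debug_log)
    return int(m.group(1)) if m else None


def dh_file_bits(dhparam_text):
    """Size from the 'DH Parameters: (N bit)' header, with or without a prefix."""
    m = re.search(r"DH Parameters:\s*\((\d+) bit\)", dhparam_text)
    return int(m.group(1)) if m else None


def assess(debug_log, dhparam_text, floor=MIN_DH_BITS):
    """Judge the server by the DH file; report the logged value only as a note."""
    file_bits = dh_file_bits(dhparam_text)
    logged = logged_dh_key_length(debug_log)
    return {
        "file_bits": file_bits,
        "logged_bits": logged,
        "file_ok": file_bits is not None and file_bits >= floor,
        "log_disagrees": None not in (file_bits, logged) and file_bits != logged,
    }


def dh_too_small_events(client_log):
    """Timestamps of client-side handshakes that failed on a small DH group."""
    return [line.split()[0] for line in client_log.splitlines()
            if "dh key too small" in line]


if __name__ == "__main__":
    print(assess(DEBUG_LOG, DHPARAM_TEXT))
    print(dh_too_small_events(SUPPLICANT_LOG))
```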