Based on the following link, it implies that flag does not do anything.  It
is old, but did the same thing on code I am running (2.2.8)
http://freeradius.1045715.n5.nabble.com/Why-is-the-default-DH-keysize-only-512-bits-td2754757.html
------------------------
Walter Reynolds
Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438

On Tue, Sep 15, 2015 at 11:04 AM, Bruce Curtis <bruce.cur...@ndsu.edu>
wrote:

> When we increased the size of our key Google had found a reference to
> putting this line in EAP.conf.
>
>                         dh_key_length = 2048
>
> I have not tested without the line but the presence of the line does not
> prevent freeradius from running and the device that was complaining about
> the size of the key now works.
>
> On Sep 15, 2015, at 8:34 AM, Walter Reynolds <wa...@umich.edu> wrote:
>
> > On freeradius does it use the size of the key or do you have to specify
> somewhere?
> >
> > When I put in a dh key that is 2048 and run in debug mode I see the
> following
> >
> > Tue Sep 15 09:30:18 2015 : Debug:  Module: Instantiating eap-tls
> > Tue Sep 15 09:30:18 2015 : Debug:    tls {
> > Tue Sep 15 09:30:18 2015 : Debug:       rsa_key_exchange = no
> > Tue Sep 15 09:30:18 2015 : Debug:       dh_key_exchange = yes
> > Tue Sep 15 09:30:18 2015 : Debug:       rsa_key_length = 512
> > Tue Sep 15 09:30:18 2015 : Debug:       dh_key_length = 512
> >
> > But I verified the file itself.
> >
> > [root@aaa-maccvm-05 certs]# openssl dhparam -in dh -text -noout
> >     PKCS#3 DH Parameters: (2048 bit)
> >
> >
> >
> > ------------------------
> > Walter Reynolds
> > Principal Systems Security Development Engineer
> > Information and Technology Services
> > University of Michigan
> > (734) 615-9438
> >
> > On Mon, Sep 14, 2015 at 8:43 AM, Christopher Michael Allison <
> chris.m.alli...@siu.edu> wrote:
> > Actually, we upgraded to FreeRADIUS 2.2.8 to solve some issues with
> iOS 9. We have been using a 2048-bit Diffie-Hellman key.  And it is a must do
> ASAP, as when it rolls out officially you will have issues with clients
> connecting. Also, if you aren't on FreeRADIUS 2.2.7 or higher you will run
> into the same issues that we did. RADIUS will answer the iOS 9 client's TLS
> v1.2 Hello but can't transmit anything back to it, so the client will never
> authenticate.
> >
> > Thanks,
> >
> > CHRISTOPHER ALLISON
> > Network Engineer I
> >
> > Information Technology
> > Mail Code 4622
> > 625 Wham Drive
> > Carbondale, Illinois 62901
> >
> > chris.m.alli...@siu.edu
> > P: 618 / 453 - 8415
> > F: 618 / 453 - 5261
> > INFOTECH.SIU.EDU
> >
> >
> >
> > "Choose a job you love, and you will never have to work a day in your
> life."
> > Confucius
> >
> > ________________________________________
> > From: The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Bruce Curtis <
> bruce.cur...@ndsu.edu>
> > Sent: Sunday, September 13, 2015 6:14 AM
> > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> > Subject: Re: [WIRELESS-LAN] FreeRADIUS Diffie-Hellman Keys and iOS9
> >
> >   We just upgraded to a 2048-bit Diffie-Hellman key on September 3.   We had a
> person come to the help desk with a Chromebook that stopped connecting to
> the wireless on September 1, after an OS update.  We had been using a 512-bit
> Diffie-Hellman key.
> >
> >
> >
> > 2015-09-03T18:01:36.709399+00:00 NOTICE wpa_supplicant[472]: OpenSSL:
> openssl_handshake - SSL_connect error:14082174:SSL
> routines:ssl3_check_cert_and_algorithm:dh key too small
> >
> > On Sep 11, 2015, at 4:55 PM, Curtis K. Larsen <curtis.k.lar...@utah.edu>
> wrote:
> >
> > > Hello,
> > >
> > > Are any other FreeRADIUS users planning to upgrade to 2048-bit
> Diffie-Hellman keys before the iOS 9 release?  I just came across these and am
> thinking it's a must do ASAP:
> > >
> > > https://support.apple.com/en-us/HT204932
> > >
> https://community.jisc.ac.uk/blogs/8021x-clients-and-radius-server-supporting-bigger-diffie-hellman-dh-keys
> > >
> > >
> > > Thanks,
> > >
> > > Curtis Larsen
> > > University IT/CIS
> > > Sr. Network Engineer
> > >
> > >
> > >
> > > **********
> > > Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at
> http://www.educause.edu/groups/.
> >
> > ---
> > Bruce Curtis                         bruce.cur...@ndsu.edu
> > Certified NetAnalyst II                701-231-8527
> > North Dakota State University
> >
> >
>
> ---
> Bruce Curtis                         bruce.cur...@ndsu.edu
> Certified NetAnalyst II                701-231-8527
> North Dakota State University
>
>

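As an added example (not code from any poster in this thread and not part of FreeRADIUS), the following Python script performs the comparison the thread is circling around: the size of the Diffie-Hellman group actually stored in the dhparam file versus the `dh_key_length` value FreeRADIUS prints in debug mode. It parses the PKCS#3 PEM file by hand (a DER `SEQUENCE` of `INTEGER p` and `INTEGER g`), so it needs neither OpenSSL nor third-party libraries. The sample parameter file is constructed from a placeholder modulus that is not a real prime, the debug lines are the ones quoted above, and all function and variable names are my own.

```python
"""Audit helper: does the DH group in the dhparam file match what the
server reports?  Added example for this thread; not FreeRADIUS code."""
import base64
import re

PEM_HEADER = "-----BEGIN DH PARAMETERS-----"
PEM_FOOTER = "-----END DH PARAMETERS-----"


def _der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(nb)]) + nb


def _der_int(value):
    """Encode a non-negative INTEGER; the extra byte keeps the sign bit clear."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(raw)) + raw


def make_dh_pem(p, g=2):
    """Build a PKCS#3 'DH PARAMETERS' PEM from p and g (used only to construct
    sample input here; real files come from `openssl dhparam`)."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def dh_prime_bits(pem_text):
    """Return the bit length of p in a PEM 'DH PARAMETERS' file, i.e. the number
    `openssl dhparam -text` prints as '(N bit)'."""
    if PEM_HEADER not in pem_text or PEM_FOOTER not in pem_text:
        raise ValueError("not a PEM DH PARAMETERS file")
    body = pem_text.split(PEM_HEADER, 1)[1].split(PEM_FOOTER, 1)[0]
    der = base64.b64decode("".join(body.split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p_bytes, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    return int.from_bytes(p_bytes, "big").bit_length()


def reported_dh_key_length(debug_output):
    """Pull 'dh_key_length = N' out of FreeRADIUS debug (-X) startup output."""
    m = re.search(r"dh_key_length\s*=\s*(\d+)", debug_output)
    return int(m.group(1)) if m else None


def audit(pem_text, debug_output, minimum=2048):
    """Return (bits_in_file, reported_value, findings)."""
    actual = dh_prime_bits(pem_text)
    reported = reported_dh_key_length(debug_output)
    findings = []
    if actual < minimum:
        findings.append(f"dhparam file holds only a {actual}-bit group; "
                        f"clients that enforce >= {minimum} bits will fail the handshake")
    if reported is not None and reported != actual:
        # The thread reports that dh_key_length is not honoured, so a mismatch
        # is a prompt to verify with a real client handshake, not proof of either value.
        findings.append(f"server prints dh_key_length = {reported} but the file is "
                        f"{actual} bits; confirm which group a client actually negotiates")
    return actual, reported, findings


# Constructed sample input: placeholder modulus (not a prime) of the right size,
# and the debug lines quoted in the thread.
SAMPLE_PEM_2048 = make_dh_pem((1 << 2047) | 1)
SAMPLE_DEBUG = """\
Tue Sep 15 09:30:18 2015 : Debug:       rsa_key_exchange = no
Tue Sep 15 09:30:18 2015 : Debug:       dh_key_exchange = yes
Tue Sep 15 09:30:18 2015 : Debug:       rsa_key_length = 512
Tue Sep 15 09:30:18 2015 : Debug:       dh_key_length = 512
"""

if __name__ == "__main__":
    bits, reported, findings = audit(SAMPLE_PEM_2048, SAMPLE_DEBUG)
    print(f"file: {bits} bits, reported: {reported}")
    for f in findings:
        print("finding:", f)
```

On a real server, read the PEM from the `dh_file` path in eap.conf and feed `radiusd -X` output to `audit()`; the first finding flags a file that is too small for the clients discussed in the thread, the second flags the disagreement Walter observed between the printed setting and the file.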