Interesting...  because when I installed a DH2048 key without adding the
dh_key_length parameter, users were not able to authenticate.
When I added the length, things worked.   I'm good with it just being
magic, as long as it works...

John Rodkey
Director of Servers and Networks
Westmont College

On Tue, Sep 15, 2015 at 9:10 AM, Walter Reynolds <wa...@umich.edu> wrote:

> Based on the following link, it implies that flag does not do anything.
> It is old, but did the same thing on code I am running (2.2.8)
>
> http://freeradius.1045715.n5.nabble.com/Why-is-the-default-DH-keysize-only-512-bits-td2754757.html
>
>
>
>
> ------------------------
> Walter Reynolds
> Principal Systems Security Development Engineer
> Information and Technology Services
> University of Michigan
> (734) 615-9438
>
> On Tue, Sep 15, 2015 at 11:04 AM, Bruce Curtis <bruce.cur...@ndsu.edu>
> wrote:
>
>> When we increased the size of our key Google had found a reference to
>> putting this line in EAP.conf.
>>
>>                         dh_key_length = 2048
>>
>> I have not tested without the line but the presence of the line does not
>> prevent freeradius from running and the device that was complaining about
>> the size of the key now works.
>>
>> On Sep 15, 2015, at 8:34 AM, Walter Reynolds <wa...@umich.edu> wrote:
>>
>> > On freeradius does it use the size of the key or do you have to specify
>> somewhere?
>> >
>> > When I put in a dh key that is 2048 and run in debug mode I see the
>> following
>> >
>> > Tue Sep 15 09:30:18 2015 : Debug:  Module: Instantiating eap-tls
>> > Tue Sep 15 09:30:18 2015 : Debug:    tls {
>> > Tue Sep 15 09:30:18 2015 : Debug:       rsa_key_exchange = no
>> > Tue Sep 15 09:30:18 2015 : Debug:       dh_key_exchange = yes
>> > Tue Sep 15 09:30:18 2015 : Debug:       rsa_key_length = 512
>> > Tue Sep 15 09:30:18 2015 : Debug:       dh_key_length = 512
>> >
>> > But I verified the file itself.
>> >
>> > [root@aaa-maccvm-05 certs]# openssl dhparam -in dh -text -noout
>> >     PKCS#3 DH Parameters: (2048 bit)
>> >
>> >
>> >
>> > ------------------------
>> > Walter Reynolds
>> > Principal Systems Security Development Engineer
>> > Information and Technology Services
>> > University of Michigan
>> > (734) 615-9438
>> >
>> > On Mon, Sep 14, 2015 at 8:43 AM, Christopher Michael Allison <
>> chris.m.alli...@siu.edu> wrote:
>> > Actually, we upgraded to FreeRADIUS 2.2.8 to solve some issues with
>> iOS9. We have been using a 2048 bit Diffie-Hellman.  And it is a must do
>> ASAP as when it rolls out officially you will have issues with clients
>> connecting. Also if you aren't on FreeRADIUS 2.2.7 or higher you will run
>> into the same issues that we did. Radius will answer the iOS9 clients TLS
>> v1.2 Hello but can't transmit anything back to it so the client will never
>> authenticate.
>> >
>> > Thanks,
>> >
>> > CHRISTOPHER ALLISON
>> > Network Engineer I
>> >
>> > Information Technology
>> > Mail Code 4622
>> > 625 Wham Drive
>> > Carbondale, Illinois 62901
>> >
>> > chris.m.alli...@siu.edu
>> > P: 618 / 453 - 8415
>> > F: 618 / 453 - 5261
>> > INFOTECH.SIU.EDU
>> >
>> >
>> >
>> > "Choose a job you love, and you will never have to work a day in your
>> life."
>> > Confucius
>> >
>> > ________________________________________
>> > From: The EDUCAUSE Wireless Issues Constituent Group Listserv <
>> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Bruce Curtis <
>> bruce.cur...@ndsu.edu>
>> > Sent: Sunday, September 13, 2015 6:14 AM
>> > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> > Subject: Re: [WIRELESS-LAN] FreeRADIUS Diffie-Hellman Keys and iOS9
>> >
>> >   We just upgraded to 2048 bit Diffie-Hellman on September 3.   We had
>> a person come to the help desk with a Chromebook that stopped connecting to
>> the wireless on September 1, after an OS update.  We had been using a 512
>> bit Diffie-Hellman key.
>> >
>> >
>> >
>> > 2015-09-03T18:01:36.709399+00:00 NOTICE wpa_supplicant[472]: OpenSSL:
>> openssl_handshake - SSL_connect error:14082174:SSL
>> routines:ssl3_check_cert_and_algorithm:dh key too small
>> >
>> > On Sep 11, 2015, at 4:55 PM, Curtis K. Larsen <curtis.k.lar...@utah.edu>
>> wrote:
>> >
>> > > Hello,
>> > >
>> > > Are any other FreeRADIUS users planning to upgrade to 2048 bit
>> Diffie-Hellman keys before the iOS9 release?  Just came across these and
>> thinking it's a must do ASAP:
>> > >
>> > > https://support.apple.com/en-us/HT204932
>> > >
>> https://community.jisc.ac.uk/blogs/8021x-clients-and-radius-server-supporting-bigger-diffie-hellman-dh-keys
>> > >
>> > >
>> > > Thanks,
>> > >
>> > > Curtis Larsen
>> > > University IT/CIS
>> > > Sr. Network Engineer
>> > >
>> > >
>> > >
>> > > **********
>> > > Participation and subscription information for this EDUCAUSE
>> Constituent Group discussion list can be found at
>> http://www.educause.edu/groups/.
>> >
>> > ---
>> > Bruce Curtis                         bruce.cur...@ndsu.edu
>> > Certified NetAnalyst II                701-231-8527
>> > North Dakota State University
>> >
>>
>> ---
>> Bruce Curtis                         bruce.cur...@ndsu.edu
>> Certified NetAnalyst II                701-231-8527
>> North Dakota State University
>>
>>
>
>
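
The check discussed in this thread (the size of the DH parameter file versus the dh_key_length value printed in debug mode) can be scripted. This is an added example, not part of the original messages; the function names and the MIN_BITS default of 2048 are assumptions taken from the sizes the thread mentions.

```shell
#!/bin/sh
# Added example, not from the thread. MIN_BITS defaults to the 2048-bit size
# the thread moved to; the function names are made up for this sketch.
MIN_BITS="${MIN_BITS:-2048}"

# Lines copied from the debug output and openssl check quoted in the thread.
SAMPLE_DEBUG='Tue Sep 15 09:30:18 2015 : Debug:       dh_key_length = 512'
SAMPLE_DHPARAM='    PKCS#3 DH Parameters: (2048 bit)'

# stdin: `openssl dhparam -text -noout` output -> prime size in bits.
dh_bits_from_text() {
    sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# stdin: FreeRADIUS debug output -> the dh_key_length value it printed.
logged_dh_key_length() {
    sed -n 's/.*dh_key_length = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# $1 = bits in the DH file, $2 = dh_key_length from debug (may be empty).
# Returns 0 when the file meets MIN_BITS, 1 when too small, 2 when unreadable.
dh_verdict() {
    if [ -z "$1" ]; then
        echo "UNKNOWN: no DH parameter size found"; return 2
    fi
    if [ "$1" -lt "$MIN_BITS" ]; then
        echo "WEAK: file holds $1-bit parameters, minimum is $MIN_BITS"; return 1
    fi
    if [ -n "$2" ] && [ "$2" != "$1" ]; then
        echo "MISMATCH: file is $1 bits, debug printed dh_key_length = $2"
        return 0
    fi
    echo "OK: file is $1 bits"
}

# $1 = DH parameter file, $2 = file holding saved debug output (optional).
audit_dh_file() {
    bits=$(openssl dhparam -in "$1" -text -noout 2>/dev/null | dh_bits_from_text)
    logged=""
    if [ -n "$2" ]; then logged=$(logged_dh_key_length < "$2"); fi
    dh_verdict "$bits" "$logged"
}

# Run on the thread's own sample lines.
dh_verdict "$(printf '%s\n' "$SAMPLE_DHPARAM" | dh_bits_from_text)" \
           "$(printf '%s\n' "$SAMPLE_DEBUG" | logged_dh_key_length)"
```

A MISMATCH result only reports that the two numbers differ; which one the server actually negotiates still has to be confirmed from a client handshake.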
