Alan DeKok wrote:
Jason Wittlin-Cohen <[EMAIL PROTECTED]> wrote:
I noticed that the default DH keysize in FreeRadius 1.1.3 is 512 bits.
If you're talking about the key length in the EAP-TLS module, it
looks like those aren't being used for anything. See the source.
It does look like the EAP-TLS code is setting a 512-bit ephemeral
RSA key, but my reading of the OpenSSL docs indicates it won't be
used, because SSL_OP_EPHEMERAL_RSA isn't being set. So that code
could be deleted entirely.
I originally thought that the DH
keysize would be determined by the DH parameter file and only realized
that it was still using 512 bit keys when I ran freeradius in debug
mode.
Which prints out configuration entries that aren't being used.
$ cd src/modules/rlm_eap
$ grep -r key_length .
./libeap/mppe_keys.c: PRF(s->session->master_key, s->session->master_key_length,
./libeap/mppe_keys.c: PRF(s->session->master_key, s->session->master_key_length,
./types/rlm_eap_tls/rlm_eap_tls.c: { "rsa_key_length", PW_TYPE_INTEGER,
./types/rlm_eap_tls/rlm_eap_tls.c: offsetof(EAP_TLS_CONF, rsa_key_length), NULL, "512" },
./types/rlm_eap_tls/rlm_eap_tls.c: { "dh_key_length", PW_TYPE_INTEGER,
./types/rlm_eap_tls/rlm_eap_tls.c: offsetof(EAP_TLS_CONF, dh_key_length), NULL, "512" },
./types/rlm_eap_tls/rlm_eap_tls.h: int rsa_key_length;
./types/rlm_eap_tls/rlm_eap_tls.h: int dh_key_length;
See? They're config options that aren't used. They should be deleted.
So, if dh_key_length is being ignored, how is the DH key size
determined? By the DH parameter file?
Jason
|
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
