Alan DeKok wrote:

> Jason Wittlin-Cohen <[EMAIL PROTECTED]> wrote:
>> I noticed that the default DH keysize in FreeRadius 1.1.3 is 512 bits.
>
> If you're talking about the key length in the EAP-TLS module, it looks like those aren't being used for anything. See the source.
>
>> It does look like the EAP-TLS code is setting a 512-bit ephemeral RSA key, but my reading of the OpenSSL docs indicates it won't be used, because SSL_OP_EPHEMERAL_RSA isn't being set. So that code could be deleted entirely.
>>
>> So, if dh_key_length is being ignored, how is the DH key size determined? By the DH parameter file?
>>
>> I originally thought that the DH keysize would be determined by the DH parameter file and only realized that it was still using 512 bit keys when I ran freeradius in debug mode.
>
> Which prints out configuration entries that aren't being used.
>
> $ cd src/modules/rlm_eap
> $ grep -r key_length .
> ./libeap/mppe_keys.c: PRF(s->session->master_key, s->session->master_key_length,
> ./libeap/mppe_keys.c: PRF(s->session->master_key, s->session->master_key_length,
> ./types/rlm_eap_tls/rlm_eap_tls.c: { "rsa_key_length", PW_TYPE_INTEGER,
> ./types/rlm_eap_tls/rlm_eap_tls.c: offsetof(EAP_TLS_CONF, rsa_key_length), NULL, "512" },
> ./types/rlm_eap_tls/rlm_eap_tls.c: { "dh_key_length", PW_TYPE_INTEGER,
> ./types/rlm_eap_tls/rlm_eap_tls.c: offsetof(EAP_TLS_CONF, dh_key_length), NULL, "512" },
> ./types/rlm_eap_tls/rlm_eap_tls.h: int rsa_key_length;
> ./types/rlm_eap_tls/rlm_eap_tls.h: int dh_key_length;
>
> See? They're config options that aren't used. They should be deleted.

Jason
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html