On 24/05/13 11:44, Pieter Hulshoff wrote:
> Hello all,
> Does FreeRADIUS support AES-GCM in EAP-TLS? I couldn't find the term in the
> documentation, the wiki or the mailing list archives, but perhaps I'm looking
> in the wrong place?

Typically this is down to the TLS libraries; it's not usually the case that
the application needs to do anything.

That said, EAP-TLS is typically TLS 1.0. AIUI, AEAD ciphers require TLS
1.2 - see section 4 of RFC 5288. But again, FreeRADIUS doesn't involve
itself in this level of detail - that's an aspect of the TLS library
(OpenSSL) we use, and whatever the EAP-TLS client is using.

Note also that EAP-TLS (unlike other TLS-based EAP methods, such as PEAP
or TTLS) never actually sends any data over the TLS session;
essentially, it consists solely of the handshake. In TLS terms, EAP-TLS
never sends any TLS records of type=23 (application data). So, the
negotiated cipher is not used for very much.

PEAP and TTLS have "inner" EAP exchanges, that are protected with the
TLS session, and sent as TLS type=23 records.

Slightly OT, there seems to be some degree of uncertainty about GCM in
general, and whether it's a sensible cipher mode - for example, see
http://www.imperialviolet.org/2013/01/13/rwc03.html
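
The point above about type=23 records can be checked on a capture. The following is an added example, not part of the original message and not FreeRADIUS code: it walks the TLS record headers in a stream and reports whether any application data record is present. It assumes the EAP fragments have already been reassembled into one contiguous TLS byte stream; the function names and the sample streams are constructed for illustration.

```python
import struct
from collections import Counter

# TLS record content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

def iter_records(stream: bytes):
    """Yield (content_type, version, payload_len) per TLS record in the stream."""
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError(f"truncated record header at offset {offset}")
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype} at offset {offset}")
        if offset + 5 + length > len(stream):
            raise ValueError(f"truncated record body at offset {offset}")
        yield ctype, (major, minor), length
        offset += 5 + length

def summarize(stream: bytes) -> dict:
    """Count records per content type and flag any type=23 record."""
    counts = Counter(CONTENT_TYPES[c] for c, _, _ in iter_records(stream))
    return {"counts": dict(counts),
            "carries_application_data": counts["application_data"] > 0}

def record(ctype: int, payload: bytes, version=(3, 1)) -> bytes:
    """Build a constructed TLS record (version 3.1 = TLS 1.0) for the samples."""
    return struct.pack("!BBBH", ctype, *version, len(payload)) + payload

# Constructed samples: payloads are filler bytes, not real handshake messages.
EAP_TLS_STREAM = (record(22, b"\x01" * 40)     # stands in for ClientHello
                  + record(22, b"\x02" * 90)   # server handshake flight
                  + record(22, b"\x0b" * 120)  # client certificate flight
                  + record(20, b"\x01")
                  + record(22, b"\xaa" * 48)   # encrypted Finished
                  + record(20, b"\x01")
                  + record(22, b"\xbb" * 48))
# PEAP/TTLS-style stream: the same handshake followed by inner EAP as type=23.
PEAP_STREAM = EAP_TLS_STREAM + record(23, b"\xcc" * 37) + record(23, b"\xdd" * 53)

if __name__ == "__main__":
    for name, stream in (("EAP-TLS", EAP_TLS_STREAM), ("PEAP", PEAP_STREAM)):
        print(name, summarize(stream))
```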