Re: [RADIATOR] Certificate updates in Radiator 4.13 patches
You guys rock! Your fast actions to user feature requests and general IT trends are amazing!

Cheers,
Alex

On 2014-09-26 10:50, Sami Keski-Kasari wrote:
> Hello all,
>
> we have now added RSA2048/SHA256 and ECDSA(curve secp256r1)/SHA256 test
> certificates to Radiator 4.13 patches.
>
> RSA2048/SHA256 certificates require OpenSSL that includes SHA2 in
> SSL_library_init() or [1]. Please note that certificates are now longer
> which means when using them, for example, with PEAP there will be more
> EAP fragments. Some access points might have problems with them, so if
> you have not yet adjusted EAPTLS_MaxFragmentSize you may need to do so.
>
> ECDSA(curve secp256r1)/SHA256 certificates require OpenSSL 1.0.0 or
> newer. For ephemeral EC keying Radiator patch dated 2014-09-25 and
> Net-SSLeay 1.58 or newer is required. This may be interesting for
> long-lived sessions, such as RadSec links.
>
> We have tested that Radiator supports ECDSA certificates in all SSL/TLS
> related operations including RadSec, Diameter, PEAP, EAP-TTLS, EAP-TLS, etc.
>
> Client support for ECDSA certificates seems to be widely available.
> Mobile platforms such as Android version starting 4.1.2, iOS7/8 and WP8
> support ECDSA certificates according to our tests. Windows 7 and modern
> Linux-based distributions seem to be working also.
>
> If you are encountering fragmentation problems with RSA2048/SHA256
> certificates, ECDSA certificates might be worth trying as they are
> significantly shorter.
>
> Configuration examples for EAPs, RadSec, Diameter, etc. will be updated
> today.
>
> [1] SHA-256 support can be made to work with Net-SSLeay 1.46 which
> supports OpenSSL_add_all_algorithms() and a one-line addition to
> Radiator to call this function.
>
> Best Regards,
> Sami

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

[RADIATOR] Certificate updates in Radiator 4.13 patches
Hello all,

we have now added RSA2048/SHA256 and ECDSA(curve secp256r1)/SHA256 test certificates to Radiator 4.13 patches.

RSA2048/SHA256 certificates require OpenSSL that includes SHA2 in SSL_library_init() or [1]. Please note that certificates are now longer which means when using them, for example, with PEAP there will be more EAP fragments. Some access points might have problems with them, so if you have not yet adjusted EAPTLS_MaxFragmentSize you may need to do so.

ECDSA(curve secp256r1)/SHA256 certificates require OpenSSL 1.0.0 or newer. For ephemeral EC keying Radiator patch dated 2014-09-25 and Net-SSLeay 1.58 or newer is required. This may be interesting for long-lived sessions, such as RadSec links.

We have tested that Radiator supports ECDSA certificates in all SSL/TLS related operations including RadSec, Diameter, PEAP, EAP-TTLS, EAP-TLS, etc.

Client support for ECDSA certificates seems to be widely available. Mobile platforms such as Android version starting 4.1.2, iOS7/8 and WP8 support ECDSA certificates according to our tests. Windows 7 and modern Linux-based distributions seem to be working also.

If you are encountering fragmentation problems with RSA2048/SHA256 certificates, ECDSA certificates might be worth trying as they are significantly shorter.

Configuration examples for EAPs, RadSec, Diameter, etc. will be updated today.

[1] SHA-256 support can be made to work with Net-SSLeay 1.46 which supports OpenSSL_add_all_algorithms() and a one-line addition to Radiator to call this function.

Best Regards,
Sami

--
Sami Keski-Kasari

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
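
The fragmentation effect described in the announcement, as an added example that is not part of the original messages and is not Radiator code: it splits a TLS server flight into EAP-TLS packets using the L and M flags of RFC 5216, reassembles them on the peer side, and counts fragments for two flights. The flight sizes are constructed, and treating the fragment limit as a cap on TLS data bytes per EAP packet is an assumption about how EAPTLS_MaxFragmentSize is counted.

```python
import struct

EAP_REQUEST, EAP_TYPE_TLS = 1, 13   # RFC 5216; PEAP (type 25) reuses the L/M flag bits
FLAG_L, FLAG_M = 0x80, 0x40         # "Length included" / "More fragments"

def fragment(tls_flight: bytes, max_fragment_size: int, first_id: int = 1):
    """Split one TLS handshake flight into EAP-TLS Request packets."""
    if max_fragment_size <= 0:
        raise ValueError("max_fragment_size must be positive")
    chunks = [tls_flight[i:i + max_fragment_size]
              for i in range(0, len(tls_flight), max_fragment_size)] or [b""]
    packets = []
    for n, chunk in enumerate(chunks):
        flags = FLAG_M if n < len(chunks) - 1 else 0
        body = chunk
        if n == 0 and len(chunks) > 1:
            # The first fragment announces the total TLS message length.
            flags |= FLAG_L
            body = struct.pack("!I", len(tls_flight)) + chunk
        header = struct.pack("!BBHBB", EAP_REQUEST, (first_id + n) & 0xFF,
                             6 + len(body), EAP_TYPE_TLS, flags)
        packets.append(header + body)
    return packets

def reassemble(packets):
    """Peer side: rebuild the flight, checking flags and the announced length."""
    data, announced = b"", None
    for n, pkt in enumerate(packets):
        _code, _ident, length, eap_type, flags = struct.unpack("!BBHBB", pkt[:6])
        if length != len(pkt) or eap_type != EAP_TYPE_TLS:
            raise ValueError("malformed EAP-TLS packet")
        body = pkt[6:]
        if flags & FLAG_L:
            announced, body = struct.unpack("!I", body[:4])[0], body[4:]
        if bool(flags & FLAG_M) != (n < len(packets) - 1):
            raise ValueError("M flag does not match fragment position")
        data += body
    if announced is not None and announced != len(data):
        raise ValueError("TLS Message Length mismatch")
    return data

# Constructed flight sizes (assumptions, not measurements): ServerHello, a
# two-certificate chain, ServerKeyExchange and ServerHelloDone.
SAMPLE_FLIGHTS = {"rsa2048-sha256": bytes(2900), "ecdsa-p256-sha256": bytes(1300)}

def fragment_counts(max_fragment_size: int):
    """Fragments per sample flight; each one costs a request/ACK round trip."""
    return {name: len(fragment(flight, max_fragment_size))
            for name, flight in SAMPLE_FLIGHTS.items()}
```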