TLS 1.3


TLS 1.3

Users mailing list
Unfortunately, I can't grab a packet trace just yet until I locate one of those devices (custom external firmware). I'll have a look at it asap.

In the meantime, maybe setting cipher_list = "ALL" can be more permissive than "DEFAULT", but I'm guessing I won't have much luck because the most reasonable set that might be excluded is LOW, but "As of OpenSSL 1.0.2g, these are disabled in default builds".

On the freeradius server I have:

# openssl ciphers -s -tls1
ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA

# openssl ciphers -s -tls1_1
ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA

# openssl ciphers -s -tls1_2
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA

# openssl ciphers -s -tls1_3
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

These devices have started to fail when I upgraded my FreeRADIUS server (openssl, etc.). So I'm guessing I'm missing some old insecure ciphers in openssl. Now convince the vendor to upgrade their client systems...

Thanks,

Vieri
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
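The post above compares per-protocol `openssl ciphers` output and wonders whether `cipher_list = "ALL"` would offer anything that `"DEFAULT"` does not. The script below is an added example and is not code from the thread or from FreeRADIUS. It embeds the TLS 1.0 and TLS 1.2 lists copied from the server output above, classifies each suite by name (forward secrecy, AEAD, legacy markers), diffs two lists so you can see what a client of one would lose against the other, and expands `DEFAULT` and `ALL` through Python's `ssl` module against the local libssl. The legacy-marker table and the `*_SERVER` constants are assumptions for illustration; the `DEFAULT`/`ALL` result depends on the local OpenSSL build, just as the poster's output does.

```python
"""Classify and diff OpenSSL cipher lists (added example, not from the thread)."""
import ssl

# Copied from the `openssl ciphers -s -tls1` output posted above.
TLS1_SERVER = (
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:"
    "AES256-SHA:AES128-SHA"
)

# Copied from the `openssl ciphers -s -tls1_2` output posted above.
TLS12_SERVER = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:"
    "AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:"
    "AES256-SHA:AES128-SHA"
)

# Substrings in OpenSSL cipher names that mark suites worth flagging
# (assumed table for this example; extend to taste).
LEGACY_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")


def parse_cipher_list(text):
    """Split colon-separated `openssl ciphers` output into a list of names."""
    return [c for c in text.strip().split(":") if c]


def classify(name):
    """Derive properties from an OpenSSL cipher-suite name alone."""
    tls13 = name.startswith("TLS_")  # TLS 1.3 suites are always (EC)DHE + AEAD
    return {
        "name": name,
        "forward_secret": tls13 or name.startswith(("ECDHE-", "DHE-")),
        "aead": tls13 or any(m in name for m in ("GCM", "CHACHA20", "CCM")),
        "legacy": any(m in name for m in LEGACY_MARKERS),
    }


def diff_lists(a_text, b_text):
    """Names offered in list a but absent from list b, in a's preference order."""
    b = set(parse_cipher_list(b_text))
    return [c for c in parse_cipher_list(a_text) if c not in b]


def openssl_names(cipher_string):
    """Expand an OpenSSL cipher string ("DEFAULT", "ALL", ...) with the local libssl."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def all_minus_default():
    """What cipher_list = "ALL" would add over "DEFAULT" on this OpenSSL build."""
    default = set(openssl_names("DEFAULT"))
    return [c for c in openssl_names("ALL") if c not in default]


def summarize(text):
    """Count forward-secret, AEAD and legacy suites in a cipher list."""
    props = [classify(c) for c in parse_cipher_list(text)]
    return {
        "total": len(props),
        "forward_secret": sum(p["forward_secret"] for p in props),
        "aead": sum(p["aead"] for p in props),
        "legacy": sum(p["legacy"] for p in props),
    }


if __name__ == "__main__":
    print("TLS 1.0 list:", summarize(TLS1_SERVER))
    print("TLS 1.2 list:", summarize(TLS12_SERVER))
    print("Only in the TLS 1.2 list:", diff_lists(TLS12_SERVER, TLS1_SERVER))
    print("ALL adds over DEFAULT here:", all_minus_default())
```

Running it on the posted lists shows that every TLS 1.0 suite is CBC (no AEAD) and all eight are also offered under TLS 1.2, so a client that only speaks TLS 1.0 already gets the weakest half of what the server has; the `ALL` minus `DEFAULT` line tells you, for the build actually installed, whether `cipher_list = "ALL"` would add anything at all before you change the FreeRADIUS config.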

Re: TLS 1.3

Alan DeKok-2
On Jun 29, 2020, at 11:01 AM, Vieri via Freeradius-Users <[hidden email]> wrote:
>
> Unfortunately, I can't grab a packet trace just yet until I locate one of those devices (custom external firmware). I'll have a look at it asap.

  Ah... custom firmware.  :(

> In the meantime, maybe setting cipher_list = "ALL" can be more permissive than "DEFAULT", but I'm guessing I won't have much luck because the most reasonable set that might be excluded is LOW, but "As of OpenSSL 1.0.2g, these are disabled in default builds".

  Yeah.

> These devices have started to fail when I upgraded my FreeRADIUS server (openssl, etc.). So I'm guessing I'm missing some old insecure ciphers in openssl. Now convince the vendor to upgrade their client systems...

  That sounds like the issue.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html