mirror of
https://gitlab2.federez.net/re2o/re2o
synced 2024-11-23 11:53:12 +00:00
Prevent crash with tls 1.3 and ubuntu (see https://github.com/FreeRADIUS/freeradius-server/issues/2385 )
This commit is contained in:
parent
31fdb644a2
commit
1385e8f458
1 changed files with 81 additions and 28 deletions
|
@ -2,7 +2,7 @@
|
|||
##
|
||||
## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
|
||||
##
|
||||
## $Id: 0e8d5caef5ad09dfa6acb14c5d475bae55cf4b27 $
|
||||
## $Id: f67cbdbff9b6560cec9f68da1adb82b59723d2ef $
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
|
@ -285,6 +285,10 @@ eap {
|
|||
|
||||
ca_path = ${cadir}
|
||||
|
||||
# Accept an expired Certificate Revocation List
|
||||
#
|
||||
# allow_expired_crl = no
|
||||
|
||||
#
|
||||
# If check_cert_issuer is set, the value will
|
||||
# be checked against the DN of the issuer in
|
||||
|
@ -292,10 +296,10 @@ eap {
|
|||
# match, the certificate verification will fail,
|
||||
# rejecting the user.
|
||||
#
|
||||
# In 2.1.10 and later, this check can be done
|
||||
# more generally by checking the value of the
|
||||
# TLS-Client-Cert-Issuer attribute. This check
|
||||
# can be done via any mechanism you choose.
|
||||
# This check can be done more generally by checking
|
||||
# the value of the TLS-Client-Cert-Issuer attribute.
|
||||
# This check can be done via any mechanism you
|
||||
# choose.
|
||||
#
|
||||
# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
|
||||
|
||||
|
@ -325,16 +329,42 @@ eap {
|
|||
#
|
||||
cipher_list = "DEFAULT"
|
||||
|
||||
# Work-arounds for OpenSSL nonsense
|
||||
# OpenSSL 1.0.1f and 1.0.1g do not calculate
|
||||
# the EAP keys correctly. The fix is to upgrade
|
||||
# OpenSSL, or disable TLS 1.2 here.
|
||||
#
|
||||
# For EAP-FAST, this MUST be set to "yes".
|
||||
#
|
||||
# disable_tlsv1_2 = no
|
||||
# If enabled, OpenSSL will use server cipher list
|
||||
# (possibly defined by cipher_list option above)
|
||||
# for choosing right cipher suite rather than
|
||||
# using client-specified list which is OpenSSl default
|
||||
# behavior. Having it set to yes is a current best practice
|
||||
# for TLS
|
||||
cipher_server_preference = no
|
||||
|
||||
#
|
||||
# You can selectively disable TLS versions for
|
||||
# compatability with old client devices.
|
||||
#
|
||||
# If your system has OpenSSL 1.1.0 or greater, do NOT
|
||||
# use these. Instead, set tls_min_version and
|
||||
# tls_max_version.
|
||||
#
|
||||
# disable_tlsv1_2 = no
|
||||
# disable_tlsv1_1 = no
|
||||
# disable_tlsv1 = no
|
||||
|
||||
#
|
||||
# Set min / max TLS version. Mainly for Debian
|
||||
# "trusty", which disables older versions of TLS, and
|
||||
# requires the application to manually enable them.
|
||||
#
|
||||
# If you are running Debian trusty, you should set
|
||||
# these options, otherwise older clients will not be
|
||||
# able to connect.
|
||||
#
|
||||
# Allowed values are "1.0", "1.1", and "1.2".
|
||||
#
|
||||
# The values must be in quotes.
|
||||
#
|
||||
tls_min_version = "1.0"
|
||||
tls_max_version = "1.2"
|
||||
|
||||
|
||||
#
|
||||
# Elliptical cryptography configuration
|
||||
|
@ -374,6 +404,12 @@ eap {
|
|||
# Enable it. The default is "no". Deleting the entire "cache"
|
||||
# subsection also disables caching.
|
||||
#
|
||||
# As of version 3.0.14, the session cache requires the use
|
||||
# of the "name" and "persist_dir" configuration items, below.
|
||||
#
|
||||
# The internal OpenSSL session cache has been permanently
|
||||
# disabled.
|
||||
#
|
||||
# You can disallow resumption for a particular user by adding the
|
||||
# following attribute to the control item list:
|
||||
#
|
||||
|
@ -388,16 +424,7 @@ eap {
|
|||
# Lifetime of the cached entries, in hours. The sessions will be
|
||||
# deleted/invalidated after this time.
|
||||
#
|
||||
lifetime = 24 # hours
|
||||
|
||||
#
|
||||
# The maximum number of entries in the
|
||||
# cache. Set to "0" for "infinite".
|
||||
#
|
||||
# This could be set to the number of users
|
||||
# who are logged in... which can be a LOT.
|
||||
#
|
||||
max_entries = 255
|
||||
lifetime = 1 # hours
|
||||
|
||||
#
|
||||
# Internal "name" of the session cache. Used to
|
||||
|
@ -416,6 +443,11 @@ eap {
|
|||
# state and the cached VPs. This will persist session
|
||||
# across server restarts.
|
||||
#
|
||||
# The default directory is ${logdir}, for historical
|
||||
# reasons. You should ${db_dir} instead. And check
|
||||
# the value of db_dir in the main radiusd.conf file.
|
||||
# It should not point to ${raddb}
|
||||
#
|
||||
# The server will need write perms, and the directory
|
||||
# should be secured from anyone else. You might want
|
||||
# a script to remove old files from here periodically:
|
||||
|
@ -663,6 +695,10 @@ eap {
|
|||
#
|
||||
# in the control items for a request.
|
||||
#
|
||||
# Note that the majority of supplicants do not support using a
|
||||
# client certificate with EAP-TTLS, so this option is unlikely
|
||||
# to be usable for most people.
|
||||
#
|
||||
# require_client_cert = yes
|
||||
}
|
||||
|
||||
|
@ -789,6 +825,10 @@ eap {
|
|||
#
|
||||
# in the control items for a request.
|
||||
#
|
||||
# Note that the majority of supplicants do not support using a
|
||||
# client certificate with PEAP, so this option is unlikely to
|
||||
# be usable for most people.
|
||||
#
|
||||
# require_client_cert = yes
|
||||
}
|
||||
|
||||
|
@ -839,12 +879,25 @@ eap {
|
|||
# fast {
|
||||
# Point to the common TLS configuration
|
||||
#
|
||||
# tls = tls-common
|
||||
|
||||
#
|
||||
# If 'cipher_list' is set here, it will over-ride the
|
||||
# 'cipher_list' configuration from the 'tls-common'
|
||||
# configuration. The EAP-FAST module has it's own
|
||||
# over-ride for 'cipher_list' because the
|
||||
# specifications mandata a different set of ciphers
|
||||
# than are used by the other EAP methods.
|
||||
#
|
||||
# cipher_list though must include "ADH" for anonymous provisioning.
|
||||
# This is not as straight forward as appending "ADH" alongside
|
||||
# "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is
|
||||
# recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used
|
||||
#
|
||||
# tls = tls-common
|
||||
# Note - for OpenSSL 1.1.0 and above you may need
|
||||
# to add ":@SECLEVEL=0"
|
||||
#
|
||||
# cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
|
||||
|
||||
# PAC lifetime in seconds (default: seven days)
|
||||
#
|
||||
|
|
Loading…
Reference in a new issue