TLS 1.1 and TLS 1.2 Support - use SSLv23_method() not TLSv1_method()

Nick Lowe nick.lowe at lugatech.com
Wed Nov 5 08:30:33 EST 2014


Please can tls_openssl.c be corrected so that it calls SSLv23_method()
and not TLSv1_method() allowing TLS 1.1 and TLS 1.2 to be used?

TLSv1_method() enforces that TLS 1.0 is always used so it is the
incorrect method to call.

See: https://www.openssl.org/docs/ssl/SSL_CTX_new.html

It should just be as simple as:

@@ -810,7 +810,7 @@
     }
     tls_openssl_ref_count++;

-    ssl = SSL_CTX_new(TLSv1_method());
+    ssl = SSL_CTX_new(SSLv23_method());
     if (ssl == NULL) {
         tls_openssl_ref_count--;
 #ifdef OPENSSL_SUPPORTS_CTX_APP_DATA
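Review bot: SSLv23_method() on its own also permits SSLv2 and SSLv3 to be negotiated, so the replacement line `ssl = SSL_CTX_new(SSLv23_method());` needs a matching `SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` after the NULL check, otherwise the change removes the TLS 1.0 ceiling but also drops the TLS-only floor the old TLSv1_method() gave. With that option set the context negotiates the highest version both peers support; TLS 1.0 stays permitted unless SSL_OP_NO_TLSv1 is added as a policy choice.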

The upcoming FreeRADIUS 2.x and 3.x releases will allow TLS 1.1 and
TLS 1.2 to be used by EAP clients, and by default:
(FreeRADIUS is the most widely deployed and used RADIUS server in the world.)

2.x:
https://github.com/FreeRADIUS/freeradius-server/commit/7d6344df30097df946010b2eac011cb9a480bec8

3.x:
https://github.com/FreeRADIUS/freeradius-server/commit/d9a285ca285148a2fb122b18f73ab0cbffbc12f0

Microsoft now support TLS 1.1 and TLS 1.2 with Network Policy Server
(NPS) when configured through a TlsVersion bit flags-based DWORD in
the Registry.

See "More Information" towards the end of
https://support.microsoft.com/kb/2977292

Regards,

Nick
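To confirm which version a build actually negotiates after this change (for instance from the TLS records carried inside a captured EAP-TLS exchange), the field to read is the version in the ServerHello handshake body, not the record-layer version. The following is an added example, not part of the original message or of hostap's tls_openssl.c; the sample ServerHello records are constructed, not captured.

```python
import struct

TLS_VERSIONS = {
    (3, 0): "SSLv3",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}

HANDSHAKE = 0x16
SERVER_HELLO = 0x02


def negotiated_version(record: bytes) -> str:
    """Return the protocol version announced in a ServerHello record.

    The record-layer version is only a hint (peers routinely put 0x0301
    there for compatibility), so the version is taken from the handshake
    body, which carries the value the server actually selected.
    """
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type, _rec_major, _rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError(f"not a handshake record (type 0x{content_type:02x})")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("record length does not match payload")
    if len(body) < 6:
        raise ValueError("truncated handshake header")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != SERVER_HELLO:
        raise ValueError(f"not a ServerHello (handshake type 0x{hs_type:02x})")
    if hs_len + 4 > len(body):
        raise ValueError("truncated ServerHello")
    major, minor = body[4], body[5]
    return TLS_VERSIONS.get((major, minor), f"unknown ({major}.{minor})")


def _server_hello(major: int, minor: int) -> bytes:
    """Constructed minimal ServerHello; fields after server_version are zeroed."""
    body = bytes([major, minor]) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record layer deliberately says TLS 1.0 whatever the negotiated version is.
    return bytes([HANDSHAKE, 3, 1]) + struct.pack("!H", len(handshake)) + handshake


SAMPLE_TLS10 = _server_hello(3, 1)  # what a TLSv1_method() server always sends
SAMPLE_TLS12 = _server_hello(3, 3)  # what SSLv23_method() can reach with a TLS 1.2 peer
```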

