Hi Guy,
On 02.08.21, 11:43, "Guy Halse" guy@tenet.ac.za wrote: Post upgrade, it seems there's a hardcoded default minimum TLS version of TLS 1.1 even if the OS itself defaults to a lower minimum. The only way to restore the previous behaviour is to explicitly set a lower minimum TlsVersion/DtlsVersion in the config file.
We've fixed the problem. I'm really just mentioning it here so that others aren't caught by surprise/don't make the same mistake :-). I'll submit a pull request/issue updating the documentation too.
Thanks for spotting this. Indeed the code does unconditionally set the min version (and thus ignores the system config), and also the max version (to 'any' if not configured). Instead of just documenting this, I would rise the question if this is rather a bug that should be fixed? (i.e. use the system defaults if not set in the radsecproxy config, or from a code perspective, don’t call SSL_CTX_set_min_proto_version() if not configured in radsecproxy)
Regards, Fabian
-- SWITCH Fabian Mauchle, Network Engineer Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland Phone +41 44 268 15 30, direct +41 44 268 15 39