cat-users - Re: [cat-users] eduroam not working with El Capitan 10.11 Beta

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: cat-users AT geant.net
  • Subject: Re: [cat-users] eduroam not working with El Capitan 10.11 Beta
  • Date: Fri, 10 Jul 2015 19:41:00 +0200
  • List-archive: <http://mail.geant.net/pipermail/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

Hi,

>> When negotiating a TLS/SSL connection with Diffie-Hellman key exchange, OS
>> X El Capitan requires a 1024-bit group or larger. OS X El Capitan will not
>> connect to a server that allows negotiation with a 512-bit or smaller group.
> yep. we're getting ready an advisory for our UK admins about this
> I noticed same behaviour a few weeks back with wpa_supplicant authentication
> through a RADIATOR proxy to a FreeRADIUS end server.... FreeRADIUS
> GIT repo updated to its 2048bit DH...

Ah, another round of a vendor obsoleting a crypto parameter. I guess
it's reasonable to "do something" as this will help against logjam; only
a bit too drastic to make it a DoS IMHO.

Anyway - this means the realm checks should get a new check: if ciphers
using DH are negotiated, is the DH group >=1024 Bit? I guess it'll take
a bit of head-scratching on my side to actually find out how to diagnose
this out of eapol_test, but it's probably worth it.

If we could roll this out before El Capitan starts to sail on the
world's Wi-Fi waves, it would serve as a helper to prepare admins for
the change. According to various rumour sites, we have a countdown clock
ending some time in October or so...

Greetings,

Stefan Winter

Attachment: signature.asc
Description: OpenPGP digital signature



