cat-users - Re: [cat-users] eduroam not working with El Capitan 10.11 Beta

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Mischa Diehm <mischa.diehm AT unibas.ch>
  • To: Stefan Winter <stefan.winter AT restena.lu>, "cat-users AT geant.net" <cat-users AT geant.net>
  • Subject: Re: [cat-users] eduroam not working with El Capitan 10.11 Beta
  • Date: Mon, 7 Sep 2015 09:35:33 +0000
  • Accept-language: de-DE, en-US, de-CH
  • List-archive: <http://mail.geant.net/pipermail/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

Hi Stefan,

what is the status of this? 

Do you think it would also make sense to describe how to configure the server side to be ready for this change plus all the implications for older devices that might need DH < 1024?

Thx,
Mischa

--
Mischa Diehm | Network Operations Center (NOC)
UniBasel | UniRechenZentrum (URZ)
Klingebergstr. 70 | CH-4056 Basel
Tel. +41 61 267 2273 | http://urz.unibas.ch

From: Stefan Winter <stefan.winter AT restena.lu>
Date: Thursday, 16 July 2015 10:47
To: "cat-users AT geant.net" <cat-users AT geant.net>
Subject: Re: [cat-users] eduroam not working with El Capitan 10.11 Beta

Hi,

Ah, another round of a vendor obsoleting a crypto parameter. I guess
it's reasonable to "do something" as this will help against logjam; only
a bit too drastic to make it a DoS IMHO.

FWIW, I just discovered that Chrome will also get harsh on TLS servers
with <1024 DH soon. Chrome 45 is the target for deprecation of small DH
groups:


So in IEEE 802.1X we are certainly not the only ones impacted by this.

I haven't found an easy way to determine DH group length in eapol_test
yet. If someone knows more, I'll be very happy to listen :-)

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
