
cat-users - Re: [cat-users] eduroam not working with El Capitan 10.11 Beta

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Mischa Diehm <mischa.diehm AT unibas.ch>, "cat-users AT geant.net" <cat-users AT geant.net>
  • Subject: Re: [cat-users] eduroam not working with El Capitan 10.11 Beta
  • Date: Mon, 7 Sep 2015 11:52:06 +0200
  • List-archive: <http://mail.geant.net/pipermail/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hello,

I have not found a way to get the required amount of debug output from
wpa_supplicant - so there is currently no way for me to diagnose this
configuration with our server-side toolset.

It may make sense to write documentation about this; it would probably
be much in line with the precautions for a typical webserver. I.e. use
the "openssl dhparam" tool to generate 2048 bits of "dh" file; then
point FreeRADIUS config to the new DH file.

It's not much to do - but it's also not a CAT topic.

If you had text for inclusion into the eduroam Wiki for example - please
let me know.

Note that I have no insight into the implications of a longer DH file.
All I can say is that my own FreeRADIUS has an exactly 1024 bit sized DH
file since Jan 2014, and I had no customer complaints yet.

Are you aware of any such implications?

Greetings,

Stefan Winter

On 07.09.2015 at 11:35, Mischa Diehm wrote:
> Hi Stefan,
>
> what is the status of this?
>
> Do you think it would also make sense to describe how to configure the
> server side to be ready for this change plus all the implications for
> older devices that might need DH < 1024?
>
> Thx,
> Mischa
>
> --
> Mischa Diehm | Network Operations Center (NOC)
> UniBasel | UniRechenZentrum (URZ)
> Klingebergstr. 70 | CH-4056 Basel
> Tel. +41 61 267 2273 | http://urz.unibas.ch
>
> From: Stefan Winter <stefan.winter AT restena.lu>
> Date: Thursday, 16 July 2015 10:47
> To: "cat-users AT geant.net" <cat-users AT geant.net>
> Subject: Re: [cat-users] eduroam not working with El Capitan 10.11 Beta
>
> Hi,
>
> Ah, another round of a vendor obsoleting a crypto parameter. I guess
> it's reasonable to "do something" as this will help against logjam; only
> a bit too drastic to make it a DoS IMHO.
>
> FWIW, I just discovered that Chrome will also get harsh on TLS servers
> with <1024 DH soon. Chrome 45 is the target for deprecation of small DH
> groups:
>
>
> https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/WyGIpevBV1s
>
> So in IEEE 802.1X we are certainly not the only ones impacted by this.
>
> I haven't found an easy way to determine DH group length in eapol_test
> yet. If someone knows more, I'll be very happy to listen :-)
>
> Greetings,
>
> Stefan Winter
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
> de la Recherche
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
>
> Tel: +352 424409 1
> Fax: +352 422473
>
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> recipient's key is known to me
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
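
Added example, not part of the original mails and not FreeRADIUS, eapol_test or CAT code: a Python check of the DH group length stored in a PEM "DH PARAMETERS" file, such as the one "openssl dhparam" writes, measured against the 1024-bit figure discussed in this thread. The function names and the sample parameter blocks are assumptions constructed for illustration; the sample moduli are not real primes and are not usable DH groups.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)

def _read_len(der, pos):
    """Decode the DER length field at der[pos]; return (length, next_pos)."""
    first = der[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(der):
        raise ValueError("indefinite or truncated DER length")
    return int.from_bytes(der[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def dh_prime_bits(pem_text):
    """Bit length of the prime p in a PKCS#3 DHParameter SEQUENCE { p, g }."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if len(der) < 4 or der[0] != 0x30:              # outer SEQUENCE
        raise ValueError("not a DER SEQUENCE")
    _, pos = _read_len(der, 1)
    if pos + 1 >= len(der) or der[pos] != 0x02:     # first member: INTEGER p
        raise ValueError("prime INTEGER missing")
    plen, pos = _read_len(der, pos + 1)
    if pos + plen > len(der):
        raise ValueError("truncated prime")
    return int.from_bytes(der[pos:pos + plen], "big").bit_length()

def meets_minimum(pem_text, minimum=1024):
    """True if the group is at least `minimum` bits (1024 is the thread's figure)."""
    return dh_prime_bits(pem_text) >= minimum

def _tlv(tag, body):
    """DER-encode one tag/length/value triple (used only to build samples)."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def sample_pem(bits):
    """Constructed sample: modulus 2^(bits-1)+1 is NOT a prime, g = 2."""
    p = (1 << (bits - 1)) | 1
    body = _tlv(0x02, p.to_bytes(bits // 8 + 1, "big")) + _tlv(0x02, b"\x02")
    b64 = base64.encodebytes(_tlv(0x30, body)).decode()
    return "-----BEGIN DH PARAMETERS-----\n" + b64 + "-----END DH PARAMETERS-----\n"
```

To check a real file, pass its contents, e.g. `dh_prime_bits(open(path).read())`, where `path` is whatever DH file the RADIUS server is configured to load.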



