#
cipher_list = "DEFAULT"
+ # If enabled, OpenSSL will use server cipher list
+ # (possibly defined by cipher_list option above)
+ # for choosing right cipher suite rather than
+ # using client-specified list which is OpenSSl default
+ # behavior. Having it set to yes is a current best practice
+ # for TLS
+ cipher_server_preference = no
+
# Work-arounds for OpenSSL nonsense
# OpenSSL 1.0.1f and 1.0.1g do not calculate
# the EAP keys correctly. The fix is to upgrade
# Enable it. The default is "no". Deleting the entire "cache"
# subsection also disables caching.
#
+ # As of version 3.0.14, the session cache requires the use
+ # of the "name" and "persist_dir" configuration items, below.
+ #
+ # The internal OpenSSL session cache has been permanently
+ # disabled.
+ #
# You can disallow resumption for a particular user by adding the
# following attribute to the control item list:
#
# If "enable = no" below, you CANNOT enable resumption for just one
# user by setting the above attribute to "yes".
#
- enable = yes
+ enable = no
#
# Lifetime of the cached entries, in hours. The sessions will be
lifetime = 24 # hours
#
- # The maximum number of entries in the
- # cache. Set to "0" for "infinite".
- #
- # This could be set to the number of users
- # who are logged in... which can be a LOT.
- #
- max_entries = 255
-
- #
# Internal "name" of the session cache. Used to
# distinguish which TLS context sessions belong to.
#
# state and the cached VPs. This will persist session
# across server restarts.
#
+ # The default directory is ${logdir}, for historical
+ # reasons. You should ${db_dir} instead. And check
+ # the value of db_dir in the main radiusd.conf file.
+ # It should not point to ${raddb}
+ #
# The server will need write perms, and the directory
# should be secured from anyone else. You might want
# a script to remove old files from here periodically: