Disabled session caching in raddb/mods-available/eap in response to CVE-2017-9148.

[freeradius.git] / raddb / mods-available / eap

diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
index f77aa90..5cc4ac5 100644 (file)
--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
@@ -325,6 +325,14 @@ eap {
                #
                cipher_list = "DEFAULT"
 
+               # If enabled, OpenSSL will use server cipher list
+               # (possibly defined by cipher_list option above)
+               # for choosing right cipher suite rather than
+               # using client-specified list which is OpenSSl default
+               # behavior. Having it set to yes is a current best practice
+               # for TLS
+               cipher_server_preference = no
+
                # Work-arounds for OpenSSL nonsense
                # OpenSSL 1.0.1f and 1.0.1g do not calculate
                # the EAP keys correctly.  The fix is to upgrade
@@ -382,7 +390,7 @@ eap {
                        #  If "enable = no" below, you CANNOT enable resumption for just one
                        #  user by setting the above attribute to "yes".
                        #
-                       enable = yes
+                       enable = no
 
                        #
                        #  Lifetime of the cached entries, in hours. The sessions will be
@@ -437,7 +445,10 @@ eap {
                #  the correct paths below to enable it.
                #
                #  If OCSP checking is enabled, and the OCSP checks fail,
-               #  the verify section is skipped.
+               #  the verify section is not run.
+               #
+               #  If OCSP checking is disabled, the verify section is
+               #  run on successful certificate validation.
                #
                verify {
                        #  If the OCSP checks succeed, the verify section