Some problems with TLS 1.3 and PSK

Alan DeKok aland at deployingradius.com
Mon Jan 14 14:47:32 CET 2019


On Jan 14, 2019, at 7:48 AM, Alex Perez-Mendez <Alex.Perez-Mendez at jisc.ac.uk> wrote:
> 
> As you know, Moonshot and the Trust Router use dynamically established 
> TLS PSK for allowing communication between RADIUS servers.
> This has been working nicely so far, but I've started testing with 
> Debian Buster, which ships OpenSSL 1.1, which defaults to TLS 1.3, and 
> I've found some issues with both 3.0.17 and 3.0.18.

  The 3.0.17 issue was due to a typo in a macro.  See commit fd803c9d35592

  The 3.0.18 issue is due to trying to fix other issues.  :(  And, OpenSSL seems to change its behaviour rather a lot.  Things which work in one version don't work in another.

> In this case, the issue seems to have been caused by this commit 
> https://github.com/FreeRADIUS/freeradius-server/commit/f2d93cffbd1a78ae2dbf136d8a0c41173c172f1d, 
> as reverting it reverts to the previous issue with 3.0.17.

  That commit should still be done, as it fixes other issues...

  I've pushed a fix to the v3.0.x branch which turns that check into a soft fail.  I think that should fix it, while also initializing the ssl_session variable.

  Alan DeKok.



