Authentication problems with some devices: TLS version too low

Alan DeKok aland at deployingradius.com
Sat Sep 9 21:39:25 CEST 2017


On Sep 9, 2017, at 2:59 PM, Lars Veldscholte <lars at tuxplace.nl> wrote:
> 
> I tried it using packages from sid, but that wouldn't compile on my system (with dpkg-buildpackage). So initially I gave up, but currently Buster is on the same OpenSSL version as Sid (1.1.0f-5), so I did the same thing with the packages downloaded from apt source.
> 
> They built fine and I think my change in OpenSSL worked. I can successfully connect using TLS1.0 (tested with openssl s_client -connect google.com:443 -tls1). I should note that I haven't tested this *before* (with the 'unmodded' OpenSSL) though, but I assume that the above test would have failed.
> 
> However it did not have any effect on FreeRADIUS, I'm getting the same error as before. Of course I did restart my FreeRADIUS service.
> 
> How can I check what libssl FreeRADIUS is using?

$ freeradius -XxC | grep ssl

  And you'll see the OpenSSL version.

> I noticed that there are two libssl versions installed on my system: libssl1.0.2 and libssl1.1. I only made the change in libssl1.1. Could it be that FreeRADIUS is using the former instead?

  Yes.

  It's really not a good idea to install multiple versions of OpenSSL.

  Alan DeKok.




More information about the Freeradius-Users mailing list