Authentication problems with some devices: TLS version too low
lars at tuxplace.nl
Sat Sep 9 22:52:42 CEST 2017
On 09/09/2017 21:39, Alan DeKok wrote:
> On Sep 9, 2017, at 2:59 PM, Lars Veldscholte <lars at tuxplace.nl> wrote:
>> I tried it using packages from sid, but that wouldn't compile on my system (with dpkg-buildpackage). So initially I gave up, but currently Buster is on the same OpenSSL version as Sid (1.1.0f-5), so I did the same thing with the packages downloaded from apt source.
>> They built fine and I think my change in OpenSSL worked. I can successfully connect using TLS1.0 (tested with openssl s_client -connect google.com:443 -tls1). I should note that I haven't tested this *before* (with the 'unmodded' OpenSSL) though, but I assume that the above test would have failed.
>> However it did not have any effect on FreeRADIUS, I'm getting the same error as before. Of course I did restart my FreeRADIUS service.
>> How can I check what libssl FreeRADIUS is using?
> $ freeradius -XxC | grep ssl
> And you'll see the OpenSSL version.
>> I noticed that there are two libssl versions installed on my system: libssl1.0.2 and libssl1.1. I only made the change in libssl1.1. Could it be that FreeRADIUS is using the former instead?
> It's really not a good idea to install multiple versions of OpenSSL.
> Alan DeKok.
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I never did that manually; both versions are installed as a consequence
of packages that depend on them. (if I try to remove libssl1.0.2, apt
wants to remove a whole bunch of (rather essential) packages, including
Thanks to Kamil's hint I know for sure that FreeRADIUS is using
libssl1.1. "freeradius -XxC | grep ssl" also confirms that.
I can also confirm that installing openssl 1.1.0f-3 works!
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 488 bytes
Desc: OpenPGP digital signature
More information about the Freeradius-Users