TLS 1.3 for PEAP?

Doug Wussler doug.wussler at fsu.edu
Tue Jul 9 19:46:59 CEST 2019


    On Jul 9, 2019, at 3:57 PM, Doug Wussler <doug.wussler at fsu.edu> wrote:
    >> 
    >> The only case I know of where a client has attempted to negotiate TLS 1.3 (for peap) is an Ubuntu 18.04 client
    >> running OpenSSL 1.1.1 and it fails during TLS negotiation with our FreeRADIUS server which is v3.0.17 on RHEL
    >> 7.6 with OpenSSL 1.1.1c.
    >>
    >> Do we know with any certainty whether this is a problem with OpenSSL, FreeRADIUS or something else with
    >> the peers?  I can resolve the problem by setting "tls_max_version = '1.2'" but would like to see the negotiation
    >> for 1.3 succeed.

On Jul 9, 2019, Alan DeKok <aland at deployingradius.com> replied:

      > No, you don't want that.
      > It's simple.  EAP-TLS hasn't been standardized for TLS 1.3.  PEAP hasn't been standardized for TLS 1.3.
      > You can't just say "1.3 is greater than 1.2, so we'll all upgrade to 1.3".  Using TLS 1.3 is a *lot* more complex than that.
      > It looks like the standards will be published "soon".  i.e. within a year.  The standards should be supported by both FreeRADIUS and wpa_supplicant.  It's likely that other operating systems will take much longer to support TLS 1.3 and EAP.
    
Got it.  I can see we are waiting on, for starters, https://tools.ietf.org/html/draft-dekok-emu-tls-eap-types-00.
Thank you for your response.

Doug Wussler
Florida State University

More information about the Freeradius-Users mailing list