Freeradius and unexpected TLS version ->Access-Reject
irina.ilina-sidorova at ulb.ac.be
Mon Feb 24 12:32:28 CET 2020
Thanks Alan!
Yup, I will continue with OpenSSL then.
Have a great day!
-------- Original message --------
From: Alan DeKok <aland at deployingradius.com>
Date: Mon, 24 Feb 2020, 12:30
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: Freeradius and unexpected TLS version ->Access-Reject
On Feb 24, 2020, at 5:09 AM, iilinasi
<Irina.Ilina-Sidorova at ulb.ac.be> wrote:
> TLS library for 2 packets would be an overkill... I construct
> packets in my python script (can share it - but it's really very
> ugly at the moment). That's why I can tell you the version I send
> exactly - I fill it in as "0x0301", as per specification. Is there
> anything I miss?
Well, if you're creating your own TLS implementation, there isn't
much we can do to help.
FreeRADIUS uses OpenSSL for its TLS implementation. We rely on
OpenSSL to do all TLS work, including reporting to us the TLS
version.
> You can see 0x0301 in EAP message part of debug (and TLS 1.3 would
> correspond to 0x0304). Again, I understand that wireshark is not the
> ultimate source of truth, but it does not complain on anything and
> correctly dissects the packet as EAP-TLS 1.0.
Ask the OpenSSL people how they implement TLS.
Further, this really isn't a FreeRADIUS issue. If you're writing
your own TLS implementation (even if it's 2 packets), then you need
to debug your code. Or, debug Wireshark / OpenSSL to see what they
do.
Alan DeKok.
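
An added example, not code from the thread, FreeRADIUS or OpenSSL: a ClientHello states a version in up to three places (the record header, the hello's own version field, and the supported_versions extension, type 43, defined in RFC 8446), so a hand-built packet can be checked by listing all of them. It assumes the TLS record has already been taken out of the EAP-TLS message and is not fragmented; `build_sample` and `tls_versions` are hypothetical names and the sample bytes are constructed.

```python
import struct

def build_sample(rec_ver, hello_ver, supported=()):
    """Constructed ClientHello record for the demo; not a capture from the thread."""
    exts = b""
    if supported:
        vers = b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HHB", 43, len(vers) + 1, len(vers)) + vers
        exts = struct.pack("!H", len(ext)) + ext
    body = (struct.pack("!H", hello_ver) + bytes(32) + b"\x00"      # version, random, empty session_id
            + struct.pack("!HH", 2, 0x002F) + b"\x01\x00" + exts)   # one cipher suite, null compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body              # handshake type 1 = ClientHello
    return struct.pack("!BHH", 22, rec_ver, len(hs)) + hs           # content type 22 = handshake

def tls_versions(record):
    """List every version field in one ClientHello record.
    Truncated input raises struct.error or IndexError."""
    ctype, rec_ver, rec_len = struct.unpack_from("!BHH", record, 0)
    if ctype != 22 or len(record) < 5 + rec_len:
        raise ValueError("not a complete handshake record")
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 1:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    out = {"record": rec_ver,
           "client_hello": struct.unpack_from("!H", body, 0)[0],
           "supported_versions": []}
    pos = 2 + 32                                        # skip version and random
    pos += 1 + body[pos]                                # session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
    pos += 1 + body[pos]                                # compression_methods
    if pos == len(body):
        return out                                      # no extensions block at all
    end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", body, pos)
        data = body[pos + 4:pos + 4 + elen]
        if etype == 43 and data:                        # supported_versions
            out["supported_versions"] = [
                v for (v,) in struct.iter_unpack("!H", data[1:1 + data[0]])]
        pos += 4 + elen
    return out

if __name__ == "__main__":
    sample = build_sample(0x0301, 0x0303, (0x0304, 0x0303))
    for field, value in tls_versions(sample).items():
        print(field, [hex(v) for v in value] if isinstance(value, list) else hex(value))
```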