EAP-TLS Signature Check Failure
aland at deployingradius.com
Fri Jun 12 21:45:50 CEST 2020
On Jun 12, 2020, at 3:34 PM, Peter Bance <peter at peterbance.co.uk> wrote:
> A final update on this, in case anyone here's interested (or to "wrap up" for anyone stumbling across this thread online) - I fixed it, and Windows clients are now happily joining WiFi. It's a beautiful thing to behold :-)
> In the end, I had to force OpenSSL on FreeRADIUS to stop offering TLS1.3 ciphers using the mods/eap config:
> tls_max_version = "1.2"
Good to hear.
> It seems there may be a bug in OpenSSL 1.1.1 such that even though the negotiation resulted in a TLS 1.2 session, the weird back-port of TLS 1.3 ciphers into TLS 1.2 confused things (a lot), and it tried checking for TLS 1.3 style signatures inappropriately.
Weird, but OK. It's OpenSSL :(
More information about the Freeradius-Users