EAP-TLS Signature Check Failure

Alan DeKok aland at deployingradius.com
Fri Jun 12 21:45:50 CEST 2020


On Jun 12, 2020, at 3:34 PM, Peter Bance <peter at peterbance.co.uk> wrote:
> A final update on this, in case anyone here's interested (or to "wrap up" for anyone stumbling across this thread online) - I fixed it, and Windows clients are now happily joining WiFi. It's a beautiful thing to behold :-)
> 
> In the end, I had to force OpenSSL on FreeRADIUS to stop offering TLS1.3 ciphers using the mods/eap config:
> 
> tls_max_version = "1.2"

  Good to hear.

> It seems there may be a bug in OpenSSL 1.1.1 such that even though the negotiation resulted in a TLS 1.2 session, the weird back-port of TLS 1.3 ciphers into TLS 1.2 confused things (a lot), and it tried checking for TLS 1.3 style signatures inappropriately.

  Weird, but OK.  It's OpenSSL :(

  Alan DeKok.
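
Added example, not part of the original thread: a small audit that reads an eap module file and reports whether each tls-config block carries the explicit tls_max_version cap described above. The sample config is constructed, its section layout (tls-config tls-common inside eap) is assumed from the stock FreeRADIUS 3.0 file, and the function names are hypothetical.

```python
import re

# Constructed sample of an eap module file. The section layout is an
# assumption based on the stock FreeRADIUS 3.0 config, not taken from the thread.
SAMPLE_EAP_CONF = '''
eap {
    default_eap_type = tls
    tls-config tls-common {
        private_key_file = ${certdir}/server.pem
        # tls_max_version = "1.3"
        tls_min_version = "1.2"
        tls_max_version = "1.2"
    }
}
'''

def tls_version_settings(text):
    """Map each tls-config block name to the tls_min/max_version values it sets."""
    found, stack = {}, []          # stack holds the headers of open sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}" and stack:
            stack.pop()
        else:
            m = re.match(r'(tls_(?:min|max)_version)\s*=\s*"?(\d+\.\d+)"?', line)
            section = next((s for s in reversed(stack) if s.startswith("tls-config")), None)
            if m and section:
                found.setdefault(section.split()[-1], {})[m.group(1)] = m.group(2)
    return found

def capped_at_tls12(settings):
    """True only for an explicit tls_max_version of 1.2 or lower; unset counts as False."""
    cap = settings.get("tls_max_version")
    return cap is not None and tuple(int(p) for p in cap.split(".")) <= (1, 2)

if __name__ == "__main__":
    for name, s in tls_version_settings(SAMPLE_EAP_CONF).items():
        print(name, s, "capped" if capped_at_tls12(s) else "NOT capped at TLS 1.2")
```
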



