TLS 1.3

Alan DeKok aland at deployingradius.com
Mon Jun 29 14:33:26 CEST 2020


On Jun 29, 2020, at 8:29 AM, Vieri via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> Hi,
> 
> What does this log snippet mean?
> 
> (2) eap_peap: Continuing EAP-TLS
> (2) eap_peap: Peer indicated complete TLS record size will be 71 bytes
> (2) eap_peap: Got complete TLS record (71 bytes)
> (2) eap_peap: [eaptls verify] = length included
> (2) eap_peap: (other): before SSL initialization
> (2) eap_peap: TLS_accept: before SSL initialization
> (2) eap_peap: TLS_accept: before SSL initialization
> (2) eap_peap: <<< recv TLS 1.3  [length 0042]
> (2) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal handshake_failure
> (2) eap_peap: ERROR: TLS Alert write:fatal:handshake failure
> tls: TLS_accept: Error in error
> (2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
> (2) eap_peap: ERROR: System call (I/O) error (-1)
> (2) eap_peap: ERROR: TLS receive handshake failed during operation
> (2) eap_peap: ERROR: [eaptls process] = fail
> (2) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
> (2) eap: Sending EAP Failure (code 4) ID 101 length 4
> (2) eap: Failed in EAP select
> 
> Does it mean that the wifi client asked for TLS 1.3, but we replied with TLS 1.0?

  It means that there is no shared cipher.

  TLS uses a variety of encryption methods.  The methods used by the client and server have to agree, otherwise they cannot communicate.

> I have this in freeradius:
> 
> tls_min_version = "1.0"
> tls_max_version = "1.2"
> 
> and I'm using openssl-1.1.1g.

  That should work.

  Perhaps the client has been configured to require TLS 1.3, *or* it has been configured to understand only a very limited set of ciphers.

  Alan DeKok.
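
An added example, not part of the original message or of FreeRADIUS: a small Python parser that pulls the TLS record lines, alerts and OpenSSL error out of debug output like the log quoted above, keyed by request number. The function name and the `HINTS` table are assumptions made for illustration; the sample lines are copied from the quoted log.

```python
import re

# Sample input: lines copied from the debug output quoted in this thread.
SAMPLE = """\
(2) eap_peap: Got complete TLS record (71 bytes)
(2) eap_peap: <<< recv TLS 1.3  [length 0042]
(2) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal handshake_failure
(2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
(2) eap: Sending EAP Failure (code 4) ID 101 length 4
"""

LINE = re.compile(r"^\((\d+)\)\s+(\w+):\s+(.*)$")
RECORD = re.compile(r"(<<< recv|>>> send) TLS (\d\.\d)\s+(Alert )?"
                    r"\[length ([0-9a-fA-F]{4})\](?:, (\w+) (\w+))?")
OSSL = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.+)$")

# Hypothetical hint table; the wording follows the reply in this thread.
HINTS = {
    "no shared cipher": "client and server have no cipher in common; the client "
                        "may require TLS 1.3 or accept only a limited cipher set",
}

def summarize(log):
    """Return {request_id: summary} of TLS records, alerts and OpenSSL errors."""
    out = {}
    for raw in log.splitlines():
        m = LINE.match(raw.lstrip("> \t"))  # tolerate e-mail quoting
        if not m:
            continue
        req, msg = int(m.group(1)), m.group(3)
        s = out.setdefault(req, {"records": [], "alerts": [], "errors": [],
                                 "hints": [], "eap_failure": False})
        if (r := RECORD.search(msg)):
            direction = "recv" if "recv" in r.group(1) else "send"
            # The length field is hex: 0042 is 66 bytes; adding the 5-byte
            # TLS record header gives the 71-byte record logged earlier.
            s["records"].append((direction, r.group(2), int(r.group(4), 16)))
            if r.group(3):
                s["alerts"].append((direction, r.group(5), r.group(6)))
        elif (e := OSSL.search(msg)):
            reason = e.group(4).strip()
            s["errors"].append({"code": e.group(1), "func": e.group(3),
                                "reason": reason})
            if reason in HINTS:
                s["hints"].append(HINTS[reason])
        elif msg.startswith("Sending EAP Failure"):
            s["eap_failure"] = True
    return out
```

Calling `summarize(SAMPLE)` returns one entry for request 2 holding the received and sent records, the fatal alert, the OpenSSL reason string and the matching hint.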



