Freeradius-Users Digest, Vol 195, Issue 41

Jochem Sparla J.Sparla at iolan.com
Tue Jul 27 12:31:32 CEST 2021


From the github link Matthew mentioned:

#  We also STRONGLY RECOMMEND to set
#
#tls_max_version = "1.2"
#
#  While the server will accept "1.3" as a value,
#  most EAP supplicants WILL NOT DO TLS 1.3 PROPERLY.
#
#  i.e. they WILL NOT WORK, SO DO NOT ASK QUESTIONS ON
#  THE LIST ABOUT WHY IT DOES NOT WORK.
#




-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+j.sparla=iolan.com at lists.freeradius.org] On Behalf Of mohamed almeshal
Sent: Tuesday 27 July 2021 12:22
To: freeradius-users at lists.freeradius.org
Subject: Re: Freeradius-Users Digest, Vol 195, Issue 41

Waking up in 0.1 seconds.
 ... new connection request on TCP socket Listening on auth+acct from client (105.196.196.165, 48321) -> (*, 2083, virtual-server=default)
(0) (TLS) Initiating new session
(0) (TLS) Setting verify mode to require certificate from client
(0) (TLS) Handshake state - before SSL initialization
(0) (TLS) Handshake state - Server before SSL initialization
(0) (TLS) Handshake state - Server before SSL initialization
(0) (TLS) recv TLS 1.3 Handshake, ClientHello
(0) (TLS) Handshake state - Server SSLv3/TLS read client hello
(0) (TLS) send TLS 1.2 Handshake, ServerHello
(0) (TLS) Handshake state - Server SSLv3/TLS write server hello
(0) (TLS) send TLS 1.2 Handshake, Certificate
(0) (TLS) Handshake state - Server SSLv3/TLS write certificate
(0) (TLS) send TLS 1.2 Handshake, ServerKeyExchange
(0) (TLS) Handshake state - Server SSLv3/TLS write key exchange
(0) (TLS) send TLS 1.2 Handshake, CertificateRequest
(0) (TLS) Handshake state - Server SSLv3/TLS write certificate request
(0) (TLS) send TLS 1.2 Handshake, ServerHelloDone
(0) (TLS) Handshake state - Server SSLv3/TLS write server done
(0) (TLS) Server : Need to read more data: SSLv3/TLS write server done
(0) (TLS) In Handshake Phase
(5) Cleaning up request packet ID 1 with timestamp +2
(6) Cleaning up request packet ID 2 with timestamp +2 Waking up in 0.8 seconds.
(0) (TLS) Server : Need to read more data: SSLv3/TLS write server done
(0) (TLS) In Handshake Phase
(0) (TLS) Application data.
(0) FAILED in TLS handshake receive
Closing TLS socket from client port 48321 Client has closed connection  ... shutting down socket auth+acct from client (105.196.196.165, 48321) -> (*, 2083, virtual-server=default) Waking up in 0.6 seconds.
detail (/var/log/freeradius/radacct/decoupled-accounting/detail-*:*): Polling for detail file detail (/var/log/freeradius/radacct/decoupled-accounting/detail-*:*): Detail listener state unopened waiting 0.905778 sec ... cleaning up socket auth+acct from client (105.196.196.165, 40317) -> (*, 2083, virtual-server=default) Waking up in 1.7 seconds.
 ... new connection request on TCP socket Listening on auth+acct from client (105.196.196.165, 53800) -> (*, 2083, virtual-server=default) Waking up in 0.8 seconds.

Here is the debug output for the situation.

These are the TLS settings in the default file:

listen {
    type = auth+acct
    ipaddr = *
    port = 2083
    proto = tcp
    limit {
        max_connections = 500
        lifetime = 0
        idle_timeout = 30
    }
    tls {
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        ca_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh

        fragment_size = 8192

        cipher_list = "DEFAULT"
        cipher_server_preference = yes
        tls_min_version = "1.2"
        tls_max_version = "1.3"

        cache {
            enable = yes
            lifetime = 24 # hours
        }

        require_client_cert = yes
    }
    clients = radsec
}
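An added example, not code from the list thread or from the FreeRADIUS project: it checks a pasted tls { } block against the "1.2" maximum the quoted comment recommends, and pulls every failed handshake out of debug output like the above together with the TLS versions seen in the ClientHello and ServerHello. The sample config and debug lines are constructed, and the line formats are assumed to match the output quoted in this thread.

```python
import re
# Constructed sample of the tls { } block from the quoted config (abridged).
SAMPLE_CONFIG = """\
tls {
    tls_min_version = "1.2"
    tls_max_version = "1.3"
    require_client_cert = yes
}
"""

# Constructed debug excerpt modelled on the quoted output: request 0 fails, request 1 completes.
SAMPLE_DEBUG = """\
(0) (TLS) recv TLS 1.3 Handshake, ClientHello
(0) (TLS) send TLS 1.2 Handshake, ServerHello
(0) (TLS) send TLS 1.2 Handshake, ServerHelloDone
(0) (TLS) Application data.
(0) FAILED in TLS handshake receive
(1) (TLS) recv TLS 1.2 Handshake, ClientHello
(1) (TLS) send TLS 1.2 Handshake, ServerHello
(1) (TLS) send TLS 1.2 Handshake, Finished
"""

_SETTING = re.compile(r'^\s*(tls_(?:min|max)_version)\s*=\s*"?([\d.]+)"?', re.M)
_RECV = re.compile(r'^\((\d+)\) \(TLS\) recv TLS ([\d.]+) Handshake, ClientHello')
_SEND = re.compile(r'^\((\d+)\) \(TLS\) send TLS ([\d.]+) Handshake, ServerHello$')
_FAIL = re.compile(r'^\((\d+)\) FAILED in TLS handshake')

def tls_version_settings(config_text):
    """Return {name: value} for every tls_min_version / tls_max_version line."""
    return {m.group(1): m.group(2) for m in _SETTING.finditer(config_text)}

def config_findings(config_text):
    """Flag a tls_max_version above the "1.2" the quoted comment recommends."""
    max_v = tls_version_settings(config_text).get("tls_max_version")
    if max_v and tuple(int(p) for p in max_v.split(".")) > (1, 2):
        return [f'tls_max_version = "{max_v}" exceeds the recommended "1.2"']
    return []

def failed_handshakes(debug_text):
    """Map each failed request id to (ClientHello version, ServerHello version)."""
    seen, failed = {}, {}
    for line in debug_text.splitlines():
        if m := _RECV.match(line):
            seen.setdefault(m.group(1), [None, None])[0] = m.group(2)
        elif m := _SEND.match(line):
            seen.setdefault(m.group(1), [None, None])[1] = m.group(2)
        elif m := _FAIL.match(line):
            failed[m.group(1)] = tuple(seen.get(m.group(1), (None, None)))
    return failed
```

Run it against your own radiusd -X output and listen block; a failed request whose ClientHello and ServerHello versions differ is the pattern shown in the debug above.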
