[External]Fwd: Question regarding the direction of eap_tls: <<< recv and eap_tls: >>> send

Prayank Chandorkar Prayank.Chandorkar at ril.com
Wed Mar 17 09:40:17 CET 2021


a


Regards

Prayank Chandorkar
M : +91 90829 61372
Teams : prayank.chandorkar at ril.com
JioMeet : prayank.chandorkar at ril.com

-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+prayank.chandorkar=ril.com at lists.freeradius.org> On Behalf Of Eric Nguyen
Sent: 15 November 2020 03:07
To: freeradius-users at lists.freeradius.org
Subject: [External]Fwd: Question regarding the direction of eap_tls: <<< recv and eap_tls: >>> send


Hi,

I'd like to ask a question regarding the direction of the exchanges in the radius log (radiusd -X).

I used eapol_test as a client/authenticator against FreeRADIUS 3.0.21.

- If I set the following parameters in the FreeRADIUS eap file, eapol_test will result in a failure.
In this case, "eap_tls: <<< recv TLS 1.3" looks like an exchange from FreeRADIUS to eapol_test (SERVER -> CLIENT):

tls_min_version = "1.3"
tls_max_version = "1.3"

The FREERADIUS log shows:

(2) eap_tls: <<< recv TLS 1.3  [length 00b9]
(2) eap_tls: >>> send TLS 1.2  [length 0002]
(2) eap_tls: ERROR: TLS Alert write:fatal:protocol version


- If I set the following parameters in the FreeRADIUS eap file, eapol_test will result in a success.
In this case, "eap_tls: <<< recv TLS 1.2" looks like an exchange from eapol_test to FreeRADIUS (CLIENT -> SERVER):

tls_min_version = "1.2"
tls_max_version = "1.3"

(6) eap_tls: <<< recv TLS 1.2  [length 08de]
(6) eap_tls: TLS - Creating attributes from certificate OIDs


Could you please clarify the meaning of these "eap_tls: <<< recv" log messages?

Thanks,
Eric


-------------------------------------------------------------------------------------------------------------------------------------------
FULL LOG

tls_min_version = "1.3"
tls_max_version = "1.3"

(2) eap: Calling submodule eap_tls to process data
(2) eap_tls: Continuing EAP-TLS
(2) eap_tls: [eaptls verify] = ok
(2) eap_tls: Done initial handshake
(2) eap_tls: (other): before SSL initialization
(2) eap_tls: TLS_accept: before SSL initialization
(2) eap_tls: TLS_accept: before SSL initialization
(2) eap_tls: <<< recv TLS 1.3  [length 00b9]
(2) eap_tls: >>> send TLS 1.2  [length 0002]
(2) eap_tls: ERROR: TLS Alert write:fatal:protocol version
tls: TLS_accept: Error in error
(2) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
(2) eap_tls: ERROR: System call (I/O) error (-1)
(2) eap_tls: ERROR: TLS receive handshake failed during operation
(2) eap_tls: ERROR: [eaptls process] = fail
(2) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module failed
(2) eap: Sending EAP Failure (code 4) ID 54 length 4
(2) eap: Failed in EAP select
(2)     [eap] = invalid
(2)   } # authenticate = invalid


-------------------------------------------------------------------------------------------------------------------------------------------
tls_min_version = "1.2"
tls_max_version = "1.3"

(6) eap: Calling submodule eap_tls to process data
(6) eap_tls: Continuing EAP-TLS
(6) eap_tls: Got final TLS record fragment (1272 bytes)
(6) eap_tls: [eaptls verify] = ok
(6) eap_tls: Done initial handshake
(6) eap_tls: TLS_accept: SSLv3/TLS write server done
(6) eap_tls: <<< recv TLS 1.2  [length 08de]
(6) eap_tls: TLS - Creating attributes from certificate OIDs
(6) eap_tls:   TLS-Cert-Serial := "315fa3c827cb5c44e13222c88ff80369d1a176f1"
(6) eap_tls:   TLS-Cert-Expiration := "210113170058Z"
(6) eap_tls:   TLS-Cert-Valid-Since := "201114170058Z"
(6) eap_tls:   TLS-Cert-Subject := "/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin at example.org/CN=Example Certificate Authority"
(6) eap_tls:   TLS-Cert-Issuer := "/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin at example.org/CN=Example Certificate Authority"
(6) eap_tls:   TLS-Cert-Common-Name := "Example Certificate Authority"
(6) eap_tls: TLS - Creating attributes from certificate OIDs
(6) eap_tls:   TLS-Client-Cert-Serial := "02"
(6) eap_tls:   TLS-Client-Cert-Expiration := "210113170058Z"
(6) eap_tls:   TLS-Client-Cert-Valid-Since := "201114170058Z"
(6) eap_tls:   TLS-Client-Cert-Subject := "/C=FR/ST=Radius/O=Example Inc./CN=user at example.org/emailAddress=user at example.org"
(6) eap_tls:   TLS-Client-Cert-Issuer := "/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin at example.org/CN=Example Certificate Authority"
(6) eap_tls:   TLS-Client-Cert-Common-Name := "user at example.org"
(6) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication"
(6) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
(6) eap_tls: TLS_accept: SSLv3/TLS read client certificate
(6) eap_tls: <<< recv TLS 1.2  [length 0046]
(6) eap_tls: TLS_accept: SSLv3/TLS read client key exchange
(6) eap_tls: <<< recv TLS 1.2  [length 0108]
(6) eap_tls: TLS_accept: SSLv3/TLS read certificate verify
(6) eap_tls: TLS_accept: SSLv3/TLS read change cipher spec
(6) eap_tls: <<< recv TLS 1.2  [length 0010]
(6) eap_tls: TLS_accept: SSLv3/TLS read finished
(6) eap_tls: >>> send TLS 1.2  [length 0001]
(6) eap_tls: TLS_accept: SSLv3/TLS write change cipher spec
(6) eap_tls: >>> send TLS 1.2  [length 0010]
(6) eap_tls: TLS_accept: SSLv3/TLS write finished
(6) eap_tls: (other): SSL negotiation finished successfully
(6) eap_tls: TLS - Connection Established
(6) eap_tls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6) eap_tls: TLS-Session-Version = "TLS 1.2"
(6) eap_tls: TLS - got 51 bytes of data
(6) eap_tls: [eaptls process] = handled
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
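The "<<< recv" / ">>> send" lines in the logs above are printed by FreeRADIUS from its OpenSSL message callback, and the marker is chosen by OpenSSL's write_p flag: "<<< recv" is a TLS record the server read from the supplicant (client -> server), ">>> send" is one it wrote back (server -> client), and the version shown is the one OpenSSL reports for that record. So in the failing run the 0xb9-byte record is the supplicant's ClientHello arriving at the server, and the 2-byte record is the server's fatal alert going out. The following Python parser is an added example, not part of the post and not FreeRADIUS or eapol_test code; it applies that reading to radiusd -X output, tallies bytes per direction, collects the TLS-* attributes, and reports whether the handshake ended in "TLS - Connection Established" or in an alert. The two sample logs are constructed, condensed from the excerpts in the post with the wrapped attribute lines joined.

```python
"""Summarise the TLS handshake in FreeRADIUS `radiusd -X` eap_tls debug output.

Added example; not FreeRADIUS code.  Direction is from the server's point of
view, which is how FreeRADIUS's OpenSSL message callback labels the lines.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# "<<< recv" = record the server read from the supplicant, ">>> send" = record
# the server wrote to the supplicant.  [length xxxx] is hex.
RECORD_RE = re.compile(
    r"^\((?P<req>\d+)\)\s+eap_tls:\s+(?P<mark><<< recv|>>> send)\s+"
    r"(?P<ver>.+?)\s+\[length (?P<len>[0-9a-fA-F]{4})\]\s*$"
)
ALERT_RE = re.compile(
    r"eap_tls: ERROR: TLS Alert (?P<rw>read|write):(?P<level>\w+):(?P<desc>.+?)\s*$"
)
# TLS-Cert-*, TLS-Client-Cert-* and TLS-Session-* attributes, set with :=, += or =.
ATTR_RE = re.compile(r'eap_tls:\s+(?P<name>TLS-[\w-]+)\s*(?::=|\+=|=)\s*"(?P<val>.*)"\s*$')
ESTABLISHED = "TLS - Connection Established"

DIRECTION = {"<<< recv": "client->server", ">>> send": "server->client"}


@dataclass
class Record:
    request: int      # the "(N)" request number in the debug output
    direction: str    # "client->server" or "server->client"
    version: str      # version string as OpenSSL reported it for this record
    length: int       # record payload length in bytes


@dataclass
class Summary:
    records: List[Record] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)
    attrs: Dict[str, List[str]] = field(default_factory=dict)
    established: bool = False

    def bytes_in_direction(self, direction: str) -> int:
        return sum(r.length for r in self.records if r.direction == direction)

    def outcome(self) -> str:
        """'established (version)', 'failed: alert ...', or 'incomplete'."""
        if self.established:
            ver = self.attrs.get("TLS-Session-Version", ["?"])[0]
            return f"established ({ver})"
        if self.alerts:
            return "failed: alert " + self.alerts[0]
        return "incomplete"


def parse_eap_tls_debug(lines: Iterable[str]) -> Summary:
    """Walk radiusd -X lines and build a Summary; unrelated lines are ignored."""
    s = Summary()
    for line in lines:
        m = RECORD_RE.match(line)
        if m:
            s.records.append(Record(int(m["req"]), DIRECTION[m["mark"]],
                                    m["ver"], int(m["len"], 16)))
            continue
        m = ALERT_RE.search(line)
        if m:
            s.alerts.append(f"{m['rw']}:{m['level']}:{m['desc']}")
            continue
        m = ATTR_RE.search(line)
        if m:
            s.attrs.setdefault(m["name"], []).append(m["val"])
            continue
        if ESTABLISHED in line:
            s.established = True
    return s


# Constructed samples, condensed from the post's two excerpts (values are the post's own).
FAILED_LOG = """\
(2) eap_tls: TLS_accept: before SSL initialization
(2) eap_tls: <<< recv TLS 1.3  [length 00b9]
(2) eap_tls: >>> send TLS 1.2  [length 0002]
(2) eap_tls: ERROR: TLS Alert write:fatal:protocol version
(2) eap_tls: ERROR: [eaptls process] = fail
""".splitlines()

OK_LOG = """\
(6) eap_tls: TLS_accept: SSLv3/TLS write server done
(6) eap_tls: <<< recv TLS 1.2  [length 08de]
(6) eap_tls:   TLS-Client-Cert-Common-Name := "user at example.org"
(6) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication"
(6) eap_tls: <<< recv TLS 1.2  [length 0046]
(6) eap_tls: <<< recv TLS 1.2  [length 0108]
(6) eap_tls: <<< recv TLS 1.2  [length 0010]
(6) eap_tls: >>> send TLS 1.2  [length 0001]
(6) eap_tls: >>> send TLS 1.2  [length 0010]
(6) eap_tls: TLS - Connection Established
(6) eap_tls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6) eap_tls: TLS-Session-Version = "TLS 1.2"
""".splitlines()

if __name__ == "__main__":
    for name, log in (("tls 1.3 only", FAILED_LOG), ("tls 1.2-1.3", OK_LOG)):
        s = parse_eap_tls_debug(log)
        print(f"{name}: {s.outcome()}; "
              f"{s.bytes_in_direction('client->server')} B from supplicant, "
              f"{s.bytes_in_direction('server->client')} B to supplicant")
        for r in s.records:
            print(f"  req {r.request}: {r.direction:14} {r.version} {r.length} bytes")
```

Run it on a saved `radiusd -X` capture (for example `python3 parse_eap_tls.py < debug.log` after swapping the sample lists for `sys.stdin`) to see which side sent each record and where a handshake stopped; in the failing run the only server-side record is the 2-byte alert, so nothing from FreeRADIUS ever carried a TLS 1.3 handshake message.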


