TLS 1.3
HERCEK, Marián
marian.hercek at ucm.sk
Mon May 31 12:15:06 CEST 2021
Hello,
after upgrading to 3.0.22 I can see many authentication problems with old
devices (e.g. Android 4.4) using EAP + MSCHAPv2.
I configured tls_min_version to 1.0 and tls_max_version to 1.3.
Debug log:
(32) eap_peap: (TLS) EAP Got all data (198 bytes)
(32) eap_peap: (TLS) Handshake state - before SSL initialization (0)
(32) eap_peap: (TLS) Handshake state - Server before SSL initialization (0)
(32) eap_peap: (TLS) Handshake state - Server before SSL initialization (0)
(32) eap_peap: (TLS) recv TLS 1.3 Handshake, ClientHello
(32) eap_peap: (TLS) send TLS 1.0 Alert, fatal protocol_version
(32) eap_peap: ERROR: (TLS) Alert write:fatal:protocol version
(32) eap_peap: ERROR: (TLS) Server : Error in error
(32) eap_peap: ERROR: (TLS) Failed reading from OpenSSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
(32) eap_peap: ERROR: (TLS) System call (I/O) error (-1)
(32) eap_peap: ERROR: (TLS) EAP Receive handshake failed during operation
freeradius -Xxv
Mon May 31 12:00:32 2021 : Info: radiusd: FreeRADIUS Version 3.0.22 (git #7c658e1c0), for host x86_64-pc-linux-gnu
Mon May 31 12:00:32 2021 : Debug: Server was built with:
Mon May 31 12:00:32 2021 : Debug: accounting : yes
Mon May 31 12:00:32 2021 : Debug: authentication : yes
Mon May 31 12:00:32 2021 : Debug: ascend-binary-attributes : yes
Mon May 31 12:00:32 2021 : Debug: coa : yes
Mon May 31 12:00:32 2021 : Debug: control-socket : yes
Mon May 31 12:00:32 2021 : Debug: detail : yes
Mon May 31 12:00:32 2021 : Debug: dhcp : yes
Mon May 31 12:00:32 2021 : Debug: dynamic-clients : yes
Mon May 31 12:00:32 2021 : Debug: osfc2 : no
Mon May 31 12:00:32 2021 : Debug: proxy : yes
Mon May 31 12:00:32 2021 : Debug: regex-pcre : no
Mon May 31 12:00:32 2021 : Debug: regex-posix : yes
Mon May 31 12:00:32 2021 : Debug: regex-posix-extended : yes
Mon May 31 12:00:32 2021 : Debug: session-management : yes
Mon May 31 12:00:32 2021 : Debug: stats : yes
Mon May 31 12:00:32 2021 : Debug: systemd : yes
Mon May 31 12:00:32 2021 : Debug: tcp : yes
Mon May 31 12:00:32 2021 : Debug: threads : yes
Mon May 31 12:00:32 2021 : Debug: tls : yes
Mon May 31 12:00:32 2021 : Debug: unlang : yes
Mon May 31 12:00:32 2021 : Debug: vmps : yes
Mon May 31 12:00:32 2021 : Debug: developer : no
Mon May 31 12:00:32 2021 : Debug: Server core libs:
Mon May 31 12:00:32 2021 : Debug: freeradius-server : 3.0.22
Mon May 31 12:00:32 2021 : Debug: talloc : 2.1.*
Mon May 31 12:00:32 2021 : Debug: ssl : 1.1.1d release
openssl ciphers -s -v -tls1
ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
openssl ciphers -s -v -tls1_2
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
openssl ciphers -s -v -tls1_3
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
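
One way to triage debug output like the log in this message across many requests, added here as an example that is not part of the original post and not FreeRADIUS code: it groups the `(TLS)` lines by request number and reports, for each request that ended in a fatal alert, the ClientHello version label, the alert sent, and the OpenSSL error. The request 33 lines and the name `triage` are constructed for illustration.

```python
import re
from collections import defaultdict

# Request 32: lines copied from the post above (wrapped line rejoined).
# Request 33: constructed for contrast, not from the post.
SAMPLE = """\
(32) eap_peap: (TLS) EAP Got all data (198 bytes)
(32) eap_peap: (TLS) recv TLS 1.3 Handshake, ClientHello
(32) eap_peap: (TLS) send TLS 1.0 Alert, fatal protocol_version
(32) eap_peap: ERROR: (TLS) Alert write:fatal:protocol version
(32) eap_peap: ERROR: (TLS) Failed reading from OpenSSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
(32) eap_peap: ERROR: (TLS) EAP Receive handshake failed during operation
(33) eap_peap: (TLS) recv TLS 1.2 Handshake, ClientHello
(33) eap_peap: (TLS) send TLS 1.2 Handshake, ServerHello
"""

# "(N) module: [ERROR: ](TLS) body"
LINE = re.compile(r"^\((\d+)\)\s+(\w+):\s+(?:ERROR:\s+)?\(TLS\)\s+(.*)$")
# "recv TLS 1.3 Handshake, ClientHello" / "send TLS 1.0 Alert, fatal protocol_version"
MSG = re.compile(r"^(recv|send) ((?:TLS|SSL) [\d.]+) (Handshake|Alert), (.+)$")
# OpenSSL 1.1.1 error string: error:<code>:<library>:<function>:<reason>
OSSL = re.compile(r"error:([0-9A-Fa-f]{8}):[^:]*:([^:]*):(.+)$")

def triage(text):
    """Return {request_id: summary} for requests where a fatal alert was sent."""
    sessions = defaultdict(dict)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        req, module, body = m.groups()
        s = sessions[int(req)]
        s["module"] = module
        msg = MSG.match(body)
        if msg:
            direction, version, kind, detail = msg.groups()
            if direction == "recv" and detail == "ClientHello":
                s["client_hello"] = version       # label as printed in the log
            elif direction == "send" and kind == "Alert" and detail.startswith("fatal"):
                s["alert"] = (version, detail.partition(" ")[2])
            continue
        err = OSSL.search(body)
        if err:
            s["openssl"] = err.groups()           # (code, function, reason)
    return {r: s for r, s in sessions.items() if "alert" in s}

if __name__ == "__main__":
    for req, info in sorted(triage(SAMPLE).items()):
        print(req, info)
```
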