Error with TLS 1.3 - Problem with wpa_supplicant or freeradius?
Hello, I'm currently testing freeradius v4 with eduroam and have encountered an issue with TLS 1.3: FreeRADIUS errors with the following error message:
(9) eap.ttls - Continuing EAP-TLS (9) eap.ttls - Got complete TLS record (146 bytes) (9) eap.ttls - [eap-tls verify] = complete (9) eap.ttls - <<< recv TLS 1.3, inner_content_type[length 1] (9) eap.ttls - Decrypted TLS application data (124 bytes) (9) eap.ttls - [eap-tls process] = complete (9) eap.ttls - Session established. Decoding Diameter attributes (9) eap.ttls - ERROR: Decoding TTLS TLVs failed: Tunneled challenge is incorrect (9) eap.ttls (reject) (9) eap - Resuming execution (9) eap - Sending EAP Failure (code 4) ID 10 length 4 (9) eap - Cleaning up EAP session (9) eap (reject)
The error shows up in the second EAP packet from the client after the Server Hello Done by the server (according to a wireshark capture) Server: current master (c406ab8) on debian buster with libssl-dev 1.1.1c-1 Client: Ubuntu 18.04.3 wpa_supplicant v2.6 OpenSSL 1.1.1 I have looked on some issues on Github which pointed out it's a problem on wpa_supplicant side. Since I currently don't have any other TLS1.3 capable radius server to test I just wanted to ask: Is this a problem in FreeRADIUS or in wpa_supplicant? Kind regards Jan-Frederik Rieckers
On Sep 16, 2019, at 5:49 AM, Jan-Frederik Rieckers <rieckers+freeradius-devel@uni-bremen.de> wrote:
I'm currently testing freeradius v4 with eduroam and have encountered an issue with TLS 1.3:
We don't recommend most people use v4. It's not officially released, some things don't work, and the code changes radically from day to day. For similar reasons, we don't recommend people use TLS 1.3. The EAP-TLS specification isn't finished, and neither is the one for EAP-TTLS.
Since I currently don't have any other TLS1.3 capable radius server to test I just wanted to ask: Is this a problem in FreeRADIUS or in wpa_supplicant?
There's a reason no TLS 1.3-capable RADIUS server exists. The specifications aren't finished. If TLS 1.3 works, it's magic. Wonderful. If it doesn't work, wait for the standards to be published. Alan DeKok.
participants (2)
-
Alan DeKok -
Jan-Frederik Rieckers