--On 15. Oktober 2015 16:42:47 -0400 Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
and have options to force it to use a particular TLS... does it?? ;)
tls_disable_tlsv1_0=1 - disable use of TLSv1.0 tls_disable_tlsv1_1=1 - disable use of TLSv1.1 (a workaround for AAA servers that have issues interoperating with updated TLS version) tls_disable_tlsv1_2=1 - disable use of TLSv1.2 (a workaround for AAA servers that have issues interoperating with updated TLS version)
I hope this isn't a dumb question ... I (successfully) tried eapol_test on a RHEL 6 system with OpenSSL openssl-1.0.1e-42.el6.x86_64 and FreeRadius 3.0.10 and was surprised that I didn't see TLSv1... at all. Here are all the lines referencing TLS: TLS: Phase2 EAP types - hexdump(len=8): 00 00 00 00 1a 00 00 00 TLS: using phase1 config options SSL: TLS Message Length: 5263 TLS: tls_verify_cb - preverify_ok=1 err=19 (self signed certificate in certificate chain) ca_cert_verify=0 depth=3 buf='/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2' TLS: tls_verify_cb - preverify_ok=1 err=19 (self signed certificate in certificate chain) ca_cert_verify=0 depth=3 buf='/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2' TLS: tls_verify_cb - preverify_ok=1 err=19 (self signed certificate in certificate chain) ca_cert_verify=0 depth=2 buf='/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01' TLS: tls_verify_cb - preverify_ok=1 err=19 (self signed certificate in certificate chain) ca_cert_verify=0 depth=1 buf='/C=DE/L=Koeln/O=Universitaet zu Koeln/CN=UniKoeln CA/emailAddress=camaster@uni-koeln.de' TLS: tls_verify_cb - preverify_ok=1 err=19 (self signed certificate in certificate chain) ca_cert_verify=0 depth=0 buf='/C=DE/ST=Nordrhein-Westfalen/L=Koeln/O=Universitaet zu Koeln/OU=Zentrum fuer Angewandte Informatik/CN=radius1.rrz.uni-koeln.de' EAP-PEAP: TLS done, proceed to Phase 2 Everything else looks like SSLv3: SSL: SSL_connect:SSLv2/v3 write client hello A SSL: SSL_connect:error in SSLv2/v3 read server hello A SSL: SSL_connect:SSLv3 read server hello A SSL: SSL_connect:SSLv3 read server certificate A SSL: SSL_connect:SSLv3 read server key exchange A SSL: SSL_connect:SSLv3 read server done A SSL: SSL_connect:SSLv3 write client key exchange A SSL: SSL_connect:SSLv3 write change cipher spec A SSL: SSL_connect:SSLv3 write finished A SSL: SSL_connect:SSLv3 flush data SSL: SSL_connect:error in SSLv3 read finished A SSL: SSL_connect:error in SSLv3 read finished A SSL: SSL_connect:SSLv3 read finished A What's going on there? -- .:.Sebastian Hagedorn - Weyertal 121 (Gebäude 133), Zimmer 2.02.:. .:.Regionales Rechenzentrum (RRZK).:. .:.Universität zu Köln / Cologne University - ✆ +49-221-470-89578.:.