On Jul 1, 2021, at 8:14 AM, Jochem Sparla <J.Sparla@iolan.com> wrote:
Set
cipher_list = "DEFAULT@SECLEVEL=1"
to fix this.
Yeah, that's the solution. Newer versions of OpenSSL disallow TLS 1.0, unless you say "pretty please". You can set "tls_min_version = 1.0" and NOTHING in OpenSSL will tell you that this setting is ignored. In addition, the error messages produced by OpenSSL are incredibly opaque and useless. We put extensive comments into recent versions of the server to document this, and explain it. We added more debug messages to warn people about issues like this. Yet distributions are still shipping versions of FreeRADIUS which are (in some cases) many years old. They are actively preventing people from getting updated versions, with updated documentation, and updated fixes. This is one main reason we suggest that everyone use our package repositories at http://packages.networkradius.com The packages are provided as a service to the community. Not just because it's marketing. But because it helps people, and avoid frustrations like this. Alan DeKok.