On 11 Dec 2015, at 09:17, Alan DeKok <aland@deployingradius.com> wrote:
Anyone using these versions of OpenSSL should either upgrade them, or set "disable_tlsv1_2" in the EAP TLS module configuration.
To make a long story short, these versions of OpenSSL calculate the WiFi encryption keys incorrectly for TLS 1.2. I've pushed a fix to v3.0 which disables TLS 1.2 when the server is built against those versions of OpenSSL.
The solution is to upgrade to a version of OpenSSL which works, upgrade FreeRADIUS, or to use "disable_tlsv1_2" on existing systems.
There's a stripped down version of the centos OpenSSL 1.0.1 spec files in v3.1.x and i've modified the freeradius spec files to build against them if '--with freeradius-openssl' is passed to rpmbuild. Should work ok for Centos/RHEL7, not tested on 6. The OpenSSL problems aren't getting any better, and OS vendors lag behind the latest version massively. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2