12 Jun
2020
12 Jun
'20
3:45 p.m.
On Jun 12, 2020, at 3:34 PM, Peter Bance <peter@peterbance.co.uk> wrote:
A final update on this, in case anyone here's interested (or to "wrap up" for anyone stumbling across this thread online) - I fixed it, and Windows clients are now happily joining WiFi. It's a beautiful thing to behold :-)
In the end, I had to force OpenSSL on FreeRADIUS to stop offering TLS1.3 ciphers using the mods/eap config:
tls_max_version = "1.2"
Good to hear.
It seems there may be a bug in OpenSSL 1.1.1 such that even though the negotiation resulted in a TLS 1.2 session, the weird back-port of TLS 1.3 ciphers into TLS 1.2 confused things (a lot), and it tried checking for TLS 1.3 style signatures inappropriately.
Weird, but OK. It's OpenSSL :( Alan DeKok.