Are there any (known) issues between FreeRADIUS and/or OpenSSL (or setting parameters between them) on Ubuntu 20.04?
The tls_max_version = "1.2" and tls_min_version = "1.0" in FreeRADIUS eap config are set, but that does not seem to be enough.
I'd blame OpenSSL. :( FreeRADIUS passes that setting to OpenSSL, which may or may not pay attention.
Alan DeKok.
It's the 'CipherString = DEFAULT@SECLEVEL=1' that makes a difference. The 'MinProtocol = TLSv1.2' can be left out of openssl.cnf, as long as 'tls_min_version' is set in FreeRADIUS eap config. It now works, with 'eap_peap: <<< recv UNKNOWN TLS VERSION ?0304?' and using 'TLS 1.0' further on according to the debug logging. I'm sure it's not the best or prettiest way, but I do not understand enough of all the techniques and protocols to make it better. Like solving why it still says TLS 1.3 on the first message, and why it doesn't use TLS 1.1/1.2 even though those are enabled in Windows 7, and why the process just stops when forcing TLS 1.1/1.2 by disabling TLS 1.0 in Windows. Jochem IOLAN B.V. • Mon Plaisir 26 • 4879 AN Etten-Leur • The Netherlands T +31 (0)76 50 26 100 • F +31 (0)76 50 26 199 E iolan@iolan.com • I http://www.iolan.com/ De informatie opgenomen in dit bericht kan vertrouwelijk zijn en is uitsluitend bestemd voor de geadresseerde. Indien u dit bericht onterecht ontvangt, wordt u verzocht de inhoud niet te gebruiken en de afzender direct te informeren door het bericht te retourneren. The information contained in this message may be confidential and is intended to be exclusively for the addressee. Should you receive this message unintentionally, please do not use the contents here in and notify the sender immediately by return e-mail.