On Jul 9, 2019, at 3:57 PM, Doug Wussler <doug.wussler@fsu.edu> wrote: >> >> The only case I know of where a client has attempted to negotiate TLS 1.3 (for peap) is an Ubuntu 18.04 client >> running OpenSSL 1.1.1 and it fails during TLS negotiation with our FreeRADIUS server which is v3.0.17 on RHEL >> 7.6 with OpenSSL 1.1.1c. >> >> Do we know with any certainty whether this is a problem with OpenSSL, FreeRADIUS or something else with >> the peers? I can resolve the problem by setting “tls_max_version = ‘1.2’” but would like to see the negotiation >> for 1.3 succeed. On Jul 9, 2019, Alan DeKok <aland@deployingradius.com> replied: > No, you don't want that. > It's simple. EAP-TLS hasn't been standardized for TLS 1.3. PEAP hasn't been standardized for TLS 1.3. > You can't just say "1.3 is greater than 1.2, so we'll all upgrade to 1.3". Using TLS 1.3 is a *lot* more complex than that. > It looks like the standards will be published "soon". i.e. within a year. The standards should be supported by both FreeRADIUS and wpa_supplicant. It's likely that other operating systems will take much longer to support TLS 1.3 and EAP. Got it. I can see we are waiting on, for starters, https://tools.ietf.org/html/draft-dekok-emu-tls-eap-types-00. Thank you for your response. Doug Wussler Florida State University
participants (1)
-
Doug Wussler