FR 3.0.9 RADSEC with TLS 1.2
Hello, we are testing FR 3.0.9 with radsec, but it seems not to work if our access point uses TLS 1.2. Environment: FR 3.0.9 on SLES 12 OpenSSL 1.0.1j (selfcompiled, configured with --prefix=/opt/openssl1.0.1j -fPIC shared linux-x86_64) LANCOM L-1302acn / Firmware 9.10 If we use RADSEC with TLS 1.0/1.1 it works, but with TLS 1.2 we get this FR output: (0) Initiating new EAP-TLS session (0) Setting verify mode to require certificate from client (0) (other): before/accept initialization (0) TLS_accept: before/accept initialization (0) <<< TLS 1.2 [length 007e] (0) TLS_accept: SSLv3 read client hello A (0) >>> TLS 1.2 [length 0059] (0) TLS_accept: SSLv3 write server hello A (0) >>> TLS 1.2 [length 18c4] (0) TLS_accept: SSLv3 write certificate A (0) >>> TLS 1.2 [length 024d] (0) TLS_accept: SSLv3 write key exchange A (0) >>> TLS 1.2 [length 0096] (0) TLS_accept: SSLv3 write certificate request A (0) TLS_accept: SSLv3 flush data (0) TLS_accept: Need to read more data: SSLv3 read client certificate A (0) TLS_accept: Need to read more data: SSLv3 read client certificate A (0) In SSL Handshake Phase (0) In SSL Accept mode Waking up in 0.5 seconds. (0) <<< TLS 1.2 [length 0002] (0) ERROR: TLS Alert read:fatal:handshake failure (0) ERROR: TLS_accept: Failed in SSLv3 read client certificate A (0) ERROR: SSL says: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure (0) ERROR: SSL_read failed inside of TLS (-1), TLS session failed (0) FAILED in TLS handshake receive Closing TLS socket from client port 11906 Client has closed connection ... shutting down socket auth from client (10.0.0.2, 11906) -> (*, 2083, virtual-server=radsec-guests) A debug output from our access point shows us this: *[RADSEC] 2015/09/17 11:36:29,316 Devicetime: 2015/09/17 11:37:26,575* *Beginning to establish RADSEC connection to 10.0.0.1:2083[INTRANET]* *->establishment begins, local port is 11163* ** *[TLS] 2015/09/17 11:36:29,332 Devicetime: 2015/09/17 11:37:26,577* *Creating connection 890 with peer 10.0.0.1:2083 for requester 'RB':* ** *[TLS] 2015/09/17 11:36:29,332 Devicetime: 2015/09/17 11:37:26,577* *Sending Client Hello on connection 890:* *-> adding renegotiation_info extension to client hello* *-> all fine, receive Server Hello* ** *[TLS] 2015/09/17 11:36:29,332 Devicetime: 2015/09/17 11:37:26,604* *Receiving Server Hello on connection 890:* *-> protocol version is TLSv1.2* *-> server refuses session resumption* *-> selected cipher suite is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384* *-> parsing TLS extensions* *-> selected elliptic curve point format is uncompressed* *-> all fine, receive Certificate(s)* ** *[TLS] 2015/09/17 11:36:29,332 Devicetime: 2015/09/17 11:37:26,605* *Receiving Certificate(s) on connection 890:* *-> read certificate of CN=radius.materna.de (2182 bytes)* *-> read certificate of DC=com, DC=materna, CN=MATERNA Information & Communications (Root) (1887 bytes)* *-> read certificate of DC=com, DC=materna, CN=MATERNA-INFRASTRUCTURE-CA (2255 bytes)* *-> verification succeeded* *-> all fine, receiving Server Hello Done* ** *[TLS] 2015/09/17 11:36:29,332 Devicetime: 2015/09/17 11:37:26,614* *Receiving Server Key Exchange on connection 890:* *-> selected elliptic curve is secp256r1* *-> selected signature method is (sha256,rsa)* *-> signature match* ** *[TLS] 2015/09/17 11:36:29,332 Devicetime: 2015/09/17 11:37:26,618* *Receiving Certificate Request on connection 890:* *-> my own certificate's issuer is DC=com, DC=materna, CN=MATERNA-INFRASTRUCTURE-CA* *-> truncated CA name, exiting* ** *[TLS] 2015/09/17 11:36:29,332 Devicetime: 2015/09/17 11:37:26,618* *Preparing records to send on connection 890:* *-> not in application state, bailing out* ** *[TLS] 2015/09/17 11:36:29,332 Devicetime: 2015/09/17 11:37:26,618* *Closing connection 890 (broken packet received):* *--> application state not reached (ClientRcvServerHelloDone)* *--> sending failure to requester* ** *[RADSEC] 2015/09/17 11:36:29,332 Devicetime: 2015/09/17 11:37:26,619* *RADSEC connection to 10.0.0.1:2083[INTRANET] failed: Handshake failure* *->marking connection as dead* So is this a error created through FR or does the access point something wrong? Kind regards. D. Stabla
On Sep 17, 2015, at 6:11 AM, Stabla, Daniel <dstabla@materna.de> wrote:
we are testing FR 3.0.9 with radsec, but it seems not to work if our access point uses TLS 1.2.
Environment: FR 3.0.9 on SLES 12 OpenSSL 1.0.1j (selfcompiled, configured with --prefix=/opt/openssl1.0.1j -fPIC shared linux-x86_64) LANCOM L-1302acn / Firmware 9.10
I'd say upgrade OpenSSL. Alan DeKok.
participants (2)
-
Alan DeKok -
Stabla, Daniel