warning message about suplicants
Hello, I'm using version 3.2.3-1 with TLS 1.3 enabled (support for windows 11 22h2) and the warning message below keeps appearing. Thu Jan 11 21:16:23 2024 : Warning: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Thu Jan 11 21:16:23 2024 : Warning: !! Most supplicants do not support EAP-TLS with TLS 1.3 Thu Jan 11 21:16:23 2024 : Warning: !! Please set tls_max_version = "1.2" Thu Jan 11 21:16:23 2024 : Warning: !! FreeRADIUS only supports TLS 1.3 for special builds of wpa_supplicant and Windows Thu Jan 11 21:16:23 2024 : Warning: !! This limitation is likely to change in late 2021. Thu Jan 11 21:16:23 2024 : Warning: !! If you are using this version of FreeRADIUS after 2021, you will probably need to upgrade Thu Jan 11 21:16:23 2024 : Warning: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Is there anything to update or will it still be something for the future? Regards
On Jan 11, 2024, at 7:25 PM, dextá <dexter7bbot@gmail.com> wrote:
I'm using version 3.2.3-1 with TLS 1.3 enabled (support for windows 11 22h2) and the warning message below keeps appearing.
It's just a warning message. It doesn't signify an error, or other failure case.
Is there anything to update or will it still be something for the future?
That message has been removed in commit 781c46dd9b. It won't be in 3.2.4. Alan DeKok.
Nice! Thanks Alan! Em qui., 11 de jan. de 2024 22:13, Alan DeKok <aland@deployingradius.com> escreveu:
On Jan 11, 2024, at 7:25 PM, dextá <dexter7bbot@gmail.com> wrote:
I'm using version 3.2.3-1 with TLS 1.3 enabled (support for windows 11 22h2) and the warning message below keeps appearing.
It's just a warning message. It doesn't signify an error, or other failure case.
Is there anything to update or will it still be something for the future?
That message has been removed in commit 781c46dd9b. It won't be in 3.2.4.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
W dniu 12.01.2024 o 02:13, Alan DeKok pisze:
On Jan 11, 2024, at 7:25 PM, dextá<dexter7bbot@gmail.com> wrote:
I'm using version 3.2.3-1 with TLS 1.3 enabled (support for windows 11 22h2) and the warning message below keeps appearing. It's just a warning message. It doesn't signify an error, or other failure case.
Is there anything to update or will it still be something for the future? That message has been removed in commit 781c46dd9b. It won't be in 3.2.4. Hello, I missed it, but I'll add to this thread.When should we expect version 3.2.4 to be released approximately ?
Is there any progress with session resumption / fast reauthentication cache for Microsoft supplicant utilizing TLS 1.3 or still the same choice: either session resumption or TLS 1.3 ? Cheers -- Marek Zarychta
On Feb 23, 2024, at 8:47 AM, Marek Zarychta via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I missed it, but I'll add to this thread.When should we expect version 3.2.4 to be released approximately ?
Hopefully soon? I'd prefer to release it before May 26, which would be a year after 3.2.3 was released.
Is there any progress with session resumption / fast reauthentication cache for Microsoft supplicant utilizing TLS 1.3 or still the same choice: either session resumption or TLS 1.3 ?
I believe that Microsoft has now updated their software to allow for session resumption with TLS 1.3. Alan DeKok.
W dniu 23.02.2024 o 14:59, Alan DeKok pisze:
On Feb 23, 2024, at 8:47 AM, Marek Zarychta via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I missed it, but I'll add to this thread.When should we expect version 3.2.4 to be released approximately ? Hopefully soon? I'd prefer to release it before May 26, which would be a year after 3.2.3 was released.
Is there any progress with session resumption / fast reauthentication cache for Microsoft supplicant utilizing TLS 1.3 or still the same choice: either session resumption or TLS 1.3 ? I believe that Microsoft has now updated their software to allow for session resumption with TLS 1.3.
Thank you ! -- Marek Zarychta
W dniu 23.02.2024 o 14:59, Alan DeKok pisze:
On Feb 23, 2024, at 8:47 AM, Marek Zarychta via Freeradius-Users<freeradius-users@lists.freeradius.org> wrote:
Is there any progress with session resumption / fast reauthentication cache for Microsoft supplicant utilizing TLS 1.3 or still the same choice: either session resumption or TLS 1.3 ? I believe that Microsoft has now updated their software to allow for session resumption with TLS 1.3.
FWIW, the issue seems to be solved. No more problems with fast reauthentication from Microsoft supplicants connecting over TLS 1.3 now. In the meantime I upgraded OS from FreeBSD 13.2-STABLE to FreeBSD 14.0-STABLE, thus OpenSSL changed from 1.1.1 to 3.0.13. Perhaps OpenSSL 1.1.1 was the real culprit of brokensession resumption for Windows users ? -- Marek Zarychta
On Feb 28, 2024, at 8:49 AM, Marek Zarychta <zarychtam@plan-b.pwste.edu.pl> wrote:
FWIW, the issue seems to be solved. No more problems with fast reauthentication from Microsoft supplicants connecting over TLS 1.3 now.
That's good to hear.
In the meantime I upgraded OS from FreeBSD 13.2-STABLE to FreeBSD 14.0-STABLE, thus OpenSSL changed from 1.1.1 to 3.0.13. Perhaps OpenSSL 1.1.1 was the real culprit of broken session resumption for Windows users ?
Nope. Microsoft chose to skip session resumption for TLS 1.3. I had a few conversations explaining why this was a _very_ bad decision. Universities have ~20K students reconnecting to WiFi every 60-90 minutes. And without session resumption, their Active Directory systems would melt down. That new seemed to incentivize the decision to add session resumption. Alan DeKok.
participants (3)
-
Alan DeKok -
dextá -
Marek Zarychta