Some problems with TLS 1.3 and PSK

Alan DeKok aland at
Mon Jan 14 14:47:32 CET 2019

On Jan 14, 2019, at 7:48 AM, Alex Perez-Mendez <Alex.Perez-Mendez at> wrote:
> as you know, Moonshot and the Trust Router use dynamically established 
> TLS PSK for allowing communication between RADIUS servers.
> This has been working nicely so far, but I've started testing with 
> Debian Buster, which ships OpenSSL 1.1, which defaults to TLS 1.3, and 
> I've found some issues with both 3.0.17 and 3.0.18.

  The 3.0.17 issue was due to a typo in a macro.  See commit fd803c9d35592.

  The 3.0.18 issue is due to trying to fix other issues.  :(  And, OpenSSL seems to change its behaviour rather a lot.  Things which work in one version don't work in another.

> In this case, the issue seems to have been caused by this commit 
> as reverting it reverts to the previous issue with 3.0.17.

  That commit should still be done, as it fixes other issues...

  I've pushed a fix to the v3.0.x branch which turns that check into a soft fail.  I think that should fix it, while also initializing the ssl_session variable.

  Alan DeKok.

More information about the Freeradius-Devel mailing list