EAP-TLS Suggestions on FreeRadius
Alan DeKok
aland at deployingradius.com
Mon Nov 3 20:09:06 CET 2014
Max Freeman wrote:
> Good evening,
>
> Thank you for your suggestions/reply.
> My comments/questions are underneath your thoughts using ">>".
Ugh. Standard quoting rules are nicer.
>>> Do you mean within the OpenSSL source code? I've been trying to track
>>> down the location of where OpenSSL picks a TLS 1.0 handshake over TLS 1.2.
No. I mean via the FreeRADIUS configuration. There is no TLS 1.0
versus 1.2 configuration currently in the server. It's not really needed.
>>> I'll continue to read. Is it acceptable under the ECC Curve section in
>>> eap.conf to use two elliptic curves? That is what Wireshark is sending
>>> over.
I think it's only one, but I'm not really sure. It's more of an
OpenSSL question.
>> The client (wpa_supplicant) sends FreeRADIUS a Client Hello over TLS 1.0
>> (could perhaps cause problems with ECC?) and then FreeRADIUS rejects it
>> because of an "SSL3_CLIENT_HELLO: no shared cipher." However, I have
>> confirmed that the latest version of OpenSSL supports my cipher.
FreeRADIUS depends on OpenSSL to do all SSL. If OpenSSL says "no
shared cipher", FreeRADIUS can't do much about it.
>>> Wireshark has been showing the correct cipher suites are available on
>>> both sides, which is odd. It seems that the FR server rejects the Client
>>> Hello right away, even though the Client Hello seemingly has all the
>>> necessary information. Could it have something to do with users/
>>> clients.conf?
No.
Presuming you've listed the NAS in the "clients.conf" file...
>> Does eap.conf/FR have anything to do with elliptic curves and
>> their shared cipher besides putting in "ALL" for the cipher and
>> "secptxxx" for the curve?
No.
>> I have also confirmed through OpenSSL's s_client/s_server programs
>> that my certificates are set up properly and ONLY succeed with TLS1_2
>> and not TLS1.0 or TLS1.1.
Hmm.. that might be the issue.
In v3, try editing src/main/tls.c.
Change:
ctx = SSL_CTX_new(TLSv1_method());
to:
ctx = SSL_CTX_new(SSLv23_method());
If that works, I'll make the change in the main tree.
Alan DeKok.
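The exchange above hinges on two things a practitioner would want to check before touching tls.c: what version the client is really asking for, and whether the suites it offers can exist at the version the server is pinned to. Note that Wireshark labels a ClientHello by its record-layer version, which OpenSSL-based clients commonly set to 0x0301 ("TLS 1.0") for compatibility even when the client_version inside the handshake is 0x0303 (TLS 1.2); the SHA-256 and GCM suites (for example TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) are defined only from TLS 1.2 on, so a server that is fixed at TLS 1.0 by TLSv1_method() cannot select any of them and reports "no shared cipher" even though both sides list the same suites. The following is an added example, not code from the thread, FreeRADIUS or OpenSSL: it parses a constructed ClientHello the way Wireshark would, then models the server-side selection for a server pinned to TLS 1.0 (as with TLSv1_method()) against one that negotiates up to TLS 1.2 (as with SSLv23_method()). The suite table is a small constructed subset, the selection model is simplified (client preference order, no extensions, no curve checks), and the sample hello is constructed, not a capture.

```python
"""Added example (not FreeRADIUS or OpenSSL code): parse a TLS ClientHello
and model server-side cipher-suite selection for a version-pinned server
versus a version-negotiating one.  Suite table, sample hello and the
selection model are constructed for illustration."""
import os
import struct

# id -> (name, minimum protocol version, certificate key type it needs).
# Versions are wire tuples: (3, 1) = TLS 1.0, (3, 3) = TLS 1.2.  The
# SHA-256/GCM suites exist only from TLS 1.2 on (RFC 5246); the CBC-SHA
# suites date back to TLS 1.0.  Constructed subset, not a full registry.
SUITES = {
    0xC02B: ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", (3, 3), "ECDSA"),
    0xC02C: ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", (3, 3), "ECDSA"),
    0xC023: ("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", (3, 3), "ECDSA"),
    0xC009: ("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",    (3, 1), "ECDSA"),
    0xC00A: ("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",    (3, 1), "ECDSA"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",   (3, 3), "RSA"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA",            (3, 1), "RSA"),
}


def build_client_hello(client_version, suites, record_version=(3, 1)):
    """Build a minimal ClientHello record (no extensions).  record_version
    defaults to 0x0301, the compatibility value Wireshark shows as "TLSv1"."""
    body = struct.pack("!BB", *client_version)
    body += os.urandom(32)                       # client random
    body += b"\x00"                              # empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                          # one compression method: null
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = client_hello
    return b"\x16" + struct.pack("!BB", *record_version) + struct.pack("!H", len(hs)) + hs


def parse_client_hello(rec):
    """Return (record_version, client_version, [suite ids]).  The record
    version is what the capture's top line shows; client_version inside
    the handshake is the version the client actually requests."""
    ctype, rmaj, rmin, rlen = struct.unpack("!BBBH", rec[:5])
    if ctype != 0x16 or len(rec) != 5 + rlen:
        raise ValueError("not a complete TLS handshake record")
    hs = rec[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hlen = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hlen]
    if len(body) != hlen:
        raise ValueError("truncated ClientHello")
    client_version = (body[0], body[1])
    pos = 2 + 32                                 # skip client random
    pos += 1 + body[pos]                         # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return (rmaj, rmin), client_version, suites


def server_select(rec, server_max_version, cert_type, server_suites=None):
    """Model the server's choice: negotiate the highest version both sides
    support, then take the first client-offered suite the server allows
    that is defined at that version and matches the certificate key type.
    server_max_version (3, 1) models TLSv1_method(); (3, 3) models
    SSLv23_method() with TLS 1.2 available.  None means "no shared cipher"."""
    _, client_version, offered = parse_client_hello(rec)
    version = min(client_version, server_max_version)
    for sid in offered:
        if sid not in SUITES:
            continue
        name, min_version, auth = SUITES[sid]
        if server_suites is not None and sid not in server_suites:
            continue
        if version < min_version or auth != cert_type:
            continue
        return version, name
    return None


if __name__ == "__main__":
    # Constructed: a client requesting TLS 1.2 but offering only TLS 1.2 suites,
    # sent with the usual 0x0301 record version.
    hello = build_client_hello((3, 3), [0xC02B, 0xC02C, 0xC023])
    print("record/client version:", parse_client_hello(hello)[:2])
    print("server pinned to TLS 1.0:", server_select(hello, (3, 1), "ECDSA"))
    print("server negotiating to TLS 1.2:", server_select(hello, (3, 3), "ECDSA"))
```

The first print shows the (3, 1) versus (3, 3) split that makes a capture look like a "TLS 1.0 handshake"; the second returns None, the modelled "no shared cipher"; the third selects the GCM suite, which is the outcome the SSLv23_method() change aims for. Adding a TLS 1.0-era suite such as 0xC009 to the offer lets the pinned server succeed as well, which is a quick way to tell a version problem from a certificate-type problem.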