FreeRadius and OpenSSL 1.0.2
Dave Duchscher
daved at nostrum.com
Mon Mar 23 15:20:23 CET 2015
I am testing FreeRadius with OpenSSL 1.0.2 and noticed a strange issue. TTLS-MSCHAPv2 fails. PEAP and TTLS-(PAP, CHAP, MSCHAPv1) all work. The error that stands out is 'Invalid ACK received: 0'. I get this on both 2.2.6 and 3.0.7.
2.2.6
Mon Mar 23 08:40:09 2015 : Info: [ttls] Authenticate
Mon Mar 23 08:40:09 2015 : Info: [ttls] processing EAP-TLS
Mon Mar 23 08:40:09 2015 : Info: [ttls] Received TLS ACK
Mon Mar 23 08:40:09 2015 : Info: [ttls] ACK default
Mon Mar 23 08:40:09 2015 : Error: [ttls] Invalid ACK received: 0
Mon Mar 23 08:40:09 2015 : Info: [ttls] eaptls_verify returned 4
Mon Mar 23 08:40:09 2015 : Info: [ttls] eaptls_process returned 4
3.0.7
Mon Mar 23 09:14:26 2015 : Debug: (21) eap_ttls: Authenticate
Mon Mar 23 09:14:26 2015 : Debug: (21) eap_ttls: processing EAP-TLS
Mon Mar 23 09:14:26 2015 : Debug: (21) eap_ttls: Received TLS ACK
Mon Mar 23 09:14:26 2015 : Debug: (21) eap_ttls: Received TLS ACK
Mon Mar 23 09:14:26 2015 : ERROR: (21) eap_ttls: Invalid ACK received: 0
Mon Mar 23 09:14:26 2015 : Debug: (21) eap_ttls: eaptls_verify returned 0
Mon Mar 23 09:14:26 2015 : Debug: (21) eap_ttls: eaptls_process returned 0
Mon Mar 23 09:14:26 2015 : ERROR: (21) eap: Failed continuing EAP TTLS (21) session. EAP sub-module failed
Downgrading OpenSSL to 1.0.1 makes the issue go away.
2.2.6
Mon Mar 23 08:50:40 2015 : Info: [ttls] Authenticate
Mon Mar 23 08:50:40 2015 : Info: [ttls] processing EAP-TLS
Mon Mar 23 08:50:40 2015 : Info: [ttls] Received TLS ACK
Mon Mar 23 08:50:40 2015 : Info: [ttls] ACK handshake is finished
Mon Mar 23 08:50:40 2015 : Info: [ttls] eaptls_verify returned 3
Mon Mar 23 08:50:40 2015 : Info: [ttls] eaptls_process returned 3
3.0.7
Mon Mar 23 09:17:54 2015 : Debug: (29) eap_ttls: Authenticate
Mon Mar 23 09:17:54 2015 : Debug: (29) eap_ttls: processing EAP-TLS
Mon Mar 23 09:17:54 2015 : Debug: (29) eap_ttls: Received TLS ACK
Mon Mar 23 09:17:54 2015 : Debug: (29) eap_ttls: Received TLS ACK
Mon Mar 23 09:17:54 2015 : Debug: (29) eap_ttls: ACK handshake is finished
Mon Mar 23 09:17:54 2015 : Debug: (29) eap_ttls: eaptls_verify returned 3
Mon Mar 23 09:17:54 2015 : Debug: (29) eap_ttls: eaptls_process returned 3
This was tested with the default configuration and adding a user to the users file. The OS was FreeBSD 10.1.
I am assuming this is a problem with FreeBSD's OpenSSL 1.0.2 port, but I wanted to ask if anybody else has seen issues with the latest OpenSSL version?
--
Dave