Connection issues with Android Marshmallow
Sebastian Hagedorn
Hagedorn at uni-koeln.de
Fri Oct 16 15:29:34 CEST 2015
On 15 October 2015 16:42:47 -0400, Arran Cudbard-Bell
<a.cudbardb at freeradius.org> wrote:
>> and have options
>> to force it to use a particular TLS... does it?? ;)
>
> tls_disable_tlsv1_0=1 - disable use of TLSv1.0
> tls_disable_tlsv1_1=1 - disable use of TLSv1.1 (a workaround for AAA
> servers that have issues interoperating with updated TLS version)
> tls_disable_tlsv1_2=1 - disable use of TLSv1.2 (a workaround for AAA
> servers that have issues interoperating with updated TLS version)

I hope this isn't a dumb question ... I (successfully) tried eapol_test on
a RHEL 6 system with OpenSSL openssl-1.0.1e-42.el6.x86_64 and FreeRadius
3.0.10 and was surprised that I didn't see TLSv1... at all. Here are all
the lines referencing TLS:

TLS: Phase2 EAP types - hexdump(len=8): 00 00 00 00 1a 00 00 00
TLS: using phase1 config options
SSL: TLS Message Length: 5263
TLS: tls_verify_cb - preverify_ok=1 err=19 (self signed certificate in
certificate chain) ca_cert_verify=0 depth=3 buf='/C=DE/O=Deutsche Telekom
AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2'
TLS: tls_verify_cb - preverify_ok=1 err=19 (self signed certificate in
certificate chain) ca_cert_verify=0 depth=3 buf='/C=DE/O=Deutsche Telekom
AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2'
TLS: tls_verify_cb - preverify_ok=1 err=19 (self signed certificate in
certificate chain) ca_cert_verify=0 depth=2
buf='/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01'
TLS: tls_verify_cb - preverify_ok=1 err=19 (self signed certificate in
certificate chain) ca_cert_verify=0 depth=1
buf='/C=DE/L=Koeln/O=Universitaet zu Koeln/CN=UniKoeln
CA/emailAddress=camaster at uni-koeln.de'
TLS: tls_verify_cb - preverify_ok=1 err=19 (self signed certificate in
certificate chain) ca_cert_verify=0 depth=0
buf='/C=DE/ST=Nordrhein-Westfalen/L=Koeln/O=Universitaet zu
Koeln/OU=Zentrum fuer Angewandte Informatik/CN=radius1.rrz.uni-koeln.de'
EAP-PEAP: TLS done, proceed to Phase 2

Everything else looks like SSLv3:

SSL: SSL_connect:SSLv2/v3 write client hello A
SSL: SSL_connect:error in SSLv2/v3 read server hello A
SSL: SSL_connect:SSLv3 read server hello A
SSL: SSL_connect:SSLv3 read server certificate A
SSL: SSL_connect:SSLv3 read server key exchange A
SSL: SSL_connect:SSLv3 read server done A
SSL: SSL_connect:SSLv3 write client key exchange A
SSL: SSL_connect:SSLv3 write change cipher spec A
SSL: SSL_connect:SSLv3 write finished A
SSL: SSL_connect:SSLv3 flush data
SSL: SSL_connect:error in SSLv3 read finished A
SSL: SSL_connect:error in SSLv3 read finished A
SSL: SSL_connect:SSLv3 read finished A

What's going on there?

--
.:.Sebastian Hagedorn - Weyertal 121 (Gebäude 133), Zimmer 2.02.:.
.:.Regionales Rechenzentrum (RRZK).:.
.:.Universität zu Köln / Cologne University - ✆ +49-221-470-89578.:.
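
One way to read debug output like the lines quoted in the message, as an added example that is not part of the original message or of wpa_supplicant: it rejoins the mail-wrapped lines, rebuilds the server certificate chain by depth, and lists the depths where a verification error was logged while `ca_cert_verify=0`. The sample is constructed from the message's lines with shortened subjects, and reading `ca_cert_verify=0` as "no CA certificate was configured for the test" is an assumption.

```python
import re

# Constructed sample: lines from the message, subjects shortened, mail wrapping kept.
SAMPLE = """\
SSL: SSL_connect:SSLv3 read server hello A
TLS: tls_verify_cb - preverify_ok=1 err=19 (self signed certificate in
certificate chain) ca_cert_verify=0 depth=1
buf='/C=DE/L=Koeln/O=Universitaet zu Koeln/CN=UniKoeln CA'
TLS: tls_verify_cb - preverify_ok=1 err=19 (self signed certificate in
certificate chain) ca_cert_verify=0 depth=0
buf='/C=DE/O=Universitaet zu Koeln/CN=radius1.rrz.uni-koeln.de'
SSL: SSL_connect:SSLv3 read server certificate A
SSL: SSL_connect:error in SSLv3 read finished A
SSL: SSL_connect:SSLv3 read finished A
EAP-PEAP: TLS done, proceed to Phase 2
"""

PREFIX = re.compile(r"^(TLS|SSL|EAP-[A-Z]+): ")
VERIFY = re.compile(r"tls_verify_cb - preverify_ok=(\d) err=(\d+) \((.*?)\) "
                    r"ca_cert_verify=(\d) depth=(\d+) buf='(.*)'")
STATE = re.compile(r"^SSL: SSL_connect:(error in )?(.+)$")

def unwrap(text):
    """Rejoin wrapped lines: a line without a log prefix continues the previous one."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if PREFIX.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def summarize(text):
    """Return (chain by depth, handshake states, depths with a tolerated error)."""
    chain, states, tolerated = {}, [], set()
    for rec in unwrap(text):
        m = VERIFY.search(rec)
        if m:
            _ok, err, _reason, ca_verify, depth, subject = m.groups()
            chain[int(depth)] = subject
            # Assumption: ca_cert_verify=0 means no CA certificate was
            # configured, so a nonzero err did not stop the handshake.
            if ca_verify == "0" and err != "0":
                tolerated.add(int(depth))
            continue
        m = STATE.match(rec)
        if m and not m.group(1):  # skip the "error in ..." lines
            states.append(m.group(2))
    return chain, states, sorted(tolerated)
```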