FR 3.0.9 RADSEC with TLS 1.2
Stabla, Daniel
dstabla at materna.de
Thu Sep 17 12:11:54 CEST 2015
Hello,
we are testing FR 3.0.9 with RADSEC, but it does not seem to work
if our access point uses TLS 1.2.
Environment:
FR 3.0.9 on SLES 12
OpenSSL 1.0.1j (selfcompiled, configured with
--prefix=/opt/openssl1.0.1j -fPIC shared linux-x86_64)
LANCOM L-1302acn / Firmware 9.10
If we use RADSEC with TLS 1.0/1.1 it works, but with TLS 1.2 we get this
FR output:
(0) Initiating new EAP-TLS session
(0) Setting verify mode to require certificate from client
(0) (other): before/accept initialization
(0) TLS_accept: before/accept initialization
(0) <<< TLS 1.2 [length 007e]
(0) TLS_accept: SSLv3 read client hello A
(0) >>> TLS 1.2 [length 0059]
(0) TLS_accept: SSLv3 write server hello A
(0) >>> TLS 1.2 [length 18c4]
(0) TLS_accept: SSLv3 write certificate A
(0) >>> TLS 1.2 [length 024d]
(0) TLS_accept: SSLv3 write key exchange A
(0) >>> TLS 1.2 [length 0096]
(0) TLS_accept: SSLv3 write certificate request A
(0) TLS_accept: SSLv3 flush data
(0) TLS_accept: Need to read more data: SSLv3 read client certificate A
(0) TLS_accept: Need to read more data: SSLv3 read client certificate A
(0) In SSL Handshake Phase
(0) In SSL Accept mode
Waking up in 0.5 seconds.
(0) <<< TLS 1.2 [length 0002]
(0) ERROR: TLS Alert read:fatal:handshake failure
(0) ERROR: TLS_accept: Failed in SSLv3 read client certificate A
(0) ERROR: SSL says: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
(0) ERROR: SSL_read failed inside of TLS (-1), TLS session failed
(0) FAILED in TLS handshake receive
Closing TLS socket from client port 11906
Client has closed connection
... shutting down socket auth from client (10.0.0.2, 11906) -> (*, 2083, virtual-server=radsec-guests)
A debug output from our access point shows us this:
[RADSEC] 2015/09/17 11:36:29,316 Devicetime: 2015/09/17 11:37:26,575
Beginning to establish RADSEC connection to 10.0.0.1:2083[INTRANET]
->establishment begins, local port is 11163

[TLS] 2015/09/17 11:36:29,332 Devicetime: 2015/09/17 11:37:26,577
Creating connection 890 with peer 10.0.0.1:2083 for requester 'RB':

[TLS] 2015/09/17 11:36:29,332 Devicetime: 2015/09/17 11:37:26,577
Sending Client Hello on connection 890:
-> adding renegotiation_info extension to client hello
-> all fine, receive Server Hello

[TLS] 2015/09/17 11:36:29,332 Devicetime: 2015/09/17 11:37:26,604
Receiving Server Hello on connection 890:
-> protocol version is TLSv1.2
-> server refuses session resumption
-> selected cipher suite is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-> parsing TLS extensions
-> selected elliptic curve point format is uncompressed
-> all fine, receive Certificate(s)

[TLS] 2015/09/17 11:36:29,332 Devicetime: 2015/09/17 11:37:26,605
Receiving Certificate(s) on connection 890:
-> read certificate of CN=radius.materna.de (2182 bytes)
-> read certificate of DC=com, DC=materna, CN=MATERNA Information & Communications (Root) (1887 bytes)
-> read certificate of DC=com, DC=materna, CN=MATERNA-INFRASTRUCTURE-CA (2255 bytes)
-> verification succeeded
-> all fine, receiving Server Hello Done

[TLS] 2015/09/17 11:36:29,332 Devicetime: 2015/09/17 11:37:26,614
Receiving Server Key Exchange on connection 890:
-> selected elliptic curve is secp256r1
-> selected signature method is (sha256,rsa)
-> signature match

[TLS] 2015/09/17 11:36:29,332 Devicetime: 2015/09/17 11:37:26,618
Receiving Certificate Request on connection 890:
-> my own certificate's issuer is DC=com, DC=materna, CN=MATERNA-INFRASTRUCTURE-CA
-> truncated CA name, exiting

[TLS] 2015/09/17 11:36:29,332 Devicetime: 2015/09/17 11:37:26,618
Preparing records to send on connection 890:
-> not in application state, bailing out

[TLS] 2015/09/17 11:36:29,332 Devicetime: 2015/09/17 11:37:26,618
Closing connection 890 (broken packet received):
--> application state not reached (ClientRcvServerHelloDone)
--> sending failure to requester

[RADSEC] 2015/09/17 11:36:29,332 Devicetime: 2015/09/17 11:37:26,619
RADSEC connection to 10.0.0.1:2083[INTRANET] failed: Handshake failure
->marking connection as dead
So is this an error created by FR, or is the access point doing something
wrong?
Kind regards.
D. Stabla
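The access point gives up while parsing the server's Certificate Request ("truncated CA name"). As an added example that is not part of this post or of FreeRADIUS, the Python decoder below walks a TLS 1.2 CertificateRequest message (RFC 5246, section 7.4.4) and reports which length field, if any, does not fit the bytes actually present, so a handshake message captured on the wire can be checked to tell whether the server's CA list is really inconsistent or the client's parser is at fault. The sample message, its `truncate` helper and the CA name blobs are constructed (opaque stand-ins, not real DER names).

```python
import struct

def build_certificate_request(cert_types, sig_algs, ca_names):
    """Encode a TLS 1.2 CertificateRequest (RFC 5246 7.4.4). ca_names are
    DER-encoded X.501 Names; TLS carries them as opaque length-prefixed blobs."""
    body = bytes([len(cert_types)]) + bytes(cert_types)
    algs = b"".join(bytes(a) for a in sig_algs)
    body += struct.pack("!H", len(algs)) + algs
    dns = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    body += struct.pack("!H", len(dns)) + dns
    return b"\x0d" + len(body).to_bytes(3, "big") + body  # type 13, 24-bit length

def parse_certificate_request(msg):
    """Decode a CertificateRequest, checking each length field against the
    bytes actually present; raises ValueError naming the field cut short."""
    if len(msg) < 4 or msg[0] != 13:
        raise ValueError("not a CertificateRequest handshake message")
    body = msg[4:]
    if len(body) != int.from_bytes(msg[1:4], "big"):
        raise ValueError("handshake length does not match bytes present")
    pos = 0
    def take(n, what):  # consume n bytes, or say which field was cut short
        nonlocal pos
        if pos + n > len(body):
            raise ValueError(f"truncated {what}: need {n}, have {len(body) - pos}")
        pos += n
        return body[pos - n:pos]
    cert_types = list(take(take(1, "cert types len")[0], "certificate_types"))
    alg_len = struct.unpack("!H", take(2, "sig algs len"))[0]
    algs = take(alg_len, "signature_algorithms")
    sig_algs = [(algs[i], algs[i + 1]) for i in range(0, alg_len - 1, 2)]
    dn_len = struct.unpack("!H", take(2, "CA list len"))[0]
    dn_end, ca_names = pos + dn_len, []
    while pos < dn_end:
        n = struct.unpack("!H", take(2, "CA name len"))[0]
        if pos + n > dn_end:
            raise ValueError(f"truncated CA name: declared {n}, list has {dn_end - pos}")
        ca_names.append(take(n, "CA name"))
    return {"cert_types": cert_types, "sig_algs": sig_algs, "ca_names": ca_names}

def truncate(msg, n):  # constructed failure: cut n bytes, keep outer framing valid
    body = msg[4:-n]
    return msg[:1] + len(body).to_bytes(3, "big") + body

# Constructed sample: opaque stand-ins for the DER Names of the two CAs.
CA_NAMES = [b"\x30\x12name-of-issuing-CA", b"\x30\x0cname-of-root"]
GOOD = build_certificate_request([1, 64], [(4, 1), (5, 1), (6, 1)], CA_NAMES)

def check(msg):  # parsed fields, or the diagnostic a client would log
    try:
        return parse_certificate_request(msg)
    except ValueError as e:
        return str(e)
```

Cert types 1 and 64 are rsa_sign and ecdsa_sign, and (4,1)/(5,1)/(6,1) are sha256/sha384/sha512 with RSA, matching the "(sha256,rsa)" the access point reports.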