Authentication problems with some devices: TLS version too low
lars at tuxplace.nl
Fri Sep 1 20:24:19 CEST 2017
Thanks for your reply.
I am running a recent Debian install (Buster) with OpenSSL 1.1.0f, which
should support TLSv1.2 to my knowledge.
On 01/09/2017 20:20, Alan DeKok wrote:
> On Sep 1, 2017, at 1:16 PM, Lars Veldscholte <lars at tuxplace.nl> wrote:
>> I have problems with authenticating some clients using PEAP-MSCHAP. I've seen two (unrelated) devices having this issue so far: an Android phone and a Windows 7 PC. Other clients do not have this problem.
> Vendors are starting to move to TLS 1.2 everywhere.
>> (2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417D18C:SSL routines:tls_process_client_hello:version too low
>> (2) eap_peap: ERROR: System call (I/O) error (-1)
>> (2) eap_peap: ERROR: TLS receive handshake failed during operation
>> (2) eap_peap: ERROR: [eaptls process] = fail
>> (2) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
>> (2) eap: Sending EAP Failure (code 4) ID 230 length 4
>> (2) eap: Failed in EAP select
>> (2) [eap] = invalid
>> (2) } # authenticate = invalid
>> (2) Failed to authenticate the user
>> I'm not sure if I'm interpreting this correctly, but it seems that the client is trying to talk in TLSv1.2 while FreeRADIUS doesn't support that?
> Pretty much. They *should* be able to negotiate a compatible TLS version, if your local version of OpenSSL supports TLS 1.2
>> I don't know what started this problem. PEAP always worked in the past, until now.
> The clients upgraded, and now only allow TLS 1.2.
>> The only thing I can think of is that I've recently generated new certificates (old ones were expired). There has also been a FreeRADIUS update (just regular Debian updates, I'm on 3.0.15 now). Could that be related?
> You will need to update OpenSSL to a version which supports TLS 1.2. And then re-build and re-install FreeRADIUS.
> Given that *everything* depends on OpenSSL, you're probably better off just installing a new VM with a recent version of Debian. Then, copy your current configuration over to the new machine.
> Alan DeKok.
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 488 bytes
Desc: OpenPGP digital signature
More information about the Freeradius-Users