Authentication problems with some devices: TLS version too low
Lars Veldscholte
lars at tuxplace.nl
Fri Sep 1 20:24:19 CEST 2017
Hi Alan,
Thanks for your reply.
I am running a recent Debian install (Buster) with OpenSSL 1.1.0f, which
should support TLSv1.2 to my knowledge.
Regards,
Lars
On 01/09/2017 20:20, Alan DeKok wrote:
> On Sep 1, 2017, at 1:16 PM, Lars Veldscholte <lars at tuxplace.nl> wrote:
>> I have problems with authenticating some clients using PEAP-MSCHAP. I've seen two (unrelated) devices having this issue so far: an Android phone and a Windows 7 PC. Other clients do not have this problem.
> Vendors are starting to move to TLS 1.2 everywhere.
>
> ...
>> (2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417D18C:SSL routines:tls_process_client_hello:version too low
>> (2) eap_peap: ERROR: System call (I/O) error (-1)
>> (2) eap_peap: ERROR: TLS receive handshake failed during operation
>> (2) eap_peap: ERROR: [eaptls process] = fail
>> (2) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
>> (2) eap: Sending EAP Failure (code 4) ID 230 length 4
>> (2) eap: Failed in EAP select
>> (2) [eap] = invalid
>> (2) } # authenticate = invalid
>> (2) Failed to authenticate the user
>>
>> I'm not sure if I'm interpreting this correctly, but it seems that the client is trying to talk in TLSv1.2 while FreeRADIUS doesn't support that?
> Pretty much. They *should* be able to negotiate a compatible TLS version, if your local version of OpenSSL supports TLS 1.2.
>
>> I don't know what started this problem. PEAP always worked in the past, until now.
> The clients upgraded, and now only allow TLS 1.2.
>
>> The only thing I can think of is that I've recently generated new certificates (old ones were expired). There has also been a FreeRADIUS update (just regular Debian updates, I'm on 3.0.15 now). Could that be related?
> No.
>
> You will need to update OpenSSL to a version which supports TLS 1.2. And then re-build and re-install FreeRADIUS.
>
> Given that *everything* depends on OpenSSL, you're probably better off just installing a new VM with a recent version of Debian. Then, copy your current configuration over to the new machine.
>
> Alan DeKok.
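A triage helper for debug output like the lines quoted in this thread, as an added example that is not part of the original messages or of FreeRADIUS: it finds OpenSSL errors in `ERROR:` lines, groups them by request number, and unpacks the 32-bit error code. It assumes the OpenSSL 1.1.x code layout; the function names and the sample log (the thread's lines plus one invented request 3) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: debug lines quoted in the thread, plus one invented
# successful request (3) to show that only TLS failures are reported.
SAMPLE_LOG = """\
(2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417D18C:SSL routines:tls_process_client_hello:version too low
(2) eap_peap: ERROR: System call (I/O) error (-1)
(2) eap_peap: ERROR: TLS receive handshake failed during operation
(2) eap: Sending EAP Failure (code 4) ID 230 length 4
(3) eap: Sending EAP Success (code 3) ID 12 length 4
"""

# Shape matched: "(N) module: ERROR: ... error:HEX:library:function:reason"
OPENSSL_ERR = re.compile(
    r"^\((?P<req>\d+)\)\s+(?P<module>\w+): ERROR: .*?"
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)$"
)


def unpack_error_code(hex_code):
    """Split a packed OpenSSL 1.1.x error code into (lib, func, reason).

    1.1.x layout: 8-bit library, 12-bit function, 12-bit reason.
    OpenSSL 3.x packs codes differently, so do not apply this there.
    """
    value = int(hex_code, 16)
    return (value >> 24) & 0xFF, (value >> 12) & 0xFFF, value & 0xFFF


def tls_failures(log_text):
    """Return {request number: [failure dicts]} for OpenSSL errors in the log."""
    found = defaultdict(list)
    for line in log_text.splitlines():
        m = OPENSSL_ERR.match(line.strip())
        if not m:
            continue  # not an OpenSSL error line (e.g. the I/O error line)
        lib, func, reason = unpack_error_code(m["code"])
        found[int(m["req"])].append({
            "module": m["module"],
            "function": m["func"],
            "reason": m["reason"].strip(),
            "lib_id": lib, "func_id": func, "reason_id": reason,
        })
    return dict(found)


if __name__ == "__main__":
    print(tls_failures(SAMPLE_LOG))
```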