Authentication problems with some devices: TLS version too low

Lars Veldscholte lars at tuxplace.nl
Sat Sep 2 17:56:03 CEST 2017


Hi Sven,

So I tried your advice, but there doesn't seem to be a patch with that name.

/usr/src/openssl-1.1.0f/debian/patches# ls -al
total 48
drwxr-xr-x 2 root root 4096 Sep  2 17:36 .
drwxr-xr-x 5 root root 4096 Sep  2 17:35 ..
-rw-r--r-- 1 root root 1419 Jun  5 11:39 0001-Only-release-thread-local-key-if-we-created-it.patch
-rw-r--r-- 1 root root 2014 Jan 26  2017 c_rehash-compat.patch
-rw-r--r-- 1 root root 4028 Aug  6 23:38 debian-targets.patch
-rw-r--r-- 1 root root 2280 Aug  6 23:37 Fix-a-Proxy-race-condition.patch
-rw-r--r-- 1 root root 2556 May 25 20:53 man-section.patch
-rw-r--r-- 1 root root  534 Aug  4  2016 no-symbolic.patch
-rw-r--r-- 1 root root  710 May 28  2016 padlock_conf.patch
-rw-r--r-- 1 root root 5278 Aug  4  2016 pic.patch
-rw-r--r-- 1 root root  200 Aug  6 23:53 series

/usr/src/openssl-1.1.0f/debian/patches# cat series
debian-targets.patch
man-section.patch
no-symbolic.patch
pic.patch
c_rehash-compat.patch
#padlock_conf.patch
0001-Only-release-thread-local-key-if-we-created-it.patch
Fix-a-Proxy-race-condition.patch

It seems to be the current release though, with the changelog indicating 
that indeed a change has been made in this version to disable TLSv1.0 
and v.1.1:

/usr/src/openssl-1.1.0f/debian# head changelog
openssl (1.1.0f-4) unstable; urgency=medium

   [ Sebastian Andrzej Siewior ]
   * Add support for arm64ilp32, patch by Wookey (Closes: #867240)

   [ Kurt Roeckx ]
   * Disable TLS 1.0 and 1.1, leaving 1.2 as the only supported SSL/TLS
     version. This will likely break things, but the hope is that by
     the release of Buster everything will speak at least TLS 1.2. This will be
     reconsidered before the Buster release.

Regards,

Lars

On 01/09/2017 21:12, Sven Hartge wrote:
> On 01.09.2017 20:48, Lars Veldscholte wrote:
> 
>> That's right, I'm on testing.
>>
>> So that's it then... So I was reading the debug log exactly the wrong
>> way around (client wants to talk in TLSv1.0 but server doesn't support
>> that)?
>>
>> Any way to enable that again, or do I have to find another solution?
> 
> The "solution" proposed by Kurt Roeckx, the DD maintaining OpenSSL in
> Debian, is to change every program to use the new APIs in OpenSSL 1.1+
> to specify the minimum TLS version supported.
> 
> Or to convince every user to upgrade to an OS supporting TLS1.2.
> 
> My solution was to recompile the openssl package and revert those
> changes back to the former default.
> 
> This is not complicated, just "apt-get source openssl" and then comment
> "tls1_2_default.patch" in SRCDIR/debian/patches/series.
> 
> Rebuild, install, "apt-mark hold libssl1.1 openssl" and you are done.
> 
> You need to repeat this procedure every update to the package, of course.
> 
> Regards,
> Sven.
> 
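Sven's procedure hinges on a specific line existing in debian/patches/series, and Lars's listing shows the case where it does not. The following is an added example, not code from either mail or from the Debian packaging: a small parser for the quilt series format (blank lines and "#" comments ignored, anything after the first whitespace treated as a quilt option such as "-p1") plus a helper that comments a patch out only after confirming it is actually listed. The sample series text is constructed from the listing in the mail, with a "-p1" option added to one entry to exercise option handling.

```python
# Constructed sample modelled on the series file shown in the mail, with a
# quilt option appended to the last entry; "tls1_2_default.patch" is absent
# on purpose, mirroring what the listing for 1.1.0f-4 shows.
SAMPLE_SERIES = """\
debian-targets.patch
man-section.patch
no-symbolic.patch
pic.patch
c_rehash-compat.patch
#padlock_conf.patch
0001-Only-release-thread-local-key-if-we-created-it.patch
Fix-a-Proxy-race-condition.patch -p1
"""


def parse_series(text):
    """Return [(patch_name, enabled), ...] from quilt series text.

    quilt skips blank lines and lines starting with '#'; a commented-out
    patch is reported as disabled. Text after the first whitespace on a
    line is a quilt option (e.g. '-p1'), not part of the patch name.
    A free-form '# note' line would also be reported as a disabled entry;
    quilt does not distinguish the two either.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("#").strip()
        if not body:
            continue
        entries.append((body.split()[0], enabled))
    return entries


def patch_status(text, patch_name):
    """'active', 'disabled' or 'missing' for patch_name in the series text."""
    for name, enabled in parse_series(text):
        if name == patch_name:
            return "active" if enabled else "disabled"
    return "missing"


def disable_patch(text, patch_name):
    """Return the series text with patch_name commented out.

    Raises KeyError when the patch is not listed at all, so the caller
    learns there is nothing to comment out before spending time on a
    rebuild; an already-disabled patch is left untouched.
    """
    status = patch_status(text, patch_name)
    if status == "missing":
        raise KeyError(f"{patch_name} is not listed in series")
    if status == "disabled":
        return text
    out = []
    for raw in text.splitlines(keepends=True):
        body = raw.strip()
        if body and not body.startswith("#") and body.split()[0] == patch_name:
            out.append("#" + raw)
        else:
            out.append(raw)
    return "".join(out)
```

Run it against the real file with `open("debian/patches/series").read()` in place of the sample; a "missing" result is the situation Lars reports above.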
