FreeRADIUS 3.0.15 fails to respond with TLS 1.0 (Debian testing)

Thomas d'Otreppe tdotreppe at gmail.com
Sat Sep 9 01:30:09 CEST 2017


Hi,

it looks like FreeRADIUS 3.0.15 doesn't work anymore on Debian testing
(with OpenSSL).

I tried connecting an Android 6.0 client to FreeRADIUS and from what I
understand from the following log, it fails responding to one part of
the request because it tries to use TLS 1.0 (eap_peap: ERROR: Failed
in __FUNCTION__ (SSL_read): error:1417D102:SSL
routines:tls_process_client_hello:unsupported protocol) and AFAIK, TLS
1.0 is not supported anymore in OpenSSL:

(0) Received Access-Request Id 37 from 192.168.0.254:46065 to
192.168.0.100:1812 length 139
(0)   User-Name = "me"
(0)   NAS-IP-Address = 192.168.0.254
(0)   NAS-Port = 0
(0)   Called-Station-Id = "D0-7D-0D-0F-1B-22:MyAP"
(0)   Calling-Station-Id = "12-34-56-78-90-AB"
(0)   Framed-MTU = 1400
(0)   NAS-Port-Type = Wireless-802.11
(0)   Connect-Info = "CONNECT 0Mbps 802.11"
(0)   EAP-Message = 0x02000007016d65
(0)   Message-Authenticator = 0xb909500b8d92f535dd010ce46c878d47
(0) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
  -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "me", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 0 length 7
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit
the rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_peap to process data
(0) eap_peap: Initiating new EAP-TLS session
(0) eap_peap: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 1 length 6
(0) eap: EAP session adding &reply:State = 0xf60008ccf601110e
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 37 from 192.168.0.100:1812 to
192.168.0.254:46065 length 0
(0)   EAP-Message = 0x010100061920
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0xf60008ccf601110e4d96bfb0034242b4
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 38 from 192.168.0.254:46065 to
192.168.0.100:1812 length 260
(1)   User-Name = "me"
(1)   NAS-IP-Address = 192.168.0.254
(1)   NAS-Port = 0
(1)   Called-Station-Id = "D0-7D-0D-0F-1B-22:MyAP"
(1)   Calling-Station-Id = "12-34-56-78-90-AB"
(1)   Framed-MTU = 1400
(1)   NAS-Port-Type = Wireless-802.11
(1)   Connect-Info = "CONNECT 0Mbps 802.11"
(1)   EAP-Message =
0x0201006e198000000064160301005f0100005b0301f3660ce76c4adfd99ae7f539e1867cd020b0da3f818c40bf2116c330cdb148c100001cc00ac0140039c009c0130033c007c0110035002f00050004000a00ff0100001600170000000b00020100000a00080006001700180019
(1)   State = 0xf60008ccf601110e4d96bfb0034242b4
(1)   Message-Authenticator = 0xc2e06b9b63ab56c6fbe401b903304705
(1) session-state: No cached attributes
(1) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
  -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "me", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 110
(1) eap: Continuing tunnel setup
(1)     [eap] = ok
(1)   } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0xf60008ccf601110e
(1) eap: Finished EAP session with state 0xf60008ccf601110e
(1) eap: Previous EAP request found for state 0xf60008ccf601110e,
released from the list
(1) eap: Peer sent packet with method EAP PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Continuing EAP-TLS
(1) eap_peap: Peer indicated complete TLS record size will be 100 bytes
(1) eap_peap: Got complete TLS record (100 bytes)
(1) eap_peap: [eaptls verify] = length included
(1) eap_peap: (other): before SSL initialization
(1) eap_peap: TLS_accept: before SSL initialization
(1) eap_peap: TLS_accept: before SSL initialization
(1) eap_peap: <<< recv TLS 1.2  [length 005f]
(1) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version
(1) eap_peap: ERROR: TLS Alert write:fatal:protocol version
tls: TLS_accept: Error in error
(1) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read):
error:1417D102:SSL routines:tls_process_client_hello:unsupported
protocol
(1) eap_peap: ERROR: System call (I/O) error (-1)
(1) eap_peap: ERROR: TLS receive handshake failed during operation
(1) eap_peap: ERROR: [eaptls process] = fail
(1) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
(1) eap: Sending EAP Failure (code 4) ID 1 length 4
(1) eap: Failed in EAP select
(1)     [eap] = invalid
(1)   } # authenticate = invalid
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1)   Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject:    --> me
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1)     [attr_filter.access_reject] = updated
(1)     [eap] = noop
(1)     policy remove_reply_message_if_eap {
(1)       if (&reply:EAP-Message && &reply:Reply-Message) {
(1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(1)       else {
(1)         [noop] = noop
(1)       } # else = noop
(1)     } # policy remove_reply_message_if_eap = noop
(1)   } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 38 from 192.168.0.100:1812 to
192.168.0.254:46065 length 44
(1)   EAP-Message = 0x04010004
(1)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 37 with timestamp +23
(1) Cleaning up request packet ID 38 with timestamp +23


Am I correct? If yes, is there any solution/workaround? Should I open
a bug report?
I tried to look for forcing TLS 1.2 but it doesn't seem to be an
option anywhere (it can be disabled though).

Thanks,

Thomas


More information about the Freeradius-Users mailing list