FreeRADIUS 3.0.15 fails to respond with TLS 1.0 (Debian testing)

Sat Sep 9 01:55:49 CEST 2017

On Sep 8, 2017, at 7:30 PM, Thomas d'Otreppe <tdotreppe at gmail.com> wrote:
> it looks like FreeRADIUS 3.0.15 doesn't work anymore on Debian testing
> (with OpenSSL).

  The Debian people broke OpenSSL.  They have their reasons, but that's the short summary.

> I tried connecting an Android 6.0 client to FreeRADIUS and from what I
> understand from the following log, it fails responding to one part of
> the request because it tries to use TLS 1.0 (eap_peap: ERROR: Failed
> in __FUNCTION__ (SSL_read): error:1417D102:SSL
> routines:tls_process_client_hello:unsupported protocol) and AFAIK, TLS
> 1.0 is not supported anymore in OpenSSL:

  It's supported, but the application has to jump through hoops to do it.

  The debian patches were made after 3.0.15 was released.  So there's every reason to expect that 3.0.15 won't work with  broken OpenSSL

> Am I correct? If yes, is there any solution/workaround? Should I open
> a bug report?

  We've already fixed it in the v4 branch.  We're looking at fixing it in the v3 branch, too.  Probably next week, depending on what else is going on.

> I tried to look for forcing TLS 1.2 but it doesn't seem to be an
> option anywhere (it can be disabled though).

  The server is requiring TLS 1.2 (due to the OpenSSL changes), but the client is only doing 1.0.  And that's the problem.

  In the mean time... don't use Debian "testing".  It's TLS implementation is incompatible with pretty much every piece of software from 2 years ago (EAP systems, web browsers, etc).  Debian testing will also break any server running on it which uses TLS.  Those servers will be able to talk to new clients (released in the last 1-2 years).  But they won't be able to talk to clients which are older than that.

  While I like security, you don't protect yourself from a cliff by nailing your feet to the floor.

  Alan DeKok.