Authentication problems with some devices: TLS version too low
Lars Veldscholte
lars at tuxplace.nl
Sat Sep 9 21:15:21 CEST 2017
On 02/09/2017 17:56, Lars Veldscholte wrote:
> Hi Sven,
>
> So I tried your advice, but there doesn't seem to be a patch with that
> name.
>
> /usr/src/openssl-1.1.0f/debian/patches# ls -al
> total 48
> drwxr-xr-x 2 root root 4096 Sep 2 17:36 .
> drwxr-xr-x 5 root root 4096 Sep 2 17:35 ..
> -rw-r--r-- 1 root root 1419 Jun 5 11:39 0001-Only-release-thread-local-key-if-we-created-it.patch
> -rw-r--r-- 1 root root 2014 Jan 26 2017 c_rehash-compat.patch
> -rw-r--r-- 1 root root 4028 Aug 6 23:38 debian-targets.patch
> -rw-r--r-- 1 root root 2280 Aug 6 23:37 Fix-a-Proxy-race-condition.patch
> -rw-r--r-- 1 root root 2556 May 25 20:53 man-section.patch
> -rw-r--r-- 1 root root 534 Aug 4 2016 no-symbolic.patch
> -rw-r--r-- 1 root root 710 May 28 2016 padlock_conf.patch
> -rw-r--r-- 1 root root 5278 Aug 4 2016 pic.patch
> -rw-r--r-- 1 root root 200 Aug 6 23:53 series
>
> /usr/src/openssl-1.1.0f/debian/patches# cat series
> debian-targets.patch
> man-section.patch
> no-symbolic.patch
> pic.patch
> c_rehash-compat.patch
> #padlock_conf.patch
> 0001-Only-release-thread-local-key-if-we-created-it.patch
> Fix-a-Proxy-race-condition.patch
>
> It seems to be the current release though, with the changelog indicating
> that indeed a change has been made in this version to disable TLSv1.0
> and v.1.1:
>
> /usr/src/openssl-1.1.0f/debian# head changelog
> openssl (1.1.0f-4) unstable; urgency=medium
>
> [ Sebastian Andrzej Siewior ]
> * Add support for arm64ilp32, patch by Wookey (Closes: #867240)
>
> [ Kurt Roeckx ]
> * Disable TLS 1.0 and 1.1, leaving 1.2 as the only supported SSL/TLS
> version. This will likely break things, but the hope is that by
> the release of Buster everything will speak at least TLS 1.2. This
> will be reconsidered before the Buster release.
>
> Regards,
>
> Lars
>
> On 01/09/2017 21:12, Sven Hartge wrote:
>> On 01.09.2017 20:48, Lars Veldscholte wrote:
>>
>>> That's right, I'm on testing.
>>>
>>> So that's it then... So I was reading the debug log exactly the wrong
>>> way around (client wants to talk in TLSv1.0 but server doesn't support
>>> that)?
>>>
>>> Any way to enable that again, or do I have to find another solution?
>>
>> The "solution" proposed by Kurt Roeckx, the DD maintaining OpenSSL in
>> Debian, is to change every program to use the new APIs in OpenSSL 1.1+
>> to specify the minimum TLS version supported.
>>
>> Or to convince every user to upgrade to a OS supporting TLS1.2.
>>
>> My solution was to recompile the openssl package and reverting those
>> changes back to the former default.
>>
>> This is not complicated, just "apt-get source openssl" and then comment
>> "tls1_2_default.patch" in SRCDIR/debian/patches/series.
>>
>> Rebuild, install, "apt-mark hold libssl1.1 openssl" and you are done.
>>
>> You need to repeat this procedure every update to the package, of course.
>>
>> Regards,
>> Sven.
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>
>
Ah yes, of course, ldd. It shows 1.1 so it should work...
Installing 1.1.0f-3 is even a simpler solution than downloading the
source, removing the patch and rebuilding. I'll try that. It's the same
upstream version so that will work without breaking stuff, right?
Regards,
Lars
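The rebuild procedure Sven describes above (fetch the source, comment the patch out of debian/patches/series, rebuild, install, hold the packages), written out as a script. This is an added example, not code from the thread or from Debian; it assumes the patch is named tls1_2_default.patch as Sven says, which Lars's listing of 1.1.0f-4 does not show, so the script refuses to build if that name is not present in the series file. The series-file editing is factored into small functions so the edit itself can be checked on a throwaway file before touching the real source tree.

```shell
#!/bin/sh
# Added example: re-enable TLS 1.0/1.1 in Debian's openssl 1.1.0f package by
# disabling the patch that raised the default minimum protocol version.
# Assumption: the patch is called tls1_2_default.patch; verify this in
# debian/patches/series before running with DO_REBUILD=1.
set -e

# Comment out one patch in a quilt-style series file, in place.
# Only an uncommented line that matches the name exactly is changed.
# Usage: disable_patch <series-file> <patch-name>
disable_patch() {
    series="$1"
    patch="$2"
    sed -i "s|^${patch}\$|#${patch}|" "$series"
}

# Return 0 if the patch is still active (listed and not commented out),
# 1 if it is commented out or absent.
# Usage: patch_active <series-file> <patch-name>
patch_active() {
    grep -qx "$2" "$1"
}

# The full procedure from the thread. Needs a Debian build host with
# deb-src lines enabled; not run unless DO_REBUILD=1 is set.
rebuild_openssl() {
    apt-get build-dep -y openssl
    cd /usr/src
    apt-get source openssl
    cd openssl-1.1.0f
    if ! patch_active debian/patches/series tls1_2_default.patch; then
        echo "tls1_2_default.patch is not active in debian/patches/series; check the patch name" >&2
        exit 1
    fi
    disable_patch debian/patches/series tls1_2_default.patch
    dpkg-buildpackage -us -uc -b
    cd ..
    dpkg -i libssl1.1_*.deb openssl_*.deb
    # Keep apt from replacing the rebuilt packages on the next upgrade.
    apt-mark hold libssl1.1 openssl
    apt-mark showhold
}

if [ "${DO_REBUILD:-0}" = 1 ]; then
    rebuild_openssl
fi
```

Holding libssl1.1 and openssl also holds back security updates for them, which is why Sven notes the procedure has to be repeated for every package update; unhold, rebuild against the new source and hold again each time.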