Authentication problems with some devices: TLS version too low
Alan DeKok
aland at deployingradius.com
Sat Sep 9 21:39:25 CEST 2017
On Sep 9, 2017, at 2:59 PM, Lars Veldscholte <lars at tuxplace.nl> wrote:
>
> I tried it using packages from sid, but that wouldn't compile on my system (with dpkg-buildpackage). So initially I gave up, but currently Buster is on the same OpenSSL version as Sid (1.1.0f-5), so I did the same thing with the packages downloaded from apt source.
>
> They built fine and I think my change in OpenSSL worked. I can successfully connect using TLS1.0 (tested with openssl s_client -connect google.com:443 -tls1). I should note that I haven't tested this *before* (with the 'unmodded' OpenSSL) though, but I assume that the above test would have failed.
>
> However it did not have any effect on FreeRADIUS, I'm getting the same error as before. Of course I did restart my FreeRADIUS service.
>
> How can I check what libssl FreeRADIUS is using?
$ freeradius -XxC | grep ssl
And you'll see the OpenSSL version.
> I noticed that there are two libssl versions installed on my system: libssl1.0.2 and libssl1.1. I only made the change in libssl1.1. Could it be that FreeRADIUS is using the former instead?
Yes.
It's really not a good idea to install multiple versions of OpenSSL.
Alan DeKok.
More information about the Freeradius-Users
mailing list