Authentication problems with some devices: TLS version too low

Lars Veldscholte lars at tuxplace.nl
Sat Sep 9 22:52:42 CEST 2017


On 09/09/2017 21:39, Alan DeKok wrote:
> On Sep 9, 2017, at 2:59 PM, Lars Veldscholte <lars at tuxplace.nl> wrote:
>>
>> I tried it using packages from sid, but that wouldn't compile on my system (with dpkg-buildpackage). So initially I gave up, but currently Buster is on the same OpenSSL version as Sid (1.1.0f-5), so I did the same thing with the packages downloaded from apt source.
>>
>> They built fine and I think my change in OpenSSL worked. I can successfully connect using TLS1.0 (tested with openssl s_client -connect google.com:443 -tls1). I should note that I haven't tested this *before* (with the 'unmodded' OpenSSL) though, but I assume that the above test would have failed.
>>
>> However it did not have any effect on FreeRADIUS, I'm getting the same error as before. Of course I did restart my FreeRADIUS service.
>>
>> How can I check what libssl FreeRADIUS is using?
> 
> $ freeradius -XxC | grep ssl
> 
>    And you'll see the OpenSSL version.
> 
>> I noticed that there are two libssl versions installed on my system: libssl1.0.2 and libssl1.1. I only made the change in libssl1.1. Could it be that FreeRADIUS is using the former instead?
> 
>    Yes.
> 
>    It's really not a good idea to install multiple versions of OpenSSL.
> 
>    Alan DeKok.
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 

I never did that manually; both versions are installed as a consequence 
of packages that depend on them. (if I try to remove libssl1.0.2, apt 
wants to remove a whole bunch of (rather essential) packages, including 
OpenSSH.

Thanks to Kamil's hint I know for sure that FreeRADIUS is using 
libssl1.1. "freeradius -XxC | grep ssl" also confirms that.

I can also confirm that installing openssl 1.1.0f-3 works!

Lars

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20170909/4479d00a/attachment-0001.sig>


More information about the Freeradius-Users mailing list