Authentication problems with some devices: TLS version too low

Lars Veldscholte lars at
Sat Sep 9 22:52:42 CEST 2017

On 09/09/2017 21:39, Alan DeKok wrote:
> On Sep 9, 2017, at 2:59 PM, Lars Veldscholte <lars at> wrote:
>> I tried it using packages from sid, but that wouldn't compile on my system (with dpkg-buildpackage). So initially I gave up, but currently Buster is on the same OpenSSL version as Sid (1.1.0f-5), so I did the same thing with the packages downloaded from apt source.
>> They built fine and I think my change in OpenSSL worked. I can successfully connect using TLS1.0 (tested with openssl s_client -connect -tls1). I should note that I haven't tested this *before* (with the 'unmodded' OpenSSL) though, but I assume that the above test would have failed.
>> However it did not have any effect on FreeRADIUS, I'm getting the same error as before. Of course I did restart my FreeRADIUS service.
>> How can I check what libssl FreeRADIUS is using?
> $ freeradius -XxC | grep ssl
>    And you'll see the OpenSSL version.
>> I noticed that there are two libssl versions installed on my system: libssl1.0.2 and libssl1.1. I only made the change in libssl1.1. Could it be that FreeRADIUS is using the former instead?
>    Yes.
>    It's really not a good idea to install multiple versions of OpenSSL.
>    Alan DeKok.

I never did that manually; both versions are installed as a consequence 
of packages that depend on them. (if I try to remove libssl1.0.2, apt 
wants to remove a whole bunch of (rather essential) packages, including 

Thanks to Kamil's hint I know for sure that FreeRADIUS is using 
libssl1.1. "freeradius -XxC | grep ssl" also confirms that.

I can also confirm that installing openssl 1.1.0f-3 works!
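
An added example, not part of the original post or of FreeRADIUS: a shell helper that reads `ldd`-style output and reports which libssl/libcrypto sonames a binary links against, flagging the situation discussed in this thread where libssl1.0.2 and libssl1.1 are both in play. The sample `ldd` lines, paths, addresses and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ldd` output for a daemon linked against libssl1.1.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd1a5f2000)
    libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f0a0fc00000)
    libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f0a0f800000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0a0f400000)'

# Constructed sample: the same binary plus a module that pulls in libssl1.0.2.
SAMPLE_MIXED="$SAMPLE_LDD
    libssl.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2 (0x00007f0a0e000000)"

# Read ldd-style lines on stdin; print "soname path" for each libssl/libcrypto
# entry. An unresolved library ("=> not found") is reported as NOT-FOUND.
tls_libs() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
             print $1, ($3 == "not" ? "NOT-FOUND" : $3)
         }' | sort -u
}

# Print the distinct libssl ABI versions, i.e. the suffix after "libssl.so.".
libssl_versions() {
    tls_libs | awk '$1 ~ /^libssl\.so\./ {
                        sub(/^libssl\.so\./, "", $1); print $1
                    }' | sort -u
}

# Succeed only when exactly one libssl version appears in the input.
single_libssl() {
    n=$(libssl_versions | wc -l | tr -d ' ')
    [ "$n" -eq 1 ]
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_LDD" | tls_libs
if printf '%s\n' "$SAMPLE_MIXED" | single_libssl; then
    echo "one libssl version linked"
else
    echo "WARNING: zero or multiple libssl versions linked:"
    printf '%s\n' "$SAMPLE_MIXED" | libssl_versions
fi
```

On a live system the same functions can be fed real output, for example `ldd "$(command -v freeradius)" | tls_libs`, and the result compared with what `freeradius -XxC | grep ssl` reports.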



More information about the Freeradius-Users mailing list