Reject for unknown TLS version
Norman Elton
normelton at gmail.com
Wed Aug 15 17:39:50 CEST 2018
> For anyone having this problem ... upgrading to FreeRADIUS 3.0.17, and
> to openssl 1.0.2p appears to have solved the problem.
> Moving to FR3 is long overdue. It will require some reconfigurations
> on my part, which will surely prompt more questions. Thanks for the
> advice so far.
Just a follow-up to my follow-up, purely for those that run into this
issue in the future. The root cause was not FR version related. It
appears that my client (Mac OS 10.13.6) terminates the TLS session
when it realizes that it does not trust the server-side certificate.
FreeRADIUS is barking about the closure of this TLS session. The same
issue recurs under FreeRADIUS 3.0.17, albeit with a slightly different
output. I finally rooted this out digging through client-side 802.1x
logs and discovered a misconfiguration in our onboarding tool.
Thanks
Norman
On Tue, Aug 14, 2018 at 4:10 PM Norman Elton <normelton at gmail.com> wrote:
>
> >> To be fair, we have FreeRADIUS deployed on RHEL6, using the
> >> RedHat-supplied packages. So far, we've been happy with the stability
> >> this provides, but realize that FreeRADIUS 2.2.6 is way outdated.
>
> > Yup. You should upgrade to 2.2.10 at least. It also has fixes for TLS 1.2. :)
>
> For anyone having this problem ... upgrading to FreeRADIUS 3.0.17, and
> to openssl 1.0.2p appears to have solved the problem.
>
> Moving to FR3 is long overdue. It will require some reconfigurations
> on my part, which will surely prompt more questions. Thanks for the
> advice so far.
>
> Norman
> On Tue, Aug 14, 2018 at 10:39 AM Alan DeKok <aland at deployingradius.com> wrote:
> >
> > On Aug 14, 2018, at 10:34 AM, Norman Elton <normelton at gmail.com> wrote:
> > >
> > > Deploying EAP-TLS, I've got the CA and certificate configured on the
> > > server, and the client-side certificate on the client. But I'm getting
> > > a "Unknown TLS version [length 0002]" message. Debug output below.
> >
> > You're running v2. I would suggest upgrading.
> >
> > > Is the "[length 0002]" referring to only have two bytes to parse? Is
> > > some of the transaction getting lost someplace?
> >
> > I'm not sure. It's a TLS issue.
> >
> > > To be fair, we have FreeRADIUS deployed on RHEL6, using the
> > > RedHat-supplied packages. So far, we've been happy with the stability
> > > this provides, but realize that FreeRADIUS 2.2.6 is way outdated.
> >
> > Yup. You should upgrade to 2.2.10 at least. It also has fixes for TLS 1.2. :)
> >
> > Alan DeKok.
> >
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list