TLS 1.3 for PEAP?

Alan DeKok aland at
Tue Jul 9 16:42:25 CEST 2019

On Jul 9, 2019, at 3:57 PM, Doug Wussler <doug.wussler at> wrote:
> The only case I know of where a client has attempted to negotiate TLS 1.3 (for peap) is an Ubuntu 18.04 client
> running OpenSSL 1.1.1 and it fails during TLS negotiation with our FreeRADIUS server which is v3.0.17 on RHEL
> 7.6 with OpenSSL 1.1.1c.
> Do we know with any certainty whether this is a problem with OpenSSL, FreeRADIUS or something else with
> the peers?  I can resolve the problem by setting “tls_max_version = ‘1.2’” but would like to see the negotiation
> for 1.3 succeed.

  No, you don't want that.

  It's simple.  EAP-TLS hasn't been standardized for TLS 1.3.  PEAP hasn't been standardized for TLS 1.3.

  You can't just say "1.3 is greater than 1.2, so we'll all upgrade to 1.3".  Using TLS 1.3 is a *lot* more complex than that.

  It looks like the standards will be published "soon".  i.e. within a year.  The standards should be supported by both FreeRADIUS and wpa_supplicant.  It's likely that other operating systems will take much longer to support TLS 1.3 and EAP.

  Alan DeKok.

More information about the Freeradius-Users mailing list