TLS 1.3 for PEAP?
Doug Wussler
doug.wussler at fsu.edu
Tue Jul 9 19:46:59 CEST 2019
On Jul 9, 2019, at 3:57 PM, Doug Wussler <doug.wussler at fsu.edu> wrote:
>>
>> The only case I know of where a client has attempted to negotiate TLS 1.3 (for PEAP) is an Ubuntu 18.04 client
>> running OpenSSL 1.1.1 and it fails during TLS negotiation with our FreeRADIUS server which is v3.0.17 on RHEL
>> 7.6 with OpenSSL 1.1.1c.
>>
>> Do we know with any certainty whether this is a problem with OpenSSL, FreeRADIUS or something else with
>> the peers? I can resolve the problem by setting “tls_max_version = ‘1.2’” but would like to see the negotiation
>> for 1.3 succeed.
On Jul 9, 2019, Alan DeKok <aland at deployingradius.com> replied:
> No, you don't want that.
> It's simple. EAP-TLS hasn't been standardized for TLS 1.3. PEAP hasn't been standardized for TLS 1.3.
> You can't just say "1.3 is greater than 1.2, so we'll all upgrade to 1.3". Using TLS 1.3 is a *lot* more complex than that.
> It looks like the standards will be published "soon", i.e. within a year. The standards should be supported by both FreeRADIUS and wpa_supplicant. It's likely that other operating systems will take much longer to support TLS 1.3 and EAP.
Got it. I can see we are waiting on, for starters, https://tools.ietf.org/html/draft-dekok-emu-tls-eap-types-00.
Thank you for your response.
Doug Wussler
Florida State University