Freeradius and unexpected TLS version ->Access-Reject

iilinasi Irina.Ilina-Sidorova at
Mon Feb 24 11:09:05 CET 2020

Hi, Alan,

On 21.02.2020 23:26, Alan DeKok wrote:
> On Feb 21, 2020, at 4:43 PM, iilinasi <Irina.Ilina-Sidorova at> 
> wrote:
>> Yes, I totally understand that 1.3 is not supported. The thing is: I 
>> construct the packet myself and fill in the version to be 1.1.
>   How do you construct the packet yourself?  Are you writing your own
> TLS library?
TLS library for 2 packets would be an overkill... I construct packets in 
my python script (can share it - but it's really very ugly at the 
moment). That's why I can tell you the version I send exactly - I fill 
it in as "0x0301", as per specification. Is there anything I miss?

You can see 0x0301 in EAP message part of debug (and TLS 1.3 would 
correspond to 0x0304). Again, I understand that wireshark is not the 
ultimate source of truth, but it does not complain on anything and 
correctly dissects the packet as EAP-TLS 1.0.

>> Standard package for Ubuntu is 3.0.16 now, that's why I'm using it. 
>> I'd avoid blind upgrade. Any specific reason to go with 3.0.20 in 
>> regards with my issue?
>   Because it's newer and will likely solve any issues.
>   It's faster to install 3.0.20 than to wait for replies on a mailing 
> list.
I installed 3.0.20 (didn't went without a few hiccups, but it's not 
related to this thread). The issue is still exactly the same, just 
debugs now a bit more readable. I attach them together with the packet 

Thanks a lot!

>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See 

Cheers, Iron
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: test.txt
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test.pcapng
Type: application/octet-stream
Size: 996 bytes
Desc: not available
URL: <>

More information about the Freeradius-Users mailing list