Freeradius and unexpected TLS version ->Access-Reject

Alan DeKok aland at deployingradius.com
Mon Feb 24 12:30:01 CET 2020


On Feb 24, 2020, at 5:09 AM, iilinasi <Irina.Ilina-Sidorova at ulb.ac.be> wrote:
> A TLS library for 2 packets would be overkill... I construct packets in my Python script (can share it - but it's really very ugly at the moment). That's why I can tell you the version I send exactly - I fill it in as "0x0301", as per the specification. Is there anything I'm missing?

  Well, if you're creating your own TLS implementation, there isn't much we can do to help.

  FreeRADIUS uses OpenSSL for its TLS implementation.  We rely on OpenSSL to do all TLS work, including reporting to us the TLS version.

> You can see 0x0301 in the EAP message part of the debug output (and TLS 1.3 would correspond to 0x0304). Again, I understand that Wireshark is not the ultimate source of truth, but it does not complain about anything and correctly dissects the packet as EAP-TLS 1.0.

  Ask the OpenSSL people how they implement TLS.

  Further, this really isn't a FreeRADIUS issue.  If you're writing your own TLS implementation (even if it's 2 packets), then you need to debug your code.  Or, debug Wireshark / OpenSSL to see what they do.

  Alan DeKok.
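
For anyone debugging hand-built EAP-TLS packets like the ones discussed in this thread, a small parser that reports every place a ClientHello states a version (the record header, the ClientHello version field, and the supported_versions extension from RFC 8446) makes it easier to compare what was sent with what the server's TLS library reports. This is an added example, not code from the thread or from FreeRADIUS; the function names and the sample packet are constructed, and it assumes an unfragmented ClientHello in a single EAP-TLS packet.

```python
import struct

NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def u16(buf, off):
    return struct.unpack_from("!H", buf, off)[0]

def eap_tls_versions(pkt):
    """Return the version fields carried by a ClientHello inside one EAP-TLS packet."""
    code, ident, length, eap_type, flags = struct.unpack_from("!BBHBB", pkt, 0)
    if eap_type != 13 or length != len(pkt):
        raise ValueError("not EAP-TLS, or EAP Length does not match the packet")
    off = 10 if flags & 0x80 else 6          # L flag: 4-byte TLS Message Length follows
    ctype, record_version, rec_len = struct.unpack_from("!BHH", pkt, off)
    hs = pkt[off + 5:off + 5 + rec_len]
    if ctype != 22 or len(hs) != rec_len or not hs or hs[0] != 1:
        raise ValueError("expected one complete handshake record with a ClientHello")
    hello_version = u16(hs, 4)               # after msg_type(1) + length(3)
    p = 4 + 2 + 32                           # skip handshake header, version, random
    p += 1 + hs[p]                           # session_id
    p += 2 + u16(hs, p)                      # cipher_suites
    p += 1 + hs[p]                           # compression_methods
    offered = []
    if p + 2 <= len(hs):                     # extensions block is optional
        end = p + 2 + u16(hs, p)
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", hs, p)
            if etype == 43:                  # supported_versions (RFC 8446)
                offered = [u16(hs, i) for i in range(p + 5, p + 5 + hs[p + 4], 2)]
            p += 4 + elen
    return {"record": record_version, "client_hello": hello_version, "supported_versions": offered}

def build_sample(supported=()):
    """Constructed test packet: EAP-Response/EAP-TLS carrying a minimal ClientHello."""
    hello = struct.pack("!H", 0x0301) + bytes(32) + b"\x00" + struct.pack("!HH", 2, 0x002F) + b"\x01\x00"
    if supported:
        body = bytes([2 * len(supported)]) + b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HH", 43, len(body)) + body
        hello += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    rec = struct.pack("!BHH", 22, 0x0301, len(hs)) + hs
    return struct.pack("!BBHBBI", 2, 1, 10 + len(rec), 13, 0x80, len(rec)) + rec

if __name__ == "__main__":
    for pkt in (build_sample(), build_sample((0x0304, 0x0303))):
        v = eap_tls_versions(pkt)
        print({k: [NAMES.get(x, hex(x)) for x in (val if isinstance(val, list) else [val])] for k, val in v.items()})
```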