Freeradius and unexpected TLS version ->Access-Reject

irina.ilina-sidorova at irina.ilina-sidorova at
Mon Feb 24 12:32:28 CET 2020

   Thanks Alan!
   Yup, I will continue with OpenSSL then
   Have a great day!

   -------- Original message --------
   From: Alan DeKok <aland at>
   Date: Mon, 24 Feb 2020, 12:30
   To: FreeRadius users mailing list
   <freeradius-users at>
   Subject: Re: Freeradius and unexpected TLS version ->Access-Reject

     On Feb 24, 2020, at 5:09 AM, iilinasi
     <Irina.Ilina-Sidorova at> wrote:
     > TLS library for 2 packets would be an overkill... I construct
     > packets in my Python script (can share it - but it's really very
     > ugly at the moment). That's why I can tell you the version I send
     > exactly - I fill it in as "0x0301", as per specification. Is there
     > anything I miss?

       Well, if you're creating your own TLS implementation, there isn't
     much we can do to help.

       FreeRADIUS uses OpenSSL for its TLS implementation.  We rely on
     OpenSSL to do all TLS work, including reporting to us the TLS

     > You can see 0x0301 in EAP message part of debug (and TLS 1.3 would
     > correspond to 0x0304). Again, I understand that Wireshark is not the
     > ultimate source of truth, but it does not complain on anything and
     > correctly dissects the packet as EAP-TLS 1.0.

       Ask the OpenSSL people how they implement TLS.

       Further, this really isn't a FreeRADIUS issue.  If you're writing
     your own TLS implementation (even if it's 2 packets), then you need
     to debug your code.  Or, debug Wireshark / OpenSSL to see what they

       Alan DeKok.
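
An added example, not code from the thread or from FreeRADIUS: a Python check that reads the two version fields of a ClientHello carried in a single, unfragmented EAP-TLS packet (the TLS record header and the ClientHello body) and verifies the length fields around them. The function names and the sample packet are constructed for illustration; the field layout follows RFC 5216 and RFC 5246.

```python
import struct

TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def eap_tls_versions(eap: bytes) -> dict:
    """Read both version fields of a ClientHello held in one EAP-TLS packet."""
    if len(eap) < 6:
        raise ValueError("too short for an EAP-TLS header")
    _code, _ident, eap_len, eap_type, flags = struct.unpack("!BBHBB", eap[:6])
    if eap_type != 13:
        raise ValueError(f"EAP type {eap_type} is not EAP-TLS (13)")
    if eap_len != len(eap):
        raise ValueError(f"EAP Length field {eap_len} != {len(eap)} bytes present")
    off = 6 + (4 if flags & 0x80 else 0)   # L flag: skip 4-byte TLS Message Length
    tls = eap[off:]
    if len(tls) < 5 + 6:
        raise ValueError("truncated TLS record")
    ctype, rec_ver, rec_len = struct.unpack("!BHH", tls[:5])
    if ctype != 22:
        raise ValueError(f"record content type {ctype} is not handshake (22)")
    if rec_len != len(tls) - 5:
        raise ValueError("record length does not match the bytes that follow")
    hs = tls[5:]
    if hs[0] != 1:
        raise ValueError(f"handshake type {hs[0]} is not ClientHello (1)")
    if int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        raise ValueError("handshake length does not match the ClientHello body")
    hello_ver = int.from_bytes(hs[4:6], "big")
    name = lambda v: TLS_VERSIONS.get(v, f"unknown 0x{v:04x}")
    return {"record": name(rec_ver), "client_hello": name(hello_ver)}

def build_sample(rec_ver: int, hello_ver: int, l_flag: bool = False) -> bytes:
    """Constructed test packet: EAP-Response/EAP-TLS with a minimal ClientHello."""
    body = (struct.pack("!H", hello_ver) + bytes(32)   # client_version, random
            + b"\x00"                                  # empty session_id
            + b"\x00\x02\x00\x2f"                      # one cipher suite
            + b"\x01\x00")                             # null compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    tls = struct.pack("!BHH", 22, rec_ver, len(hs)) + hs
    extra = struct.pack("!I", len(tls)) if l_flag else b""
    flags = 0x80 if l_flag else 0x00
    return struct.pack("!BBHBB", 2, 1, 6 + len(extra) + len(tls), 13, flags) + extra + tls

if __name__ == "__main__":
    print(eap_tls_versions(build_sample(0x0301, 0x0301)))
```

Feeding it the raw EAP-Message bytes of a hand-built packet shows whether each version field and each length field holds what the script intended to write.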