TLS 1.3
Alan DeKok
aland at deployingradius.com
Mon Jun 29 14:33:26 CEST 2020
On Jun 29, 2020, at 8:29 AM, Vieri via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> Hi,
>
> What does this log snippet mean?
>
> (2) eap_peap: Continuing EAP-TLS
> (2) eap_peap: Peer indicated complete TLS record size will be 71 bytes
> (2) eap_peap: Got complete TLS record (71 bytes)
> (2) eap_peap: [eaptls verify] = length included
> (2) eap_peap: (other): before SSL initialization
> (2) eap_peap: TLS_accept: before SSL initialization
> (2) eap_peap: TLS_accept: before SSL initialization
> (2) eap_peap: <<< recv TLS 1.3 [length 0042]
> (2) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal handshake_failure
> (2) eap_peap: ERROR: TLS Alert write:fatal:handshake failure
> tls: TLS_accept: Error in error
> (2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
> (2) eap_peap: ERROR: System call (I/O) error (-1)
> (2) eap_peap: ERROR: TLS receive handshake failed during operation
> (2) eap_peap: ERROR: [eaptls process] = fail
> (2) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
> (2) eap: Sending EAP Failure (code 4) ID 101 length 4
> (2) eap: Failed in EAP select
>
> Does it mean that the wifi client asked for TLS 1.3, but we replied with TLS 1.0?
It means that there is no shared cipher.
TLS uses a variety of encryption methods. The methods used by the client and server have to agree, otherwise they cannot communicate.
> I have this in freeradius:
>
> tls_min_version = "1.0"
> tls_max_version = "1.2"
>
> and I'm using openssl-1.1.1g.
That should work.
Perhaps the client has been configured to require TLS 1.3, *or* it has been configured to understand only a very limited set of ciphers.
Alan DeKok.
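
Added example, not part of the original message and not FreeRADIUS code: a small parser that groups debug lines of the kind quoted above by request number and extracts the OpenSSL reason string, which is the field that answers the question here. The function names and the request (3) lines are assumptions made for illustration.

```python
import re

# Constructed sample: request (2) copies lines quoted in the message above;
# request (3) is made up to show a session without a TLS error.
SAMPLE_LOG = """\
(2) eap_peap: <<< recv TLS 1.3 [length 0042]
(2) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal handshake_failure
(2) eap_peap: ERROR: TLS Alert write:fatal:handshake failure
tls: TLS_accept: Error in error
(2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
(2) eap: Sending EAP Failure (code 4) ID 101 length 4
(3) eap_peap: <<< recv TLS 1.2 [length 0042]
(3) eap: Sending EAP Success (code 3) ID 102 length 4
"""

# "(N) module: text", optionally behind a mail quote marker "> "
LINE = re.compile(r"^(?:>\s*)?\((\d+)\)\s+\w+:\s+(.*)$")
RECV = re.compile(r"<<< recv (TLS [\d.]+)")
ALERT = re.compile(r">>> send (TLS [\d.]+) Alert \[length \w+\], (\w+) (\w+)")
# OpenSSL 1.1.x error string: error:<code>:<library>:<function>:<reason>
OSSL = re.compile(r"error:([0-9A-Fa-f]+):[^:]*:([^:]*):(.+)$")

def summarize(log):
    """Group TLS handshake facts by request number."""
    sessions = {}
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # lines without a request number, e.g. "tls: ..."
        s = sessions.setdefault(int(m.group(1)), {})
        text = m.group(2)
        if (r := RECV.search(text)):
            s["recv_version"] = r.group(1)
        if (a := ALERT.search(text)):
            s["alert"] = (a.group(1), a.group(2), a.group(3))
        if (e := OSSL.search(text)):
            s["openssl"] = {"code": e.group(1), "function": e.group(2),
                            "reason": e.group(3)}
    return sessions

def failed_on_cipher(sessions):
    """Request numbers whose OpenSSL reason is 'no shared cipher'."""
    return sorted(n for n, s in sessions.items()
                  if s.get("openssl", {}).get("reason") == "no shared cipher")

if __name__ == "__main__":
    for n, s in summarize(SAMPLE_LOG).items():
        print(n, s)
```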