EAP fails on TLS protocol version with Windows 7, works fine with Windows 10

Jochem Sparla J.Sparla at iolan.com
Tue Nov 24 10:47:17 CET 2020

>> I checked and enabled TLS 1.1 and 1.2 as described.
>> With 1.0 + 1.1 + 1.2 enabled, the problem stays the same.

>  Was this on the Windows system?


>  The issue isn't that TLS 1.0, etc. are enabled.  The issue is that TLS 1.3 is enabled.  You need to turn that off.

That seems odd. As far as I can find, Windows 7 does not support TLS 1.3.
Also, I disabled the possibility of TLS 1.3 in the registry, in the same way I enabled TLS 1.1 and TLS 1.2 on the Windows 7 client.

When I view the data with Wireshark, it recognizes TLS as version 1.0:
Transport Layer Security
    TLSv1 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 84
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 80
            Version: TLS 1.0 (0x0301)

However, FreeRADIUS recognizes it as TLS 1.3, or at least an unsupported protocol version:
(2) eap_peap: <<< recv TLS 1.3  [length 0062]
(2) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version
(2) eap_peap: ERROR: TLS Alert write:fatal:protocol version
tls: TLS_accept: Error in error
(2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol

With FreeRADIUS 3.0.16 on Ubuntu 18.04, the same Windows client works fine, because the 'unknown protocol version' does not cause a fatal error:
(2) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 0062]
(2) eap_peap: TLS_accept: SSLv3/TLS read client hello
(2) eap_peap: >>> send TLS 1.0 Handshake [length 003d], ServerHello

It still shows TLS version '0304' which indicates TLS 1.3. But FreeRADIUS then proposes TLS 1.0 and that's used.

How is it possible that Wireshark shows TLS 1.0, while FreeRADIUS receives TLS 1.3?


IOLAN B.V. • Mon Plaisir 26 • 4879 AN Etten-Leur • The Netherlands
T +31 (0)76 50 26 100 • F +31 (0)76 50 26 199
E iolan at iolan.com • I http://www.iolan.com/

De informatie opgenomen in dit bericht kan vertrouwelijk zijn en is uitsluitend
bestemd voor de geadresseerde. Indien u dit bericht onterecht ontvangt, wordt u
verzocht de inhoud niet te gebruiken en de afzender direct te informeren door
het bericht te retourneren.
The information contained in this message may be confidential and is
intended to be exclusively for the addressee. Should you receive this message
unintentionally, please do not use the contents here in and notify the sender
immediately by return e-mail.

More information about the Freeradius-Users mailing list