EAP fails on TLS protocol version with Windows 7, works fine with Windows 10

Jochem Sparla J.Sparla at iolan.com
Tue Nov 24 13:57:20 CET 2020


After finding this link: https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level
I managed to set the SSL security level for OpenSSL 1.1.1f on Ubuntu 20.04 to 1, as described in the link.

Now FreeRADIUS 3.0.20 on Ubuntu 20.04 behavior is more like FreeRADIUS 3.0.16 on Ubuntu 18.04:
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 0062]
(2) eap_peap: TLS_accept: SSLv3/TLS read client hello
(2) eap_peap: >>> send TLS 1.0 Handshake [length 003d], ServerHello

It still (thinks it) receives TLS 1.3 from the Windows 7 client, but the 'unknown TLS version' does not cause a fatal error and the process finishes normally.

Are there any (known) issues between FreeRADIUS and/or OpenSSL (or setting parameters between them) on Ubuntu 20.04?

The tls_max_version = "1.2" and tls_min_version = "1.0" in FreeRADIUS eap config are set, but that does not seem to be enough.

Jochem

>>  The issue isn't that TLS 1.0, etc. are enabled.  The issue is that TLS 1.3 is enabled.  You need to turn that off.
>
> That seems odd. As far as I can find, Windows 7 does not support TLS 1.3.
> Also, I disabled the possibility of TLS 1.3 in the registry, in the same way I enabled TLS 1.1 and TLS 1.2 on the Windows 7 client.
>
>
> When I view the data with Wireshark, it recognizes TLS as version 1.0:
> Transport Layer Security
>     TLSv1 Record Layer: Handshake Protocol: Client Hello
>         Content Type: Handshake (22)
>         Version: TLS 1.0 (0x0301)
>         Length: 84
>         Handshake Protocol: Client Hello
>             Handshake Type: Client Hello (1)
>             Length: 80
>             Version: TLS 1.0 (0x0301)
>
> However, FreeRADIUS recognizes it as TLS 1.3, or at least an unsupported protocol version:
> (2) eap_peap: <<< recv TLS 1.3  [length 0062]
> (2) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version
> (2) eap_peap: ERROR: TLS Alert write:fatal:protocol version
> tls: TLS_accept: Error in error
> (2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
>
>
> With FreeRADIUS 3.0.16 on Ubuntu 18.04, the same Windows client works fine, because the 'unknown protocol version' does not cause a fatal error:
> (2) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 0062]
> (2) eap_peap: TLS_accept: SSLv3/TLS read client hello
> (2) eap_peap: >>> send TLS 1.0 Handshake [length 003d], ServerHello
>
> It still shows TLS version '0304' which indicates TLS 1.3. But FreeRADIUS then proposes TLS 1.0 and that's used.
>
> How is it possible that Wireshark shows TLS 1.0, while FreeRADIUS receives TLS 1.3?
>
>
> Jochem


IOLAN B.V. • Mon Plaisir 26 • 4879 AN Etten-Leur • The Netherlands
T +31 (0)76 50 26 100 • F +31 (0)76 50 26 199
E iolan at iolan.com • I http://www.iolan.com/
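Added example (not from this thread, and not FreeRADIUS or OpenSSL code): the question of how Wireshark can show "TLS 1.0" while the RADIUS server reports 0x0304 comes down to a ClientHello carrying more than one version field. The record-layer version (what Wireshark's summary line shows) and the handshake legacy_version are both pre-1.3 fields; a TLS 1.3-capable client announces 0x0304 only inside the supported_versions extension (RFC 8446, section 4.2.1), and a 1.3-aware library selects the version from that list, not from the record header. The script below builds constructed ClientHello messages (the bytes are sample data, not a capture from the Windows 7 client), parses all three version fields, and applies a simplified tls_min_version / tls_max_version window the way the eap config in this thread is meant to. The build_client_hello, parse_client_hello and negotiate helpers are my own names; the selection logic is a simplified model of RFC 8446 negotiation, not OpenSSL's actual code path.

```python
import struct

# Wire values for the protocol versions discussed in the thread
TLS_VERSIONS = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
EXT_SUPPORTED_VERSIONS = 0x002B  # RFC 8446 extension type 43


def build_client_hello(record_version, legacy_version, supported_versions=None,
                       cipher_suites=(0x002F, 0x0035), session_id=b""):
    """Build a minimal ClientHello record (constructed sample, not real client bytes)."""
    body = struct.pack(">H", legacy_version)
    body += b"\x11" * 32                       # client random, fixed for reproducibility
    body += bytes([len(session_id)]) + session_id
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body += struct.pack(">H", len(suites)) + suites
    body += b"\x01\x00"                        # one compression method: null
    exts = b""
    if supported_versions:
        vlist = b"".join(struct.pack(">H", v) for v in supported_versions)
        ext_data = bytes([len(vlist)]) + vlist
        exts += struct.pack(">HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
    if exts:
        body += struct.pack(">H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + struct.pack(">HH", record_version, len(handshake)) + handshake


def parse_client_hello(data):
    """Return the record-layer version, legacy_version and supported_versions list."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, rec_len = struct.unpack(">HH", data[1:5])
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    legacy_version = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    pos += 32                                  # skip client random
    pos += 1 + body[pos]                       # skip session_id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                          # skip cipher_suites
    pos += 1 + body[pos]                       # skip compression_methods
    supported = []
    if pos < len(body):                        # extensions are optional pre-1.3
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS:
                n = edata[0]
                supported = [struct.unpack(">H", edata[1 + i:3 + i])[0]
                             for i in range(0, n, 2)]
    return {"record_version": record_version,
            "legacy_version": legacy_version,
            "supported_versions": supported}


def negotiate(info, tls_min=0x0301, tls_max=0x0303):
    """Highest offered version inside [tls_min, tls_max]; None models a protocol_version alert.

    With supported_versions present the client offers exactly that list (RFC 8446 rules);
    without it, pre-1.3 semantics apply and any version <= legacy_version is acceptable.
    """
    if info["supported_versions"]:
        candidates = info["supported_versions"]
    else:
        candidates = [v for v in TLS_VERSIONS if v <= info["legacy_version"]]
    ok = [v for v in candidates if tls_min <= v <= tls_max]
    return max(ok) if ok else None


if __name__ == "__main__":
    # A 1.3-capable client: record layer says 1.0, handshake says 1.2, extension says 1.3
    modern = parse_client_hello(build_client_hello(0x0301, 0x0303, [0x0304, 0x0303, 0x0302, 0x0301]))
    for k, v in modern.items():
        print(k, v if isinstance(v, list) else TLS_VERSIONS.get(v))
    print("negotiated with tls_max 1.2:", TLS_VERSIONS[negotiate(modern)])
    # A plain TLS 1.0 client with no extensions, like Wireshark's decode in the thread
    legacy = parse_client_hello(build_client_hello(0x0301, 0x0301))
    print("legacy client negotiates:", TLS_VERSIONS[negotiate(legacy)])
```

The point to take from the run: the first hello is reported as TLS 1.0 by anything that only reads the record header, yet it offers 1.3 through the extension, and a server capped at tls_max_version = "1.2" still completes the handshake at 1.2 because the client also lists 1.2. A hello that offers only 0x0304 in supported_versions gets None from negotiate, which is the situation the fatal protocol_version alert in the 3.0.20 log corresponds to.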
