EAP fails on TLS protocol version with Windows 7, works fine with Windows 10
aland at deployingradius.com
Tue Nov 24 14:13:23 CET 2020
On Nov 24, 2020, at 7:57 AM, Jochem Sparla <J.Sparla at iolan.com> wrote:
> After finding this link: https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level
> I managed to set the SSL security level for OpenSSL 1.1.1f on Ububtu 20.04 to 1, as described in the link.
> Now FreeRADIUS 3.0.20 on Ubuntu 20.04 behavior is more like FreeRADIUS 3.0.16 on Ubuntu 18.04:
> (2) eap_peap: TLS_accept: before SSL initialization
> (2) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 0062]
> (2) eap_peap: TLS_accept: SSLv3/TLS read client hello
> (2) eap_peap: >>> send TLS 1.0 Handshake [length 003d], ServerHello
> It still (thinks it) receives TLS 1.3 from the Windows 7 client, but the 'unknown TLS version' does not cause a fatal error and the process finishes normal.
> Are there any (known) issues between FreeRADIUS and/or OpenSSL (or setting parameters between them) on Ubuntu 20.04?
> The tls_max_version = "1.2" and tls_min_version = "1.0" in FreeRADIUS eap config are set, but that does not seem to be enough.
I'd blame OpenSSL. :( FreeRADIUS passes that setting to OpenSSL, which may or may not pay attention.
More information about the Freeradius-Users