TLS version mismatch EAP TLS

De Sylvain starzzzzzz23 at
Fri Apr 16 14:50:40 CEST 2021

Hello Team,

I need to open a case cause I meet an issue with TLS version mismatch
between client and server.

My scope :

   - FreeRADIUS Version 3.0.20
   - OpenSSL 1.1.1f
   - Windows client TLS version allowed : TLS1.0/1.1/1.2

Accros few link(show below) I understood that TLS 1.3 was not correctly
supported on freeradius.

I have the same issue like this post #3665
<> However my
window client is correctly configured and it do no use tls version 1.3.

Furthermore i make a packet capture and i can see that TLS 1.0 is used
during TLS client hello.

As show bellow, eap module configuration. I do not use "disable_tls" but
tls_min/max feature as recommended.

"# disable_tlsv1_2 = no"
"# disable_tlsv1_1 = no"
"# disable_tlsv1 = no"
tls_min_version = "1.0"
tls_max_version = "1.2"

Freeradius debug :
I do not understand how freeradius server can interptrer the tls request
with 1.3 version.
Client side tls 1.3 is not allowed and also on freeradius side.

How can I interpret this issue ? Thanks in advance for your help.

Freeradius live debug
(1) eap: Expiring EAP session with state 0xcf201259cf221f90
(1) eap: Finished EAP session with state 0xcf201259cf221f90
(1) eap: Previous EAP request found for state 0xcf201259cf221f90, released
from the list
(1) eap: Peer sent packet with method EAP TLS (13)
(1) eap: Calling submodule eap_tls to process data
(1) eap_tls: Continuing EAP-TLS
(1) eap_tls: Peer indicated complete TLS record size will be 112 bytes
(1) eap_tls: Got complete TLS record (112 bytes)
(1) eap_tls: [eaptls verify] = length included
(1) eap_tls: (other): before SSL initialization
(1) eap_tls: TLS_accept: before SSL initialization
(1) eap_tls: TLS_accept: before SSL initialization
(1) eap_tls: <<< recv TLS 1.3 [length 006b]
(1) eap_tls: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version
(1) eap_tls: ERROR: TLS Alert write:fatal:protocol version
tls: TLS_accept: Error in error
(1) eap_tls: ERROR: Failed in FUNCTION (SSL_read): error:14209102:SSL
routines:tls_early_post_process_client_hello:unsupported protocol
(1) eap_tls: ERROR: System call (I/O) error (-1)
(1) eap_tls: ERROR: TLS receive handshake failed during operation
(1) eap_tls: ERROR: [eaptls process] = fail
(1) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module
(1) eap: Sending EAP Failure (code 4) ID 2 length 4
(1) eap: Failed in EAP select
(1) [eap] = invalid
(1) } # authenticate = invalid

More information about the Freeradius-Users mailing list