TLS version mismatch EAP TLS

Jochem Sparla J.Sparla at iolan.com
Fri Apr 16 15:03:53 CEST 2021


I had the same issue after updating Ubuntu from 18 to 20. This has something to do with the OpenSSL version.

I fixed it by editing the eap module configuration:
cipher_list = "DEFAULT@SECLEVEL=1"

This forces OpenSSL to not use TLS1.3.


-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+j.sparla=iolan.com at lists.freeradius.org] On Behalf Of De Sylvain
Sent: Friday, 16 April 2021 14:51
To: freeradius-users at lists.freeradius.org
Subject: TLS version mismatch EAP TLS

Hello Team,

I need to open a case because I am encountering an issue with a TLS version mismatch between client and server.

My scope:

   - FreeRADIUS Version 3.0.20
   - OpenSSL 1.1.1f
   - Windows client TLS versions allowed: TLS 1.0/1.1/1.2

Across a few links (shown below) I understood that TLS 1.3 was not correctly supported on FreeRADIUS.

I have the same issue as this post #3665 <https://github.com/FreeRADIUS/freeradius-server/issues/3665>. However, my Windows client is correctly configured and it does not use TLS version 1.3.

Furthermore, I made a packet capture and I can see that TLS 1.0 is used during the TLS client hello.

As shown below, the eap module configuration. I do not use "disable_tls" but the tls_min/max feature, as recommended.

# disable_tlsv1_2 = no
# disable_tlsv1_1 = no
# disable_tlsv1 = no
tls_min_version = "1.0"
tls_max_version = "1.2"

FreeRADIUS debug:
I do not understand how the FreeRADIUS server can interpret the TLS request as version 1.3.
Client side TLS 1.3 is not allowed, and it is not allowed on the FreeRADIUS side either.

How can I interpret this issue? Thanks in advance for your help.

FreeRADIUS live debug:
(1) eap: Expiring EAP session with state 0xcf201259cf221f90
(1) eap: Finished EAP session with state 0xcf201259cf221f90
(1) eap: Previous EAP request found for state 0xcf201259cf221f90, released from the list
(1) eap: Peer sent packet with method EAP TLS (13)
(1) eap: Calling submodule eap_tls to process data
(1) eap_tls: Continuing EAP-TLS
(1) eap_tls: Peer indicated complete TLS record size will be 112 bytes
(1) eap_tls: Got complete TLS record (112 bytes)
(1) eap_tls: [eaptls verify] = length included
(1) eap_tls: (other): before SSL initialization
(1) eap_tls: TLS_accept: before SSL initialization
(1) eap_tls: TLS_accept: before SSL initialization
(1) eap_tls: <<< recv TLS 1.3 [length 006b]
(1) eap_tls: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version
(1) eap_tls: ERROR: TLS Alert write:fatal:protocol version
tls: TLS_accept: Error in error
(1) eap_tls: ERROR: Failed in FUNCTION (SSL_read): error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
(1) eap_tls: ERROR: System call (I/O) error (-1)
(1) eap_tls: ERROR: TLS receive handshake failed during operation
(1) eap_tls: ERROR: [eaptls process] = fail
(1) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed
(1) eap: Sending EAP Failure (code 4) ID 2 length 4
(1) eap: Failed in EAP select
(1) [eap] = invalid
(1) } # authenticate = invalid
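As an added illustration for the thread (not code from either poster or from FreeRADIUS), the Python below decodes the three places a ClientHello carries a version: the record-layer header that a packet capture displays first, the legacy_version field, and the supported_versions extension that a TLS 1.3-capable client adds; RFC 8446 allows the record header of an initial ClientHello to read 0x0301 (TLS 1.0) even when 1.3 is offered, so the outer header alone does not show which version a client really asks for. negotiate() then mirrors a tls_min_version/tls_max_version window against the offered versions; the ClientHello bytes are constructed in the block, not taken from the poster's capture.

```python
import struct

TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304  # wire codes behind the "1.0".."1.3" names of tls_min/max_version
EXT_SUPPORTED_VERSIONS = 0x002B   # supported_versions extension type (RFC 8446, section 4.2.1)

def build_client_hello(record_version, legacy_version, supported_versions=()):
    """Constructed ClientHello record (sample data, not a real capture) with all three version fields set explicitly."""
    body = struct.pack(">H", legacy_version) + b"\x00" * 32           # legacy_version + 32-byte random
    body += b"\x00"                                                    # empty session_id
    body += struct.pack(">HHH", 4, 0x1301, 0xC02F)                     # cipher_suites: length 4, two suites
    body += b"\x01\x00"                                                # compression_methods: null only
    exts = b""
    if supported_versions:
        vers = b"".join(struct.pack(">H", v) for v in supported_versions)
        data = bytes([len(vers)]) + vers
        exts = struct.pack(">HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    body += struct.pack(">H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                 # HandshakeType client_hello(1)
    return b"\x16" + struct.pack(">HH", record_version, len(hs)) + hs  # ContentType handshake(22)

def offered_versions(record):
    """Return (record_version, legacy_version, supported_versions) parsed from a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    record_version, = struct.unpack(">H", record[1:3])
    legacy_version, = struct.unpack(">H", record[9:11])               # after record header (5) + handshake header (4)
    pos = 43                                                           # ... + legacy_version (2) + random (32)
    pos += 1 + record[pos]                                             # session_id
    pos += 2 + struct.unpack(">H", record[pos:pos + 2])[0]             # cipher_suites
    pos += 1 + record[pos]                                             # compression_methods
    supported = []
    if pos < len(record):                                              # extensions block is optional
        end = pos + 2 + struct.unpack(">H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", record[pos:pos + 4])
            pos += 4
            if etype == EXT_SUPPORTED_VERSIONS:
                data = record[pos + 1:pos + 1 + record[pos]]
                supported = [struct.unpack(">H", data[i:i + 2])[0] for i in range(0, len(data), 2)]
            pos += elen
    return record_version, legacy_version, supported

def negotiate(record, tls_min, tls_max):
    """Version a server limited to [tls_min, tls_max] selects, or None (protocol_version alert); supported_versions overrides legacy_version."""
    _, legacy, supported = offered_versions(record)
    if supported:
        acceptable = [v for v in supported if tls_min <= v <= tls_max]
        return max(acceptable) if acceptable else None
    top = min(legacy, tls_max)
    return top if top >= tls_min else None
```

Fed a real ClientHello record cut out of a capture, offered_versions() shows whether a 1.3 offer was present even when the record header read 1.0, which is the check to make before concluding from the outer header which version a client asked for.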