ERROR: TLS Alert write:fatal:protocol version

Alan DeKok aland at
Thu Jul 1 14:23:10 CEST 2021

On Jul 1, 2021, at 8:14 AM, Jochem Sparla <J.Sparla at> wrote:
> Set
>   cipher_list = "DEFAULT at SECLEVEL=1"
> to fix this.

  Yeah, that's the solution.  Newer versions of OpenSSL disallow TLS 1.0, unless you say "pretty please".  You can set "tls_min_version = 1.0" and NOTHING in OpenSSL will tell you that this setting is ignored.  In addition, the error messages produced by OpenSSL are incredibly opaque and useless.

  We put extensive comments into recent versions of the server to document this, and explain it.  We added more debug messages to warn people about issues like this.

  Yet distributions are still shipping versions of FreeRADIUS which are (in some cases) many years old.  They are actively preventing people from getting updated versions, with updated documentation, and updated fixes.

  This is one main reason we suggest that everyone use our package repositories at

  The packages are provided as a service to the community.  Not just because it's marketing.  But because it helps people, and avoid frustrations like this.

  Alan DeKok.

More information about the Freeradius-Users mailing list