ERROR: TLS Alert write:fatal:protocol version
aland at deployingradius.com
Thu Jul 1 14:23:10 CEST 2021
On Jul 1, 2021, at 8:14 AM, Jochem Sparla <J.Sparla at iolan.com> wrote:
> cipher_list = "DEFAULT at SECLEVEL=1"
> to fix this.
Yeah, that's the solution. Newer versions of OpenSSL disallow TLS 1.0, unless you say "pretty please". You can set "tls_min_version = 1.0" and NOTHING in OpenSSL will tell you that this setting is ignored. In addition, the error messages produced by OpenSSL are incredibly opaque and useless.
We put extensive comments into recent versions of the server to document this, and explain it. We added more debug messages to warn people about issues like this.
Yet distributions are still shipping versions of FreeRADIUS which are (in some cases) many years old. They are actively preventing people from getting updated versions, with updated documentation, and updated fixes.
This is one main reason we suggest that everyone use our package repositories at http://packages.networkradius.com
The packages are provided as a service to the community. Not just because it's marketing. But because it helps people, and avoid frustrations like this.
More information about the Freeradius-Users