[External]Fwd: Question regarding the direction of eap_tls: <<< recv and eap_tls: >>> send

Alan DeKok aland at deployingradius.com
Wed Mar 17 14:32:51 CET 2021


  Don't use TLS 1.3.  It isn't standardized, and it doesn't work.


> On Mar 17, 2021, at 4:40 AM, Prayank Chandorkar via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> a
> 
> 
> Regards
> 
> Prayank Chandorkar
> M : +91 90829 61372
> Teams : prayank.chandorkar at ril.com
> JioMeet : prayank.chandorkar at ril.com
> 
> -----Original Message-----
> From: Freeradius-Users <freeradius-users-bounces+prayank.chandorkar=ril.com at lists.freeradius.org> On Behalf Of Eric Nguyen
> Sent: 15 November 2020 03:07
> To: freeradius-users at lists.freeradius.org
> Subject: [External]Fwd: Question regarding the direction of eap_tls: <<< recv and eap_tls: >>> send
> 
> 
> Hi,
> 
> I'd like to ask a question regarding the direction of the exchanges in the radius log  (radiusd -X).
> 
> I used eapol_test as a client/authenticator against FreeRADIUS 3.0.21.
> 
> - If I set the following parameters in the FreeRADIUS eap file, eapol_test will result in a failure.
> In this case, "eap_tls: <<< recv TLS 1.3" looks like an exchange from FreeRADIUS to eapol_test (SERVER -> CLIENT):
> 
> tls_min_version = "1.3"
> tls_max_version = "1.3"
> 
> The FREERADIUS log shows:
> 
> (2) eap_tls: <<< recv TLS 1.3  [length 00b9]
> (2) eap_tls: >>> send TLS 1.2  [length 0002]
> (2) eap_tls: ERROR: TLS Alert write:fatal:protocol version
> 
> 
> - If I set the following parameters in the FreeRADIUS eap file, eapol_test will result in a success.
> In this case, "eap_tls: <<< recv TLS 1.2" looks like an exchange from eapol_test to FreeRADIUS (CLIENT TO SERVER):
> 
> tls_min_version = "1.2"
> tls_max_version = "1.3"
> 
> (6) eap_tls: <<< recv TLS 1.2  [length 08de]
> (6) eap_tls: TLS - Creating attributes from certificate OIDs
> 
> 
> Could you please clarify the meaning of these "eap_tls: <<< recv" log messages?
> 
> Thanks,
> Eric
> 
> 
> -------------------------------------------------------------------------------------------------------------------------------------------
> FULL LOG
> 
> tls_min_version = "1.3"
> tls_max_version = "1.3"
> 
> (2) eap: Calling submodule eap_tls to process data
> (2) eap_tls: Continuing EAP-TLS
> (2) eap_tls: [eaptls verify] = ok
> (2) eap_tls: Done initial handshake
> (2) eap_tls: (other): before SSL initialization
> (2) eap_tls: TLS_accept: before SSL initialization
> (2) eap_tls: TLS_accept: before SSL initialization
> (2) eap_tls: <<< recv TLS 1.3  [length 00b9]
> (2) eap_tls: >>> send TLS 1.2  [length 0002]
> (2) eap_tls: ERROR: TLS Alert write:fatal:protocol version
> tls: TLS_accept: Error in error
> (2) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
> (2) eap_tls: ERROR: System call (I/O) error (-1)
> (2) eap_tls: ERROR: TLS receive handshake failed during operation
> (2) eap_tls: ERROR: [eaptls process] = fail
> (2) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module failed
> (2) eap: Sending EAP Failure (code 4) ID 54 length 4
> (2) eap: Failed in EAP select
> (2)     [eap] = invalid
> (2)   } # authenticate = invalid
> 
> 
> -------------------------------------------------------------------------------------------------------------------------------------------
> tls_min_version = "1.2"
> tls_max_version = "1.3"
> 
> (6) eap: Calling submodule eap_tls to process data
> (6) eap_tls: Continuing EAP-TLS
> (6) eap_tls: Got final TLS record fragment (1272 bytes)
> (6) eap_tls: [eaptls verify] = ok
> (6) eap_tls: Done initial handshake
> (6) eap_tls: TLS_accept: SSLv3/TLS write server done
> (6) eap_tls: <<< recv TLS 1.2  [length 08de]
> (6) eap_tls: TLS - Creating attributes from certificate OIDs
> (6) eap_tls:   TLS-Cert-Serial := "315fa3c827cb5c44e13222c88ff80369d1a176f1"
> (6) eap_tls:   TLS-Cert-Expiration := "210113170058Z"
> (6) eap_tls:   TLS-Cert-Valid-Since := "201114170058Z"
> (6) eap_tls:   TLS-Cert-Subject := "/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin at example.org/CN=Example Certificate Authority"
> (6) eap_tls:   TLS-Cert-Issuer := "/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin at example.org/CN=Example Certificate Authority"
> (6) eap_tls:   TLS-Cert-Common-Name := "Example Certificate Authority"
> (6) eap_tls: TLS - Creating attributes from certificate OIDs
> (6) eap_tls:   TLS-Client-Cert-Serial := "02"
> (6) eap_tls:   TLS-Client-Cert-Expiration := "210113170058Z"
> (6) eap_tls:   TLS-Client-Cert-Valid-Since := "201114170058Z"
> (6) eap_tls:   TLS-Client-Cert-Subject := "/C=FR/ST=Radius/O=Example Inc./CN=user at example.org/emailAddress=user at example.org"
> (6) eap_tls:   TLS-Client-Cert-Issuer := "/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress= admin at example.org/CN=Example Certificate Authority"
> (6) eap_tls:   TLS-Client-Cert-Common-Name := "user at example.org"
> (6) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication"
> (6) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
> (6) eap_tls: TLS_accept: SSLv3/TLS read client certificate
> (6) eap_tls: <<< recv TLS 1.2  [length 0046]
> (6) eap_tls: TLS_accept: SSLv3/TLS read client key exchange
> (6) eap_tls: <<< recv TLS 1.2  [length 0108]
> (6) eap_tls: TLS_accept: SSLv3/TLS read certificate verify
> (6) eap_tls: TLS_accept: SSLv3/TLS read change cipher spec
> (6) eap_tls: <<< recv TLS 1.2  [length 0010]
> (6) eap_tls: TLS_accept: SSLv3/TLS read finished
> (6) eap_tls: >>> send TLS 1.2  [length 0001]
> (6) eap_tls: TLS_accept: SSLv3/TLS write change cipher spec
> (6) eap_tls: >>> send TLS 1.2  [length 0010]
> (6) eap_tls: TLS_accept: SSLv3/TLS write finished
> (6) eap_tls: (other): SSL negotiation finished successfully
> (6) eap_tls: TLS - Connection Established
> (6) eap_tls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
> (6) eap_tls: TLS-Session-Version = "TLS 1.2"
> (6) eap_tls: TLS - got 51 bytes of data
> (6) eap_tls: [eaptls process] = handled
> -
> List info/subscribe/unsubscribe? See https://protect2.fireeye.com/v1/url?k=c2b07c9d-9d2b3c62-c2b1f662-00259087933a-f3b541b7c9d35e10&q=1&e=e5beceb9-87b2-4cf7-98f5-e78aeb4a7b92&u=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html

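An added example, not from this thread and not FreeRADIUS code, that parses the eap_tls trace lines quoted above and makes the direction explicit. FreeRADIUS prints the arrows from the server's side: `<<< recv` is a record the server read from the supplicant (client to server) and `>>> send` one the server wrote (server to client), so in the failing trace the TLS 1.3 record came from eapol_test and the 2-byte record plus the fatal `protocol version` alert was the server's reply. The sample traces are copied from the post; the summary keys are this example's own.

```python
import re
# Trace lines printed by radiusd -X for each TLS record the eap_tls module handles.
RECORD_RE = re.compile(
    r"^\((?P<req>\d+)\) eap_tls: (?P<arrow><<<|>>>) (?:recv|send) "
    r"(?P<ver>TLS 1\.\d|SSLv3)\s+\[length (?P<len>[0-9a-f]+)\]$")
ALERT_RE = re.compile(r"^\((?P<req>\d+)\) eap_tls: ERROR: TLS Alert write:fatal:(?P<reason>.+)$")
SESSION_RE = re.compile(r'^\((?P<req>\d+)\) eap_tls: TLS-Session-Version = "(?P<ver>[^"]+)"$')

def parse_trace(lines):
    """Turn eap_tls trace lines into events with the direction made explicit. The arrows are
    from the server's side: '<<< recv' was read from the supplicant, '>>> send' was written."""
    events = []
    for raw in lines:
        line = raw.strip()
        if m := RECORD_RE.match(line):
            events.append({"req": int(m["req"]),
                           "from": "client" if m["arrow"] == "<<<" else "server",
                           "version": m["ver"], "length": int(m["len"], 16)})
        elif m := ALERT_RE.match(line):
            # A 'write' alert is one the server generated, so it travels server -> client.
            events.append({"req": int(m["req"]), "from": "server", "alert": m["reason"]})
        elif m := SESSION_RE.match(line):
            events.append({"req": int(m["req"]), "negotiated": m["ver"]})
    return events

def summarize(events):
    """Who sent the first record and at what version, any fatal alert, and the negotiated version."""
    first = next((e for e in events if "version" in e), None)
    alert = next((e for e in events if "alert" in e), None)
    done = next((e for e in events if "negotiated" in e), None)
    return {"first_record_from": first["from"] if first else None,
            "first_record_version": first["version"] if first else None,
            "fatal_alert": alert["alert"] if alert else None,
            "negotiated_version": done["negotiated"] if done else None}

# Constructed samples copied from the failing (request 2) and working (request 6) traces above.
FAILED_TRACE = [
    "(2) eap_tls: <<< recv TLS 1.3  [length 00b9]",
    "(2) eap_tls: >>> send TLS 1.2  [length 0002]",   # 2 bytes: a TLS alert record
    "(2) eap_tls: ERROR: TLS Alert write:fatal:protocol version",
]
OK_TRACE = [
    "(6) eap_tls: <<< recv TLS 1.2  [length 08de]",
    "(6) eap_tls: >>> send TLS 1.2  [length 0010]",
    '(6) eap_tls: TLS-Session-Version = "TLS 1.2"',
]
if __name__ == "__main__":
    for trace in (FAILED_TRACE, OK_TRACE):
        print(summarize(parse_trace(trace)))
```

Feed it the full `radiusd -X` output and it reports, per handshake, whether the supplicant's first record was refused with an alert or the session reached a negotiated version.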