[EXT] Re: TLS 1.3

HERCEK, Marián marian.hercek at ucm.sk
Mon May 31 13:54:57 CEST 2021


1) it's very unlikely Android 4.4 supports TLS 1.3

2) recv TLS 1.3 Handshake, ClientHello - does it belong to client (Android 4.4) or NAS (e.g. WiFi AP)?

3) you mean I have to configure just tls_max_version and not tls_min_version?



-----Pôvodná správa-----
Od: Freeradius-Users <freeradius-users-bounces+marian.hercek=ucm.sk at lists.freeradius.org> V mene používateľa Alan DeKok
Odoslané: pondelok 31. mája 2021 13:39
Komu: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Predmet: [EXT] Re: TLS 1.3

On May 31, 2021, at 6:15 AM, HERCEK, Marián <marian.hercek at ucm.sk> wrote:
> after upgrading to 3.0.22 I can see many authentication problems with 
> old devices (e.g. Android 4.4)

  Those devices don't support TLS 1.3.  They might *ask for* TLS 1.3, but they won't *implement* it properly.

> Using EAP + MSCHAPv2.

  If you read the debug output, you'll see that PEAP doesn't support 1.3, either.

  This is because (for now), we only support TLS 1.3 for EAP-TLS.  The reasons why are complex.

> I configured tls_min_version to “1.0” and tls_max_version to “1.3”.


	tls_max_version = "1.3"

  Alan DeKok.

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6860 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20210531/fa6eff4a/attachment-0001.bin>

More information about the Freeradius-Users mailing list