eap-tls tls_max_version empty

Alan DeKok aland at deployingradius.com
Thu Jan 20 16:07:52 UTC 2022

On Jan 20, 2022, at 10:52 AM, Kai Rüsen <R&D at hs-technik.com> wrote:
> I want to set up a FreeRADIUS server to test eap-tls connections with embedded devices.
> I'm using self signed certificates. I have two embedded devices, one using tls v1.2 the other using tls v1.0 (only testing). 
> Every request gets rejected, with an error output from the eap-tls submodule.
> I get a little bit confused, because the configuration of the tls_max_version parameter in the eap mod doesn't seem to be accepted.
> Please see the debug output where the value of that parameter is empty ("")

  Read the debug output again.  It's empty for the TLS configuration in a "listen" section.  You need to look at the "eap" module to see the TLS configuration.

  And there it says:

  	tls_max_version = "1.2"

  So it's fine.

> The rejection doesn't seem to be due to an invalid certificate, can you please tell me why it gets rejected?
> (1) eap_tls: WARNING: Total received TLS record fragments (54 bytes), does not equal indicated TLS record length (0 bytes)

  That doesn't seem right.  It's likely not a serious issue, but it generally shouldn't happen.

> (1) eap_tls: ERROR: TLS Alert write:fatal:internal error
> tls: TLS_accept: Error in error
> (1) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14201044:SSL routines:tls_choose_sigalg:internal error

  That's a magic error from OpenSSL.  Unfortunately it doesn't give much in the way of useful information.  We know it's in the middle of TLS negotiation, and then... OpenSSL says "something is wrong".

  You should upgrade to 3.0.25.  It not only has a bunch of issues fixed, it has a LOT more messages (and better ones) for debugging TLS issues.  It's likely that you'll get more useful information there.

  Alan DeKok.
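For reference, the TLS version limits Alan is pointing at live in the "eap" module (mods-available/eap in FreeRADIUS 3.0.x), not in any "listen" section. The fragment below is an added illustration, not configuration taken from the thread; the certificate paths are placeholders, and tls_min_version is included alongside tls_max_version because the two together define which protocol versions the server will negotiate:

```conf
# mods-available/eap (FreeRADIUS 3.0.x) - added example, paths are placeholders
eap {
	default_eap_type = tls

	tls-config tls-common {
		private_key_file = ${certdir}/server.pem
		certificate_file = ${certdir}/server.pem
		ca_file = ${cadir}/ca.pem

		# Both limits are read here, in the eap module.  The "tls" settings
		# that may appear in a "listen" section belong to RADIUS-over-TLS and
		# are unrelated to EAP-TLS, which is why they show up empty in debug
		# output even when the eap module has a value.
		tls_min_version = "1.2"
		tls_max_version = "1.2"
	}

	tls {
		tls = tls-common
	}
}
```

With this configuration a supplicant that only speaks TLS 1.0 will fail the handshake regardless of its certificate, so check the negotiated version in the debug output before looking for certificate problems.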
