TLS errors and clients sometimes rejected
Alan DeKok
aland at deployingradius.com
Tue Sep 17 18:16:09 UTC 2024
On Sep 17, 2024, at 12:46 PM, Rodrigo Abrantes Antunes <rodrigoantunes at pelotas.ifsul.edu.br> wrote:
> ## REJECTED
> ..
> (911) eap_peap: (TLS) send TLS 1.2 Alert, fatal protocol_version
> (911) eap_peap: ERROR: (TLS) Alert write:fatal:protocol version
Ah, that's the other end saying it doesn't like the protocol version which FreeRADIUS is using.
It should negotiate a mutually compatible TLS version, but... whatever.
> Doesn't cipher_list = "DEFAULT@SECLEVEL=0" tell the server to support the old ciphers?
That configuration tells OpenSSL to support the old ciphers. Mostly.
Some newer OS distributions have removed support for old TLS versions from OpenSSL. You will need to investigate your local OS to see what it supports, and what TLS versions are supported by the OpenSSL libraries.
Again... this isn't a FreeRADIUS issue. No amount of poking FreeRADIUS will get OpenSSL to support TLS 1.0 with triple-DES, if that's what the clients are using. You might just need to upgrade the client, or build a custom version of OpenSSL.
> > Configure OpenSSL (e.g. cipher_list) so that it works with a new version of OpenSSL. Or, use an old version of OpenSSL. There really aren't many other choices.
>
> What are the other choices possible?
Live with the fact that some devices won't work, because they're too old.
Alan DeKok.
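The reply above says to investigate what the local OpenSSL still supports before touching the FreeRADIUS config. The script below is an added example (not code from the list, from Alan, or from the FreeRADIUS project) that does that investigation offline through Python's ssl module: which TLS versions are compiled in and accepted by a server context, and which cipher suites each value of the "DEFAULT@SECLEVEL=n" string (the same form as the cipher_list setting quoted in the thread) admits. It assumes Python is linked against OpenSSL, since the SECLEVEL syntax is an OpenSSL feature; no network access is used.

```python
"""Probe what the local OpenSSL (as seen through Python's ssl module) still
allows for legacy EAP clients: which TLS versions are compiled in and
configurable, and which cipher suites each SECLEVEL value of the
"DEFAULT@SECLEVEL=n" cipher string admits.  No network access is needed.

Assumption: Python is linked against OpenSSL (the SECLEVEL syntax is an
OpenSSL feature; LibreSSL rejects it).  This is an added example, not
FreeRADIUS code.
"""
import json
import ssl
import warnings

# 0 = permissive (the setting quoted in the thread); 2 = a common distro default
SECLEVELS = (0, 1, 2)


def ciphers_at_seclevel(level: int) -> list:
    """(name, protocol, strength_bits) for each suite OpenSSL offers with
    cipher_list = "DEFAULT@SECLEVEL=<level>", in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(f"DEFAULT@SECLEVEL={level}")
    return [(c["name"], c["protocol"], c["strength_bits"]) for c in ctx.get_ciphers()]


def weak_suites(level: int) -> list:
    """Suites under 128 bits of key strength, e.g. DES-CBC3-SHA (triple DES),
    which is what an old client asking for TLS 1.0 with 3DES would need."""
    return [c for c in ciphers_at_seclevel(level) if c[2] < 128]


def suites_only_at_seclevel0() -> list:
    """What lowering SECLEVEL from 2 to 0 actually adds on this build."""
    names0 = {c[0] for c in ciphers_at_seclevel(0)}
    names2 = {c[0] for c in ciphers_at_seclevel(2)}
    return sorted(names0 - names2)


def tls_version_support() -> dict:
    """For each TLS version: is it compiled into this OpenSSL, and will a
    server context accept it as both floor and ceiling?  A distribution that
    built OpenSSL with no-tls1 shows compiled_in=False here, and no
    cipher_list setting will bring that version back."""
    compiled = {
        "TLSv1": ssl.HAS_TLSv1,
        "TLSv1.1": ssl.HAS_TLSv1_1,
        "TLSv1.2": ssl.HAS_TLSv1_2,
        "TLSv1.3": ssl.HAS_TLSv1_3,
    }
    result = {}
    for name, flag in compiled.items():
        version = getattr(ssl.TLSVersion, name.replace(".", "_"))
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        try:
            with warnings.catch_warnings():
                # Python warns that TLSv1/TLSv1.1 are deprecated; probing them is the point.
                warnings.simplefilter("ignore", DeprecationWarning)
                ctx.minimum_version = version  # set the floor first, then the ceiling
                ctx.maximum_version = version
            configurable = True
        except (ValueError, ssl.SSLError):
            configurable = False
        result[name] = {"compiled_in": flag, "configurable": configurable}
    return result


def report() -> dict:
    """Everything an admin needs before deciding whether SECLEVEL=0 can help."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "tls_versions": tls_version_support(),
        "weak_suites_at_seclevel0": [c[0] for c in weak_suites(0)],
        "suites_only_at_seclevel0": suites_only_at_seclevel0(),
        "suite_count_by_seclevel": {lvl: len(ciphers_at_seclevel(lvl)) for lvl in SECLEVELS},
    }


if __name__ == "__main__":
    print(json.dumps(report(), indent=2))
```

Read the output with the caveat the reply makes: a version showing compiled_in and configurable only means the library can be asked for it. On OpenSSL 3 at the default security level the handshake for TLS 1.0/1.1 is still refused, which is what the "@SECLEVEL=0" suffix lowers, and if weak_suites_at_seclevel0 comes back empty, the distribution's OpenSSL simply has no 3DES suite to offer and the only remaining choices are the ones Alan lists: a different OpenSSL build, or accepting that those clients will not connect.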