freeradius - TLS1.3 support

Alan DeKok aland at deployingradius.com
Thu Feb 20 18:37:17 UTC 2025


On Feb 20, 2025, at 11:57 AM, Akhil Pillai <akhilpillai101 at gmail.com> wrote:
> Now I did a localhost test on the same machine where the freeradius is
> running but the results are the same. The radius server still fails to use
> tls1.3.

  TLS versions are _negotiated_.  If the server is configured to allow TLS 1.2, and the supplicant is configured to not use TLS 1.3, then the server will use TLS 1.2.

  So the issue isn't "the server fails to use TLS 1.3". The issue is that the _configuration_ for the supplicant and server is not compatible.  Or, the version of OpenSSL on one or both ends doesn't support TLS 1.3.

> Below is the command that I used:
> eapol_test -c /etc/wpa_supplicant/wpa_supplicant.conf -a 127.0.0.1 -p 1812
> -i veth0 -s password

  Does the wpa_supplicant.conf file allow TLS 1.3?

> Dropping packet without response because of error: Received packet from
> 127.0.0.1 with invalid Message-Authenticator!  (Shared secret is
> incorrect.) (from client localhost)

  That seems clear.

> (1) eap_tls: (TLS) TLS - recv TLS 1.3 Handshake, ClientHello
> (1) eap_tls: (TLS) TLS - send TLS 1.2 Alert, fatal protocol_version
> (1) eap_tls: ERROR: (TLS) TLS - Alert write:fatal:protocol version
> (1) eap_tls: ERROR: (TLS) TLS - Server : Error in error
> (1) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000102:SSL
> routines::unsupported protocol

  Again... the supplicant and server are not configured with a compatible TLS version.  Re-posting the same debug output doesn't help.  The issue won't change.  The recommended fix won't change.

> Now I think the freeradius is somehow misconfigured; how do I test for
> tls1.3 with freeradius?

  Read the configuration files and debug output.  If you set tls_min_version / tls_max_version, the server will:

a) print out the values it's using in debug mode

b) give an error if it *can't* set those values.

  So if you see the correct values for tls_min_version / tls_max_version in debug mode AND there's no error, then FreeRADIUS is configured correctly.  Go look at the supplicant configuration, and supplicant messages, to see what it's doing.

  Alan DeKok.
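An added example, not from this thread or the FreeRADIUS project, of the check described above: read the tls_min_version / tls_max_version values the server prints in debug mode, read what the supplicant is allowed to offer, and see whether the two ranges overlap, also flagging the ClientHello-then-protocol_version-alert pattern from the debug output. It assumes the debug output prints the values as `name = "value"` and uses wpa_supplicant's `phase1="tls_disable_tlsv1_X=1"` syntax; whether a version that is not disabled is actually offered depends on the wpa_supplicant build, so treat the supplicant side as an assumption to confirm against its own messages.

```python
import re

TLS_VERSIONS = ("1.0", "1.1", "1.2", "1.3")

def server_versions(debug_log):
    """Versions the server accepts, taken from the tls_min_version /
    tls_max_version values FreeRADIUS prints in debug mode (radiusd -X).
    Returns None when they are not printed, i.e. not set in the config."""
    lo = re.search(r'tls_min_version\s*=\s*"?(1\.\d)', debug_log)
    hi = re.search(r'tls_max_version\s*=\s*"?(1\.\d)', debug_log)
    if not (lo and hi):
        return None
    lo_i, hi_i = TLS_VERSIONS.index(lo.group(1)), TLS_VERSIONS.index(hi.group(1))
    return set(TLS_VERSIONS[lo_i:hi_i + 1])

def supplicant_versions(phase1):
    """Versions wpa_supplicant / eapol_test will offer, assuming every version
    not disabled with tls_disable_tlsv1_X=1 in the network's phase1 is offered."""
    disabled = {"1." + d for d in re.findall(r"tls_disable_tlsv1_(\d)=1", phase1)}
    return set(TLS_VERSIONS) - disabled

def diagnose(debug_log, phase1):
    """Intersect both sides and look for the symptom of a mismatch in the
    debug log: a ClientHello answered with a fatal protocol_version alert."""
    srv = server_versions(debug_log)
    sup = supplicant_versions(phase1)
    common = sorted(srv & sup) if srv else []
    hello = re.search(r"recv TLS (1\.\d) Handshake, ClientHello", debug_log)
    alert = "Alert, fatal protocol_version" in debug_log
    return {
        "server": sorted(srv) if srv else None,
        "supplicant": sorted(sup),
        "common": common,
        "client_hello": hello.group(1) if hello else None,
        "protocol_version_alert": alert,
        "compatible": bool(common) and not alert,
    }

# Constructed sample (not the thread's real config): server pinned to
# TLS 1.2 only while the supplicant offers only TLS 1.3.
SAMPLE_LOG = """\
        tls_min_version = "1.2"
        tls_max_version = "1.2"
(1) eap_tls: (TLS) TLS - recv TLS 1.3 Handshake, ClientHello
(1) eap_tls: (TLS) TLS - send TLS 1.2 Alert, fatal protocol_version
"""
SAMPLE_PHASE1 = 'phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1"'
if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_PHASE1))
```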
