freeradius - TLS1.3 support

Akhil Pillai akhilpillai101 at gmail.com
Thu Feb 20 19:31:04 UTC 2025


What is the compatibility issue? Both the server and the client use
openssl 3.0.15.  The wpa_supplicant at the client side is compiled with
openssl 3.0.15. What else could make the configuration incompatible?


On Fri, Feb 21, 2025 at 12:07 AM Alan DeKok <aland at deployingradius.com>
wrote:

> On Feb 20, 2025, at 11:57 AM, Akhil Pillai <akhilpillai101 at gmail.com>
> wrote:
> > Now I did a localhost test on the same machine where the freeradius is
> > running but the results are the same. The radius server still fails to use
> > tls1.3.
>
>   TLS versions are _negotiated_.  If the server is configured to allow TLS
> 1.2, and the supplicant is configured to not use TLS 1.3, then the server
> will use TLS 1.2.
>
>   So the issue isn't "the server fails to use TLS 1.3". The issue is that
> the _configuration_ for the supplicant and server is not compatible.  Or,
> the version of OpenSSL on one or both ends doesn't support TLS 1.3.
>
> > Below is the command that I used:
> > eapol_test -c /etc/wpa_supplicant/wpa_supplicant.conf -a 127.0.0.1 -p 1812 -i veth0 -s password
>
>   Does the wpa_supplicant.conf file allow TLS 1.3?
>
> > Dropping packet without response because of error: Received packet from
> > 127.0.0.1 with invalid Message-Authenticator!  (Shared secret is
> > incorrect.) (from client localhost)
>
>   That seems clear.
>
> > (1) eap_tls: (TLS) TLS - recv TLS 1.3 Handshake, ClientHello
> > (1) eap_tls: (TLS) TLS - send TLS 1.2 Alert, fatal protocol_version
> > (1) eap_tls: ERROR: (TLS) TLS - Alert write:fatal:protocol version
> > (1) eap_tls: ERROR: (TLS) TLS - Server : Error in error
> > (1) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000102:SSL
> > routines::unsupported protocol
>
>   Again... the supplicant and server are not configured with a compatible
> TLS version.  Re-posting the same debug output doesn't help.  The issue
> won't change.  The recommended fix won't change.
>
> > Now I think the freeradius is somehow misconfigured, how do I test for
> > tls1.3 with freeradius?
>
>   Read the configuration files and debug output.  If you set
> tls_min_version / tls_max_version, the server will:
>
> a) print out the values it's using in debug mode
>
> b) give an error if it *can't* set those values.
>
>   So if you see the correct values for tls_min_version / tls_max_version
> in debug mode AND there's no error, then FreeRADIUS is configured
> correctly.  Go look at the supplicant configuration, and supplicant
> messages, to see what it's doing.
>
>   Alan DeKok.


More information about the Freeradius-Users mailing list
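
A small triage script for the kind of debug output discussed in this thread, added here as an example (it is not from the thread or from the FreeRADIUS project). The eap_tls and Message-Authenticator lines are the ones quoted in the thread; the two tls_min_version / tls_max_version lines, their values and their layout are constructed assumptions standing in for the values the server prints in debug mode.

```python
import re

# eap_tls / Message-Authenticator lines are quoted from the thread; the two
# tls_*_version lines are CONSTRUCTED (assumed layout and values).
SAMPLE = '''\
    tls_min_version = "1.2"
    tls_max_version = "1.2"
Dropping packet without response because of error: Received packet from 127.0.0.1 with invalid Message-Authenticator!  (Shared secret is incorrect.) (from client localhost)
(1) eap_tls: (TLS) TLS - recv TLS 1.3 Handshake, ClientHello
(1) eap_tls: (TLS) TLS - send TLS 1.2 Alert, fatal protocol_version
(1) eap_tls: ERROR: (TLS) TLS - Alert write:fatal:protocol version
(1) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000102:SSL routines::unsupported protocol
'''

CONF = re.compile(r'^\s*(tls_(?:min|max)_version)\s*=\s*"?([\d.]+)"?')
EVENT = re.compile(
    r'^\((\d+)\) eap_tls: \(TLS\) TLS - (recv|send) TLS ([\d.]+) (\w+), (.+)$')

def triage(text):
    """Return (configured_versions, findings) for FreeRADIUS debug output."""
    conf, findings, hello = {}, [], {}
    for line in text.splitlines():
        if m := CONF.match(line):
            conf[m[1]] = m[2]          # version limit the server reports using
        elif "invalid Message-Authenticator" in line:
            findings.append("packet dropped: invalid Message-Authenticator "
                            "(check the shared secret)")
        elif m := EVENT.match(line):
            req, direction, version, record, detail = m.groups()
            if direction == "recv" and detail == "ClientHello":
                hello[req] = version   # remember the hello per request number
            elif (direction == "send" and record == "Alert"
                  and detail == "fatal protocol_version" and req in hello):
                # Server refused the ClientHello: no TLS version in common.
                findings.append(
                    f"request {req}: ClientHello logged as TLS {hello[req]}, "
                    f"server sent fatal protocol_version; compare server range "
                    f"{conf.get('tls_min_version', '?')}-"
                    f"{conf.get('tls_max_version', '?')} with the supplicant")
    return conf, findings

if __name__ == "__main__":
    conf, findings = triage(SAMPLE)
    print(conf)
    for finding in findings:
        print("-", finding)
```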