TLS Radsec
Rodrigo Prieto
rodrigoprieto2019 at gmail.com
Tue Jun 10 10:16:14 UTC 2025
Hello, I'm using Radsecproxy and when I run it in debug mode, I see that it
reconnects every 30 seconds. I tried changing idle_timeout, but the same
thing keeps happening. Here's the debug log using TLS 1.3:
Listening on auth+acct from client (192.168.122.188, 37511) -> (*, 2083, virtual-server=default)
(0) (TLS) RADIUS/TLS - Initiating new session
(0) (TLS) RADIUS/TLS - Setting verify mode to require certificate from client
(0) (TLS) RADIUS/TLS - Handshake state - before SSL initialization
(0) (TLS) RADIUS/TLS - Handshake state - Server before SSL initialization
(0) (TLS) RADIUS/TLS - Handshake state - Server before SSL initialization
(0) (TLS) RADIUS/TLS - recv TLS 1.3 Handshake, ClientHello
(0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS read client hello
(0) (TLS) RADIUS/TLS - send TLS 1.3 Handshake, ServerHello
(0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS write server hello
(0) (TLS) RADIUS/TLS - send TLS 1.3 ChangeCipherSpec
(0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS write change cipher spec
(0) (TLS) RADIUS/TLS - send TLS 1.3 Handshake, EncryptedExtensions
(0) (TLS) RADIUS/TLS - Handshake state - Server TLSv1.3 write encrypted extensions
(0) (TLS) RADIUS/TLS - send TLS 1.3 Handshake, CertificateRequest
(0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS write certificate request
(0) (TLS) RADIUS/TLS - send TLS 1.3 Handshake, Certificate
(0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS write certificate
(0) (TLS) RADIUS/TLS - send TLS 1.3 Handshake, CertificateVerify
(0) (TLS) RADIUS/TLS - Handshake state - Server TLSv1.3 write server certificate verify
(0) (TLS) RADIUS/TLS - send TLS 1.3 Handshake, Finished
(0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS write finished
(0) (TLS) RADIUS/TLS - Handshake state - Server TLSv1.3 early data
(0) (TLS) RADIUS/TLS - Server : Need to read more data: TLSv1.3 early data
(0) (TLS) RADIUS/TLS - In Handshake Phase
(0) (TLS) RADIUS/TLS - Handshake state - Server TLSv1.3 early data
(0) (TLS) RADIUS/TLS - recv TLS 1.3 Handshake, Certificate
(0) (TLS) RADIUS/TLS - Creating attributes from 2 certificate in chain
(0) TLS-Cert-Serial := "7903974cb1367854b0fb2ee672ff78c68211ba5e"
(0) TLS-Cert-Expiration := "250726070714Z"
(0) TLS-Cert-Valid-Since := "250527070714Z"
(0) TLS-Cert-Subject := "/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin at example.org/CN=free.loli.local"
(0) TLS-Cert-Issuer := "/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin at example.org/CN=free.loli.local"
(0) TLS-Cert-Common-Name := "free.loli.local"
(0) TLS-Cert-CRL-Distribution-Points += "http://www.example.org/example_ca.crl"
(0) (TLS) RADIUS/TLS - Creating attributes from 1 certificate in chain
(0) TLS-Client-Cert-Serial := "02"
(0) TLS-Client-Cert-Expiration := "250726070721Z"
(0) TLS-Client-Cert-Valid-Since := "250527070721Z"
(0) TLS-Client-Cert-Subject := "/C=FR/ST=Radius/O=Example Inc./CN=lolito/emailAddress=userdsdsd at example.org"
(0) TLS-Client-Cert-Issuer := "/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin at example.org/CN=free.loli.local"
(0) TLS-Client-Cert-Common-Name := "lolito"
(0) TLS-Client-Cert-CRL-Distribution-Points += "http://www.example.com/example_ca.crl"
(0) TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication"
(0) TLS-Client-Cert-X509v3-Subject-Key-Identifier += "FD:D3:42:C8:4A:F1:0C:65:A5:A3:B6:8E:2A:73:B0:FA:B2:0D:CF:CD"
(0) TLS-Client-Cert-X509v3-Authority-Key-Identifier += "86:BC:40:4A:6E:B2:66:02:81:A5:75:19:DF:93:B8:AD:12:75:75:60"
(0) TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
(0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS read client certificate
(0) (TLS) RADIUS/TLS - recv TLS 1.3 Handshake, CertificateVerify
(0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS read certificate verify
(0) (TLS) RADIUS/TLS - recv TLS 1.3 Handshake, Finished
(0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS read finished
(0) (TLS) RADIUS/TLS - Handshake state - SSL negotiation finished successfully
(0) (TLS) RADIUS/TLS - Connection Established
(0) TLS-Session-Cipher-Suite = "TLS_AES_256_GCM_SHA384"
(0) TLS-Session-Version = "TLS 1.3"
(0) (TLS) RADIUS/TLS - Application data.
(0) (TLS) OpenSSL says that it needs to read more data.
In the radsecproxy debug log, the following appears:
Tue Jun 10 07:00:54 2025: createlistener: listening for udp on *:1812
Tue Jun 10 07:00:54 2025: tlsconnect: TLS connection to freeradius_tls (Server-Freeradius port 2083), subject emailAddress=admin at example.org,CN=Server-Freeradius,O=Example Inc.,ST=Radius,C=FR up
Tue Jun 10 07:01:24 2025: sslreadtimeout: SSL: error:0A000126:SSL routines::unexpected eof while reading
Tue Jun 10 07:01:24 2025: tlsclientrd: connection to server freeradius_tls lost
Tue Jun 10 07:01:24 2025: tlsconnect: TLS connection to freeradius_tls (Server-Freeradius port 2083), subject emailAddress=admin at example.org,CN=Server-Freeradius,O=Example Inc.,ST=Radius,C=FR up
Using TLS 1.2, it also disconnects; the debug output is the same except for this line:
(0) (TLS) OpenSSL says that it needs to read more data.
Clients connecting to radsecproxy reach FreeRADIUS correctly and everything
works normally. I wanted to know whether this disconnection is normal or whether
I'm doing something wrong. I'm testing this to implement it later.
I'm using Debian 12.
radiusd: FreeRADIUS Version 3.2.7 (git #694a97ddd), for host x86_64-pc-linux-gnu
FreeRADIUS Version 3.2.7
OpenSSL 3.0.16 11 Feb 2025 (Library: OpenSSL 3.0.16 11 Feb 2025)
Thank you.
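A small triage helper, added here as an example and not part of the original post or of radsecproxy itself: it parses the radsecproxy log format quoted above (constructed sample lines, joined back onto single lines, with a made-up e-mail address) and reports servers whose TLS sessions keep being torn down after the same interval, which is the pattern to look for when an idle timeout on one side is suspected rather than a flaky link.

```python
import re
from datetime import datetime

# Constructed sample modelled on the radsecproxy debug lines quoted in the post
# (wrapped entries joined back onto one line; the e-mail address is made up).
SAMPLE_LOG = """\
Tue Jun 10 07:00:54 2025: createlistener: listening for udp on *:1812
Tue Jun 10 07:00:54 2025: tlsconnect: TLS connection to freeradius_tls (Server-Freeradius port 2083), subject emailAddress=admin@example.org,CN=Server-Freeradius,O=Example Inc.,ST=Radius,C=FR up
Tue Jun 10 07:01:24 2025: sslreadtimeout: SSL: error:0A000126:SSL routines::unexpected eof while reading
Tue Jun 10 07:01:24 2025: tlsclientrd: connection to server freeradius_tls lost
Tue Jun 10 07:01:24 2025: tlsconnect: TLS connection to freeradius_tls (Server-Freeradius port 2083), subject emailAddress=admin@example.org,CN=Server-Freeradius,O=Example Inc.,ST=Radius,C=FR up
Tue Jun 10 07:01:54 2025: sslreadtimeout: SSL: error:0A000126:SSL routines::unexpected eof while reading
Tue Jun 10 07:01:54 2025: tlsclientrd: connection to server freeradius_tls lost
"""

# radsecproxy prefixes every line with a ctime()-style timestamp, then "function: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}): (?P<func>\w+): (?P<msg>.*)$")
UP_RE = re.compile(r"TLS connection to (?P<server>\S+) .* up$")
LOST_RE = re.compile(r"connection to server (?P<server>\S+) lost$")
TS_FMT = "%a %b %d %H:%M:%S %Y"

def session_lifetimes(log_text):
    """Pair each 'tlsconnect ... up' with the next 'tlsclientrd ... lost' for the
    same server; return (server, error_before_drop, lifetime_seconds) tuples."""
    open_sessions, pending_error, lifetimes = {}, "", []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, func, msg = datetime.strptime(m["ts"], TS_FMT), m["func"], m["msg"]
        if func == "tlsconnect" and (u := UP_RE.search(msg)):
            open_sessions[u["server"]] = ts
        elif func == "sslreadtimeout":
            pending_error = msg  # reason radsecproxy reports just before the drop
        elif func == "tlsclientrd" and (d := LOST_RE.search(msg)):
            up = open_sessions.pop(d["server"], None)
            if up is not None:
                lifetimes.append((d["server"], pending_error, (ts - up).total_seconds()))
                pending_error = ""
    return lifetimes

def flapping_servers(log_text, min_drops=2, tolerance=2.0):
    """Servers whose sessions are torn down after (nearly) the same interval every
    time: a fixed cadence points at an idle timeout on one side, not a flaky link."""
    by_server = {}
    for server, _, secs in session_lifetimes(log_text):
        by_server.setdefault(server, []).append(secs)
    return {s: sum(v) / len(v) for s, v in by_server.items()
            if len(v) >= min_drops and max(v) - min(v) <= tolerance}
```

Run against a real radsecproxy debug log, a result such as {"freeradius_tls": 30.0} tells you the interval to compare against the idle timeouts configured on both the proxy and the server.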
More information about the Freeradius-Users mailing list