[RADIATOR] UNS: Re: TLS v1.3

Heikki Vatiainen hvn at open.com.au
Tue Oct 25 17:25:58 UTC 2022


On 24.10.2022 18.25, Cassidy B. Larson wrote:

> We are using the "EAPTLS_Protocols TLSv1.3" currently in all of our 
> AuthBy's for good measure.  However, the TLS handshake appears to not 
> use TLSv1.3 outbound for the establishment, and instead tries TLSv1.2 
> which fails.
> See these two debug lines:
> DEBUG: AuthSQL EAP-TTLS TLS handshake: Direction*IN, Version: TLS 1.3*, 
> Record content: (22) Handshake, message type: (1) ClientHello
> DEBUG: AuthSQL EAP-TTLS TLS handshake: Direction *OUT, Version: TLS 
> 1.2*, Record content: (21) Alert, level: (2) fatal, description: (70) 
> protocol version

Would it be possible to run tcpdump to get a capture of the ClientHello 
that Radiator rejects? The ClientHello might have a combination of 
parameters that doesn't work with TLSv1.3.

My testing with Radiator-4.26-24.tgz and its demo certificates was 
successful with eapol_test that requires TLSv1.3.

I tested with the following:
- FreeBSD 13.1
- pkg install p5-Net-SSLeay-1.92
- eapol_test compiled on the host



eapol_test compilation
++++++++++++++++++++++
Clone it from https://w1.fi/cvs.html and then do this:

freebsd% git checkout hostap_2_10
HEAD is now at cff80b4f7 Preparations for v2.10 release

freebsd% cd wpa_supplicant
freebsd% cp defconfig .config

Then patch with the diff at the bottom of this message and compile with 
this (note: this needs pkg install gmake):

freebsd% gmake eapol_test



Testing with eapol_test
+++++++++++++++++++++++
When you have compiled eapol_test, run it with something like this:

./eapol_test -p 1645 -s mysecret -c eapol-eap-ttls.conf

Where eapol-eap-ttls.conf looks something like this:

network={
        phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0"

        ssid="ttls-ssid"
        key_mgmt=WPA-EAP
        eap=TTLS
        anonymous_identity="mikem-anon"
        identity="mikem"
        password="fred"
        ca_cert="certificates/demoCA/cacert.pem"
        phase2="auth=PAP"
        eap_workaround=0
}

Radiator configuration is goodies/eap_ttls.cfg with EAPTLS_Protocols 
forced to TLSv1.3 with no other remarkable changes.

With the above EAP-TTLS/PAP works fine.



Here's the .config patch to get eapol_test compiled with FreeBSD 13.1:

--- defconfig	2022-10-25 17:59:13.262031000 +0000
+++ .config	2022-10-25 20:00:19.057923000 +0000
@@ -29,7 +29,7 @@
  CONFIG_DRIVER_WEXT=y

  # Driver interface for Linux drivers using the nl80211 kernel interface
-CONFIG_DRIVER_NL80211=y
+#CONFIG_DRIVER_NL80211=y

  # QCA vendor extensions to nl80211
  #CONFIG_DRIVER_NL80211_QCA=y
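Review bot: the context line CONFIG_DRIVER_WEXT=y at the top of this hunk stays enabled although Linux Wireless Extensions are as Linux-only as the nl80211 driver being commented out here; if the FreeBSD build tolerates it, it is still unused by eapol_test, so consider commenting it out in the same hunk for consistency.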
@@ -77,7 +77,7 @@
  #CONFIG_DRIVER_MACSEC_QCA=y

  # Driver interface for Linux MACsec drivers
-CONFIG_DRIVER_MACSEC_LINUX=y
+#CONFIG_DRIVER_MACSEC_LINUX=y

  # Driver interface for the Broadcom RoboSwitch family
  #CONFIG_DRIVER_ROBOSWITCH=y
@@ -246,7 +246,7 @@
  #CONFIG_NO_WPA_PASSPHRASE=y

  # Simultaneous Authentication of Equals (SAE), WPA3-Personal
-CONFIG_SAE=y
+#CONFIG_SAE=y

  # Disable scan result processing (ap_scan=1) to save code size by 
about 1 kB.
  # This can be used if ap_scan=1 mode is never enabled.
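Review bot: disabling CONFIG_SAE is not explained by the FreeBSD port the way the two driver hunks are, and nothing in the surrounding comments says why it is off; add a one-line comment above it giving the reason (eapol_test exercises EAP only, or SAE pulled in a crypto dependency that did not build) so the next reader does not switch it back on.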
@@ -303,6 +303,7 @@
  # ndis = Windows NDISUIO (note: requires CONFIG_USE_NDISUIO=y)
  # none = Empty template
  #CONFIG_L2_PACKET=linux
+CONFIG_L2_PACKET=none

  # Disable Linux packet socket workaround applicable for station interface
  # in a bridge for EAPOL frames. This should be uncommented only if the 
kernel
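Review bot: CONFIG_L2_PACKET=none is the right value for eapol_test, which carries EAP inside RADIUS over UDP and does not put EAPOL frames on a network interface, and the comment block above documents "none = Empty template"; a wpa_supplicant binary built from the same .config would have no working layer-2 transport, though, so a comment marking this .config as eapol_test-only would prevent that surprise.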
@@ -363,7 +364,7 @@

  # Add support for new DBus control interface
  # (fi.w1.wpa_supplicant1)
-CONFIG_CTRL_IFACE_DBUS_NEW=y
+#CONFIG_CTRL_IFACE_DBUS_NEW=y

  # Add introspection support for new DBus control interface
  CONFIG_CTRL_IFACE_DBUS_INTRO=y
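Review bot: the trailing context line CONFIG_CTRL_IFACE_DBUS_INTRO=y adds introspection for the new DBus control interface that this hunk disables, so it is left dangling; comment it out as well (`#CONFIG_CTRL_IFACE_DBUS_INTRO=y`) so the file does not request a feature of an interface that is no longer built.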

-- 
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
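To check what a captured ClientHello actually offers before comparing it with Radiator's alert, here is an added Python example (not from this post, Radiator or hostap) that decodes the two record types shown in the debug lines: legacy_version and the supported_versions extension from a ClientHello, and level/description from an Alert. The sample bytes are constructed for the example, not captured traffic.

```python
import struct

HANDSHAKE, ALERT, CLIENT_HELLO = 22, 21, 1      # content/message types from the debug lines
SUPPORTED_VERSIONS_EXT = 43                     # RFC 8446 extension type
VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
ALERT_DESC = {70: "protocol_version"}           # description (70) in Radiator's OUT alert

def parse_client_hello(ch):
    """Extract legacy_version and the supported_versions extension from a ClientHello body."""
    legacy = struct.unpack("!H", ch[:2])[0]
    pos = 2 + 32                                            # skip the 32-byte random
    pos += 1 + ch[pos]                                      # legacy_session_id
    pos += 2 + struct.unpack("!H", ch[pos:pos + 2])[0]      # cipher_suites
    pos += 1 + ch[pos]                                      # legacy_compression_methods
    versions = []
    if pos < len(ch):                                       # extensions block is optional
        end = pos + 2 + struct.unpack("!H", ch[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", ch[pos:pos + 4])
            pos += 4
            if etype == SUPPORTED_VERSIONS_EXT:             # 1-byte length, then 2-byte versions
                n = ch[pos]
                versions = [VERSION_NAMES.get(v, hex(v))
                            for (v,) in struct.iter_unpack("!H", ch[pos + 1:pos + 1 + n])]
            pos += elen
    return {"legacy_version": VERSION_NAMES.get(legacy, hex(legacy)), "supported_versions": versions}

def parse_record(data):
    """Decode one TLS record header plus a ClientHello or Alert body."""
    ctype, rec_ver, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    info = {"content_type": ctype, "record_version": VERSION_NAMES.get(rec_ver, hex(rec_ver))}
    if ctype == ALERT:
        info["level"] = "fatal" if body[0] == 2 else "warning"
        info["description"] = ALERT_DESC.get(body[1], body[1])
    elif ctype == HANDSHAKE and body[0] == CLIENT_HELLO:
        info.update(parse_client_hello(body[4:]))           # skip 4-byte handshake header
    return info

def offers_only_tls13(info):
    # True when the client leaves the server no choice but TLS 1.3 (e.g. tls_disable_tlsv1_2=1)
    return info.get("supported_versions") == ["TLS 1.3"]

# Constructed sample records (not captured traffic): TLS 1.3-only ClientHello and the fatal alert
CLIENT_HELLO_TLS13_ONLY = (
    b"\x16\x03\x01\x00\x36" b"\x01\x00\x00\x32"            # record + handshake headers
    b"\x03\x03" + bytes(32) + b"\x00"                       # legacy_version, random, no session id
    b"\x00\x02\x13\x01" b"\x01\x00"                         # one cipher suite, null compression
    b"\x00\x07" b"\x00\x2b\x00\x03\x02\x03\x04")            # supported_versions = [TLS 1.3]
ALERT_PROTOCOL_VERSION = b"\x15\x03\x03\x00\x02\x02\x46"
```

A ClientHello whose supported_versions list contains only TLS 1.3 is exactly what the phase1 line in the eapol_test config above produces, and a server that will not negotiate 1.3 has no option but the protocol_version alert.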