[RADIATOR] TLS 1.1 and TLS 1.2 Support in Radiator

Heikki Vatiainen hvn at open.com.au
Thu Nov 6 11:39:30 CST 2014


On 11/06/2014 02:36 PM, Nick Lowe wrote:

> A quick question: Does Radiator support TLS 1.1 and TLS 1.2 with the
> TLS-based EAP types that it implements when paired with a
> feature-capable version of OpenSSL?

Yes, provided a one-line patch similar to what you have described below
is applied first. Now it uses TLSv1_method() directly.

> The FreeRADIUS maintainers found that the code was calling
> TLSv1_method() rather than the very poorly named SSLv23_method(),
> inadvertently prohibiting the use of the newer TLS versions.

The similar change for Radiator is to use Net::SSLeay::CTX_new();
instead. This is an alias for SSLv23_method() but looks less confusing.

Since the options are already set to include SSL_OP_NO_SSLv2 and
SSL_OP_NO_SSLv3, a one line change is enough.

> When SSLv23_method() is called, SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3
> are specified to prohibit the use of these old protocols.
> 
> This is documented at https://www.openssl.org/docs/ssl/SSL_CTX_new.html

The respective documentation for Perl/Net-SSLeay can be found here:

https://metacpan.org/pod/Net::SSLeay#Low-level-API:-SSL_CTX_-related-functions

> The upcoming FreeRADIUS 2.2.6 and 3.0.5 releases will allow TLS 1.1
> and TLS 1.2 to be used by EAP clients, and by default:
> 
> https://github.com/FreeRADIUS/freeradius-server/commit/d56fb1b5fa81ec25fddb9216ce1cf46eb2d99de9

A similar patch with a similar description will be in the Radiator patches
today and part of the next Radiator 4.14 release.

I did quick testing with PEAP and EAP-TTLS. For testing I used
eapol_test from wpa_supplicant that was compiled to use TLS 1.1 or TLS
1.2 to see if it can authenticate against Radiator. I did additional
monitoring with Wireshark.

With a recent OpenSSL, eapol_test authenticated successfully with TLS 1.1
and TLS 1.2.

I tested against CentOS 5 to see how it behaves with older OpenSSL. There
I was able to use only TLS 1.0. The other TLS versions failed with
'tlsv1 alert protocol version'.

The tests with PEAP and EAP-TTLS provided similar results, which was
expected.

> Microsoft also now support TLS 1.1 and TLS 1.2 with their TLS-based
> EAP implementations when configured through a TlsVersion bit
> flags-based DWORD in the Registry.
> [This covers Network Policy Server (NPS) therefore...]
> 
> See "More Information" towards the end of
> https://support.microsoft.com/kb/2977292

Here's one additional document: Microsoft's own documentation for PEAP.
It seems they still say only TLS 1.0 must be used.

http://msdn.microsoft.com/en-us/library/cc238354.aspx

Hopefully this will not cause any confusion when migrating to more
recent TLS versions.

> As somebody who is not yet familiar with Radiator, I am therefore
> curious what the state of play is.

I hope I was able to help. Thanks for letting us know about this.
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
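As an added example (not part of the original post or of Radiator), the eapol_test matrix described above as a small POSIX shell script: for PEAP and EAP-TTLS it generates a wpa_supplicant-style config that permits exactly one TLS version for the outer tunnel, runs eapol_test against the server, and classifies the result. The server address, shared secret, test credentials and CA certificate path are placeholders.

```shell
#!/bin/sh
# Placeholders, not values from the post: adjust for your own test lab.
SERVER="${SERVER:-127.0.0.1}"
SECRET="${SECRET:-testing123}"
IDENTITY="${IDENTITY:-testuser}"
PASSWORD="${PASSWORD:-testpass}"
CA_CERT="${CA_CERT:-/etc/ssl/certs/radiator-ca.pem}"

# Emit an eapol_test network block that allows exactly one TLS version for
# the outer tunnel.  $1 = PEAP or TTLS, $2 = 1.0, 1.1 or 1.2.
write_conf() {
    d10=1; d11=1; d12=1
    case "$2" in
        1.0) d10=0 ;;  1.1) d11=0 ;;  1.2) d12=0 ;;
        *) echo "unknown TLS version: $2" >&2; return 1 ;;
    esac
    case "$1" in
        PEAP) p2='phase2="auth=MSCHAPV2"' ;;
        TTLS) p2='phase2="auth=PAP"' ;;
        *) echo "unknown EAP method: $1" >&2; return 1 ;;
    esac
    cat <<EOF
network={
    key_mgmt=WPA-EAP
    eap=$1
    identity="$IDENTITY"
    password="$PASSWORD"
    ca_cert="$CA_CERT"
    phase1="tls_disable_tlsv1_0=$d10 tls_disable_tlsv1_1=$d11 tls_disable_tlsv1_2=$d12"
    $p2
}
EOF
}

# Classify an eapol_test log: "ok" on SUCCESS, "version-rejected" when the
# log carries the protocol version alert quoted in the post, else "failed".
classify() {
    if grep -q '^SUCCESS' "$1"; then echo ok
    elif grep -qi 'alert protocol version' "$1"; then echo version-rejected
    else echo failed; fi
}

# Two EAP methods times three TLS versions, one eapol_test run each.
run_matrix() {
    for m in PEAP TTLS; do for v in 1.0 1.1 1.2; do
        conf="eapol_${m}_${v}.conf"; log="eapol_${m}_${v}.log"
        write_conf "$m" "$v" > "$conf"
        eapol_test -c "$conf" -a "$SERVER" -s "$SECRET" -t 5 > "$log" 2>&1
        printf '%s TLS %s: %s\n' "$m" "$v" "$(classify "$log")"
    done; done
}
```

Call `run_matrix` from a lab host where eapol_test is installed; a "version-rejected" row for TLS 1.1 or 1.2 is the older-OpenSSL behaviour described above, while "ok" on all rows is what a patched Radiator with a recent OpenSSL should produce.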
