[RADIATOR] TLS 1.1 and TLS 1.2 Support in Radiator
hvn at open.com.au
Thu Nov 6 11:39:30 CST 2014
On 11/06/2014 02:36 PM, Nick Lowe wrote:
> A quick question: Does Radiator support TLS 1.1 and TLS 1.2 with the
> TLS-based EAP types that it implements when paired with a
> feature-capable version of OpenSSL?
Yes, provided a one-line patch similar to what you have described below
is applied first. Currently it uses TLSv1_method() directly.
> The FreeRADIUS maintainers found that the code was calling
> TLSv1_method() rather than the very poorly named SSLv23_method(),
> inadvertently prohibiting the use of the newer TLS versions.
The similar change for Radiator is to use Net::SSLeay::CTX_new()
instead. This is an alias for SSLv23_method() but looks less confusing.
Since the options are already set to include SSL_OP_NO_SSLv2 and
SSL_OP_NO_SSLv3, a one line change is enough.
> When SSLv23_method() is called, SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3
> are specified to prohibit the use of these old protocols.
> This is documented at https://www.openssl.org/docs/ssl/SSL_CTX_new.html
The respective documentation for Perl/Net-SSLeay can be found here:
> The upcoming FreeRADIUS 2.2.6 and 3.0.5 releases will allow TLS 1.1
> and TLS 1.2 to be used by EAP clients, and by default:
A similar patch with a similar description will be in the Radiator patches today
and part of the next Radiator 4.14 release.
I did quick testing with PEAP and EAP-TTLS. For testing I used
eapol_test from wpa_supplicant that was compiled to use TLS 1.1 or TLS
1.2 to see if it can authenticate against Radiator. I did additional
monitoring with Wireshark.
With a recent OpenSSL, eapol_test authenticated successfully with TLS 1.1
and TLS 1.2.
I tested against CentOS 5 to see how it behaves with older OpenSSL. There
I was able to use only TLS 1.0. The other TLS versions failed with
'tlsv1 alert protocol version'.
PEAP and EAP-TTLS provided similar results, which was
> Microsoft also now support TLS 1.1 and TLS 1.2 with their TLS-based
> EAP implementations when configured through a TlsVersion bit
> flags-based DWORD in the Registry.
> [This covers Network Policy Server (NPS) therefore...]
> See "More Information" towards the end of
Here's one additional document: Microsoft's own documentation for PEAP.
It seems they still say only TLS 1.0 must be used.
Hopefully this will not cause any confusion when migrating to more
recent TLS versions.
> As somebody who is not yet familiar with Radiator, I am therefore
> curious what the state of play is.
I hope I was able to help. Thanks for letting us know about this.
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
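Editor's added example, not code from Radiator, Net::SSLeay or FreeRADIUS: a small Python model of the point made in the thread. A server context built on a fixed-version method (TLSv1_method) only ever speaks TLS 1.0, so a TLS 1.2 capable client is silently downgraded unless it refuses, while a context built on SSLv23_method (what Net::SSLeay::CTX_new gives) with SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 negotiates the highest version both sides and the linked OpenSSL support. It also decodes the two things one looks for in a Wireshark capture of such a test: the client_version field of the ClientHello and the protocol_version alert (code 70, printed by OpenSSL as "tlsv1 alert protocol version"). The ClientHello bytes are constructed here, the SSL_OP_NO_* values are the OpenSSL 1.0.x header constants used purely as flags, and the version-selection rules are a deliberate simplification of real OpenSSL behaviour (no cipher-suite, extension or security-level effects). It goes a little beyond the post by also showing the silent downgrade with a flexible client and an SSLv3-only client being refused.

```python
"""Model of server-side TLS version selection for a fixed-version method versus
SSLv23_method, plus decoders for the ClientHello version and the
protocol_version alert. Added illustration; not project code."""
import os
import struct

# ProtocolVersion values as they appear on the wire.
SSLv3, TLS1_0, TLS1_1, TLS1_2 = 0x0300, 0x0301, 0x0302, 0x0303
VERSION_NAME = {SSLv3: "SSLv3", TLS1_0: "TLSv1.0", TLS1_1: "TLSv1.1", TLS1_2: "TLSv1.2"}

# Record content types, handshake type and alert codes (RFC 5246).
HANDSHAKE, ALERT = 22, 21
CLIENT_HELLO = 1
ALERT_FATAL, PROTOCOL_VERSION = 2, 70   # 70 is shown as "tlsv1 alert protocol version"

# SSL_OP_NO_* bits as defined in OpenSSL 1.0.x ssl.h, used only as flags here.
OP_NO_SSLv2, OP_NO_SSLv3 = 0x01000000, 0x02000000
OP_NO_TLSv1, OP_NO_TLSv1_2, OP_NO_TLSv1_1 = 0x04000000, 0x08000000, 0x10000000
NO_OPTION = {SSLv3: OP_NO_SSLv3, TLS1_0: OP_NO_TLSv1, TLS1_1: OP_NO_TLSv1_1, TLS1_2: OP_NO_TLSv1_2}


def build_client_hello(client_version, record_version=TLS1_0):
    """Constructed minimal ClientHello: client_version, 32-byte random, empty
    session id, one cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA), null compression.
    Clients commonly leave the record-layer version at TLS 1.0 for compatibility."""
    body = struct.pack(">H", client_version) + os.urandom(32)
    body += b"\x00"                              # session_id length 0
    body += struct.pack(">H", 2) + b"\x00\x2f"   # cipher_suites
    body += b"\x01\x00"                          # compression_methods: null only
    handshake_msg = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack(">BHH", HANDSHAKE, record_version, len(handshake_msg)) + handshake_msg


def build_alert(description, record_version, level=ALERT_FATAL):
    """A two-byte alert fragment wrapped in a record header."""
    return struct.pack(">BHH", ALERT, record_version, 2) + bytes([level, description])


def parse_record(data):
    """Split one TLS record into (content_type, record_version, fragment)."""
    if len(data) < 5:
        raise ValueError("short record header")
    ctype, rversion, length = struct.unpack(">BHH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("truncated record")
    return ctype, rversion, fragment


def client_hello_version(fragment):
    """Return the client_version field (the newest version the client offers)."""
    if len(fragment) < 6 or fragment[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    if int.from_bytes(fragment[1:4], "big") != len(fragment) - 4:
        raise ValueError("handshake length mismatch")
    return struct.unpack(">H", fragment[4:6])[0]


def parse_alert(fragment):
    """Return (level, description) of an alert fragment."""
    if len(fragment) != 2:
        raise ValueError("bad alert length")
    return fragment[0], fragment[1]


def server_select_version(client_version, fixed_version=None, options=0, newest=TLS1_2):
    """Simplified server-side selection. fixed_version=TLS1_0 models a context from
    TLSv1_method(): it speaks only that version. fixed_version=None models
    SSLv23_method() (Net::SSLeay::CTX_new), which picks the highest version both
    sides know that is not disabled by an SSL_OP_NO_* bit. 'newest' is the newest
    version the linked OpenSSL library implements (TLS 1.0 on an old CentOS 5 build)."""
    if fixed_version is not None:
        return fixed_version if client_version >= fixed_version else None
    for version in (TLS1_2, TLS1_1, TLS1_0, SSLv3):
        if version <= min(client_version, newest) and not options & NO_OPTION[version]:
            return version
    return None


def handshake(client_hello_record, client_min=TLS1_0, **server):
    """Negotiate and report what a capture would show: ('ServerHello', name) or
    ('Alert', 70) when the server has nothing acceptable or the client (built to
    use only versions >= client_min) refuses the downgrade."""
    ctype, rversion, fragment = parse_record(client_hello_record)
    if ctype != HANDSHAKE:
        raise ValueError("expected a handshake record")
    chosen = server_select_version(client_hello_version(fragment), **server)
    if chosen is None or chosen < client_min:
        _, _, alert = parse_record(build_alert(PROTOCOL_VERSION, rversion))
        return ("Alert", parse_alert(alert)[1])
    return ("ServerHello", VERSION_NAME[chosen])


if __name__ == "__main__":
    hello = build_client_hello(TLS1_2)   # a TLS 1.2 capable client
    print("TLSv1_method, flexible client: ", handshake(hello, fixed_version=TLS1_0))
    print("TLSv1_method, client pinned 1.2:", handshake(hello, client_min=TLS1_2, fixed_version=TLS1_0))
    print("SSLv23 + NO_SSLv2|NO_SSLv3:     ", handshake(hello, options=OP_NO_SSLv2 | OP_NO_SSLv3))
    print("old OpenSSL, newest TLS 1.0:    ", handshake(hello, client_min=TLS1_2, options=OP_NO_SSLv3, newest=TLS1_0))
```

The first case is the one worth remembering when testing a RADIUS server: a fixed-version method does not make a TLS 1.2 client fail, it quietly lands it on TLS 1.0, so the regression only shows up with a client pinned to 1.1 or 1.2 (as eapol_test was in the post) or by reading the ServerHello version in the capture.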