[RADIATOR] Fixes for TLS based EAP methods now in Radiator 4.15 patches

Heikki Vatiainen hvn at open.com.au
Wed Sep 9 14:13:36 CDT 2015


The fixes for TLS based EAP methods for clients supporting TLSv1.2 that
were discussed on this list are now in Radiator 4.15 patches.

The patches add better logging during radiusd startup. The Net::SSLeay
version and SSL/TLS library version, if Net::SSLeay is recent enough,
are now logged during the startup. The log messages will also tell if
TLSv1.2 cannot be enabled for TLS based EAP methods, which TLS versions
are available in general (if not all) and other related information.

If the SSL/TLS library and Net::SSLeay are recent enough, there is just
a log message that simply announces the versions that are in use.

The EAP TLS fixes change TLS initialisation to enable only those TLS
versions that are known to work. The best situation is when Net::SSLeay
is 1.53 or later and SSL/TLS library is OpenSSL 1.0.1 or later. In this
case Net::SSLeay will calculate the MPPE keys correctly for TLS v1.2 and
all TLS versions are available.

For other combinations, TLSv1.0 and TLSv1.1 may be available, or
possibly just TLSv1.0.
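As an added illustration (not code from this post, nor Radiator's or Net::SSLeay's own code): the reason the MPPE keys for a TLSv1.2 session need a version-aware derivation is that TLS 1.2 replaced the MD5/SHA-1 based PRF with a SHA-256 based one (RFC 5246), and EAP-TLS derives the MS-MPPE keys from the master secret with the negotiated version's PRF (RFC 5216). The master secret and randoms below are constructed sample values, and a SHA-256 cipher suite is assumed.

```python
import hashlib
import hmac

# Constructed sample values; a real session's master secret and randoms
# come from the TLS handshake carried inside the EAP conversation.
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32
EAP_TLS_LABEL = b"client EAP encryption"  # RFC 5216 section 2.3
TLS10, TLS11, TLS12 = (3, 1), (3, 2), (3, 3)  # TLS record-layer versions


def p_hash(algo, secret, seed, length):
    """TLS P_hash expansion (RFC 5246 section 5): HMAC chain over the seed."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, algo).digest()
        out += hmac.new(secret, a + seed, algo).digest()
    return out[:length]


def prf_tls10(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5 over the first half of the secret XOR
    P_SHA1 over the second half (halves share one byte if the length is odd)."""
    half = (len(secret) + 1) // 2
    md5_part = p_hash(hashlib.md5, secret[:half], label + seed, length)
    sha1_part = p_hash(hashlib.sha1, secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def prf_tls12(secret, label, seed, length):
    """TLS 1.2 PRF: P_SHA256 over the whole secret (assumes a cipher suite
    whose PRF hash is SHA-256; SHA-384 suites use P_SHA384 instead)."""
    return p_hash(hashlib.sha256, secret, label + seed, length)


def eap_tls_mppe_keys(version, master_secret, client_random, server_random):
    """MS-MPPE-Recv-Key and MS-MPPE-Send-Key per RFC 5216 section 2.3: the
    first 64 bytes of PRF output form the MSK, which is split into halves.
    The PRF must be the one belonging to the negotiated TLS version."""
    prf = prf_tls12 if version >= TLS12 else prf_tls10
    key_material = prf(master_secret, EAP_TLS_LABEL,
                       client_random + server_random, 128)
    msk = key_material[:64]
    return msk[:32], msk[32:]


def legacy_mppe_keys(master_secret, client_random, server_random):
    """A derivation hard-wired to the TLS 1.0 PRF regardless of the version
    negotiated: correct for TLSv1.0 and TLSv1.1, wrong for TLSv1.2."""
    return eap_tls_mppe_keys(TLS10, master_secret, client_random, server_random)
```

For the same handshake, `eap_tls_mppe_keys(TLS12, ...)` and `legacy_mppe_keys(...)` return different keys, so a peer that negotiated TLSv1.2 and a server still using the TLS 1.0 PRF end up with mismatched MPPE keys; that is the mismatch avoided by not offering TLSv1.2 where the derivation is not version-aware.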

Some examples:
CentOS 5: Based on OpenSSL 0.9.8 series: TLSv1.0 only
CentOS 6: Based on OpenSSL 1.0.1 series, Net::SSLeay 1.35: only TLSv1.0 is enabled for EAP based TLS methods
CentOS 7: Based on OpenSSL 1.0.1 series, Net::SSLeay 1.55: TLSv1.0, TLSv1.1 and TLSv1.2 available for EAP based TLS methods
Ubuntu 12.04: Based on OpenSSL 1.0.1 series, Net::SSLeay 1.42: only TLSv1.0 available for EAP based TLS methods

Since CentOS 6 and Ubuntu 12.04 come with OpenSSL 1.0.1 series, a
locally installed Net::SSLeay 1.53 or later (try the latest first)
should work to enable all TLS versions for EAP based TLS methods.

These changes do not affect stream based classes and protocols such as
RadSec. What is addressed is the compatibility with TLS based EAP
clients that support TLS v1.2 such as Apple iOS 9, OS X 10.11 El Capitan
and Android 6 Marshmallow.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.