[RADIATOR] Forcing Radsec connections to use specific TLS version

Heikki Vatiainen hvn at open.com.au
Thu Feb 20 18:04:13 UTC 2020


On 20.2.2020 14.55, Stefan Paetow wrote:

> <ServerRADSEC>

>      TLS_Protocols TLSv1.2

> </ServerRADSEC>
> 
> I understand TLS_Protocols overrides UseTLS, but I then see these messages:
> 
> Thu Feb 20 12:46:41 2020: ERR: StreamTLS server error (<other server IP>:37206): -1, 1, 8720,
> Thu Feb 20 12:46:41 2020: ERR: StreamTLS server error (<other server IP>:37204): -1, 1, 8720,
> Thu Feb 20 12:46:41 2020: ERR: StreamTLS server error (<other server IP>:37200): -1, 1, 8720,
> 
> Is that the other server saying "Sorry, I don't understand", or is this an error on my side that my server can't create a TLS 1.2 connection?

I think this is the former. I took a look at what happens with Wireshark 
and the result was a TCP connection shutdown immediately from the server 
side. There was no TLS alert or anything before the TCP disconnect. 
Radiator's TLS was provided by OpenSSL 1.1.1d.

A quick way to test the above is with OpenSSL:

% openssl s_client -connect 127.0.0.1:2083 -tls1_1

With -tls1_2 it goes a bit further with the negotiation. Another option 
is to use goodies/radsec-client.cfg and test with various client side 
options.

> When I disable TLS_Protocols (by commenting it out), all returns to normal.
> 
> Am I misunderstanding the documentation?

I think the config is correct. Now when I looked at the logging more 
closely, I noticed it could log a more detailed error too. I'll see that 
this gets updated, and then you can see something like this in the logs:

Thu Feb 20 19:35:33 2020: ERR: StreamTLS server error (127.0.0.1 port 63624): -1, 1, 20, 38048: 1 - error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol

Thu Feb 20 19:35:44 2020: ERR: StreamTLS server error (127.0.0.1 port 63625): -1, 1, 27, 38048: 1 - error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate

It's a minor fix, so it should be in soon. I'll let you know when that 
happens.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.

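Once the more detailed logging described above is in place, the OpenSSL error string tells you which side is at fault: "unsupported protocol" means the client offered a TLS version outside the server's TLS_Protocols, while "peer did not return a certificate" means the version negotiation succeeded and the client certificate was the problem. The script below is an added example for triaging such lines; it is not part of the mailing-list post or of Radiator. The sample log is constructed to follow the format quoted in the thread (192.0.2.10 is a documentation address standing in for the redacted peer), and the error-code layout and the two SSL_R_* reason numbers are taken from the OpenSSL 1.1.1 headers, the release the post says Radiator was using. The third sample line uses the terse pre-fix format to show that it carries no OpenSSL detail at all.

```python
"""Triage Radiator StreamTLS server errors that carry an OpenSSL error string."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log, modelled on the lines quoted in the thread (not real
# Radiator output). The first two use the detailed post-fix format, the third
# the terse pre-fix format; 192.0.2.10 is a documentation address.
SAMPLE_LOG = """\
Thu Feb 20 19:35:33 2020: ERR: StreamTLS server error (127.0.0.1 port 63624): -1, 1, 20, 38048: 1 - error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
Thu Feb 20 19:35:44 2020: ERR: StreamTLS server error (127.0.0.1 port 63625): -1, 1, 27, 38048: 1 - error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate
Thu Feb 20 12:46:41 2020: ERR: StreamTLS server error (192.0.2.10:37206): -1, 1, 8720,
"""

# OpenSSL 1.1.1 packs an error as (lib << 24) | (func << 12) | reason; the
# constants below are taken from that release's err.h / sslerr.h.
ERR_LIB_SSL = 20
SSL_REASONS = {
    258: "unsupported protocol",               # SSL_R_UNSUPPORTED_PROTOCOL
    199: "peer did not return a certificate",  # SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE
}

# Timestamp, peer, the numeric fields, then optionally ": <n> - error:<hex>:..."
LINE_RE = re.compile(
    r"^(?P<ts>.+?): ERR: StreamTLS server error \((?P<peer>[^)]*)\): "
    r"(?P<nums>[^:]*?)(?::\s*\d+\s*-\s*(?P<err>error:[0-9A-Fa-f]{8}:.*))?$"
)


@dataclass
class StreamTlsEvent:
    timestamp: str
    peer: str
    err_code: Optional[int]     # packed OpenSSL code; None for the terse format
    reason_text: Optional[str]  # OpenSSL reason string, if the line carried one
    verdict: str


def unpack_err(code: int) -> Tuple[int, int, int]:
    """Split a packed OpenSSL 1.1.1 error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def classify(code: Optional[int], reason_text: Optional[str] = None) -> str:
    """Turn the OpenSSL detail into an operator-facing verdict.

    Uses the reason string when present and falls back to the numeric reason,
    so it also works where only the hex code survived.
    """
    if code is None:
        return "no OpenSSL detail logged; probe the listener with openssl s_client"
    lib, _func, reason = unpack_err(code)
    text = reason_text
    if text is None and lib == ERR_LIB_SSL:
        text = SSL_REASONS.get(reason)
    if text == "unsupported protocol":
        return "version mismatch: client offered a TLS version outside the server's TLS_Protocols"
    if text == "peer did not return a certificate":
        return "client certificate missing: the server requires one and the client sent none"
    return f"unclassified OpenSSL error (lib {lib}, reason {reason})"


def parse_line(line: str) -> Optional[StreamTlsEvent]:
    """Parse one Radiator StreamTLS error line; None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code = reason_text = None
    if m.group("err"):
        # error:<hex code>:<lib name>:<func name>:<reason text>
        parts = m.group("err").split(":", 4)
        code = int(parts[1], 16)
        reason_text = parts[4] if len(parts) > 4 else None
    return StreamTlsEvent(m.group("ts"), m.group("peer"), code, reason_text,
                          classify(code, reason_text))


def triage(log: str) -> List[StreamTlsEvent]:
    """Parse every StreamTLS error line in a log excerpt."""
    events = []
    for line in log.splitlines():
        ev = parse_line(line)
        if ev is not None:
            events.append(ev)
    return events


if __name__ == "__main__":
    for ev in triage(SAMPLE_LOG):
        print(f"{ev.timestamp}  {ev.peer:<24} {ev.verdict}")
```

Run it against a Radiator log excerpt to separate peers that need their TLS_Protocols (or equivalent) raised from peers that need a client certificate; a run of "version mismatch" verdicts from one address right after tightening TLS_Protocols is the expected outcome, not a server fault.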