[RADIATOR] Forcing Radsec connections to use specific TLS version
Stefan Paetow
Stefan.Paetow at jisc.ac.uk
Fri Feb 21 00:07:32 UTC 2020
Hi Heikki,
Thank you very much, that'll be very helpful.
I've been given a config that appears to work because I'm not seeing those errors anymore (the openssl commands are successful by the looks of it); I look forward to the update and I'll re-test once it's applied/installed with the configuration I tried.
With Kind Regards
Stefan Paetow
Federated Roaming Technical Specialist
t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp at jabber.dev.ja.net
skype: stefan.paetow.janet
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
On 20/02/2020, 18:11, "radiator on behalf of Heikki Vatiainen" <radiator-bounces at lists.open.com.au on behalf of hvn at open.com.au> wrote:
On 20.2.2020 14.55, Stefan Paetow wrote:
> <ServerRADSEC>
> TLS_Protocols TLSv1.2
> </ServerRADSEC>
>
> I understand TLS_Protocols overrides UseTLS, but I then see these messages:
>
> Thu Feb 20 12:46:41 2020: ERR: StreamTLS server error (<other server IP>:37206): -1, 1, 8720,
> Thu Feb 20 12:46:41 2020: ERR: StreamTLS server error (<other server IP>:37204): -1, 1, 8720,
> Thu Feb 20 12:46:41 2020: ERR: StreamTLS server error (<other server IP>:37200): -1, 1, 8720,
>
> Is that the other server saying "Sorry, I don't understand", or is this an error on my side that my server can't create a TLS 1.2 connection?
I think this is the former. I took a look at what happens with Wireshark
and the result was TCP connection shutdown immediately from the server
side. There was no TLS alert or anything before TCP disconnect.
Radiator's TLS was provided by OpenSSL 1.1.1d.
A quick way to test the above is with OpenSSL:
% openssl s_client -connect 127.0.0.1:2083 -tls1_1
With -tls1_2 it goes a bit further with the negotiation. Another option
is to use goodies/radsec-client.cfg and test with various client side
options.
> When I disable TLS_Protocols (by commenting it out), all returns to normal.
>
> Am I misunderstanding the documentation?
I think the config is correct. Now when I looked at the logging more
closely, I noticed it could log a more detailed error too. I'll see that
this gets updated and then you can see something like this in the logs:
Thu Feb 20 19:35:33 2020: ERR: StreamTLS server error (127.0.0.1 port 63624): -1, 1, 20, 38048: 1 - error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
Thu Feb 20 19:35:44 2020: ERR: StreamTLS server error (127.0.0.1 port 63625): -1, 1, 27, 38048: 1 - error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate
It's a minor fix, so it should be in soon. I'll let you know when that
happens.
Thanks,
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
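The terse "-1, 1, 8720," lines and the more detailed OpenSSL-reason lines above are the only two forms a RadSec operator sees for these handshake failures. The script below is an added example (not Radiator's code, not from Heikki or Stefan) that parses both forms and summarises failures per peer and reason with an operator hint; the line layout is assumed from the lines quoted in this thread, and the sample log is constructed, with 192.0.2.10 standing in for "<other server IP>".

```python
import re
from collections import Counter
# Matches the StreamTLS server error lines quoted in the thread. The peer field
# is "host:port" in the terse form and "host port N" in the detailed form; the
# OpenSSL reason is optional because the terse form ends after the numbers.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}): ERR: StreamTLS server error "
    r"\((?P<peer>[^)]+)\): (?P<nums>[-\d, ]+)(?::\s*\d+ - (?P<reason>.+))?$"
)
NO_DETAIL = "connection dropped, no OpenSSL detail logged"

# Operator hints for the reasons seen in this thread; any other reason is passed on.
HINTS = {
    NO_DETAIL: "peer closed TCP before any TLS alert; re-test with openssl s_client -tls1_2",
    "unsupported protocol": "client offered a TLS version outside TLS_Protocols",
    "peer did not return a certificate": "client sent no certificate; check its client cert setup",
}
# Constructed sample modelled on the thread's log lines (192.0.2.10 stands in
# for "<other server IP>"); the last line is noise the parser must skip.
SAMPLE_LOG = [
    "Thu Feb 20 12:46:41 2020: ERR: StreamTLS server error (192.0.2.10:37206): -1, 1, 8720,",
    "Thu Feb 20 12:46:41 2020: ERR: StreamTLS server error (192.0.2.10:37204): -1, 1, 8720,",
    "Thu Feb 20 19:35:33 2020: ERR: StreamTLS server error (127.0.0.1 port 63624): -1, 1, 20, 38048: 1 - error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol",
    "Thu Feb 20 19:35:44 2020: ERR: StreamTLS server error (127.0.0.1 port 63625): -1, 1, 27, 38048: 1 - error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate",
    "Thu Feb 20 19:35:50 2020: INFO: unrelated line that must be ignored",
]

def parse_line(line):
    """Return a dict for one StreamTLS server error line, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    reason = m.group("reason")
    if reason:  # keep only the last field of "error:HEX:SSL routines:func:reason"
        reason = reason.rsplit(":", 1)[-1].strip()
    return {"ts": m.group("ts"), "peer": m.group("peer"), "reason": reason or NO_DETAIL}

def summarise(lines):
    """Count failures per (peer host, reason), most frequent first, with a hint."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            host = rec["peer"].split()[0].split(":")[0]  # strip port in either form
            counts[(host, rec["reason"])] += 1
    return [(host, reason, n, HINTS.get(reason, reason))
            for (host, reason), n in counts.most_common()]
if __name__ == "__main__":
    for host, reason, n, hint in summarise(SAMPLE_LOG):
        print(f"{n:3d}  {host:<12} {reason}: {hint}")
```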
_______________________________________________
radiator mailing list
radiator at lists.open.com.au
https://lists.open.com.au/mailman/listinfo/radiator