[RADIATOR] AuthBy DUO issue

Heikki Vatiainen hvn at open.com.au
Thu May 27 16:57:45 UTC 2021


On 27.5.2021 19.36, Heikki Vatiainen wrote:
> On 27.5.2021 14.58, Alexander.Hartmaier at t-systems.com wrote:

>> Is this a known issue?

> As mentioned above, it's not. From what I know it's been used
> successfully on RHEL/CentOS systems and it works for me on Mac.

The problem might be TLS version related. The above don't do TLSv1.3.

> I'd say this is something specific for Debian 10 because the problem is
> not that hard to reproduce. This needs further investigation.

If possible, can you update AuthDUO.pm sub get_ssl_opts() with the
following:

   $ssl_opts{SSL_version} = 'TLSv1_2';

This kind of behaviour where TLS socket indicates read but there's no
user data available reminded me about TLS 1.3 and how it can send keys
for session resumption after TLS handshake has been done.

A look at HTTPS traffic shows that there's both TLS 1.2 and 1.3 by
default. Restricting TLS to 1.2 seems to make the problem go away.

If you could also check this, please let me know if it changes anything.

Thanks,
Heikki


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
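The behaviour Heikki describes (the socket reports readable after the handshake, but the record is a TLS 1.3 session ticket rather than application data) and the TLS 1.2 workaround are shown below in Python's ssl module, as an added example that is not Radiator or AuthDUO code. It assumes the Perl option `SSL_version => 'TLSv1_2'` maps onto capping the client context's maximum protocol version, and it uses a constructed test double in place of a real TLS 1.3 connection so it runs offline; the JSON payload and the `SimulatedTLS13Socket` class are constructed for the illustration only.

```python
"""Added example, not Radiator/AuthDUO code: Python ssl analogue of the
SSL_version => 'TLSv1_2' workaround, plus a reader that tolerates a TLS 1.3
post-handshake record (a NewSessionTicket) making the socket readable with
no application data behind it."""
import select
import socket
import ssl


def build_client_context(pin_tls12: bool) -> ssl.SSLContext:
    """Client context with certificate verification enabled.

    pin_tls12=True is the assumed equivalent of the IO::Socket::SSL option
    SSL_version => 'TLSv1_2' from the mail: TLS 1.3 is never negotiated,
    so no post-handshake ticket records arrive.
    """
    ctx = ssl.create_default_context()  # verifies the peer against the system CA store
    if pin_tls12:
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def read_app_data(ssl_sock, bufsize=4096, timeout=5.0):
    """Read application data once select() reports the socket readable.

    With TLS 1.3 the first readable event after the handshake may carry
    only a NewSessionTicket record. On a non-blocking socket recv() then
    consumes that record and raises SSLWantReadError without returning any
    bytes. That is "no user data yet", not an error or EOF, so wait again.
    Returns the bytes read, b'' on a real EOF, or None on timeout.
    """
    while True:
        # Records already decrypted inside the SSL object are invisible to
        # select(), so only block in select() when nothing is buffered.
        if ssl_sock.pending() == 0:
            ready, _, _ = select.select([ssl_sock], [], [], timeout)
            if not ready:
                return None
        try:
            return ssl_sock.recv(bufsize)
        except ssl.SSLWantReadError:
            # A non-application record was consumed; keep waiting.
            continue


class SimulatedTLS13Socket:
    """Constructed test double, not a real TLS socket: scripts what an
    OpenSSL-backed non-blocking SSLSocket does when a session ticket record
    arrives first and application data (if any) arrives afterwards."""

    def __init__(self, script):
        # script items: ssl.SSLWantReadError (ticket-only record) or bytes
        # (application data). One wire byte is queued per item so that
        # select() reports readable once per scripted record.
        self._script = list(script)
        self._rx, self._tx = socket.socketpair()
        self._rx.setblocking(False)
        for _ in self._script:
            self._tx.send(b"x")

    def fileno(self):
        return self._rx.fileno()

    def pending(self):
        return 0

    def recv(self, bufsize):
        self._rx.recv(1)  # consume the wire record for this event
        item = self._script.pop(0)
        if item is ssl.SSLWantReadError:
            raise ssl.SSLWantReadError()
        return item[:bufsize]

    def close(self):
        self._rx.close()
        self._tx.close()


def demo():
    """Ticket record first, then a constructed Duo-style JSON reply."""
    sock = SimulatedTLS13Socket([ssl.SSLWantReadError, b'{"stat": "OK"}'])
    try:
        return read_app_data(sock, timeout=1.0)
    finally:
        sock.close()


if __name__ == "__main__":
    print(build_client_context(True).maximum_version)
    print(demo())
```

A client that treats the first readable-but-empty read as a failure is exactly what the TLS 1.2 cap papers over; the reader above is the version that keeps TLS 1.3 enabled, and `ssl_sock.version()` on a real connection confirms which protocol was actually negotiated.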
