[RADIATOR] UNS: Re: TLS v1.3

Heikki Vatiainen hvn at open.com.au
Mon Oct 24 09:35:27 UTC 2022


On 22.10.2022 0.15, Dubravko Penezic via radiator wrote:

> from my experience you have two options:
> * set system SSL library to work only with TLS v1.3
> * set RADIATOR configuration to accept only TLS v1.3 by setting 
> TLS_Protocols to TLSv1.3

I would do the latter and put this in the Radiator configuration under the 
AuthBy that terminates the EAP-TTLS tunnel:

<AuthBy ...>
    # To support both TLSv1.2 and 1.3
    #EAPTLS_Protocols TLSv1.2, TLSv1.3

    # To support just TLSv1.3
    EAPTLS_Protocols TLSv1.3
</AuthBy>

TLS_Protocols controls RadSec, Diameter and other non-EAP protocols. 
It's a config option, but not for EAP.

> Also be aware that from many recent reports clients which declare that 
> they work only with TLS v1.3 don't do that in the correct way or don't work 
> at all with v1.3.

EAP-TTLS is currently set in Radiator 4.26-24 and other 4.26-nn versions 
so that session resumption is disabled. The reason for this is that 
EAP-TTLS/PAP (and non-EAP CHAP variants) did not work with all EAP-TTLS 
implementations. The reason is how session resumption is done, and it is one 
example of not all clients fully working.

For more information see discussion related to document 
draft-ietf-emu-tls-eap-types that has been ongoing this year on the 
IETF's EAP Method Update (EMU) mailing list:

https://www.ietf.org/mailman/listinfo/emu

The next Radiator release supports TLSv1.3 for RadSec and has been 
updated for EAP-TLS, EAP-TTLS and PEAP with TLSv1.3. There could still 
be some work-arounds enabled, such as disabled session resumption, but 
full authentication should work fine for the said EAP methods.

Thanks,
Heikki


> Regards,
> Dubravko Penezic
> Srce
> 
> On 10/21/22 22:54, Cassidy B. Larson via radiator wrote:
>> More specifically, here's the debug output:
>>
>> Fri Oct 21 14:52:17 2022: DEBUG: AuthSQL Handling EAP type 1 
>> (Identity), code: 2 (Response), identifier: 191, length: 20
>> Fri Oct 21 14:52:17 2022: DEBUG: Initialised SSL library: Net::SSLeay 
>> 1.92, OpenSSL 1.1.1o-freebsd  3 May 2022
>> Fri Oct 21 14:52:17 2022: DEBUG: TLS: Using 0x9 (9) for Net::SSLeay 
>> constant ERROR_WANT_ASYNC
>> Fri Oct 21 14:52:17 2022: DEBUG: TLS: Using 0xa (10) for Net::SSLeay 
>> constant ERROR_WANT_ASYNC_JOB
>> Fri Oct 21 14:52:17 2022: DEBUG: TLS: Using 0xb (11) for Net::SSLeay 
>> constant ERROR_WANT_CLIENT_HELLO_CB
>> Fri Oct 21 14:52:17 2022: DEBUG: TLS: Using 0xc (12) for Net::SSLeay 
>> constant ERROR_WANT_RETRY_VERIFY
>> Fri Oct 21 14:52:17 2022: DEBUG: TLS: Using 0x8 (8) for Net::SSLeay 
>> constant SSL2_MT_CLIENT_CERTIFICATE
>> Fri Oct 21 14:52:17 2022: DEBUG: TLS: Using 0x3 (3) for Net::SSLeay 
>> constant SSL2_MT_CLIENT_FINISHED
>> Fri Oct 21 14:52:17 2022: DEBUG: TLS: Using 0x2 (2) for Net::SSLeay 
>> constant SSL2_MT_CLIENT_MASTER_KEY
>> Fri Oct 21 14:52:17 2022: DEBUG: TLS: Using 0x0 (0) for Net::SSLeay 
>> constant SSL2_MT_ERROR
>> Fri Oct 21 14:52:17 2022: DEBUG: TLS: Using 0x6 (6) for Net::SSLeay 
>> constant SSL2_MT_REQUEST_CERTIFICATE
>> Fri Oct 21 14:52:17 2022: DEBUG: TLS: Using 0x6 (6) for Net::SSLeay 
>> constant SSL2_MT_SERVER_FINISHED
>> Fri Oct 21 14:52:17 2022: DEBUG: TLS: Using 0x4 (4) for Net::SSLeay 
>> constant SSL2_MT_SERVER_HELLO
>> Fri Oct 21 14:52:17 2022: DEBUG: TLS: Using 0x5 (5) for Net::SSLeay 
>> constant SSL2_MT_SERVER_VERIFY
>> Fri Oct 21 14:52:17 2022: DEBUG: TLS: Using 0x2 (2) for Net::SSLeay 
>> constant TLSEXT_ERR_ALERT_FATAL
>> Fri Oct 21 14:52:17 2022: DEBUG: TLS: Using 0x1 (1) for Net::SSLeay 
>> constant TLSEXT_ERR_ALERT_WARNING
>> Fri Oct 21 14:52:17 2022: DEBUG: TLS: Using 0x3 (3) for Net::SSLeay 
>> constant TLSEXT_ERR_NOACK
>> Fri Oct 21 14:52:17 2022: DEBUG: TLS: Using 0x0 (0) for Net::SSLeay 
>> constant TLSEXT_ERR_OK
>> Fri Oct 21 14:52:17 2022: DEBUG: AuthSQL setting TLS protocols to: 
>> TLSv1.3
>> Fri Oct 21 14:52:17 2022: DEBUG: AuthSQL setting EAPTLS_Ciphers to: 
>> DEFAULT:!EXPORT:!LOW@SECLEVEL=1
>> Fri Oct 21 14:52:17 2022: DEBUG: EAP result: 3, EAP-TTLS Challenge
>> Fri Oct 21 14:52:17 2022: DEBUG: Radius::AuthGROUP:  result: 
>> CHALLENGE, EAP-TTLS Challenge
>> Fri Oct 21 14:52:17 2022: DEBUG: AuthBy GROUP result: CHALLENGE, 
>> EAP-TTLS Challenge
>> Fri Oct 21 14:52:17 2022: DEBUG: Access challenged for <....>: 
>> EAP-TTLS Challenge
>>
>>
>> Fri Oct 21 14:52:17 2022: DEBUG: Handling with Radius::AuthGROUP:
>> Fri Oct 21 14:52:17 2022: DEBUG: Handling with AuthSQL
>> Fri Oct 21 14:52:17 2022: DEBUG: Handling with Radius::AuthSQL:
>> Fri Oct 21 14:52:17 2022: DEBUG: AuthSQL Handling EAP type 21 (TTLS), 
>> code: 2 (Response), identifier: 192, length: 196
>> Fri Oct 21 14:52:17 2022: DEBUG: AuthSQL EAP-TTLS TLS state: before 
>> SSL initialization
>> Fri Oct 21 14:52:17 2022: DEBUG: AuthSQL EAP-TTLS TLS state: before 
>> SSL initialization
>> Fri Oct 21 14:52:17 2022: DEBUG: AuthSQL EAP-TTLS TLS state: before 
>> SSL initialization
>> Fri Oct 21 14:52:17 2022: DEBUG: AuthSQL EAP-TTLS TLS handshake: 
>> Direction IN, Version: TLS 1.3, Record content: (22) Handshake, 
>> message type: (1) ClientHello
>> Fri Oct 21 14:52:17 2022: DEBUG: AuthSQL EAP-TTLS TLS handshake: 
>> Direction OUT, Version: TLS 1.2, Record content: (21) Alert, level: 
>> (2) fatal, description: (70) protocol version
>> Fri Oct 21 14:52:17 2022: DEBUG: AuthSQL EAP-TTLS TLS state: error
>> Fri Oct 21 14:52:17 2022: DEBUG: AuthSQL EAP-TTLS TLS state: error
>> Fri Oct 21 14:52:17 2022: DEBUG: AuthSQL EAP-TTLS SSL_accept result: 
>> -1, reason/error: 'SSL_ERROR_SSL, state: 'error'
>> Fri Oct 21 14:52:17 2022: ERR: AuthSQL EAP-TTLS TLS Handshake error: 
>> result: -1, reason/error: 'SSL_ERROR_SSL', state: 'error', 
>> error:14209102:SSL 
>> routines:tls_early_post_process_client_hello:unsupported protocol
>> Fri Oct 21 14:52:17 2022: DEBUG: AuthSQL EAP Failure, elapsed time 
>> 0.050957
>> Fri Oct 21 14:52:17 2022: DEBUG: EAP result: 1, EAP-TTLS TLS Handshake 
>> error: unsupported protocol
>> Fri Oct 21 14:52:17 2022: DEBUG: Radius::AuthGROUP:  result: REJECT, 
>> EAP-TTLS TLS Handshake error: unsupported protocol
>> Fri Oct 21 14:52:17 2022: DEBUG: AuthBy GROUP result: REJECT, EAP-TTLS 
>> TLS Handshake error: unsupported protocol
>> Fri Oct 21 14:52:17 2022: INFO: Access rejected for 888901007406545: 
>> EAP-TTLS TLS Handshake error: unsupported protocol
>>
>> We're running OpenSSL 1.1.1o and Net:SSLeay 1.92 as detailed above.
>>
>>
>> On Fri, Oct 21, 2022 at 1:39 PM Cassidy B. Larson <alandaluz at gmail.com> 
>> wrote:
>>
>>     We're spinning up a new EAP-TTLS source. Installed latest dev of
>>     4.26-24. When I force EAP_TLS_Protocols to TLSv1.3 alone, I see the
>>     TLSv1.3 handshake request come in, but outbound handshake is
>>     TLSv1.2.  Apparently our vendor only allows TLSv1.3 right now.
>>
>>     Any ideas how to get outbound handshakes to use TLSv1.3?
>>
>>     Fri Oct 21 13:30:12 2022: DEBUG: AuthSQL EAP-TTLS TLS handshake:
>>     Direction IN, Version: TLS 1.3, Record content: (22) Handshake,
>>     message type: (1) ClientHello
>>     Fri Oct 21 13:30:12 2022: DEBUG: AuthSQL EAP-TTLS TLS handshake:
>>     Direction OUT, Version: TLS 1.2, Record content: (21) Alert,
>>     level: (2) fatal, description: (70) protocol version
>>
>>
>>     Thanks!
>>
>>     -c
>>
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at lists.open.com.au
>> https://lists.open.com.au/mailman/listinfo/radiator

-- 
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
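The failure pattern in the quoted debug output (a TLS 1.3 ClientHello coming in, a fatal alert 70 "protocol version" going out) is easy to miss in a long Radiator trace. The script below is an added example, not code from the thread or from Radiator itself: it parses handshake lines of the format quoted above, finds a ClientHello that was answered with a protocol_version alert, and reports which option the thread says governs EAP tunnels (EAPTLS_Protocols on the AuthBy, as opposed to TLS_Protocols for RadSec and Diameter). The log text is a constructed sample modelled on the quoted trace; the function names and the verdict strings are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple, List

# Constructed sample log, modelled on the Radiator debug output quoted in the
# thread (same sequence of events, not a verbatim copy).
SAMPLE_LOG = """\
Fri Oct 21 14:52:17 2022: DEBUG: AuthSQL setting TLS protocols to: TLSv1.3
Fri Oct 21 14:52:17 2022: DEBUG: AuthSQL EAP-TTLS TLS state: before SSL initialization
Fri Oct 21 14:52:17 2022: DEBUG: AuthSQL EAP-TTLS TLS handshake: Direction IN, Version: TLS 1.3, Record content: (22) Handshake, message type: (1) ClientHello
Fri Oct 21 14:52:17 2022: DEBUG: AuthSQL EAP-TTLS TLS handshake: Direction OUT, Version: TLS 1.2, Record content: (21) Alert, level: (2) fatal, description: (70) protocol version
Fri Oct 21 14:52:17 2022: ERR: AuthSQL EAP-TTLS TLS Handshake error: result: -1, reason/error: 'SSL_ERROR_SSL', state: 'error', error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
"""

# Constructed sample of a handshake that proceeds normally (server answers
# the ClientHello with a ServerHello instead of an alert).
SAMPLE_OK_LOG = """\
Fri Oct 21 15:01:02 2022: DEBUG: AuthSQL EAP-TTLS TLS handshake: Direction IN, Version: TLS 1.3, Record content: (22) Handshake, message type: (1) ClientHello
Fri Oct 21 15:01:02 2022: DEBUG: AuthSQL EAP-TTLS TLS handshake: Direction OUT, Version: TLS 1.2, Record content: (22) Handshake, message type: (2) ServerHello
"""

# One "TLS handshake:" debug line as Radiator prints it in the quoted trace.
HANDSHAKE_RE = re.compile(
    r"^(?P<ts>.+?): DEBUG: (?P<authby>\S+) (?P<method>EAP-\S+) TLS handshake: "
    r"Direction (?P<direction>IN|OUT), Version: (?P<version>TLS [0-9.]+), "
    r"Record content: \((?P<content>\d+)\) \w+"
    r"(?:, message type: \((?P<msg_type>\d+)\) (?P<msg_name>\w+))?"
    r"(?:, level: \((?P<alert_level>\d+)\) \w+, "
    r"description: \((?P<alert_desc>\d+)\) (?P<alert_name>[\w ]+))?$"
)
PROTOCOLS_RE = re.compile(r"setting TLS protocols to: (?P<protocols>.+)$")

CONTENT_HANDSHAKE = 22          # TLS record ContentType handshake
CONTENT_ALERT = 21              # TLS record ContentType alert
HS_CLIENT_HELLO = 1             # HandshakeType client_hello
ALERT_PROTOCOL_VERSION = 70     # AlertDescription protocol_version


@dataclass
class TlsRecord:
    method: str
    direction: str
    version: str
    content: int
    msg_type: Optional[int]
    alert_level: Optional[int]
    alert_desc: Optional[int]


def _int_or_none(s: Optional[str]) -> Optional[int]:
    return int(s) if s else None


def parse_records(log_text: str) -> List[TlsRecord]:
    """Extract the handshake records from a Radiator debug trace, in order."""
    records = []
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.match(line)
        if not m:
            continue
        records.append(TlsRecord(
            m.group("method"), m.group("direction"), m.group("version"),
            int(m.group("content")), _int_or_none(m.group("msg_type")),
            _int_or_none(m.group("alert_level")), _int_or_none(m.group("alert_desc")),
        ))
    return records


def configured_protocols(log_text: str) -> Optional[str]:
    """Protocol list Radiator logged for this AuthBy, if the line is present."""
    for line in log_text.splitlines():
        m = PROTOCOLS_RE.search(line)
        if m:
            return m.group("protocols").strip()
    return None


def diagnose(log_text: str) -> Tuple[str, str]:
    """Return (verdict, detail). Verdict is 'version_mismatch' when a ClientHello
    was answered by a fatal protocol_version alert, otherwise 'ok'."""
    records = parse_records(log_text)
    for i, rec in enumerate(records):
        if not (rec.direction == "IN" and rec.content == CONTENT_HANDSHAKE
                and rec.msg_type == HS_CLIENT_HELLO):
            continue
        # Look at the first thing the server sent back after this ClientHello.
        for reply in records[i + 1:]:
            if reply.direction != "OUT":
                continue
            if reply.content == CONTENT_ALERT and reply.alert_desc == ALERT_PROTOCOL_VERSION:
                detail = (
                    f"{rec.method}: client offered {rec.version}; server answered with fatal "
                    f"alert {ALERT_PROTOCOL_VERSION} (protocol_version), so no version was "
                    f"negotiated. 'Version: {reply.version}' on the alert is the record-layer "
                    f"version field, not a negotiated protocol. Logged protocol setting: "
                    f"{configured_protocols(log_text)}. For EAP methods check EAPTLS_Protocols "
                    f"on the AuthBy terminating the tunnel; TLS_Protocols covers RadSec/Diameter."
                )
                return "version_mismatch", detail
            break  # server replied with something other than an alert
    return "ok", "no ClientHello was rejected with a protocol_version alert"


if __name__ == "__main__":
    for name, text in (("failing", SAMPLE_LOG), ("passing", SAMPLE_OK_LOG)):
        verdict, detail = diagnose(text)
        print(f"{name}: {verdict}\n  {detail}")
```

Run it against a real trace with `diagnose(open("radiator.log").read())`; it only looks at the "TLS handshake:" and "setting TLS protocols to:" lines, so the rest of the trace is ignored.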

