Heikki Vatiainen hvn at open.com.au
Tue Oct 25 17:25:58 UTC 2022

On 24.10.2022 18.25, Cassidy B. Larson wrote:

> We are using the "EAPTLS_Protocols TLSv1.3" currently in all of our 
> AuthBy's for good measure.  However, the TLS handshake appears to not 
> use TLSv1.3 outbound for the establishment, and instead tries TLSv1.2 
> which fails.
> See these two debug lines:
> DEBUG: AuthSQL EAP-TTLS TLS handshake: Direction*IN, Version: TLS 1.3*, 
> Record content: (22) Handshake, message type: (1) ClientHello
> DEBUG: AuthSQL EAP-TTLS TLS handshake: Direction *OUT, Version: TLS 
> 1.2*, Record content: (21) Alert, level: (2) fatal, description: (70) 
> protocol version

Would it be possible to run tcpdump to get capture from the ClientHello 
that Radiator rejects? The ClientHello might have a combination of 
parameters that don't work with TLSv1.3.

My testing with Radiator-4.26-24.tgz and its demo certificates was 
successful with eapol_test that requires TLSv1.3.

I tested with the following:
- FreeBSD 13.1
- pkg install p5-Net-SSLeay-1.92
- eapol_test compiled on the host

eapol_test compilation
Clone it from https://w1.fi/cvs.html and then do this:

freebsd% git checkout hostap_2_10
HEAD is now at cff80b4f7 Preparations for v2.10 release

freebsd% cd wpa_supplicant
freebsd% cp defconfig .config

Then patch with the diff at the bottom of this message and compile with 
this (note: this needs pkg install gmake):

freebsd% gmake eapol_test

Testing with eapol_test
When you have compiled eapol_test, run it with something like this:

./eapol_test -p 1645 -s mysecret -c eapol-eap-ttls.conf

Where eapol-eap-ttls.conf looks something like this:

         phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0"

Radiator configuration is goodies/eap_ttls.cfg with EAPTLS_Protocols 
forced to TLSv1.3 with no other remarkable changes.

With the above EAP-TTLS/PAP works fine.

Here's the .config patch to get eapol_test compiled with FreeBSD 13.1:

--- defconfig	2022-10-25 17:59:13.262031000 +0000
+++ .config	2022-10-25 20:00:19.057923000 +0000
@@ -29,7 +29,7 @@

  # Driver interface for Linux drivers using the nl80211 kernel interface

  # QCA vendor extensions to nl80211
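Review bot: the `-`/`+` lines of this hunk are not present in the message as it appears here; only the context comments about the nl80211 driver interface and the QCA vendor extensions survive, and the header's 7/7 line counts indicate a single-line replacement, so which option was toggled cannot be checked. Please resend or attach the complete diff so the changed line is visible.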
@@ -77,7 +77,7 @@

  # Driver interface for Linux MACsec drivers

  # Driver interface for the Broadcom RoboSwitch family
@@ -246,7 +246,7 @@

  # Simultaneous Authentication of Equals (SAE), WPA3-Personal

  # Disable scan result processing (ap_scan=1) to save code size by 
about 1 kB.
  # This can be used if ap_scan=1 mode is never enabled.
@@ -303,6 +303,7 @@
  # ndis = Windows NDISUIO (note: requires CONFIG_USE_NDISUIO=y)
  # none = Empty template

  # Disable Linux packet socket workaround applicable for station interface
  # in a bridge for EAPOL frames. This should be uncommented only if the 
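Review bot: this hunk's header (6 old lines, 7 new) shows one line being added after the driver-type comments, and the next hunk's new-file offset (+364 against -363) agrees with that, but the added `+` line itself is missing from the message as shown here, so the option being enabled cannot be reviewed; the complete diff should be included.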
@@ -363,7 +364,7 @@

  # Add support for new DBus control interface
  # (fi.w1.wpa_supplicant1)

  # Add introspection support for new DBus control interface

Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
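The check behind the tcpdump request above, as an added example that is not part of this thread nor of Radiator or eapol_test: it parses a captured ClientHello record and reports whether the client actually offers TLS 1.3 (a TLS 1.3 value in supported_versions, a TLS 1.3 cipher suite and a key_share extension), since a fatal "protocol version" alert from a TLSv1.3-only server means at least one of those is absent. The build_client_hello helper only constructs sample hellos so the script runs offline; against a real capture, pass the raw TLS record bytes instead.

```python
import struct

TLS13_SUITES = {0x1301, 0x1302, 0x1303}   # TLS_AES_128_GCM_SHA256 and friends
SUPPORTED_VERSIONS, KEY_SHARE = 43, 51    # extension types a TLS 1.3 ClientHello must carry

def u16(b: bytes, i: int) -> int:
    return int.from_bytes(b[i:i + 2], "big")

def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello and check it really offers TLS 1.3."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 22 or body[:1] != b"\x01":
        raise ValueError(f"record type {ctype} is not a Handshake record carrying a ClientHello")
    hs_end = 4 + int.from_bytes(body[1:4], "big")
    p = 4 + 2 + 32                        # skip legacy_version and random
    p += 1 + body[p]                      # skip legacy_session_id
    cs_len, p = u16(body, p), p + 2
    suites = [u16(body, i) for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + body[p]                      # skip legacy_compression_methods
    exts = {}
    if p < hs_end:                        # the extensions block is optional on the wire
        end, p = p + 2 + u16(body, p), p + 2
        while p < end:
            etype, elen = u16(body, p), u16(body, p + 2)
            exts[etype] = body[p + 4:p + 4 + elen]
            p += 4 + elen
    sv = exts.get(SUPPORTED_VERSIONS, b"\x00")   # 1-byte length, then 2-byte versions
    versions = [u16(sv, i) for i in range(1, 1 + sv[0], 2)]
    checks = [(0x0304 in versions, "TLS 1.3 (0x0304) missing from supported_versions (ext 43)"),
              (bool(TLS13_SUITES & set(suites)), "no TLS 1.3 cipher suite (0x1301-0x1303) offered"),
              (KEY_SHARE in exts, "key_share extension (ext 51) missing")]
    problems = [msg for ok, msg in checks if not ok]
    return {"cipher_suites": suites, "supported_versions": versions,
            "problems": problems, "offers_tls13": not problems}

def build_client_hello(suites, versions, key_share=True) -> bytes:
    """Constructed sample ClientHello (not a capture); only the fields checked above are filled in."""
    exts = b""
    if versions:
        vs = b"".join(struct.pack("!H", v) for v in versions)
        exts += struct.pack("!HH", SUPPORTED_VERSIONS, 1 + len(vs)) + bytes([len(vs)]) + vs
    if key_share:
        exts += struct.pack("!HH", KEY_SHARE, 2) + b"\x00\x00"   # empty client_shares list
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs
             + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    msg = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, 0x0301, len(msg)) + msg   # record header: Handshake (22)
```

With a real capture, the record to pass in is the TLS data reassembled from the EAP-Message attributes of the Access-Request that carries the client's first EAP-TTLS fragment.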