Fwd: Question regarding the direction of eap_tls: <<< recv and eap_tls: >>> send


Fwd: Question regarding the direction of eap_tls: <<< recv and eap_tls: >>> send

Eric Nguyen
Hi,

I'd like to ask a question regarding the direction of the exchanges in the
RADIUS log (radiusd -X).

I used eapol_test as a client/authenticator against FreeRADIUS 3.0.21.

- If I set the following parameters in the FreeRADIUS eap file, eapol_test
will result in a failure.
In this case, "eap_tls: <<< recv TLS 1.3" looks like an exchange from
FreeRADIUS to eapol_test (SERVER -> CLIENT):

tls_min_version = "1.3"
tls_max_version = "1.3"

The FreeRADIUS log shows:

(2) eap_tls: <<< recv TLS 1.3  [length 00b9]
(2) eap_tls: >>> send TLS 1.2  [length 0002]
(2) eap_tls: ERROR: TLS Alert write:fatal:protocol version


- If I set the following parameters in the FreeRADIUS eap file, eapol_test
will result in a success.
In this case, "eap_tls: <<< recv TLS 1.2" looks like an exchange from
eapol_test to FreeRADIUS (CLIENT TO SERVER):

tls_min_version = "1.2"
tls_max_version = "1.3"

(6) eap_tls: <<< recv TLS 1.2  [length 08de]
(6) eap_tls: TLS - Creating attributes from certificate OIDs


Could you please clarify the meaning of these "eap_tls: <<< recv" log
messages?

Thanks,
Eric


-------------------------------------------------------------------------------------------------------------------------------------------
FULL LOG

tls_min_version = "1.3"
tls_max_version = "1.3"

(2) eap: Calling submodule eap_tls to process data
(2) eap_tls: Continuing EAP-TLS
(2) eap_tls: [eaptls verify] = ok
(2) eap_tls: Done initial handshake
(2) eap_tls: (other): before SSL initialization
(2) eap_tls: TLS_accept: before SSL initialization
(2) eap_tls: TLS_accept: before SSL initialization
(2) eap_tls: <<< recv TLS 1.3  [length 00b9]
(2) eap_tls: >>> send TLS 1.2  [length 0002]
(2) eap_tls: ERROR: TLS Alert write:fatal:protocol version
tls: TLS_accept: Error in error
(2) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14209102:SSL
routines:tls_early_post_process_client_hello:unsupported protocol
(2) eap_tls: ERROR: System call (I/O) error (-1)
(2) eap_tls: ERROR: TLS receive handshake failed during operation
(2) eap_tls: ERROR: [eaptls process] = fail
(2) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module
failed
(2) eap: Sending EAP Failure (code 4) ID 54 length 4
(2) eap: Failed in EAP select
(2)     [eap] = invalid
(2)   } # authenticate = invalid


-------------------------------------------------------------------------------------------------------------------------------------------
tls_min_version = "1.2"
tls_max_version = "1.3"

(6) eap: Calling submodule eap_tls to process data
(6) eap_tls: Continuing EAP-TLS
(6) eap_tls: Got final TLS record fragment (1272 bytes)
(6) eap_tls: [eaptls verify] = ok
(6) eap_tls: Done initial handshake
(6) eap_tls: TLS_accept: SSLv3/TLS write server done
(6) eap_tls: <<< recv TLS 1.2  [length 08de]
(6) eap_tls: TLS - Creating attributes from certificate OIDs
(6) eap_tls:   TLS-Cert-Serial :=
"315fa3c827cb5c44e13222c88ff80369d1a176f1"
(6) eap_tls:   TLS-Cert-Expiration := "210113170058Z"
(6) eap_tls:   TLS-Cert-Valid-Since := "201114170058Z"
(6) eap_tls:   TLS-Cert-Subject := "/C=FR/ST=Radius/L=Somewhere/O=Example
Inc./emailAddress=[hidden email]/CN=Example Certificate Authority"
(6) eap_tls:   TLS-Cert-Issuer := "/C=FR/ST=Radius/L=Somewhere/O=Example
Inc./emailAddress=[hidden email]/CN=Example Certificate Authority"
(6) eap_tls:   TLS-Cert-Common-Name := "Example Certificate Authority"
(6) eap_tls: TLS - Creating attributes from certificate OIDs
(6) eap_tls:   TLS-Client-Cert-Serial := "02"
(6) eap_tls:   TLS-Client-Cert-Expiration := "210113170058Z"
(6) eap_tls:   TLS-Client-Cert-Valid-Since := "201114170058Z"
(6) eap_tls:   TLS-Client-Cert-Subject := "/C=FR/ST=Radius/O=Example
Inc./CN=[hidden email]/emailAddress=[hidden email]"
(6) eap_tls:   TLS-Client-Cert-Issuer :=
"/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=
[hidden email]/CN=Example Certificate Authority"
(6) eap_tls:   TLS-Client-Cert-Common-Name := "[hidden email]"
(6) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client
Authentication"
(6) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID +=
"1.3.6.1.5.5.7.3.2"
(6) eap_tls: TLS_accept: SSLv3/TLS read client certificate
(6) eap_tls: <<< recv TLS 1.2  [length 0046]
(6) eap_tls: TLS_accept: SSLv3/TLS read client key exchange
(6) eap_tls: <<< recv TLS 1.2  [length 0108]
(6) eap_tls: TLS_accept: SSLv3/TLS read certificate verify
(6) eap_tls: TLS_accept: SSLv3/TLS read change cipher spec
(6) eap_tls: <<< recv TLS 1.2  [length 0010]
(6) eap_tls: TLS_accept: SSLv3/TLS read finished
(6) eap_tls: >>> send TLS 1.2  [length 0001]
(6) eap_tls: TLS_accept: SSLv3/TLS write change cipher spec
(6) eap_tls: >>> send TLS 1.2  [length 0010]
(6) eap_tls: TLS_accept: SSLv3/TLS write finished
(6) eap_tls: (other): SSL negotiation finished successfully
(6) eap_tls: TLS - Connection Established
(6) eap_tls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6) eap_tls: TLS-Session-Version = "TLS 1.2"
(6) eap_tls: TLS - got 51 bytes of data
(6) eap_tls: [eaptls process] = handled
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
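One way to make the direction of these lines mechanical rather than something to eyeball is a small parser over the `eap_tls` lines of `radiusd -X` output. This is an added example, not code from the original post or from FreeRADIUS. It assumes, following the FreeRADIUS TLS message callback, that the prefix is written from the server's side of the connection: `<<< recv` is a record radiusd read from the supplicant (eapol_test here) and `>>> send` is one it wrote. The sample lines are constructed from the two excerpts above; the `length` field is the hex record length as printed in the log.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: eap_tls lines lifted from the two radiusd -X
# excerpts in the post (TLS 1.3-only run that fails, then the 1.2/1.3 run).
FAILED_LOG = """\
(2) eap_tls: TLS_accept: before SSL initialization
(2) eap_tls: <<< recv TLS 1.3  [length 00b9]
(2) eap_tls: >>> send TLS 1.2  [length 0002]
(2) eap_tls: ERROR: TLS Alert write:fatal:protocol version
(2) eap_tls: ERROR: [eaptls process] = fail
"""

SUCCESS_LOG = """\
(6) eap_tls: <<< recv TLS 1.2  [length 08de]
(6) eap_tls: TLS_accept: SSLv3/TLS read client certificate
(6) eap_tls: <<< recv TLS 1.2  [length 0046]
(6) eap_tls: TLS_accept: SSLv3/TLS read client key exchange
(6) eap_tls: <<< recv TLS 1.2  [length 0108]
(6) eap_tls: TLS_accept: SSLv3/TLS read certificate verify
(6) eap_tls: <<< recv TLS 1.2  [length 0010]
(6) eap_tls: TLS_accept: SSLv3/TLS read finished
(6) eap_tls: >>> send TLS 1.2  [length 0001]
(6) eap_tls: >>> send TLS 1.2  [length 0010]
(6) eap_tls: TLS - Connection Established
(6) eap_tls: TLS-Session-Version = "TLS 1.2"
"""

# Assumption (from the FreeRADIUS message callback): the prefix is written from
# the server's side. "<<< recv" = bytes radiusd read from the supplicant,
# ">>> send" = bytes radiusd wrote to it.
DIRECTION = {"<<< recv": "client->server", ">>> send": "server->client"}

RECORD_RE = re.compile(
    r"^\((?P<req>\d+)\) eap_tls: (?P<dir><<< recv|>>> send) TLS (?P<ver>\d\.\d)\s+"
    r"\[length (?P<len>[0-9a-fA-F]+)\]\s*$"
)
ALERT_RE = re.compile(
    r"^\((?P<req>\d+)\) eap_tls: ERROR: TLS Alert "
    r"(?P<side>read|write):(?P<level>\w+):(?P<desc>.+?)\s*$"
)
SESSION_VERSION_RE = re.compile(
    r'^\((?P<req>\d+)\) eap_tls: TLS-Session-Version = "TLS (?P<ver>\d\.\d)"\s*$'
)


@dataclass
class TlsRecord:
    request: int      # the (N) request number radiusd prefixes each line with
    direction: str    # "client->server" or "server->client"
    version: str      # version string as printed in the log, e.g. "1.3"
    length: int       # record length, decoded from the hex [length xxxx] field


@dataclass
class TlsAlert:
    request: int
    side: str         # "write": the server sent the alert; "read": it received one
    level: str        # "fatal" or "warning"
    description: str  # e.g. "protocol version"


@dataclass
class HandshakeSummary:
    records: List[TlsRecord] = field(default_factory=list)
    alerts: List[TlsAlert] = field(default_factory=list)
    negotiated_version: Optional[str] = None  # from TLS-Session-Version, if reached

    @property
    def failed(self) -> bool:
        """A fatal alert in either direction means the handshake did not complete."""
        return any(a.level == "fatal" for a in self.alerts)

    def bytes_by_direction(self) -> Dict[str, int]:
        totals = {"client->server": 0, "server->client": 0}
        for r in self.records:
            totals[r.direction] += r.length
        return totals


def parse_eap_tls_log(text: str) -> HandshakeSummary:
    """Extract TLS records, alerts and the negotiated version from radiusd -X output."""
    summary = HandshakeSummary()
    for line in text.splitlines():
        if m := RECORD_RE.match(line):
            summary.records.append(
                TlsRecord(int(m["req"]), DIRECTION[m["dir"]], m["ver"], int(m["len"], 16))
            )
        elif m := ALERT_RE.match(line):
            summary.alerts.append(TlsAlert(int(m["req"]), m["side"], m["level"], m["desc"]))
        elif m := SESSION_VERSION_RE.match(line):
            summary.negotiated_version = m["ver"]
    return summary


def describe(summary: HandshakeSummary) -> List[str]:
    """Human-readable one-liners, one per record/alert, for a quick read of a handshake."""
    out = [f"({r.request}) {r.direction:<14} TLS {r.version} {r.length} bytes" for r in summary.records]
    out += [f"({a.request}) server {a.side} {a.level} alert: {a.description}" for a in summary.alerts]
    if summary.negotiated_version:
        out.append(f"negotiated TLS {summary.negotiated_version}")
    out.append("handshake FAILED" if summary.failed else "handshake completed")
    return out


if __name__ == "__main__":
    for name, log in (("TLS 1.3 only", FAILED_LOG), ("TLS 1.2-1.3", SUCCESS_LOG)):
        print(f"== {name} ==")
        print("\n".join(describe(parse_eap_tls_log(log))))
```

Run on the first excerpt it reports one client->server record at TLS 1.3, a 2-byte server->client record, and a fatal alert the server wrote (`write:fatal:protocol version`), i.e. radiusd rejected what the supplicant offered; on the second it reports four records in and two out, a negotiated version of TLS 1.2 and no alert.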

Re: Question regarding the direction of eap_tls: <<< recv and eap_tls: >>> send

Alan DeKok-2

On Nov 14, 2020, at 4:37 PM, Eric Nguyen <[hidden email]> wrote:
> I used eapol_test as a client/authenticator against FreeRADIUS 3.0.21.
>
> - If I set the following parameters in the FreeRADIUS eap file, eapol_test
> will result in a failure.
> In this case, "eap_tls: <<< recv TLS 1.3" looks like an exchange from
> FreeRADIUS to eapol_test (SERVER -> CLIENT):
>
> tls_min_version = "1.3"
> tls_max_version = "1.3"

  TLS 1.3 is not supported for any EAP method.  There is no standard defined for using TLS 1.3.  Don't use TLS 1.3.

  Alan DeKok.

