Hi,
I'd like to ask a question regarding the direction of the exchanges in the radius log (radiusd -X). I used eapol_test as a client/authenticator against FreeRADIUS 3.0.21.

- If I set the following parameters in the FreeRADIUS eap file, eapol_test will result in a failure. In this case, "eap_tls: <<< recv TLS 1.3" looks like an exchange from FreeRADIUS to eapol_test (SERVER -> CLIENT):

tls_min_version = "1.3"
tls_max_version = "1.3"

The FreeRADIUS log shows:

(2) eap_tls: <<< recv TLS 1.3 [length 00b9]
(2) eap_tls: >>> send TLS 1.2 [length 0002]
(2) eap_tls: ERROR: TLS Alert write:fatal:protocol version

- If I set the following parameters in the FreeRADIUS eap file, eapol_test will result in a success. In this case, "eap_tls: <<< recv TLS 1.2" looks like an exchange from eapol_test to FreeRADIUS (CLIENT -> SERVER):

tls_min_version = "1.2"
tls_max_version = "1.3"

(6) eap_tls: <<< recv TLS 1.2 [length 08de]
(6) eap_tls: TLS - Creating attributes from certificate OIDs

Could you please clarify the meaning of these "eap_tls: <<< recv" log messages?
Thanks,
Eric

-------------------------------------------------------------------------------------------------------------------------------------------
FULL LOG

tls_min_version = "1.3"
tls_max_version = "1.3"

(2) eap: Calling submodule eap_tls to process data
(2) eap_tls: Continuing EAP-TLS
(2) eap_tls: [eaptls verify] = ok
(2) eap_tls: Done initial handshake
(2) eap_tls: (other): before SSL initialization
(2) eap_tls: TLS_accept: before SSL initialization
(2) eap_tls: TLS_accept: before SSL initialization
(2) eap_tls: <<< recv TLS 1.3 [length 00b9]
(2) eap_tls: >>> send TLS 1.2 [length 0002]
(2) eap_tls: ERROR: TLS Alert write:fatal:protocol version
tls: TLS_accept: Error in error
(2) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
(2) eap_tls: ERROR: System call (I/O) error (-1)
(2) eap_tls: ERROR: TLS receive handshake failed during operation
(2) eap_tls: ERROR: [eaptls process] = fail
(2) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module failed
(2) eap: Sending EAP Failure (code 4) ID 54 length 4
(2) eap: Failed in EAP select
(2) [eap] = invalid
(2) } # authenticate = invalid

-------------------------------------------------------------------------------------------------------------------------------------------
tls_min_version = "1.2"
tls_max_version = "1.3"

(6) eap: Calling submodule eap_tls to process data
(6) eap_tls: Continuing EAP-TLS
(6) eap_tls: Got final TLS record fragment (1272 bytes)
(6) eap_tls: [eaptls verify] = ok
(6) eap_tls: Done initial handshake
(6) eap_tls: TLS_accept: SSLv3/TLS write server done
(6) eap_tls: <<< recv TLS 1.2 [length 08de]
(6) eap_tls: TLS - Creating attributes from certificate OIDs
(6) eap_tls: TLS-Cert-Serial := "315fa3c827cb5c44e13222c88ff80369d1a176f1"
(6) eap_tls: TLS-Cert-Expiration := "210113170058Z"
(6) eap_tls: TLS-Cert-Valid-Since := "201114170058Z"
(6) eap_tls: TLS-Cert-Subject := "/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=[hidden email]/CN=Example Certificate Authority"
(6) eap_tls: TLS-Cert-Issuer := "/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=[hidden email]/CN=Example Certificate Authority"
(6) eap_tls: TLS-Cert-Common-Name := "Example Certificate Authority"
(6) eap_tls: TLS - Creating attributes from certificate OIDs
(6) eap_tls: TLS-Client-Cert-Serial := "02"
(6) eap_tls: TLS-Client-Cert-Expiration := "210113170058Z"
(6) eap_tls: TLS-Client-Cert-Valid-Since := "201114170058Z"
(6) eap_tls: TLS-Client-Cert-Subject := "/C=FR/ST=Radius/O=Example Inc./CN=[hidden email]/emailAddress=[hidden email]"
(6) eap_tls: TLS-Client-Cert-Issuer := "/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress= [hidden email]/CN=Example Certificate Authority"
(6) eap_tls: TLS-Client-Cert-Common-Name := "[hidden email]"
(6) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication"
(6) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
(6) eap_tls: TLS_accept: SSLv3/TLS read client certificate
(6) eap_tls: <<< recv TLS 1.2 [length 0046]
(6) eap_tls: TLS_accept: SSLv3/TLS read client key exchange
(6) eap_tls: <<< recv TLS 1.2 [length 0108]
(6) eap_tls: TLS_accept: SSLv3/TLS read certificate verify
(6) eap_tls: TLS_accept: SSLv3/TLS read change cipher spec
(6) eap_tls: <<< recv TLS 1.2 [length 0010]
(6) eap_tls: TLS_accept: SSLv3/TLS read finished
(6) eap_tls: >>> send TLS 1.2 [length 0001]
(6) eap_tls: TLS_accept: SSLv3/TLS write change cipher spec
(6) eap_tls: >>> send TLS 1.2 [length 0010]
(6) eap_tls: TLS_accept: SSLv3/TLS write finished
(6) eap_tls: (other): SSL negotiation finished successfully
(6) eap_tls: TLS - Connection Established
(6) eap_tls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6) eap_tls: TLS-Session-Version = "TLS 1.2"
(6) eap_tls: TLS - got 51 bytes of data
(6) eap_tls: [eaptls process] = handled
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Nov 14, 2020, at 4:37 PM, Eric Nguyen <[hidden email]> wrote:

> I used eapol_test as a client/authenticator against FreeRADIUS 3.0.21.
>
> - If I set the following parameters in the FreeRADIUS eap file, eapol_test will result in a failure.
> In this case, "eap_tls: <<< recv TLS 1.3" looks like an exchange from FreeRADIUS to eapol_test (SERVER -> CLIENT):
>
> tls_min_version = "1.3"
> tls_max_version = "1.3"

TLS 1.3 is not supported for any EAP method. There is no standard defined for using TLS 1.3.

Don't use TLS 1.3.

Alan DeKok.
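Reading the posted log as an added example (this is the editor's script, not part of the thread and not FreeRADIUS code): radiusd prints its TLS record trace from its own side, so "<<< recv" marks a record it read from the supplicant (eapol_test here) and ">>> send" marks one it wrote back. The successful exchange in the full log shows this pairing directly: every "<<< recv" is followed by a "TLS_accept: ... read ..." state and every ">>> send" by a "... write ..." state, and in the failing case the two-byte record the server sends right after the TLS 1.3 ClientHello is the fatal "protocol version" alert. The script below parses the eap_tls record lines from an excerpt of that log, makes the direction explicit, attaches the following state or alert line as context, and flags the version-rejection pattern. The regexes, the TlsRecord type and the helper names are the editor's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Excerpt of the radiusd -X output posted in the thread: request (2) is the
# tls_min_version = "1.3" failure, request (6) the tls_min_version = "1.2" success.
SAMPLE_LOG = """\
(2) eap_tls: TLS_accept: before SSL initialization
(2) eap_tls: <<< recv TLS 1.3 [length 00b9]
(2) eap_tls: >>> send TLS 1.2 [length 0002]
(2) eap_tls: ERROR: TLS Alert write:fatal:protocol version
(6) eap_tls: TLS_accept: SSLv3/TLS write server done
(6) eap_tls: <<< recv TLS 1.2 [length 08de]
(6) eap_tls: TLS_accept: SSLv3/TLS read client certificate
(6) eap_tls: <<< recv TLS 1.2 [length 0046]
(6) eap_tls: TLS_accept: SSLv3/TLS read client key exchange
(6) eap_tls: >>> send TLS 1.2 [length 0001]
(6) eap_tls: TLS_accept: SSLv3/TLS write change cipher spec
(6) eap_tls: TLS-Session-Version = "TLS 1.2"
"""

# Editor's regexes for the three line shapes used here (record trace,
# OpenSSL handshake state, alert error).
RECORD_RE = re.compile(
    r'^\((?P<req>\d+)\) eap_tls: (?P<arrow><<< recv|>>> send) '
    r'(?P<version>.+?) \[length (?P<length>[0-9a-fA-F]+)\]$'
)
STATE_RE = re.compile(r'^\((?P<req>\d+)\) eap_tls: TLS_accept: (?P<state>.+)$')
ALERT_RE = re.compile(
    r'^\((?P<req>\d+)\) eap_tls: ERROR: TLS Alert write:(?P<level>\w+):(?P<desc>.+)$'
)


@dataclass
class TlsRecord:
    request: int
    direction: str                # "client->server" for "<<< recv", "server->client" for ">>> send"
    version: str                  # version string exactly as logged, e.g. "TLS 1.3"
    length: int                   # record length in bytes (the hex field, decoded)
    detail: Optional[str] = None  # next TLS_accept state or alert of the same request


def direction_of(arrow: str) -> str:
    # radiusd logs from its own side: "<<< recv" is data it read from the
    # supplicant, ">>> send" is data it wrote back to the supplicant.
    return "client->server" if arrow == "<<< recv" else "server->client"


def parse_eap_tls(log: str) -> List[TlsRecord]:
    """Turn eap_tls record lines into TlsRecord objects, attaching the next
    TLS_accept state or alert line of the same request as context."""
    records: List[TlsRecord] = []
    for line in log.splitlines():
        m = RECORD_RE.match(line)
        if m:
            records.append(TlsRecord(int(m["req"]), direction_of(m["arrow"]),
                                     m["version"], int(m["length"], 16)))
            continue
        if not records or records[-1].detail is not None:
            continue
        last = records[-1]
        s = STATE_RE.match(line)
        a = ALERT_RE.match(line)
        if s and int(s["req"]) == last.request:
            last.detail = s["state"]
        elif a and int(a["req"]) == last.request:
            last.detail = f"alert {a['level']}: {a['desc']}"
    return records


def find_version_rejection(records: List[TlsRecord]) -> Optional[Dict[str, object]]:
    """Detect the failure pattern from the thread: a ClientHello the server
    read, answered by a 2-byte alert record the server wrote."""
    for prev, cur in zip(records, records[1:]):
        if (prev.direction == "client->server"
                and cur.direction == "server->client"
                and cur.request == prev.request
                and cur.length == 2
                and cur.detail is not None and cur.detail.startswith("alert fatal")):
            return {"request": cur.request,
                    "client_offered": prev.version,
                    "reason": cur.detail.split(": ", 1)[1]}
    return None


def summarize(log: str) -> List[str]:
    """One human-readable line per TLS record, with the direction spelled out."""
    out = []
    for r in parse_eap_tls(log):
        out.append(f"({r.request}) {r.direction:>14} {r.version} {r.length:5d} bytes"
                   + (f"  [{r.detail}]" if r.detail else ""))
    return out


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
    print(find_version_rejection(parse_eap_tls(SAMPLE_LOG)))
```

Run as-is it prints five records from the excerpt and reports that request (2) rejected a "TLS 1.3" ClientHello with reason "protocol version"; feed it a full `radiusd -X` capture (only the eap_tls lines matter) to get the same direction-annotated view of a real handshake.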
In reply to this post by Eric Nguyen

a

Regards
Prayank Chandorkar
M : +91 90829 61372
Teams : [hidden email]
JioMeet : [hidden email]

-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+prayank.chandorkar=[hidden email]> On Behalf Of Eric Nguyen
Sent: 15 November 2020 03:07
To: [hidden email]
Subject: [External]Fwd: Question regarding the direction of eap_tls: <<< recv and eap_tls: >>> send
Don't use TLS 1.3. It isn't standardized, and it doesn't work.
> On Mar 17, 2021, at 4:40 AM, Prayank Chandorkar via Freeradius-Users <[hidden email]> wrote:
>
> a
>
> Regards
>
> Prayank Chandorkar
> M : +91 90829 61372
> Teams : [hidden email]
> JioMeet : [hidden email]
>
> -----Original Message-----
> From: Freeradius-Users <freeradius-users-bounces+prayank.chandorkar=[hidden email]> On Behalf Of Eric Nguyen
> Sent: 15 November 2020 03:07
> To: [hidden email]
> Subject: [External]Fwd: Question regarding the direction of eap_tls: <<< recv and eap_tls: >>> send