Fwd: Question regarding the direction of eap_tls: <<< recv and eap_tls: >>> send

Fwd: Question regarding the direction of eap_tls: <<< recv and eap_tls: >>> send

Eric Nguyen
Hi,

I'd like to ask a question regarding the direction of the exchanges in the
RADIUS log (radiusd -X).

I used eapol_test as a client/authenticator against FreeRADIUS 3.0.21.

- If I set the following parameters in the FreeRADIUS eap file, eapol_test
will result in a failure.
In this case, "eap_tls: <<< recv TLS 1.3" looks like an exchange from
FreeRADIUS to eapol_test (SERVER -> CLIENT):

tls_min_version = "1.3"
tls_max_version = "1.3"

The FreeRADIUS log shows:

(2) eap_tls: <<< recv TLS 1.3  [length 00b9]
(2) eap_tls: >>> send TLS 1.2  [length 0002]
(2) eap_tls: ERROR: TLS Alert write:fatal:protocol version


- If I set the following parameters in the FreeRADIUS eap file, eapol_test
will result in a success.
In this case, "eap_tls: <<< recv TLS 1.2" looks like an exchange from
eapol_test to FreeRADIUS (CLIENT TO SERVER):

tls_min_version = "1.2"
tls_max_version = "1.3"

(6) eap_tls: <<< recv TLS 1.2  [length 08de]
(6) eap_tls: TLS - Creating attributes from certificate OIDs


Could you please clarify the meaning of these "eap_tls: <<< recv" log
messages?

Thanks,
Eric


-------------------------------------------------------------------------------------------------------------------------------------------
FULL LOG

tls_min_version = "1.3"
tls_max_version = "1.3"

(2) eap: Calling submodule eap_tls to process data
(2) eap_tls: Continuing EAP-TLS
(2) eap_tls: [eaptls verify] = ok
(2) eap_tls: Done initial handshake
(2) eap_tls: (other): before SSL initialization
(2) eap_tls: TLS_accept: before SSL initialization
(2) eap_tls: TLS_accept: before SSL initialization
(2) eap_tls: <<< recv TLS 1.3  [length 00b9]
(2) eap_tls: >>> send TLS 1.2  [length 0002]
(2) eap_tls: ERROR: TLS Alert write:fatal:protocol version
tls: TLS_accept: Error in error
(2) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
(2) eap_tls: ERROR: System call (I/O) error (-1)
(2) eap_tls: ERROR: TLS receive handshake failed during operation
(2) eap_tls: ERROR: [eaptls process] = fail
(2) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module failed
(2) eap: Sending EAP Failure (code 4) ID 54 length 4
(2) eap: Failed in EAP select
(2)     [eap] = invalid
(2)   } # authenticate = invalid


-------------------------------------------------------------------------------------------------------------------------------------------
tls_min_version = "1.2"
tls_max_version = "1.3"

(6) eap: Calling submodule eap_tls to process data
(6) eap_tls: Continuing EAP-TLS
(6) eap_tls: Got final TLS record fragment (1272 bytes)
(6) eap_tls: [eaptls verify] = ok
(6) eap_tls: Done initial handshake
(6) eap_tls: TLS_accept: SSLv3/TLS write server done
(6) eap_tls: <<< recv TLS 1.2  [length 08de]
(6) eap_tls: TLS - Creating attributes from certificate OIDs
(6) eap_tls:   TLS-Cert-Serial := "315fa3c827cb5c44e13222c88ff80369d1a176f1"
(6) eap_tls:   TLS-Cert-Expiration := "210113170058Z"
(6) eap_tls:   TLS-Cert-Valid-Since := "201114170058Z"
(6) eap_tls:   TLS-Cert-Subject := "/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=[hidden email]/CN=Example Certificate Authority"
(6) eap_tls:   TLS-Cert-Issuer := "/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=[hidden email]/CN=Example Certificate Authority"
(6) eap_tls:   TLS-Cert-Common-Name := "Example Certificate Authority"
(6) eap_tls: TLS - Creating attributes from certificate OIDs
(6) eap_tls:   TLS-Client-Cert-Serial := "02"
(6) eap_tls:   TLS-Client-Cert-Expiration := "210113170058Z"
(6) eap_tls:   TLS-Client-Cert-Valid-Since := "201114170058Z"
(6) eap_tls:   TLS-Client-Cert-Subject := "/C=FR/ST=Radius/O=Example Inc./CN=[hidden email]/emailAddress=[hidden email]"
(6) eap_tls:   TLS-Client-Cert-Issuer := "/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=[hidden email]/CN=Example Certificate Authority"
(6) eap_tls:   TLS-Client-Cert-Common-Name := "[hidden email]"
(6) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication"
(6) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
(6) eap_tls: TLS_accept: SSLv3/TLS read client certificate
(6) eap_tls: <<< recv TLS 1.2  [length 0046]
(6) eap_tls: TLS_accept: SSLv3/TLS read client key exchange
(6) eap_tls: <<< recv TLS 1.2  [length 0108]
(6) eap_tls: TLS_accept: SSLv3/TLS read certificate verify
(6) eap_tls: TLS_accept: SSLv3/TLS read change cipher spec
(6) eap_tls: <<< recv TLS 1.2  [length 0010]
(6) eap_tls: TLS_accept: SSLv3/TLS read finished
(6) eap_tls: >>> send TLS 1.2  [length 0001]
(6) eap_tls: TLS_accept: SSLv3/TLS write change cipher spec
(6) eap_tls: >>> send TLS 1.2  [length 0010]
(6) eap_tls: TLS_accept: SSLv3/TLS write finished
(6) eap_tls: (other): SSL negotiation finished successfully
(6) eap_tls: TLS - Connection Established
(6) eap_tls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6) eap_tls: TLS-Session-Version = "TLS 1.2"
(6) eap_tls: TLS - got 51 bytes of data
(6) eap_tls: [eaptls process] = handled
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
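Reading the arrows in the log above, as an added example that is not part of the thread or of FreeRADIUS itself: the eap_tls recv/send lines are printed from OpenSSL's message callback, so `<<< recv` is a record radiusd read from the supplicant and `>>> send` is one radiusd wrote back. The Python below (written for this page) parses those lines, decodes the hex lengths, and flags the failing case, where the server's only reply to the supplicant's 185-byte ClientHello is a 2-byte record followed by a fatal `protocol version` alert write; the sample log is constructed from the lines quoted in the post.

```python
import re
from collections import defaultdict
# Constructed sample: the recv/send lines quoted in the post above for request
# ids 2 (TLS 1.3 only) and 6 (TLS 1.2 to 1.3), with the other lines omitted.
SAMPLE_LOG = """\
(2) eap_tls: <<< recv TLS 1.3  [length 00b9]
(2) eap_tls: >>> send TLS 1.2  [length 0002]
(2) eap_tls: ERROR: TLS Alert write:fatal:protocol version
(6) eap_tls: <<< recv TLS 1.2  [length 08de]
(6) eap_tls: <<< recv TLS 1.2  [length 0046]
(6) eap_tls: >>> send TLS 1.2  [length 0001]
(6) eap_tls: >>> send TLS 1.2  [length 0010]
(6) eap_tls: TLS - Connection Established
"""
# The arrows are OpenSSL message-callback directions as seen from radiusd:
# "<<< recv" is a record read from the supplicant, ">>> send" one radiusd wrote.
DIRECTION_RE = re.compile(
    r"^\((?P<req>\d+)\) eap_tls: (?P<arrow><<< recv|>>> send) "
    r"(?P<version>.+?)\s+\[length (?P<length>[0-9a-f]{4})\]$")
ALERT_RE = re.compile(
    r"^\((?P<req>\d+)\) eap_tls: ERROR: TLS Alert write:(?P<level>\w+):(?P<desc>.+)$")
TLS_ALERT_LEN = 2  # an alert body is always level (1 byte) + description (1 byte)


def parse_events(log):
    """Group recv/send/alert lines by request id, preserving log order."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = DIRECTION_RE.match(line)
        if m:
            events[int(m["req"])].append({
                "from": "supplicant" if m["arrow"] == "<<< recv" else "server",
                "version": m["version"], "length": int(m["length"], 16)})
        elif (m := ALERT_RE.match(line)):
            events[int(m["req"])].append({"alert": m["desc"], "level": m["level"]})
    return dict(events)


def diagnose(events):
    """'fatal alert: <desc>' when radiusd's first reply is a 2-byte record followed
    by a fatal alert write (the version-mismatch signature above), else 'ok'."""
    verdicts = {}
    for req, evs in events.items():
        verdicts[req] = "ok"
        for i, ev in enumerate(evs):
            if ev.get("from") != "server":
                continue
            nxt = evs[i + 1] if i + 1 < len(evs) else {}
            if ev["length"] == TLS_ALERT_LEN and nxt.get("level") == "fatal":
                verdicts[req] = "fatal alert: " + nxt["alert"]
            break  # only the server's first record decides
    return verdicts


def bytes_by_sender(events, req):
    """Bytes radiusd read from the supplicant vs. wrote back, for one request id."""
    totals = {"supplicant": 0, "server": 0}
    for ev in events.get(req, []):
        if "from" in ev:
            totals[ev["from"]] += ev["length"]
    return totals
```

Run against a full `radiusd -X` capture, request 6 shows a few kilobytes read from the supplicant (the client certificate chain) against a handful of bytes written, while request 2 stops after a single 2-byte server record.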

Re: Question regarding the direction of eap_tls: <<< recv and eap_tls: >>> send

Alan DeKok-2

On Nov 14, 2020, at 4:37 PM, Eric Nguyen <[hidden email]> wrote:
> I used eapol_test as a client/authenticator against FreeRADIUS 3.0.21.
>
> - If I set the following parameters in the FreeRADIUS eap file, eapol_test
> will result in a failure.
> In this case, "eap_tls: <<< recv TLS 1.3" looks like an exchange from
> FreeRADIUS to eapol_test (SERVER -> CLIENT):
>
> tls_min_version = "1.3"
> tls_max_version = "1.3"

  TLS 1.3 is not supported for any EAP method.  There is no standard defined for using TLS 1.3.  Don't use TLS 1.3.

  Alan DeKok.



RE: [External]Fwd: Question regarding the direction of eap_tls: <<< recv and eap_tls: >>> send

a


Regards

Prayank Chandorkar
M : +91 90829 61372
Teams : [hidden email]
JioMeet : [hidden email]


Re: [External]Fwd: Question regarding the direction of eap_tls: <<< recv and eap_tls: >>> send

Alan DeKok-2
  Don't use TLS 1.3.  It isn't standardized, and it doesn't work.


> On Mar 17, 2021, at 4:40 AM, Prayank Chandorkar via Freeradius-Users <[hidden email]> wrote:
>
> a