OpenSSL reports wrong TLS version to FreeRADIUS
iilinasi
Irina.Ilina-Sidorova at ulb.ac.be
Tue Mar 3 11:25:08 UTC 2020
Thank you Alfred!
Yup, I used old ciphers indeed. I suspect it stops even before checking
them, but I'll add newer ones and let you know.
This is the relevant part of freeradius log, just in case:
--
(1) eap_tls: TLS_accept: before SSL initialization
(1) eap_tls: TLS_accept: before SSL initialization
(1) eap_tls: <<< recv TLS 1.3 [length 0048]
(1) eap_tls: >>> send TLS 1.0 Alert [length 0002], fatal
protocol_version
(1) eap_tls: ERROR: TLS Alert write:fatal:protocol version
tls: TLS_accept: Error in error
(1) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read):
error:14209102:SSL
routines:tls_early_post_process_client_hello:unsupported protocol
(1) eap_tls: ERROR: System call (I/O) error (-1)
(1) eap_tls: ERROR: TLS receive handshake failed during operation
(1) eap_tls: ERROR: [eaptls process] = fail
--
On 02.03.2020 14:15, Alfred Arnold wrote:
> Hi,
>
>> I'd like to understand, how does OpenSSL get to the idea of "0304"
>> version, if there is no such a
>> byte sequence in the packet...
>> My question is: how OpenSSL determines the TLS version? How to debug
>> it?
>
> I don't see any TLS 1.3 in the capture as well, but I see that your
> client is using only outdated (if not to say: historic) cryptographic
> algorithms: RC4, RC2 (never seen that in practice!), 3DES and DES.
> And those even combined with export options to weaken key strength.
> Many modern servers are configured to disallow such outdated crypto:
> make your client use at least
>
> - AES128/256 (either in CBC or GCM mode)
> - TLS 1.2
> - no export cipher suites
>
> Then you might get a more positive reply from the server...
>
> Best regards
>
> Alfred Arnold
--
Thanks and regards,
Irina Ilina-Sidorova
More information about the openssl-users
mailing list