OpenSSL reports wrong TLS version to FreeRADIUS
iilinasi
Irina.Ilina-Sidorova at ulb.ac.be
Tue Mar 3 12:51:09 UTC 2020
Alfred, I'd like to say "thanks" once more.
I tried with newer ciphers and version 1.2 - and now freeradius (3.0.16)
indeed sends me the second "challenge". So, it's a huge progress.
However it still complains on the unknown TLS version. I attach the
server log and the packet capture, just in case.
Have a lovely day!
--
Thanks and regards,
Irina Ilina-Sidorova
On 03.03.2020 12:25, iilinasi wrote:
> Thank you Alfred!
>
> Yup, I used old ciphers indeed. I suspect it stops even before
> checking them, but I'll add newer ones and let you know.
>
>
> This is the relevant part of freeradius log, just in case:
> --
> (1) eap_tls: TLS_accept: before SSL initialization
> (1) eap_tls: TLS_accept: before SSL initialization
> (1) eap_tls: <<< recv TLS 1.3 [length 0048]
> (1) eap_tls: >>> send TLS 1.0 Alert [length 0002], fatal
> protocol_version
> (1) eap_tls: ERROR: TLS Alert write:fatal:protocol version
> tls: TLS_accept: Error in error
> (1) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read):
> error:14209102:SSL
> routines:tls_early_post_process_client_hello:unsupported protocol
> (1) eap_tls: ERROR: System call (I/O) error (-1)
> (1) eap_tls: ERROR: TLS receive handshake failed during operation
> (1) eap_tls: ERROR: [eaptls process] = fail
> --
>
>
> On 02.03.2020 14:15, Alfred Arnold wrote:
>> Hi,
>>
>>> I'd like to understand, how does OpenSSL get to the idea of "0304"
>>> version, if there is no such a
>>> byte sequence in the packet...
>>> My question is: how OpenSSL determines the TLS version? How to debug
>>> it?
>>
>> I don't see any TLS 1.3 in the capture as well, but I see that your
>> client is using only outdated (if not to say: historic) cryptographic
>> algorithms: RC4, RC2 (never seen that in practice!), 3DES and DES.
>> And those even combined with export options to weaken key strength.
>> Many modern servers are configured to disallow such outdated crypto:
>> make your client use at least
>>
>> - AES128/256 (either in CBC or GCM mode)
>> - TLS 1.2
>> - no export cipher suites
>>
>> Then you might get a more positive reply from the server...
>>
>> Best regards
>>
>> Alfred Arnold
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: test_with_1_2.txt
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20200303/452c4b47/attachment-0001.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test_with_1_2.pcapng
Type: application/octet-stream
Size: 2020 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20200303/452c4b47/attachment-0001.obj>
More information about the openssl-users
mailing list