OpenSSL reports wrong TLS version to FreeRADIUS

iilinasi Irina.Ilina-Sidorova at ulb.ac.be
Thu Mar 5 09:53:10 UTC 2020


On 03.03.2020 16:03, Alfred Arnold wrote:
> Hi,
> 
>> Alfred, I'd like to say "thanks" once more.
>> 
>> I tried with newer ciphers and version 1.2 - and now freeradius 
>> (3.0.16) indeed sends me the second
>> "challenge". So, it's a huge progress.
> 
> Indeed, the capture now looks like an EAP-TLS negotiation should go
> on. The server accepted the client hello, and prepared its flight of
> messages.  Among them is the server's Certificate message, which is
> quite huge, and so they cannot be sent in one packet.  Your client
> would next send an empty EAP-TLS message, thereby acknowledging
> reception of this message fragment.  The server would then send the
> next fragment of these messages.  Since the overall length of the
> message flight is 3137, and FreeRADIUS decided to send ~1000 bytes per
> fragment, expect another two of those 'ping-pongs' to happen until
> your client is able to reassemble and process the server's messages.
> 
Yes, this is what I'm adding to my script now.

>> However it still complains on the unknown TLS version. I attach the 
>> server log and the packet capture, just in case.
> 
> Well, no idea where the version 0x0304 is coming from.  One would
> probably have to look into the FreeRADIUS sources, or ask on the
> proper FreeRADIUS mailing lists for assistance.  My personal "wild
> guess" is that this is some sort of 'internal default' as long as the
> EAP-TLS module hasn't yet decided about the used protocol version.
> I wouldn't bother about this too much if you're interested in other
> things.
> 
> There's however one other thing I wanted to mention: The Random value
> your client sends in the Client Hello is not that random... there is
> the time stamp in the first four bytes, but the remaining 28 bytes are
> all-zero - they should contain data from a cryptographically safe
> random number generator.
> 
Thank you :-) Yes, I set it to zeroes as it was easier to read the 
packet with this big zeroed part (and also I wanted to be sure of the 
absence of "0304"). Thanks for the reminder - I'll put some output 
from /dev/urandom there.


> Best regards
> 
> Alfred Arnold

Have a lovely day!
-- 
Thanks and regards,
Irina Ilina-Sidorova
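
The fragment-and-acknowledge exchange Alfred describes above, written out as an added Python example (not code from this thread, from FreeRADIUS or from Irina's script): the server side splits a TLS message flight into EAP-TLS Requests using the packet layout of RFC 3748 (EAP header: Code, Identifier, Length) and RFC 5216 (Type 13, Flags with the L/M/S bits, a 4-byte TLS Message Length on the first fragment); the client side acknowledges each partial fragment with an empty EAP-TLS Response that echoes the Identifier, and reassembles the whole flight. It also builds a 32-byte ClientHello random as a 4-byte Unix time followed by 28 bytes from the OS CSPRNG, which is what the urandom fix amounts to. The 3137-byte flight is a constructed placeholder (not a real Certificate message), and the MAX_FLIGHT cap on the peer's declared length is an assumption of this example.

```python
import os
import struct
import time

# EAP (RFC 3748) codes and the EAP-TLS (RFC 5216) type and flag bits.
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_TLS = 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # Length included, More fragments, Start
MAX_FLIGHT = 64 * 1024   # assumed sanity cap on the declared TLS Message Length


def eap_tls_packet(code, identifier, flags, tls_data=b"", total_len=0):
    """Encode one EAP-TLS packet: EAP header, Type=13, Flags, optional 4-byte length, data."""
    body = bytes([EAP_TYPE_TLS, flags])
    if flags & FLAG_L:
        body += struct.pack("!I", total_len)
    body += tls_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap_tls(packet):
    """Decode an EAP-TLS packet into (code, identifier, flags, total_len, tls_data)."""
    if len(packet) < 6:
        raise ValueError("packet too short for an EAP-TLS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or packet[4] != EAP_TYPE_TLS:
        raise ValueError("not a well-formed EAP-TLS packet")
    flags, pos, total_len = packet[5], 6, None
    if flags & FLAG_L:
        if length < 10:
            raise ValueError("L flag set but no TLS Message Length field")
        total_len = struct.unpack("!I", packet[6:10])[0]
        pos = 10
    return code, identifier, flags, total_len, packet[pos:]


def fragment_flight(flight, identifier, max_fragment):
    """Server side: split a TLS message flight into EAP-TLS Requests.
    The first fragment carries the L flag and the total length; every
    fragment but the last carries the M flag."""
    packets, offset = [], 0
    while offset < len(flight) or not packets:
        chunk = flight[offset:offset + max_fragment]
        offset += len(chunk)
        flags = (FLAG_L if not packets else 0) | (FLAG_M if offset < len(flight) else 0)
        packets.append(eap_tls_packet(EAP_REQUEST, identifier, flags, chunk, len(flight)))
        identifier = (identifier + 1) & 0xFF   # each new Request gets a fresh Identifier
    return packets


class Reassembler:
    """Client side: collect fragments, acknowledging each partial one with an
    empty EAP-TLS Response (Type=13, Flags=0, no data) that echoes the Identifier."""

    def __init__(self):
        self.buf, self.expected = bytearray(), None

    def feed(self, packet):
        """Return (ack_to_send, completed_flight); exactly one of them is not None."""
        code, identifier, flags, total_len, data = parse_eap_tls(packet)
        if code != EAP_REQUEST:
            raise ValueError("expected an EAP Request")
        if flags & FLAG_L:                       # first fragment: (re)start the buffer
            if total_len > MAX_FLIGHT:
                raise ValueError("declared TLS Message Length %d exceeds cap" % total_len)
            self.buf, self.expected = bytearray(), total_len
        self.buf += data
        if self.expected is not None and len(self.buf) > self.expected:
            raise ValueError("fragments overrun the declared TLS Message Length")
        if flags & FLAG_M:                       # more to come: send the empty ACK
            return eap_tls_packet(EAP_RESPONSE, identifier, 0), None
        if self.expected is not None and len(self.buf) != self.expected:
            raise ValueError("last fragment received but flight is short")
        flight, self.buf, self.expected = bytes(self.buf), bytearray(), None
        return None, flight


def client_hello_random(gmt_unix_time=None):
    """32-byte ClientHello.random: 4-byte Unix time plus 28 bytes from the OS CSPRNG."""
    now = int(time.time()) if gmt_unix_time is None else gmt_unix_time
    return struct.pack("!I", now & 0xFFFFFFFF) + os.urandom(28)


def run_exchange(flight, max_fragment=1000):
    """Drive the server's fragments through the client; return (fragments, acks, reassembled)."""
    requests = fragment_flight(flight, identifier=1, max_fragment=max_fragment)
    client, acks, reassembled = Reassembler(), 0, None
    for request in requests:
        ack, done = client.feed(request)
        if ack is not None:
            acks += 1
            code, ident, flags, _, data = parse_eap_tls(ack)
            # What the server checks before it releases the next fragment.
            assert code == EAP_RESPONSE and flags == 0 and data == b""
            assert ident == parse_eap_tls(request)[1]
        else:
            reassembled = done
    return len(requests), acks, reassembled


if __name__ == "__main__":
    # Constructed stand-in for the 3137-byte server flight seen in the capture.
    FLIGHT = bytes(range(256)) * 12 + b"\x16" * 65
    n, acks, out = run_exchange(FLIGHT)
    print("fragments=%d acks=%d intact=%s" % (n, acks, out == FLIGHT))
    print("random=%s" % client_hello_random().hex())
```

With a 3137-byte flight and 1000-byte fragments this yields four Requests and three empty Responses, i.e. the first fragment already on the wire plus the two further 'ping-pongs' the reply predicts. The two checks in the reassembler (declared length capped, fragments never exceeding it) are the ones a client talking to an untrusted authenticator should keep: the 4-byte TLS Message Length is peer-controlled, so it must bound buffering rather than drive it.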


More information about the openssl-users mailing list