OpenSSL reports wrong TLS version to FreeRADIUS
Irina.Ilina-Sidorova at ulb.ac.be
Mon Mar 2 11:28:18 UTC 2020
I'm looking for your pointers to help me to debug&solve the issue I
I try to implement an auth exchange with the RADIUS, requesting EAP-TLS.
At this moment I only need to get to the phase when server responds with
Access-Challenge with server certificate (so, 2 packets from NAD and 2
from the server). To generate NAD-side packets I use python3 with scapy.
Freeradius (3.0.16, 3.0.20) was set up to use EAP-TLS for test user
auth. First access-request from the NAD side is responded with
Access-Challenge from the server. So far so good.
But when I send the second packet, I receive an Access-Reject.
Suprisingly, the server reports I'm using unsupported TLS version ?0304?
(which corresponds to TLS1.3). Why "surprizingly"? Well, because I use
earlier TLS version, and it is well visible (AVP "Eap-Message" - EAP
section - TLS part has "0301", that corresponds to TLS1.0, handshake
version also set to TLS1.0 (0x0301)).
I also checked in Wireshark (captured both on the server machine and
"NAD" machine - same results) - the packet is correctly dissected by
latest wireshark (no errors reported) and has TLS1.0 inside.
OpenSSL is already at the newest version (1.1.1-1ubuntu2.1~18.04.5).
After a discussion in freeradius maillist, I got to know that freeradius
receives all the TLS-related information from the OpenSSL.
I attach the packet exchange for the reference, the packet in question
I'd like to understand, how does OpenSSL get to the idea of "0304"
version, if there is no such a byte sequence in the packet...
My question is: how OpenSSL determines the TLS version? How to debug it?
Have a great day!
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 996 bytes
Desc: not available
More information about the openssl-users