OpenSSL reports wrong TLS version to FreeRADIUS
alfred at ccac.rwth-aachen.de
Tue Mar 3 15:03:03 UTC 2020
>Alfred, I'd like to say "thanks" once more.
>I tried with newer ciphers and version 1.2 - and now freeradius (3.0.16)
>indeed sends me the second
>"challenge". So, it's a huge progress.
Indeed, the capture now looks like an EAP-TLS negotiation should go on.
The server accepted the client hello, an prepared its message flight of
messages. Among them is the server's Certificate message, which is quite
huge, and so they cannot be sent in one packet. Your client would next
send an empty EAP-TLS message, thereby acknowledging reception of this
message fragment. The server would then send the next fragment of these
messages. Since the overall length of the message flight is 3137, and
FreeRADUIS decided to send ~1000 bytes per fragment, expect another two of
those 'ping-pongs' to happen until your client is able to reassemble and
process the server's messages.
>However it still complains on the unknown TLS version. I attach the
>server log and the packet capture, just in case.
Well, no idea where the version 0x0304 is coming from. One would probably
have to look into the FreeRADIUS sources, or ask on the proper FreeRADIUS
mailing lists for assistance. My personal "wild guess" is that this is
some sort of 'internal default' as long as the the EAP-TLS module hasn't
yet decided about the used protocol version. I wouldn't bother about this
too much if you're interested in other things.
There's however one other thing I wanted to mention: The Random value your
clients sends in the Client Hello is not that random...there is the time
stamp in the first four bytes, but the remaining 28 bytes are all-zero -
they should contain data from a cryptographically safe random number
Alfred Arnold E-Mail: alfred at ccac.rwth-aachen.de
Computer Club at the http://john.ccac.rwth-aachen.de:8000/alf/
Technical University Phone: +49-241-406526
More information about the openssl-users