Since we upgraded from OpenBSD amd64 7.3 to 7.5 (passing through 7.4) the FreeRadius EAP authentication no longer works!

We are using a custom version of FreeRadius (because we had to do some little changes and a module of our own), and everything worked correctly for many years.

Now, with 7.5, it gives the following errors for EAP authentications (everything else is OK):

Apr 14 11:29:24 Eldarion radiusd[73262]: TLS Alert write:fatal:protocol version
Apr 14 11:29:24 Eldarion radiusd[73262]: TLS_accept: error in SSLv3 read client hello B
Apr 14 11:29:24 Eldarion radiusd[73262]: rlm_eap: SSL error error:1402610B:SSL routines:ACCEPT_SR_CLNT_HELLO:wrong version number
Apr 14 11:29:24 Eldarion radiusd[73262]: SSL: SSL_read failed in a system call (-1), TLS session fails.
Apr 14 11:29:24 Eldarion radiusd[73262]: Login incorrect (TLS Alert write:fatal:protocol version): [anonym...@myisp.com/<via Auth-Type = EAP>] (from client wdsl_neomedia nas 10.10.215.101 port 0 cli FC-EC-DA-2A-F5-7F service wdsl-neomedia)

I guess that the new LibreSSL version has some new restricted requirements. And we CANNOT change the client's OpenSSL version or certs (they are Ubiquiti devices).

Some time ago (I think upgrading to 7.3) we had to add "SSL_CTX_set_security_level( ctx, 0 );" to make it work. So we already have set Security Level to 0.

Is there something else we can do to make LibreSSL accept everything it accepted in the previous release?

Thanks.
