On 2024-04-17, Federico Giannici <giann...@neomedia.it> wrote:
> Since we upgraded from OpenBSD amd64 7.3 to 7.5 (passing through 7.4) 
> the FreeRadius EAP authentication no longer works!
>
> We are using a custom version of FreeRadius (because we had to do some 
> little changes and a module of our own), and everything worked correctly 
> for many years.
>
> Now, with 7.5, it gives the following errors for EAP authentications 
> (everything else is OK):
>
> Apr 14 11:29:24 Eldarion radiusd[73262]: TLS Alert write:fatal:protocol 
> version
> Apr 14 11:29:24 Eldarion radiusd[73262]:     TLS_accept: error in SSLv3 
> read client hello B
> Apr 14 11:29:24 Eldarion radiusd[73262]: rlm_eap: SSL error 
> error:1402610B:SSL routines:ACCEPT_SR_CLNT_HELLO:wrong version number
> Apr 14 11:29:24 Eldarion radiusd[73262]: SSL: SSL_read failed in a 
> system call (-1), TLS session fails.
> Apr 14 11:29:24 Eldarion radiusd[73262]: Login incorrect (TLS Alert 
> write:fatal:protocol version): [anonym...@myisp.com/<via Auth-Type = 
> EAP>] (from client wdsl_neomedia nas 10.10.215.101 port 0 cli 
> FC-EC-DA-2A-F5-7F service wdsl-neomedia)
>
> I guess that the new LibreSSL version has some new restricted 
> requirements. And we CANNOT change the client's OpenSSL version or certs 
> (they are Ubiquiti devices).
>
> Some time ago (I think upgrading to 7.3) we had to add 
> "SSL_CTX_set_security_level( ctx, 0 );" to make it work. So we already 
> have set Security Level to 0.
>
> Is there something else we can do to make LibreSSL accept everything it 
> accepted in the previous release?

This is most likely because of:

https://www.openbsd.org/74.html
"Disabled TLSv1.0 and TLSv1.1 in libssl so that they may no longer be selected 
for use."

I don't think there's anything simple you can do to reenable it.
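
To find which supplicants are affected by the TLSv1.0/1.1 removal, the following added example (not part of the thread, and not FreeRADIUS or OpenBSD code) counts protocol-version rejections per RADIUS client and calling-station ID from radiusd log lines in the format quoted above. The sample log lines, host, client names, addresses and MACs are constructed, and `legacy_tls_clients` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog format quoted above; host, realm,
# client names, addresses and MACs are made up for this example.
SAMPLE_LOG = """\
Apr 14 11:29:24 radius1 radiusd[73262]: Login incorrect (TLS Alert write:fatal:protocol version): [anonymous@example.net/<via Auth-Type = EAP>] (from client nas-a port 0 cli 02-00-00-00-00-01 service svc-a)
Apr 14 11:29:31 radius1 radiusd[73262]: Login incorrect (TLS Alert write:fatal:protocol version): [anonymous@example.net/<via Auth-Type = EAP>] (from client nas-a port 0 cli 02-00-00-00-00-01 service svc-a)
Apr 14 11:30:02 radius1 radiusd[73262]: Login incorrect (TLS Alert write:fatal:protocol version): [anonymous@example.net/<via Auth-Type = EAP>] (from client nas-b nas 192.0.2.10 port 0 cli 02-00-00-00-00-02 service svc-a)
Apr 14 11:30:05 radius1 radiusd[73262]: Login incorrect: [bob@example.net] (from client nas-a port 3 cli 02-00-00-00-00-03)
Apr 14 11:30:09 radius1 radiusd[73262]: Login OK: [carol@example.net] (from client nas-b port 1 cli 02-00-00-00-00-04)
"""

# Matches only rejections whose reason is the TLS protocol_version alert.
# The "nas <addr>" and "cli <mac>" fields are optional, since not every
# log line carries them.
FAIL_RE = re.compile(
    r"radiusd\[\d+\]: Login incorrect "
    r"\(TLS Alert write:fatal:protocol version\): "
    r"\[(?P<user>[^\]]*)\] \(from client (?P<client>\S+)"
    r"(?: nas (?P<nas>\S+))? port \d+(?: cli (?P<cli>[^\s)]+))?"
)


def legacy_tls_clients(log_text):
    """Return {(client, calling_station): count} for logins rejected
    because the supplicant offered a TLS version the server refuses."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            hits[(m["client"], m["cli"] or "unknown")] += 1
    return dict(hits)


if __name__ == "__main__":
    # One row per affected device, for a firmware-upgrade inventory.
    for (client, cli), n in sorted(legacy_tls_clients(SAMPLE_LOG).items()):
        print(f"{client:10} {cli:20} {n} rejected handshake(s)")
```
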

