Re: Since upgrade to OpenBSD 7.5 the FreeRADIUS EAP authentication no longer works

Wed, 17 Apr 2024 07:03:55 -0700 

On 17/04/2024 16:19, Stuart Henderson wrote:
> On 2024-04-17, Federico Giannici <giann...@neomedia.it> wrote:
>> Since we upgraded from OpenBSD amd64 7.3 to 7.5 (passing through 7.4) 
>> the FreeRadius EAP authentication no longer works!
>>
>> We are using a custom version of FreeRadius (because we had to do some 
>> little changes and a module of our own), and everything worked correctly 
>> for many years.
>>
>> Now, with 7.5, it gives the following errors for EAP authentications 
>> (everything else is OK):
>>
>> Apr 14 11:29:24 Eldarion radiusd[73262]: TLS Alert write:fatal:protocol 
>> version
>> Apr 14 11:29:24 Eldarion radiusd[73262]:     TLS_accept: error in SSLv3 
>> read client hello B
>> Apr 14 11:29:24 Eldarion radiusd[73262]: rlm_eap: SSL error 
>> error:1402610B:SSL routines:ACCEPT_SR_CLNT_HELLO:wrong version number
>> Apr 14 11:29:24 Eldarion radiusd[73262]: SSL: SSL_read failed in a 
>> system call (-1), TLS session fails.
>> Apr 14 11:29:24 Eldarion radiusd[73262]: Login incorrect (TLS Alert 
>> write:fatal:protocol version): [anonym...@myisp.com/<via Auth-Type = 
>> EAP>] (from client wdsl_neomedia nas 10.10.215.101 port 0 cli 
>> FC-EC-DA-2A-F5-7F service wdsl-neomedia)
>>
>> I guess that the new LibreSSL version have some new restricted 
>> requirements. And we CANNOT change the client's OpenSSL version or certs 
>> (they are Ubiquiti devices).
>>
>> Some time ago (I think upgrading to 7.3) we had to add 
>> "SSL_CTX_set_security_level( ctx, 0 );" to make it work. So we already 
>> have set Security Level to 0.
>>
>> Is there something else we can do to make LibreSSL accept everything it 
>> accepted in previous release?
> This is most likely because of:
>
> https://www.openbsd.org/74.html
> "Disabled TLSv1.0 and TLSv1.1 in libssl so that they may no longer be 
> selected for use."
>
> I don't think there's anything simple you can do to reenable it.


One idea if you have old devices that cannot upgrade to a newer SSL/TLS 
protocol would be to run some kind of proxy between the client and the radius 
server (stunnel?)

Don't know how well this plays with EAP.
Maybe this will only work with EAP-TTLS ?

Another idea, since you run your own custom freeradius, is to recompile it and 
link with another openssl library that has old SSL/TLS enabled.

G

Reply via email to