On 24.10.2022 18.25, Cassidy B. Larson wrote:
> We are using the "EAPTLS_Protocols TLSv1.3" currently in all of our
> AuthBy's for good measure. However, the TLS handshake appears to not
> use TLSv1.3 outbound for the establishment, and instead tries TLSv1.2
> which fails.
>
> See these two debug lines:
>
> DEBUG: AuthSQL EAP-TTLS TLS handshake: Direction*IN, Version: TLS 1.3*, Record content: (22) Handshake, message type: (1) ClientHello
> DEBUG: AuthSQL EAP-TTLS TLS handshake: Direction *OUT, Version: TLS 1.2*, Record content: (21) Alert, level: (2) fatal, description: (70) protocol version
Would it be possible to run tcpdump to get capture from the ClientHello
that Radiator rejects? The ClientHello might have a combination of
parameters that don't work with TLSv1.3.
My testing with Radiator-4.26-24.tgz and its demo certificates was
successful with eapol_test that requires TLSv1.3.
I tested with the following:
- FreeBSD 13.1
- pkg install p5-Net-SSLeay-1.92
- eapol_test compiled on the host
eapol_test compilation
++++++++++++++++++++++
Clone it from https://w1.fi/cvs.html and then do this:
freebsd% git checkout hostap_2_10
HEAD is now at cff80b4f7 Preparations for v2.10 release
freebsd% cd wpa_supplicant
freebsd% cp defconfig .config
Then patch with the diff at the bottom of this message and compile with
this (note needs pkg install gmake):
freebsd% gmake eapol_test
Testing with eapol_test
+++++++++++++++++++++++
When you have compiled eapol_test, run it with something like this:
./eapol_test -p 1645 -s mysecret -c eapol-eap-ttls.conf
Where eapol-eap-ttls.conf looks something like this:
network={
phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0"
ssid="ttls-ssid"
key_mgmt=WPA-EAP
eap=TTLS
anonymous_identity="mikem-anon"
identity="mikem"
password="fred"
ca_cert="certificates/demoCA/cacert.pem"
phase2="auth=PAP"
eap_workaround=0
}
Radiator configuration is goodies/eap_ttls.cfg with EAPTLS_Protocols
forced to TLSv1.3 with no other remarkable changes.
With the above, EAP-TTLS/PAP works fine.
Here's the .config patch to get eapol_test compiled with FreeBSD 13.1:
--- defconfig 2022-10-25 17:59:13.262031000 +0000
+++ .config 2022-10-25 20:00:19.057923000 +0000
@@ -29,7 +29,7 @@
CONFIG_DRIVER_WEXT=y
# Driver interface for Linux drivers using the nl80211 kernel interface
-CONFIG_DRIVER_NL80211=y
+#CONFIG_DRIVER_NL80211=y
# QCA vendor extensions to nl80211
#CONFIG_DRIVER_NL80211_QCA=y
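Review bot: the context line `CONFIG_DRIVER_WEXT=y` stays enabled while `CONFIG_DRIVER_NL80211=y` is commented out; both are Linux wireless driver interfaces, so if the intent of this hunk is to strip Linux-only driver backends for the FreeBSD build, WEXT should get the same treatment, or a one-line comment in the description should say why it is kept (for example, if eapol_test on this host needs no wireless driver at all).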
@@ -77,7 +77,7 @@
#CONFIG_DRIVER_MACSEC_QCA=y
# Driver interface for Linux MACsec drivers
-CONFIG_DRIVER_MACSEC_LINUX=y
+#CONFIG_DRIVER_MACSEC_LINUX=y
# Driver interface for the Broadcom RoboSwitch family
#CONFIG_DRIVER_ROBOSWITCH=y
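Review bot: no rationale for disabling `CONFIG_DRIVER_MACSEC_LINUX` is recorded; a short note in the description that this and the nl80211 hunk are FreeBSD build fixes only, with no effect on the EAP-TTLS/TLS code paths under test, would save anyone reproducing the TLSv1.3 test from wondering whether these driver changes matter to the result.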
@@ -246,7 +246,7 @@
#CONFIG_NO_WPA_PASSPHRASE=y
# Simultaneous Authentication of Equals (SAE), WPA3-Personal
-CONFIG_SAE=y
+#CONFIG_SAE=y
# Disable scan result processing (ap_scan=1) to save code size by
about 1 kB.
# This can be used if ap_scan=1 mode is never enabled.
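Review bot: commenting out `CONFIG_SAE=y` removes a feature (WPA3-Personal) rather than a platform binding, and the reason is not stated; if it was done to work around a crypto-library build problem on FreeBSD, say so in the description. It does not touch EAP-TTLS, so it is harmless for this test, but a reviewer cannot tell that from the hunk alone.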
@@ -303,6 +303,7 @@
# ndis = Windows NDISUIO (note: requires CONFIG_USE_NDISUIO=y)
# none = Empty template
#CONFIG_L2_PACKET=linux
+CONFIG_L2_PACKET=none
# Disable Linux packet socket workaround applicable for station interface
# in a bridge for EAPOL frames. This should be uncommented only if the
kernel
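Review bot: `CONFIG_L2_PACKET=none` is added as a new line instead of editing the commented `#CONFIG_L2_PACKET=linux`, which keeps the Linux default visible; that is fine, but the description should say this choice is eapol_test-specific. eapol_test only needs RADIUS over UDP (the `-p 1645 -s mysecret` invocation above), whereas a wpa_supplicant built from the same .config would have no way to send EAPOL frames, exactly as the `none = Empty template` comment in the context warns.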
@@ -363,7 +364,7 @@
# Add support for new DBus control interface
# (fi.w1.wpa_supplicant1)
-CONFIG_CTRL_IFACE_DBUS_NEW=y
+#CONFIG_CTRL_IFACE_DBUS_NEW=y
# Add introspection support for new DBus control interface
CONFIG_CTRL_IFACE_DBUS_INTRO=y
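Review bot: `CONFIG_CTRL_IFACE_DBUS_NEW=y` is commented out but the context line `CONFIG_CTRL_IFACE_DBUS_INTRO=y` is left enabled; the comment directly above it says introspection support is for the new DBus control interface, so the hunk leaves an option on whose interface is now disabled. Comment it out as well (`#CONFIG_CTRL_IFACE_DBUS_INTRO=y`) or confirm in the description that the build ignores it.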
--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
_______________________________________________
radiator mailing list
radiator@lists.open.com.au
https://lists.open.com.au/mailman/listinfo/radiator
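As an added example, not from this thread or from Radiator or hostap, here is a small Python checker that pairs an inbound ClientHello with the outbound alert in Radiator debug output of the kind quoted at the top of this message, so that an eapol_test run against a server can be scanned for an EAPTLS_Protocols mismatch; the log field layout is an assumption taken from those two quoted lines.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Radiator "TLS handshake" debug lines as quoted in the thread. The '*' marks are
# e-mail emphasis, stripped before matching; the field layout is an assumption.
LINE_RE = re.compile(
    r"TLS handshake: Direction\s*(?P<dir>IN|OUT), Version: (?P<ver>TLS \d\.\d), "
    r"Record content: \((?P<ctype>\d+)\) \w+(?P<rest>.*)"
)
MSG_RE = re.compile(r"message type: \((\d+)\)")
ALERT_RE = re.compile(r"description: \((\d+)\)")
HANDSHAKE, ALERT = 22, 21   # TLS record content types
CLIENT_HELLO = 1            # handshake message type
PROTOCOL_VERSION = 70       # alert description (RFC 8446, section 6.2)
@dataclass
class Record:
    direction: str
    version: str
    content_type: int
    msg_type: Optional[int] = None    # handshake records only
    alert_desc: Optional[int] = None  # alert records only

def parse_line(line: str) -> Optional[Record]:
    """Parse one debug line; None for lines that are not TLS handshake records."""
    m = LINE_RE.search(line.replace("*", ""))
    if not m:
        return None
    rec = Record(m["dir"], m["ver"], int(m["ctype"]))
    if rec.content_type == HANDSHAKE and (mm := MSG_RE.search(m["rest"])):
        rec.msg_type = int(mm.group(1))
    elif rec.content_type == ALERT and (am := ALERT_RE.search(m["rest"])):
        rec.alert_desc = int(am.group(1))
    return rec

def find_version_mismatch(lines):
    """(ClientHello version, alert record version) when an inbound ClientHello is
    answered by an outbound protocol_version alert, else None."""
    hello = None
    for rec in filter(None, map(parse_line, lines)):
        if rec.direction == "IN" and rec.msg_type == CLIENT_HELLO:
            hello = rec
        elif hello and rec.direction == "OUT" and rec.alert_desc == PROTOCOL_VERSION:
            return hello.version, rec.version
    return None
SAMPLE_LOG = [  # constructed sample: the thread's two debug lines, re-joined
    "DEBUG: AuthSQL EAP-TTLS TLS handshake: Direction*IN, Version: TLS 1.3*, "
    "Record content: (22) Handshake, message type: (1) ClientHello",
    "DEBUG: AuthSQL EAP-TTLS TLS handshake: Direction *OUT, Version: TLS 1.2*, "
    "Record content: (21) Alert, level: (2) fatal, description: (70) protocol version",
]
```

Note that the version printed on the outbound alert is the record-layer version, which TLS 1.3 implementations also set to 1.2 (legacy_record_version), so on its own it does not show which protocol version the server tried; the alert description (70, protocol_version) is the reliable signal of a mismatch.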