Bug#919234: [Pkg-freeradius-maintainers] Bug#919234: ttls fails with tls 1.3, enabled by default

2022-10-13 Thread Rafael Varela Pet 



We have detected a number of issues in the Eduroam service with the 
latest Windows 11 22H2 that are related with the newly 
enabled-by-default usage of TLS v1.3 for EAP-TTLS and PEAP. This 
problems have been detected by other Eduroam providers:


https://lists.geant.org/sympa/arc/cat-users/2022-10/msg00040.html

It seems that only the newest Freeradius v3.0.26 and v3.2.0+ support TLS 
v1.3 correctly and since Windows 11 22H2 has now enabled TLS v1.3 by 
default also for EAP-TTLS and PEAP, the issue started emerging and 
diffusing quickly as the Windows update started being rolled out to users.


So this is becoming a big issue for those Eduroam providers that run 
Freeradius on Debian and it would be great to have the 3.0.26 necessary 
patches migrated to the stable package.


Thanks in advance.

Kind regards,
--
Rafael Varela Pet
Subdirector de Infraestructuras
Área de Tecnoloxías da Información e Comunicacións

Universidade de Santiago de Compostela
15782 Santiago de Compostela
https://www.usc.gal/atic

Bug#919234: [Pkg-freeradius-maintainers] Bug#919234: ttls fails with tls 1.3, enabled by default

2019-01-14 Thread Sam Hartman 
control: forwarded -1
https://github.com/FreeRADIUS/freeradius-server/issues/2385

I'll try to get a patch for this if we don't hear something interesting
from upstream soon.
I think I'm in a better position than most in Debian to write such a
patch.
However I'm fairly busy.

Bug#919234: [Pkg-freeradius-maintainers] Bug#919234: ttls fails with tls 1.3, enabled by default

2019-01-13 Thread Michael Stapelberg 
I have no time to look into this. Can you send a patch please?

On Sun, Jan 13, 2019 at 11:33 PM Sam Hartman  wrote:

> package: freeradius
> severity: important
> version: 3.0.17+dfsg-1
> justification: regression that totally breaks connectivity
> tags: upstream
>
>
> I've cc'd Kurt because he requested openssl 1.3 test results a while
> back.
>
> While writing automated tests for moonshot-gss-eap, I discovered that
> by default freeradius will not constrain  the version of TLS in use
> (probably good), but that its ttls implementation fails with TLS 1.3.
> Things work fine if I explicitly set the max TLS version to 1.2.
>
> Based on the errors I suspect that  the issue had to deal with the
> handling of the ttls TLS session ticket used by TTLS for fast
> reauthentication.
> My suspicion (and recollection from the spec) is that ttls knows more
> about session internals than it should.
>
> As a quick fix, I think the ttls code should limit the maximum TLS
> version to 1.2 until the code can be fixed to work with 1.3.
>
>
> Please do not limit all freeradius uses of TLS to 1.2: in particular I'd
> really like to be able to use tls 1.3 with radsec.
> Also, I strongly recommend making this change in code not in config
> files.  People tend not to update their configs once they get one
> working.
>
> To reproduce, grab the moonshot-gss-eap sources.
> Comment out the TLS_MAX_VERSION on line 366 of
> debian/tests/freeradius/eap and then rerun autopkgtest on the resulting
> source package.
>
> ___
> Pkg-freeradius-maintainers mailing list
> pkg-freeradius-maintain...@alioth-lists.debian.net
>
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-freeradius-maintainers
>


-- 
Best regards,
Michael