FreeRADIUS 3.0.20 lets you specify min and max versions of TLS to use, with lots of comments saying you should disable using 1.0 & 1.1. Just wondered if we could have the same functionality, but if it's configurable in OpenSSL that'll do.
On 27 Nov 2019, at 17:30, Fabian Mauchle fabian.mauchle@switch.ch wrote:
Hi Marc and Alex,
On 27.11.19, 15:09, "radsecproxy on behalf of Alex Sharaz" <radsecproxy-bounces@lists.nordu.net on behalf of alex.sharaz@york.ac.uk> wrote:
I was also wondering how we tell radsecproxy to only use TLS 1.2
There is no 'way to tell it', but there should be no need to. Radsecproxy uses whatever settings your ssl library defaults to. I've just checked a recently set up server (FreeRadius 3.0.19 on Fedora 28, openssl 1.1.0i) talking to a radsecproxy (1.8.1 on RHEL 7.7, openssl 1.0.2k) using radsec (radsecproxy is the originator/client). It is using TLSv1.2 (confirmed by wireshark).
At least with openssl 1.1.0, you can configure these defaults in openssl.cnf (https://www.openssl.org/docs/man1.1.0/man5/config.html). Not sure about openssl 1.0.2; it's not mentioned in the manpage of that version.
On 27.11.19, 15:00, "radsecproxy on behalf of Marc Sauer" <radsecproxy-bounces@lists.nordu.net on behalf of m.sauer@khm.de> wrote:
When I try to start the daemon, I get the following error in the log file:
sslreadtimeout: SSL: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
My certificate is definitely valid and I've configured the right certificate chain.
When I try to connect to the federation radius server (by DFN here in Germany) manually with openssl s_client it works, but only using TLS 1.0, TLS 1.1 and TLS 1.2. It does not work with TLS 1.3.
Not sure if DFN federation servers already support TLS 1.3. This requires the latest openssl 1.1.1. But openssl should select the highest compatible version automatically. If openssl can't verify the CA, it's most likely due to missing intermediates (you have to include those in the same .pem), or using CACertificatePath but forgetting to hash (e.g. using c_rehash) the CAs.
Any idea why this is happening? So the real problem is: it works with all other TLS versions, but not 1.3. Is there a way to force the OpenSSL lib to use only 1.2 somehow?
This is not a TLS version issue. If it was, the error message would state it (either incompatible version or incompatible cipher suites).
Best regards,
Fabian

--
SWITCH
Fabian Mauchle, Network Engineer
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
Phone +41 44 268 15 30, direct +41 44 268 15 39
fabian.mauchle@switch.ch, http://www.switch.ch
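As an added example, not written by anyone in this thread: the openssl.cnf fragment that sets the library-wide floor Fabian points to, so every libssl consumer on the host (radsecproxy included) refuses anything below TLS 1.2 without a radsecproxy option. It assumes the application initialises libssl with config loading (automatic from OpenSSL 1.1.1; on 1.1.0 the application has to request it) and that this is the file libssl reads (its default openssl.cnf, or the path in OPENSSL_CONF).

```ini
# Added example, not from the thread. System-wide OpenSSL protocol floor.
# Assumes this file is the openssl.cnf libssl loads and that the
# application (radsecproxy here) loads the library configuration.
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
# Weak/default: with no system_default section the library's compiled-in
# minimum applies, so a peer may still negotiate TLS 1.0 or 1.1.
system_default = system_default_sect

[system_default_sect]
# Hardened: refuse anything below TLS 1.2 whatever the peer offers.
# Add "MaxProtocol = TLSv1.2" only if you must pin exactly 1.2; leaving it
# out lets a 1.1.1 build negotiate TLS 1.3 with peers that support it.
MinProtocol = TLSv1.2
```

Confirm the effect the way Fabian did, by capturing a radsec handshake and checking the negotiated version rather than trusting the file alone.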