FreeRADIUS 3.0.20 lets you specify min and max versions of TLS to use, with lots of
comments saying you should disable using 1.0 & 1.1. Just wondered if we could have the
same functionality, but if it's configurable in OpenSSL that'll do.
On 27 Nov 2019, at 17:30, Fabian Mauchle
<fabian.mauchle(a)switch.ch> wrote:
Hi Marc and Alex,
On 27.11.19, 15:09, "radsecproxy on behalf of Alex Sharaz"
<radsecproxy-bounces(a)lists.nordu.net on behalf of alex.sharaz(a)york.ac.uk> wrote:
I was also wondering how we tell radsecproxy to only use TLS 1.2
There is no 'way to tell it'; but there should be no need to. Radsecproxy uses
whatever settings your ssl library defaults to.
I've just checked a recently set up server (FreeRadius 3.0.19 on Fedora 28, openssl
1.1.0i) talking to a radsecproxy (1.8.1 on RHEL 7.7, openssl 1.0.2k) using radsec
(radsecproxy is the originator/client). It is using TLSv1.2 (confirmed by wireshark).
At least with openssl 1.1.0, you can configure these defaults in openssl.cnf
(https://www.openssl.org/docs/man1.1.0/man5/config.html). Not sure about openssl 1.0.2;
it's not mentioned in the manpage of that version.
On 27.11.19, 15:00, "radsecproxy on behalf of Marc Sauer"
<radsecproxy-bounces(a)lists.nordu.net on behalf of m.sauer(a)khm.de> wrote:
When I try to start the daemon, I get the following error in the log file:
sslreadtimeout: SSL: error:14094418:SSL routines:ssl3_read_bytes:tlsv1
alert unknown ca
My certificate is definitely valid and I've configured the right
certificate chain.
When I try to connect to the federation radius server (by DFN here in
Germany) manually with openssl s_client it works, but only using TLS
1.0, TLS 1.1 and TLS 1.2. It does not work with TLS 1.3.
Not sure if DFN federation servers already support TLS 1.3. This requires the latest
openssl 1.1.1.
But openssl should select the highest compatible version automatically.
If openssl can't verify the CA, it's most likely due to missing intermediates (you
have to include those in the same .pem), or using CAcertificatePath but forgetting to hash
(e.g. using c_rehash) the CAs.
Any idea why this is happening? So the real problem is: It works with
all other TLS versions, but not 1.3. Is there a way to force OpenSSL lib
to use only 1.2 somehow?
This is not a TLS version issue. If it was, the error message would state it (either
incompatible version or incompatible cipher suites).
Best regards,
Fabian
--
SWITCH
Fabian Mauchle, Network Engineer
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
Phone +41 44 268 15 30, direct +41 44 268 15 39
fabian.mauchle(a)switch.ch,
http://www.switch.ch
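The two diagnostic points Fabian makes above (an "unknown ca" alert is a trust-chain problem, not a version problem; the usual causes are a .pem without its intermediates or an unhashed CA directory; and the TLS floor is a property of the SSL library, not of radsecproxy) can be turned into a small pre-flight check. The script below is an added example written for this thread, not code from radsecproxy, FreeRADIUS or the list; the error-line classifier, the chain/capath checks and the sample PEM file and directory layout it builds in a temporary directory are all constructed here for illustration.

```python
"""Pre-flight checks for a radsec TLS setup, using only the standard library.

Added example, not radsecproxy's own code. The PEM text and capath entries
created by make_demo_tree() are constructed stand-ins, never parsed by OpenSSL.
"""
import os
import re
import ssl
import tempfile

# One PEM certificate block; used only to count how many certs a chain file holds.
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
# c_rehash names its links <8 hex digits of subject hash>.<n>, e.g. 2e5ac55d.0
HASH_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def classify_ssl_error(line):
    """Bucket an OpenSSL error line by what it actually reports.

    'trust'   : the peer could not build a chain to a CA it trusts
    'version' : no TLS protocol version in common
    'cipher'  : no cipher suite in common
    'other'   : anything else
    """
    text = line.lower()
    if "unknown ca" in text or "certificate verify failed" in text:
        return "trust"
    if "protocol version" in text or "wrong version number" in text \
            or "unsupported protocol" in text:
        return "version"
    if "no shared cipher" in text or "handshake failure" in text:
        return "cipher"
    return "other"


def count_chain_certs(pem_path):
    """Number of certificates in a PEM file; 1 usually means intermediates are missing."""
    with open(pem_path) as f:
        return len(PEM_CERT.findall(f.read()))


def capath_is_hashed(capath):
    """True if the CA directory contains at least one c_rehash-style entry."""
    return any(HASH_NAME.match(name) for name in os.listdir(capath))


def tls12_only_context():
    """Pin the floor (and here the ceiling) at the library level, as an openssl.cnf
    MinProtocol/MaxProtocol setting would do for every OpenSSL user on the host."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_demo_tree():
    """Build a constructed layout: a one-cert .pem, a hashed and an unhashed capath."""
    root = tempfile.mkdtemp(prefix="radsec-demo-")
    one_cert = os.path.join(root, "server.pem")
    with open(one_cert, "w") as f:
        # Constructed placeholder body; only the BEGIN/END markers matter here.
        f.write("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
    hashed = os.path.join(root, "cacerts-hashed")
    os.mkdir(hashed)
    open(os.path.join(hashed, "2e5ac55d.0"), "w").close()   # constructed hash name
    unhashed = os.path.join(root, "cacerts-unhashed")
    os.mkdir(unhashed)
    open(os.path.join(unhashed, "federation-ca.pem"), "w").close()
    return one_cert, hashed, unhashed


if __name__ == "__main__":
    # The line quoted in the thread, plus a constructed version-mismatch line.
    for line in (
        "sslreadtimeout: SSL: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca",
        "SSL routines:ssl3_read_bytes:tlsv1 alert protocol version",
    ):
        print(classify_ssl_error(line), "<-", line)
    pem, hashed, unhashed = make_demo_tree()
    print("certs in chain file:", count_chain_certs(pem))
    print("hashed capath ok:", capath_is_hashed(hashed))
    print("unhashed capath ok:", capath_is_hashed(unhashed))
    print("min/max TLS:", tls12_only_context().minimum_version.name,
          tls12_only_context().maximum_version.name)
```

Run it as-is to see the thread's own error line land in the "trust" bucket, then point `count_chain_certs` and `capath_is_hashed` at the real `CertificateFile` and `CACertificatePath` from a radsecproxy configuration. A chain file reporting a single certificate, or a capath with no hash-named entries, is exactly the situation Fabian describes; the TLS version is not the lever to pull for that error.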