Here is the log (look for the line with "error:1417D102:SSL routines:tls_process_client_hello:unsupported
protocol") from "freeradius-wpe -s -X":
(0) Received Access-Request Id 37 from 192.168.0.254:46065 to
192.168.0.100:1812 length 139
(0) User-Name = "me"
(0) NAS-IP-Address = 192.168.0.254
(0) NAS-Port = 0
(0) Called-Station-Id = "D0-7D-0D-0F-1B-22:MyAP"
(0) Calling-Station-Id = "12-34-56-78-90-AB"
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = "CONNECT 0Mbps 802.11"
(0) EAP-Message = 0x02000007016d65
(0) Message-Authenticator = 0xb909500b8d92f535dd010ce46c878d47
(0) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]@/ ) {
(0) if (&User-Name =~ /@[^@]@/ ) -> FALSE
(0) if (&User-Name =~ /../ ) {
(0) if (&User-Name =~ /../ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/))
-> FALSE
(0) if (&User-Name =~ /.$/) {
(0) if (&User-Name =~ /.$/) -> FALSE
(0) if (&User-Name =~ /@./) {
(0) if (&User-Name =~ /@./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "me", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 0 length 7
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit
the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_peap to process data
(0) eap_peap: Initiating new EAP-TLS session
(0) eap_peap: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 1 length 6
(0) eap: EAP session adding &reply:State = 0xf60008ccf601110e
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 37 from 192.168.0.100:1812 to
192.168.0.254:46065 length 0
(0) EAP-Message = 0x010100061920
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xf60008ccf601110e4d96bfb0034242b4
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 38 from 192.168.0.254:46065 to
192.168.0.100:1812 length 260
(1) User-Name = "me"
(1) NAS-IP-Address = 192.168.0.254
(1) NAS-Port = 0
(1) Called-Station-Id = "D0-7D-0D-0F-1B-22:MyAP"
(1) Calling-Station-Id = "12-34-56-78-90-AB"
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Connect-Info = "CONNECT 0Mbps 802.11"
(1) EAP-Message = 0x0201006e198000000064160[...]
(1) State = 0xf60008ccf601110e4d96bfb0034242b4
(1) Message-Authenticator = 0xc2e06b9b63ab56c6fbe401b903304705
(1) session-state: No cached attributes
(1) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]@/ ) {
(1) if (&User-Name =~ /@[^@]@/ ) -> FALSE
(1) if (&User-Name =~ /../ ) {
(1) if (&User-Name =~ /../ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/))
-> FALSE
(1) if (&User-Name =~ /.$/) {
(1) if (&User-Name =~ /.$/) -> FALSE
(1) if (&User-Name =~ /@./) {
(1) if (&User-Name =~ /@./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "me", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 110
(1) eap: Continuing tunnel setup
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0xf60008ccf601110e
(1) eap: Finished EAP session with state 0xf60008ccf601110e
(1) eap: Previous EAP request found for state 0xf60008ccf601110e,
released from the list
(1) eap: Peer sent packet with method EAP PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Continuing EAP-TLS
(1) eap_peap: Peer indicated complete TLS record size will be 100 bytes
(1) eap_peap: Got complete TLS record (100 bytes)
(1) eap_peap: [eaptls verify] = length included
(1) eap_peap: (other): before SSL initialization
(1) eap_peap: TLS_accept: before SSL initialization
(1) eap_peap: TLS_accept: before SSL initialization
(1) eap_peap: <<< recv TLS 1.2 [length 005f]
(1) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version
(1) eap_peap: ERROR: TLS Alert write:fatal:protocol version
tls: TLS_accept: Error in error
(1) eap_peap: ERROR: Failed in FUNCTION (SSL_read):
error:1417D102:SSL routines:tls_process_client_hello:unsupported
protocol
(1) eap_peap: ERROR: System call (I/O) error (-1)
(1) eap_peap: ERROR: TLS receive handshake failed during operation
(1) eap_peap: ERROR: [eaptls process] = fail
(1) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(1) eap: Sending EAP Failure (code 4) ID 1 length 4
(1) eap: Failed in EAP select
(1) [eap] = invalid
(1) } # authenticate = invalid
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject: --> me
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1) [attr_filter.access_reject] = updated
(1) [eap] = noop
(1) policy remove_reply_message_if_eap {
(1) if (&reply:EAP-Message && &reply:Reply-Message) {
(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(1) else {
(1) [noop] = noop
(1) } # else = noop
(1) } # policy remove_reply_message_if_eap = noop
(1) } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 38 from 192.168.0.100:1812 to
192.168.0.254:46065 length 44
(1) EAP-Message = 0x04010004
(1) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 37 with timestamp +23
(1) Cleaning up request packet ID 38 with timestamp +23

In the debian-devel discussion, the maintainer said that the old TLS versions are still supported but they are not enabled by default. The applications using OpenSSL must now call the SSL_CTX_set_min_proto_version function to re-enable TLS 1.0 and 1.1.
Whether we should do this or fork openssl, I'm not sure. It probably depends on the number of applications impacted... but I fear it's rather high.

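The EAP-Message and the "unsupported protocol" alert in the log above, and the SSL_CTX_set_min_proto_version point in the previous comment, worked through as an added example (not code from freeradius-wpe, OpenSSL, or anyone in this thread). It decodes the EAP-PEAP header bytes that are visible in the log, rebuilds the elided TLS payload as a constructed ClientHello, and applies the minimum-version check that SSL_CTX_set_min_proto_version controls, once with the TLS 1.2 floor that the Debian OpenSSL 1.1.0 build now defaults to and once with the floor lowered to TLS 1.0. Assumptions: the real client's advertised version is not in the excerpt, so a TLS 1.0 ClientHello is assumed because that is the case the alert describes; the record contents (26 cipher suites, no extensions) are constructed, chosen so that the lengths reproduce the logged 110-byte EAP packet, 100-byte TLS record and 0x5f-byte handshake; relax_tls_floor is the Python ssl-module binding of the same OpenSSL call and is only there to show what an application would set.

```python
"""Decode an EAP-PEAP fragment and apply a TLS minimum-version floor.

Added example (not freeradius-wpe or OpenSSL code). Framing follows
RFC 3748 (EAP) and RFC 5216 (EAP-TLS flags/length); the version check
mirrors what SSL_CTX_set_min_proto_version decides.
"""
import ssl
import struct

# First 10 bytes of the EAP-Message in the log ("0x0201006e198000000064[...]");
# the log elides the rest, so the TLS payload is constructed further down.
LOG_EAP_HEADER = bytes.fromhex("0201006e198000000064")

TLS1_0, TLS1_1, TLS1_2 = 0x0301, 0x0302, 0x0303
ALERT_PROTOCOL_VERSION = 70      # AlertDescription protocol_version (RFC 5246 7.2.2)
EAP_CODE_RESPONSE = 2
EAP_TYPE_PEAP = 25
FLAG_LENGTH_INCLUDED = 0x80      # EAP-TLS "L" bit: a 4-byte TLS message length follows


def parse_eap_tls(pkt, strict=True):
    """Split an EAP-TLS/PEAP packet into header fields, flags and TLS bytes.

    strict=True requires the EAP Length field to equal the packet size;
    strict=False lets a header-only prefix (like the log excerpt) be decoded.
    """
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if strict and length != len(pkt):
        raise ValueError("EAP Length %d != packet size %d" % (length, len(pkt)))
    eap_type, flags = pkt[4], pkt[5]
    off, tls_len = 6, None
    if flags & FLAG_LENGTH_INCLUDED:
        (tls_len,) = struct.unpack("!I", pkt[6:10])
        off = 10
    return {"code": code, "id": ident, "length": length, "type": eap_type,
            "flags": flags, "tls_length": tls_len, "tls_data": pkt[off:]}


def client_hello_version(record):
    """Return client_version from a ClientHello carried in a single TLS record."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22:
        raise ValueError("not a handshake record (type %d)" % ctype)
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type != 1 or hs_len != len(body) - 4:
        raise ValueError("not a complete ClientHello")
    (client_version,) = struct.unpack("!H", body[4:6])
    # TLS 1.3 clients write 0x0303 here and negotiate via supported_versions;
    # for the 1.0/1.1 question this legacy field is what the floor is tested against.
    return client_version


def server_decision(client_version, min_version):
    """The check behind 'unsupported protocol': fatal alert if below the floor."""
    if client_version < min_version:
        return ("alert", ALERT_PROTOCOL_VERSION)
    return ("accept", client_version)


def build_client_hello(version, n_suites=1):
    """Construct a minimal ClientHello record (no extensions) for the demo."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"           # version, random, no session id
    body += struct.pack("!H", 2 * n_suites) + b"\x00\x2f" * n_suites  # TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                                               # compression: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", TLS1_0, len(handshake)) + handshake


def build_eap_peap_response(ident, tls_record):
    """Wrap one TLS record in an EAP Response/PEAP with the L bit set."""
    payload = bytes([EAP_TYPE_PEAP, FLAG_LENGTH_INCLUDED])
    payload += struct.pack("!I", len(tls_record)) + tls_record
    return struct.pack("!BBH", EAP_CODE_RESPONSE, ident, 4 + len(payload)) + payload


def evaluate(pkt, min_version):
    """Decode an EAP-PEAP packet and decide as a server with the given floor would."""
    eap = parse_eap_tls(pkt)
    return server_decision(client_hello_version(eap["tls_data"]), min_version)


def relax_tls_floor(ctx):
    """Python binding of SSL_CTX_set_min_proto_version: lower the floor to TLS 1.0.

    Returns the resulting minimum, or None if this OpenSSL build refuses TLS 1.0.
    """
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except ValueError:
        return None
    return ctx.minimum_version


if __name__ == "__main__":
    hdr = parse_eap_tls(LOG_EAP_HEADER, strict=False)
    print("log header: EAP length %d, type %d, TLS length %d"
          % (hdr["length"], hdr["type"], hdr["tls_length"]))
    # 26 suites make the record exactly 100 bytes, so the header matches the log.
    pkt = build_eap_peap_response(1, build_client_hello(TLS1_0, n_suites=26))
    print("TLS 1.0 hello, floor TLS 1.2 (Debian default):", evaluate(pkt, TLS1_2))
    print("TLS 1.0 hello, floor lowered to TLS 1.0:", evaluate(pkt, TLS1_0))
    print("ssl module floor now:", relax_tls_floor(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)))
```

The decision function is deliberately the only place the floor appears: with the default it returns the protocol_version alert (70) that the log shows as "fatal protocol_version", and with the floor lowered the same packet is accepted. Whether relax_tls_floor actually gets TLS 1.0 back depends on how the local OpenSSL was built, which is exactly the difference between the Debian package and the forked one discussed above.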
I filed a new bug on the Debian side to try to get Debian testing with TLS 1.0 and 1.1 enabled, since the former discussion was vastly in favor of keeping compat in buster. https://bugs.debian.org/875423

In the meantime, I uploaded a forked openssl re-enabling TLS 1.0 and TLS 1.1 by default: version 1.1.0f-5kali1

There is now a patch for 3.0.15 and OpenSSL >= 1.1: https://trac.aircrack-ng.org/changeset/2938
It won't be necessary when 3.0.16 is released.

We have freeradius-wpe 3.0.17 now, so I guess it's fixed.