View Issue Details

ID: 0004238
Project: Kali Linux
Category: General Bug
View Status: public
Last Update: 2018-12-14 10:58
Reporter: Mister_X
Assigned To: rhertzog
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 2017.1
Summary: 0004238: FreeRADIUS-WPE fails due to OpenSSL update
Description

Current freeradius-wpe doesn't work anymore (at least with Android 6.0 client) because TLS 1.0 is not supported anymore.

It is very likely that other tools are now broken due to the update of OpenSSL not supporting TLS < 1.2 anymore.

There is no workaround for now other than not using Debian testing.

Steps To Reproduce
  1. Update Kali and install freeradius-wpe
  2. Set-up Access point to use (free)radius server
  3. Connect (Android 6.0) client
Additional Information

Freeradius is working on fixing the issue. They've fixed it in the development 4.0 branch and might be working on porting it to the 3.x next week depending on how busy they are.

Here are 2 links with other issues related to OpenSSL in Debian:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871918
https://lists.debian.org/debian-devel/2017/08/msg00166.html

Relationships

related to 0005158 (assigned, rhertzog): Support old ciphers and old crypto protocols in various tools

Activities

Mister_X

2017-09-10 21:31

reporter   ~0007282

Last edited: 2017-09-11 09:06

Here is the log (look for the line with "error:1417D102:SSL routines:tls_process_client_hello:unsupported protocol") from "freeradius-wpe -s -X":

(0) Received Access-Request Id 37 from 192.168.0.254:46065 to
192.168.0.100:1812 length 139
(0) User-Name = "me"
(0) NAS-IP-Address = 192.168.0.254
(0) NAS-Port = 0
(0) Called-Station-Id = "D0-7D-0D-0F-1B-22:MyAP"
(0) Calling-Station-Id = "12-34-56-78-90-AB"
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = "CONNECT 0Mbps 802.11"
(0) EAP-Message = 0x02000007016d65
(0) Message-Authenticator = 0xb909500b8d92f535dd010ce46c878d47
(0) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]@/ ) {
(0) if (&User-Name =~ /@[^@]@/ ) -> FALSE
(0) if (&User-Name =~ /../ ) {
(0) if (&User-Name =~ /../ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/))
-> FALSE
(0) if (&User-Name =~ /.$/) {
(0) if (&User-Name =~ /.$/) -> FALSE
(0) if (&User-Name =~ /@./) {
(0) if (&User-Name =~ /@./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "me", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 0 length 7
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit
the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_peap to process data
(0) eap_peap: Initiating new EAP-TLS session
(0) eap_peap: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 1 length 6
(0) eap: EAP session adding &reply:State = 0xf60008ccf601110e
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 37 from 192.168.0.100:1812 to
192.168.0.254:46065 length 0
(0) EAP-Message = 0x010100061920
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xf60008ccf601110e4d96bfb0034242b4
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 38 from 192.168.0.254:46065 to
192.168.0.100:1812 length 260
(1) User-Name = "me"
(1) NAS-IP-Address = 192.168.0.254
(1) NAS-Port = 0
(1) Called-Station-Id = "D0-7D-0D-0F-1B-22:MyAP"
(1) Calling-Station-Id = "12-34-56-78-90-AB"
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Connect-Info = "CONNECT 0Mbps 802.11"
(1) EAP-Message = 0x0201006e198000000064160[...]
(1) State = 0xf60008ccf601110e4d96bfb0034242b4
(1) Message-Authenticator = 0xc2e06b9b63ab56c6fbe401b903304705
(1) session-state: No cached attributes
(1) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]@/ ) {
(1) if (&User-Name =~ /@[^@]@/ ) -> FALSE
(1) if (&User-Name =~ /../ ) {
(1) if (&User-Name =~ /../ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/))
-> FALSE
(1) if (&User-Name =~ /.$/) {
(1) if (&User-Name =~ /.$/) -> FALSE
(1) if (&User-Name =~ /@./) {
(1) if (&User-Name =~ /@./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "me", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 110
(1) eap: Continuing tunnel setup
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0xf60008ccf601110e
(1) eap: Finished EAP session with state 0xf60008ccf601110e
(1) eap: Previous EAP request found for state 0xf60008ccf601110e,
released from the list
(1) eap: Peer sent packet with method EAP PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Continuing EAP-TLS
(1) eap_peap: Peer indicated complete TLS record size will be 100 bytes
(1) eap_peap: Got complete TLS record (100 bytes)
(1) eap_peap: [eaptls verify] = length included
(1) eap_peap: (other): before SSL initialization
(1) eap_peap: TLS_accept: before SSL initialization
(1) eap_peap: TLS_accept: before SSL initialization
(1) eap_peap: <<< recv TLS 1.2 [length 005f]
(1) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version
(1) eap_peap: ERROR: TLS Alert write:fatal:protocol version
tls: TLS_accept: Error in error
(1) eap_peap: ERROR: Failed in FUNCTION (SSL_read): error:1417D102:SSL routines:tls_process_client_hello:unsupported protocol
(1) eap_peap: ERROR: System call (I/O) error (-1)
(1) eap_peap: ERROR: TLS receive handshake failed during operation
(1) eap_peap: ERROR: [eaptls process] = fail
(1) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(1) eap: Sending EAP Failure (code 4) ID 1 length 4
(1) eap: Failed in EAP select
(1) [eap] = invalid
(1) } # authenticate = invalid
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject: --> me
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1) [attr_filter.access_reject] = updated
(1) [eap] = noop
(1) policy remove_reply_message_if_eap {
(1) if (&reply:EAP-Message && &reply:Reply-Message) {
(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(1) else {
(1) [noop] = noop
(1) } # else = noop
(1) } # policy remove_reply_message_if_eap = noop
(1) } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 38 from 192.168.0.100:1812 to
192.168.0.254:46065 length 44
(1) EAP-Message = 0x04010004
(1) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 37 with timestamp +23
(1) Cleaning up request packet ID 38 with timestamp +23
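
Added example (not part of the original report, and not FreeRADIUS or OpenSSL code): a small Python triage script that pulls the TLS handshake failure out of "freeradius -X" style debug output and unpacks the OpenSSL error code 1417D102 into its library, function and reason numbers. The names triage and decode_openssl_error are hypothetical, the sample lines are a constructed excerpt of the log above, and the bit layout assumed is the OpenSSL 1.1.x error packing.

```python
import re

# Constructed excerpt: request (1) lines trimmed from the debug log above,
# including an OpenSSL error line that the paste wrapped over three lines.
SAMPLE_LOG = """\
(1) eap_peap: <<< recv TLS 1.2 [length 005f]
(1) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version
(1) eap_peap: ERROR: Failed in FUNCTION (SSL_read):
error:1417D102:SSL routines:tls_process_client_hello:unsupported
protocol
(1) eap: Sending EAP Failure (code 4) ID 1 length 4
"""

ERR_LIB_SSL = 20                  # library number of libssl in OpenSSL's err.h
SSL_R_UNSUPPORTED_PROTOCOL = 258  # reason number in OpenSSL's sslerr.h

TLS_MSG = re.compile(r"^\((\d+)\) \S+: (<<< recv|>>> send) TLS (\d\.\d) (.*)$")
OSSL_ERR = re.compile(r"^\((\d+)\) .*error:([0-9A-Fa-f]{8}):[^:]*:([^:]*):(.*)$")

def decode_openssl_error(code_hex):
    """Unpack an OpenSSL 1.1.x error code: 8-bit lib, 12-bit func, 12-bit reason."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def triage(log_text):
    """Map request number -> TLS failure details found in the debug output."""
    # Undo paste wrapping: a line without a "(N) " prefix continues the previous one.
    text = re.sub(r"\n(?!\(\d+\) )", " ", log_text)
    findings = {}
    for line in text.splitlines():
        msg = TLS_MSG.match(line)
        if msg:
            req, direction, version, rest = msg.groups()
            entry = findings.setdefault(int(req), {})
            if direction == "<<< recv":
                entry["recv_version"] = version      # version label as logged
            elif "Alert" in rest and "fatal" in rest:
                entry["alert"] = rest.split("fatal", 1)[1].strip()
        err = OSSL_ERR.match(line)
        if err:
            lib, func, reason = decode_openssl_error(err.group(2))
            findings.setdefault(int(err.group(1)), {}).update(
                lib=lib, func=func, reason=reason,
                function=err.group(3), text=err.group(4).strip())
    # Requests with neither a fatal alert nor an OpenSSL error are not failures.
    return {r: f for r, f in findings.items() if "alert" in f or "reason" in f}

if __name__ == "__main__":
    for req, finding in triage(SAMPLE_LOG).items():
        print(req, finding)
```

A finding with lib 20 and reason 258 identifies the protocol-version rejection regardless of how the surrounding FreeRADIUS messages are worded.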

rhertzog

2017-09-11 09:05

administrator   ~0007287

In the debian-devel discussion, the maintainer said that the old TLS versions are still supported but they are not enabled by default. The applications using OpenSSL must now call the SSL_CTX_set_min_proto_version function to re-enable TLS 1.0 and 1.1.

Whether we should do this or fork openssl, I'm not sure. It probably depends on the number of applications impacted... but I fear it's rather high.

rhertzog

2017-09-11 09:51

administrator   ~0007289

I filed a new bug on the Debian side to try to get Debian testing with TLS 1.0 and 1.1 enabled since the former discussion was vastly in favor of keeping compat in buster. https://bugs.debian.org/875423

rhertzog

2017-09-11 13:22

administrator   ~0007292

Last edited: 2017-09-11 13:24

In the meantime, I uploaded a forked openssl re-enabling TLS 1.0 and TLS 1.1 by default: version 1.1.0f-5kali1

Mister_X

2017-10-25 21:23

reporter   ~0007561

There is now a patch for 3.0.15 and OpenSSL >= 1.1: https://trac.aircrack-ng.org/changeset/2938

It won't be necessary when 3.0.16 is released.

rhertzog

2018-07-27 10:34

administrator   ~0009396

We have freeradius-wpe 3.0.17 now so I guess it's fixed.

Issue History

Date Modified Username Field Change
2017-09-10 21:31 Mister_X New Issue
2017-09-10 21:31 Mister_X Note Added: 0007282
2017-09-11 08:56 rhertzog Assigned To => rhertzog
2017-09-11 08:56 rhertzog Status new => assigned
2017-09-11 09:05 rhertzog Note Added: 0007287
2017-09-11 09:06 rhertzog Note Edited: 0007282
2017-09-11 09:51 rhertzog Note Added: 0007289
2017-09-11 13:22 rhertzog Note Added: 0007292
2017-09-11 13:24 rhertzog Note Edited: 0007292
2017-10-25 21:23 Mister_X Note Added: 0007561
2018-06-22 06:19 g0tmi1k Severity major => minor
2018-07-27 10:34 rhertzog Status assigned => resolved
2018-07-27 10:34 rhertzog Resolution open => fixed
2018-07-27 10:34 rhertzog Note Added: 0009396
2018-12-14 10:58 rhertzog Relationship added related to 0005158