2017-09-23 00:17 UTC

ID: 0004238
Project: Kali Linux
Category: [All Projects] General Bug
View Status: public
Last Update: 2017-09-11 13:24
Reporter: Mister_X
Assigned To: rhertzog
Priority: normal
Severity: major
Reproducibility: always
Status: assigned
Resolution: open
Product Version: 2017.1
Target Version:
Fixed in Version:
Summary: 0004238: FreeRADIUS-WPE fails due to OpenSSL update
Description: Current freeradius-wpe doesn't work anymore (at least with an Android 6.0 client) because TLS 1.0 is not supported anymore.

It is very likely that other tools are now broken due to the update of OpenSSL not supporting TLS < 1.2 anymore.

There is no workaround for now other than not using Debian testing.

Steps To Reproduce:
1. Update Kali and install freeradius-wpe
2. Set up the access point to use the (free)radius server
3. Connect the (Android 6.0) client

Additional Information: FreeRADIUS is working on fixing the issue. They've fixed it in the development 4.0 branch and might be working on porting it to the 3.x branch next week, depending on how busy they are.

Here are 2 links with other issues related to OpenSSL in Debian:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871918
https://lists.debian.org/debian-devel/2017/08/msg00166.html
Notes

~0007282

Mister_X (reporter)

Last edited: 2017-09-11 09:06


Here is the log (look for the line with "error:1417D102:SSL routines:tls_process_client_hello:unsupported protocol") from "freeradius-wpe -s -X":

(0) Received Access-Request Id 37 from 192.168.0.254:46065 to
192.168.0.100:1812 length 139
(0) User-Name = "me"
(0) NAS-IP-Address = 192.168.0.254
(0) NAS-Port = 0
(0) Called-Station-Id = "D0-7D-0D-0F-1B-22:MyAP"
(0) Calling-Station-Id = "12-34-56-78-90-AB"
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = "CONNECT 0Mbps 802.11"
(0) EAP-Message = 0x02000007016d65
(0) Message-Authenticator = 0xb909500b8d92f535dd010ce46c878d47
(0) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
  -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "me", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 0 length 7
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit
the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_peap to process data
(0) eap_peap: Initiating new EAP-TLS session
(0) eap_peap: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 1 length 6
(0) eap: EAP session adding &reply:State = 0xf60008ccf601110e
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 37 from 192.168.0.100:1812 to
192.168.0.254:46065 length 0
(0) EAP-Message = 0x010100061920
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xf60008ccf601110e4d96bfb0034242b4
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 38 from 192.168.0.254:46065 to
192.168.0.100:1812 length 260
(1) User-Name = "me"
(1) NAS-IP-Address = 192.168.0.254
(1) NAS-Port = 0
(1) Called-Station-Id = "D0-7D-0D-0F-1B-22:MyAP"
(1) Calling-Station-Id = "12-34-56-78-90-AB"
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Connect-Info = "CONNECT 0Mbps 802.11"
(1) EAP-Message = 0x0201006e198000000064160[...]
(1) State = 0xf60008ccf601110e4d96bfb0034242b4
(1) Message-Authenticator = 0xc2e06b9b63ab56c6fbe401b903304705
(1) session-state: No cached attributes
(1) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
  -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "me", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 110
(1) eap: Continuing tunnel setup
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0xf60008ccf601110e
(1) eap: Finished EAP session with state 0xf60008ccf601110e
(1) eap: Previous EAP request found for state 0xf60008ccf601110e,
released from the list
(1) eap: Peer sent packet with method EAP PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Continuing EAP-TLS
(1) eap_peap: Peer indicated complete TLS record size will be 100 bytes
(1) eap_peap: Got complete TLS record (100 bytes)
(1) eap_peap: [eaptls verify] = length included
(1) eap_peap: (other): before SSL initialization
(1) eap_peap: TLS_accept: before SSL initialization
(1) eap_peap: TLS_accept: before SSL initialization
(1) eap_peap: <<< recv TLS 1.2 [length 005f]
(1) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version
(1) eap_peap: ERROR: TLS Alert write:fatal:protocol version
tls: TLS_accept: Error in error
(1) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read):
error:1417D102:SSL routines:tls_process_client_hello:unsupported
protocol
(1) eap_peap: ERROR: System call (I/O) error (-1)
(1) eap_peap: ERROR: TLS receive handshake failed during operation
(1) eap_peap: ERROR: [eaptls process] = fail
(1) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(1) eap: Sending EAP Failure (code 4) ID 1 length 4
(1) eap: Failed in EAP select
(1) [eap] = invalid
(1) } # authenticate = invalid
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject: --> me
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1) [attr_filter.access_reject] = updated
(1) [eap] = noop
(1) policy remove_reply_message_if_eap {
(1) if (&reply:EAP-Message && &reply:Reply-Message) {
(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(1) else {
(1) [noop] = noop
(1) } # else = noop
(1) } # policy remove_reply_message_if_eap = noop
(1) } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 38 from 192.168.0.100:1812 to
192.168.0.254:46065 length 44
(1) EAP-Message = 0x04010004
(1) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 37 with timestamp +23
(1) Cleaning up request packet ID 38 with timestamp +23
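An added triage helper, not part of the bug report or of FreeRADIUS: it groups "freeradius -X" debug output of the kind quoted above by request number and flags the requests the server refused with a fatal protocol_version alert (the symptom of the OpenSSL minimum-version change), so that after an upgrade you can count which clients and user names are affected. The log lines in the block are constructed samples modelled on the note's output, with made-up names and addresses.

```python
import re

# Constructed sample modelled on the "freeradius-wpe -s -X" output quoted above:
# request 1 fails like the note's request (1); request 2 is a client whose
# handshake continues. Names and addresses are made up.
SAMPLE_LOG = """\
(1) Received Access-Request Id 38 from 192.168.0.254:46065 to 192.168.0.100:1812 length 260
(1) User-Name = "me"
(1) eap_peap: <<< recv TLS 1.2 [length 005f]
(1) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version
(1) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417D102:SSL routines:tls_process_client_hello:unsupported protocol
(1) Sent Access-Reject Id 38 from 192.168.0.100:1812 to 192.168.0.254:46065 length 44
Waking up in 3.9 seconds.
(2) Received Access-Request Id 39 from 192.168.0.254:46066 to 192.168.0.100:1812 length 262
(2) User-Name = "alice"
(2) eap_peap: <<< recv TLS 1.2 [length 0061]
(2) eap_peap: >>> send TLS 1.2 [length 003d]
(2) Sent Access-Challenge Id 39 from 192.168.0.100:1812 to 192.168.0.254:46066 length 1100
"""

LINE = re.compile(r'^\((\d+)\) (.*)$')          # every per-request line is "(N) ..."
PATTERNS = {                                     # line types worth keeping per request
    "request": re.compile(r'Received Access-Request Id (\d+) from (\S+) to'),
    "user": re.compile(r'User-Name = "([^"]*)"'),
    "alert": re.compile(r'>>> send TLS \S+ Alert \[length \w+\], (\w+) (\w+)'),
    "osslerr": re.compile(r'error:([0-9A-Fa-f]{8}):SSL routines:(\w+):(.*)$'),
    "result": re.compile(r'Sent (Access-\w+) Id'),
}

def summarize(log):
    """Group freeradius -X lines by request number; keep the fields that tell a
    TLS version-negotiation failure apart from any other outcome."""
    reqs = {}
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                             # "Waking up in ..." and similar
        fields = reqs.setdefault(int(m.group(1)), {})
        for kind, pat in PATTERNS.items():
            hit = pat.search(m.group(2))
            if hit:
                groups = hit.groups()
                fields[kind] = groups[0] if len(groups) == 1 else groups
    return reqs

def tls_version_failures(reqs):
    """Requests refused because the client offered a TLS version below the
    server's minimum: the server sent a fatal protocol_version alert."""
    return [(num, f.get("user"), f.get("osslerr")) for num, f in sorted(reqs.items())
            if f.get("alert") == ("fatal", "protocol_version")]
```

Feed it the real output with `summarize(open("radius-debug.log").read())`; a non-empty `tls_version_failures` list after the OpenSSL upgrade is the signal that clients are being turned away for the reason described in this report.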

~0007287

rhertzog (administrator)

In the debian-devel discussion, the maintainer said that the old TLS versions are still supported but they are not enabled by default. The applications using OpenSSL must now call the SSL_CTX_set_min_proto_version function to re-enable TLS 1.0 and 1.1.

Whether we should do this or fork openssl, I'm not sure. It probably depends on the number of applications impacted... but I fear it's rather high.

~0007289

rhertzog (administrator)

I filed a new bug on the Debian side to try to get Debian testing with TLS 1.0 and 1.1 enabled since the former discussion was vastly in favor of keeping compat in buster. https://bugs.debian.org/875423

~0007292

rhertzog (administrator)

Last edited: 2017-09-11 13:24


In the meantime, I uploaded a forked openssl re-enabling TLS 1.0 and TLS 1.1 by default: version 1.1.0f-5kali1


Issue History
Date Modified       Username   Field                    Change
2017-09-10 21:31    Mister_X   New Issue
2017-09-10 21:31    Mister_X   Note Added               0007282
2017-09-11 08:56    rhertzog   Assigned To              => rhertzog
2017-09-11 08:56    rhertzog   Status                   new => assigned
2017-09-11 09:05    rhertzog   Note Added               0007287
2017-09-11 09:06    rhertzog   Note Edited              0007282
2017-09-11 09:51    rhertzog   Note Added               0007289
2017-09-11 13:22    rhertzog   Note Added               0007292
2017-09-11 13:24    rhertzog   Note Edited              0007292