On 03.03.2020 16:03, Alfred Arnold wrote:
Hi,
Alfred, I'd like to say "thanks" once more.
I tried with newer ciphers and version 1.2 - and now freeradius
(3.0.16) indeed sends me the second
"challenge". So, it's a huge progress.
Indeed, the capture now looks like an EAP-TLS negotiation should go
on. The server accepted the client hello, an prepared its message
flight of messages. Among them is the server's Certificate message,
which is quite huge, and so they cannot be sent in one packet. Your
client would next send an empty EAP-TLS message, thereby acknowledging
reception of this message fragment. The server would then send the
next fragment of these messages. Since the overall length of the
message flight is 3137, and FreeRADUIS decided to send ~1000 bytes per
fragment, expect another two of those 'ping-pongs' to happen until
your client is able to reassemble and process the server's messages.
Yes, this is what I'm adding to my script now.
However it still complains on the unknown TLS version. I attach the
server log and the packet capture, just in case.
Well, no idea where the version 0x0304 is coming from. One would
probably have to look into the FreeRADIUS sources, or ask on the
proper FreeRADIUS mailing lists for assistance. My personal "wild
guess" is that this is some sort of 'internal default' as long as the
the EAP-TLS module hasn't yet decided about the used protocol version.
I wouldn't bother about this too much if you're interested in other
things.
There's however one other thing I wanted to mention: The Random value
your clients sends in the Client Hello is not that random...there is
the time stamp in the first four bytes, but the remaining 28 bytes are
all-zero - they should contain data from a cryptographically safe
random number generator.
Thank you :-) Yes, I set it to zeroes as it was easier to read the
packet with this big zeroed part (and also I wanted to be sure in
absence of "0304"). Thanks for the reminder - I'll put there some output
from /dev/urandom.
Best regards
Alfred Arnold
Have a lovely day!
--
Thanks and regards,
Irina Ilina-Sidorova
