On 20.2.2020 14.55, Stefan Paetow wrote:

> <ServerRADSEC>
> 
>      TLS_Protocols TLSv1.2
> 
> </ServerRADSEC>
> 
> I understand TLS_Protocols overrides UseTLS, but I then see these messages:
> 
> Thu Feb 20 12:46:41 2020: ERR: StreamTLS server error (<other server IP>:37206): -1, 1, 8720,
> Thu Feb 20 12:46:41 2020: ERR: StreamTLS server error (<other server IP>:37204): -1, 1, 8720,
> Thu Feb 20 12:46:41 2020: ERR: StreamTLS server error (<other server IP>:37200): -1, 1, 8720,
> 
> Is that the other server saying "Sorry, I don't understand", or is this an error on my side that my server can't create a TLS 1.2 connection?

I think this is the former. I took a look at what happens with Wireshark, and the result was an immediate TCP connection shutdown from the server side. There was no TLS alert or anything before the TCP disconnect. Radiator's TLS was provided by OpenSSL 1.1.1d.

A quick way to test the above is with OpenSSL:

% openssl s_client -connect 127.0.0.1:2083 -tls1_1

With -tls1_2 it goes a bit further with the negotiation. Another option is to use goodies/radsec-client.cfg and test with various client side options.

> When I disable TLS_Protocols (by commenting it out), all returns to normal.

> Am I misunderstanding the documentation?

I think the config is correct. Now, when I looked at the logging more closely, I noticed it could log a more detailed error too. I'll see that this gets updated, and then you can see something like this in the logs:

Thu Feb 20 19:35:33 2020: ERR: StreamTLS server error (127.0.0.1 port 63624): -1, 1, 20, 38048: 1 - error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol

Thu Feb 20 19:35:44 2020: ERR: StreamTLS server error (127.0.0.1 port 63625): -1, 1, 27, 38048: 1 - error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate

It's a minor fix, so it should be in soon. I'll let you know when that happens.

Thanks,
Heikki

--
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
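As an added example (not code from this thread or from Radiator): a small Python triage helper that parses StreamTLS error lines like the ones quoted above, unpacks the packed OpenSSL 1.1.x error code into its library/function/reason fields, and maps the two reasons shown in the thread to their likely cause, so an operator can tell a TLS_Protocols policy mismatch from a client-certificate problem without a packet capture. The sample log lines are constructed from the thread, with 192.0.2.10 standing in for the "<other server IP>" placeholder.

```python
import re

# Constructed sample lines modelled on the StreamTLS errors quoted in this thread;
# 192.0.2.10 is a documentation-range placeholder for the "<other server IP>".
SAMPLE_LOG = """\
Thu Feb 20 19:35:33 2020: ERR: StreamTLS server error (127.0.0.1 port 63624): -1, 1, 20, 38048: 1 - error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
Thu Feb 20 19:35:44 2020: ERR: StreamTLS server error (127.0.0.1 port 63625): -1, 1, 27, 38048: 1 - error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate
Thu Feb 20 12:46:41 2020: ERR: StreamTLS server error (192.0.2.10:37206): -1, 1, 8720,
"""

LINE_RE = re.compile(r"^(?P<ts>.+?): ERR: StreamTLS server error \((?P<peer>[^)]*)\):(?P<rest>.*)$")
OSSL_RE = re.compile(r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)")

# OpenSSL 1.1.x reason codes for the two errors quoted in the thread (ERR_LIB_SSL = 20).
ERR_LIB_SSL = 20
SSL_REASONS = {
    258: "unsupported protocol: client offered a TLS version outside TLS_Protocols",
    199: "peer did not return a certificate: client certificate missing or rejected",
}

def decode_openssl_error(code):
    """Unpack an OpenSSL 1.1.x error code into (library, function, reason) fields."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def triage_line(line):
    """Describe one StreamTLS error line; return None for lines that are not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    result = {"peer": m["peer"], "lib": None, "reason_code": None, "hint": None}
    o = OSSL_RE.search(m["rest"])
    if o is None:
        # Only the numeric status was logged (the pre-fix format); nothing to decode.
        result["hint"] = "no OpenSSL error string logged; check the peer's TLS version on the wire"
        return result
    lib, _func, reason = decode_openssl_error(int(o["code"], 16))
    result.update(lib=lib, reason_code=reason)
    if lib == ERR_LIB_SSL and reason in SSL_REASONS:
        result["hint"] = SSL_REASONS[reason]
    else:
        result["hint"] = f"{o['func']}: {o['reason']}"  # fall back to OpenSSL's own text
    return result

def triage(log_text):
    """Triage every StreamTLS error line in a chunk of Radiator log output."""
    return [r for r in (triage_line(l) for l in log_text.splitlines()) if r]

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r["peer"], "->", r["hint"])
```

Run against a real log, an "unsupported protocol" hit for a peer that should be working is the signal that the peer still speaks TLS 1.0/1.1 and needs updating rather than a problem with the TLS_Protocols line itself.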