Hi Heikki,

today at noon I had the chance to re-enable Cisco Duo and set TLS to v1.2. So far it looks good, I saw other authentication requests getting processed while AuthBy DUO waited for a user response.
I haven't grasped so far how TLSv1.3 could cause this bug. If I understood it correctly, the underlying socket reports available data via select although none has been received so far [1]. Is that correct? How does the TLS version influence that?

Best regards,
Alex

[1] https://metacpan.org/release/HTTP-Async/source/lib/HTTP/Async.pm#L551

T-SYSTEMS AUSTRIA GESMBH
PU Cyber Security Network Architecture
Operation Manager Authentication
Rennweg 97-99, A-1030 Vienna
+43 57057 4320 (phone)
+43 676 8642 4320 (mobile)
E-mail: [email protected]
Internet: www.t-systems.at
Blog: blog.t-systems.at
Social Media: Facebook, Linkedin, Twitter

BIG CHANGES START SMALL – CONSERVE RESOURCES BY NOT PRINTING EVERY E-MAIL.

T-Systems Austria GesmbH, Rennweg 97-99, A-1030 Vienna
Commercial Court Vienna, FN 79340b

Notice: This transmittal and/or attachments may be privileged or confidential. It is intended solely for the addressee named above. If you received this transmittal in error, please notify us immediately by reply and delete this message and all its attachments. Thank you.

________________________________
From: radiator <[email protected]> on behalf of Hartmaier, Alexander <[email protected]>
Sent: Friday, 28 May 2021 09:25
To: [email protected] <[email protected]>; [email protected] <[email protected]>
Subject: Re: [RADIATOR] AuthBy DUO issue

Good morning Heikki,

awesome support from you as always, thank you!!! I saw that the connection to Duo is TLS 1.3 in the packet captures I've taken. Will try your suggestion and report back.
Best regards,
Alex

________________________________
From: radiator <[email protected]> on behalf of Heikki Vatiainen <[email protected]>
Sent: Thursday, 27 May 2021 18:57
To: [email protected] <[email protected]>
Subject: Re: [RADIATOR] AuthBy DUO issue

On 27.5.2021 19.36, Heikki Vatiainen wrote:
> On 27.5.2021 14.58, [email protected] wrote:
>> Is this a known issue?
> As mentioned above, it's not. From what I know it's been used
> successfully on RHEL/CentOS systems and it works for me on Mac.

The problem might be TLS version related. The above don't do TLSv1.3.

> I'd say this is something specific for Debian 10 because the problem is
> not that hard to reproduce. This needs further investigation.
If possible, can you update AuthDUO.pm sub get_ssl_opts() with the following:

    $ssl_opts{SSL_version} = 'TLSv1_2';

This kind of behaviour where TLS socket indicates read but there's no user data available reminded me about TLS 1.3 and how it can send keys for session resumption after TLS handshake has been done. A look at HTTPS traffic shows that there's both TLS 1.2 and 1.3 by default. Restricting TLS to 1.2 seems to make the problem go away.

If you could also check this, please let me know if it changes anything.

Thanks,
Heikki

--
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory, EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator
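The situation the thread describes, a TLS socket that select() reports readable although no application data has arrived, as an added example that is not part of the original messages and is not Radiator's AuthDUO.pm or HTTP::Async code. It shows both the workaround Heikki suggests (pinning the connection to TLS 1.2 with IO::Socket::SSL's SSL_version option) and, for comparison, a read loop that keeps TLS 1.3 and treats SSL_WANT_READ after a readable select() as "wait again" rather than as a timeout or EOF, which is what happens when the record just consumed was a post-handshake message such as a TLS 1.3 NewSessionTicket. The host, port, path, the PIN_TLS12 environment switch and the 10-second budget are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example (not Radiator's AuthDUO.pm, not HTTP::Async): two ways to cope
# with a TLS socket that select() reports readable although no application
# data has arrived, e.g. because a TLS 1.3 server sent a NewSessionTicket
# after the handshake. Host, port, path, PIN_TLS12 and the 10 s budget are
# assumptions for illustration.
use strict;
use warnings;
use IO::Socket::SSL qw(:DEFAULT SSL_WANT_READ SSL_WANT_WRITE);
use IO::Select;
use Time::HiRes qw(time);

# Way 1, the workaround from the thread: allow only TLS 1.2, so the server
# has no post-handshake messages to send on its own initiative.
sub ssl_opts_tls12 {
    my ($host) = @_;
    return (
        SSL_version       => 'TLSv1_2',       # exactly 1.2, no 1.3 negotiation
        SSL_verify_mode   => SSL_VERIFY_PEER,
        SSL_hostname      => $host,           # SNI
        SSL_verifycn_name => $host,
    );
}

# Way 2: keep TLS 1.3 but read correctly. After select() says "readable",
# sysread may consume a record that carried no application data; OpenSSL then
# reports SSL_WANT_READ, which must not be mistaken for a timeout or EOF.
# Reads until the server closes (the request uses Connection: close).
# Returns ($response, undef) on success or (undef, $reason) on failure.
sub read_until_close {
    my ($sock, $deadline) = @_;
    $sock->blocking(0);
    my $sel = IO::Select->new($sock);
    my $buf = '';

    while (1) {
        my $left = $deadline - time;
        return (undef, 'timeout waiting for response') if $left <= 0;

        # select() only sees bytes still in the kernel; data OpenSSL has already
        # decrypted into its own buffer would never make the socket readable.
        if (!$sock->pending) {
            $sel->can_read($left) or next;    # loop re-checks the deadline
        }

        my $n = $sock->sysread($buf, 16384, length $buf);
        if (defined $n) {
            next if $n > 0;                   # application data, keep reading
            return ($buf, undef) if length $buf;   # orderly close after data
            return (undef, 'connection closed before any data');
        }

        # undef from sysread: a record without application data (e.g. a
        # NewSessionTicket), OpenSSL needing to write first, or a real error.
        next if $SSL_ERROR == SSL_WANT_READ;
        if ($SSL_ERROR == SSL_WANT_WRITE) { $sel->can_write($left); next }
        return (undef, "TLS read error: $SSL_ERROR");
    }
}

unless (caller) {
    my ($host, $port, $path) = ('api.example.com', 443, '/');   # assumed
    my @opts = $ENV{PIN_TLS12}
        ? ssl_opts_tls12($host)
        : (SSL_verify_mode => SSL_VERIFY_PEER,
           SSL_hostname => $host, SSL_verifycn_name => $host);
    my $sock = IO::Socket::SSL->new(PeerHost => $host, PeerPort => $port, @opts)
        or die "connect failed: $!, $SSL_ERROR\n";
    printf "negotiated %s\n", $sock->get_sslversion;
    $sock->print("GET $path HTTP/1.1\r\nHost: $host\r\nConnection: close\r\n\r\n");
    my ($resp, $err) = read_until_close($sock, time + 10);
    die "$err\n" unless defined $resp;
    print $resp;
}
```

Run it with `PIN_TLS12=1` to see the TLS 1.2 pin from the thread (the negotiated version is printed), and without it to exercise the TLS 1.3 path; in the second case the loop occasionally passes through the SSL_WANT_READ branch right after the handshake, which is exactly the "readable but no user data" event that must not be counted as a failed or timed-out response. Note that `pending` is checked before `select()`, because bytes OpenSSL has already decrypted into its own buffer never show up as kernel-level readability.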
