Hi,

I saw the following in your log:

tls-config tls-common {
    ... <snip> ...
    cipher_list = "DEFAULT"
    cipher_server_preference = no
    ecdh_curve = "prime256v1"
    tls_max_version = "1.2"
    tls_min_version = "1.0"
    ... <snip> ...
}
tls: In order to use TLS 1.0 and/or TLS 1.1, you likely need to set:
    cipher_list = "DEFAULT@SECLEVEL=1"

Your cipher_list is set to "DEFAULT" not to "DEFAULT@SECLEVEL=1"

KH
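The mismatch KH points out (tls_min_version allowing TLS 1.0/1.1 while cipher_list carries no @SECLEVEL suffix) is easy to check mechanically. The script below is an added example, not code from the thread or from FreeRADIUS: it parses the quoted tls-config block into key/value pairs and reports that mismatch, an inverted min/max pair, and the use of deprecated protocol versions. The config text is a constructed copy of the block quoted above, and CONFIG_HARDENED is a hypothetical variant that drops the legacy versions instead of lowering OpenSSL's security level.

```python
import re

# Constructed copy of the tls-config block quoted in the thread (snipped lines dropped); not a live file.
CONFIG_FROM_THREAD = """\
tls-config tls-common {
    cipher_list = "DEFAULT"
    cipher_server_preference = no
    ecdh_curve = "prime256v1"
    tls_max_version = "1.2"
    tls_min_version = "1.0"
}
"""

# Hypothetical hardened variant: legacy versions switched off rather than lowering the security level.
CONFIG_HARDENED = CONFIG_FROM_THREAD.replace('tls_min_version = "1.0"', 'tls_min_version = "1.2"')

# Matches `key = value` or `key = "value"`, with an optional trailing # comment.
KV_RE = re.compile(r'^\s*([A-Za-z_]+)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')


def parse_tls_config(text):
    """Return the key/value settings of a tls-config block as a dict of strings."""
    settings = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def _version(v):
    major, minor = v.split(".")
    return int(major), int(minor)


def check_tls_config(settings):
    """List configuration problems; an empty list means every check here passed.

    The block must contain tls_min_version and tls_max_version (as in the quoted config).
    """
    findings = []
    vmin = _version(settings["tls_min_version"])
    vmax = _version(settings["tls_max_version"])
    cipher_list = settings.get("cipher_list", "DEFAULT")
    if vmin > vmax:
        findings.append("tls_min_version is higher than tls_max_version: no version can be negotiated")
    if vmin < (1, 2):
        if "@SECLEVEL=" not in cipher_list.upper():
            # The condition FreeRADIUS' own log warning points at: at OpenSSL's default security
            # level TLS 1.0/1.1 may stay disabled regardless of tls_min_version, and the server
            # suggests cipher_list = "DEFAULT@SECLEVEL=1". How strict the default level is
            # depends on the OpenSSL build and distribution defaults.
            findings.append('tls_min_version permits TLS 1.0/1.1 but cipher_list lacks "@SECLEVEL=1"; '
                            'FreeRADIUS warns those versions likely will not negotiate without it')
        findings.append('TLS 1.0/1.1 are deprecated (RFC 8996); set tls_min_version = "1.2" unless a '
                        'legacy supplicant actually needs them')
    return findings


if __name__ == "__main__":
    for name, text in (("thread", CONFIG_FROM_THREAD), ("hardened", CONFIG_HARDENED)):
        print(name, check_tls_config(parse_tls_config(text)) or ["ok"])
```

Running it on the quoted block yields two findings (the missing @SECLEVEL=1 suffix and the deprecation note); the hardened variant yields none. Adding the suffix silences the first finding but keeps the second, which is the trade-off between compatibility with old supplicants and dropping protocol versions that are no longer considered safe.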
(12) eap_peap: ERROR: (TLS) Alert read:fatal:access denied
(12) eap_peap: ERROR: (TLS) Error in fragmentation logic - code 1
(12) eap_peap: ERROR: (TLS) Failed reading application data from OpenSSL: error:14094419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied
(12) eap_peap: ERROR: [eaptls process] = fail
(12) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(2) eap: Expiring EAP session with state 0x6988124468ed0b5d
(2) eap: Finished EAP session with state 0x6988124468ed0b5d
(2) eap: Previous EAP request found for state 0x6988124468ed0b5d, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: (TLS) EAP Peer says that the final record size will be 162 bytes
(2) eap_peap: (TLS) EAP Got all data (162 bytes)
(2) eap_peap: (TLS) Handshake state - before SSL initialization
(2) eap_peap: (TLS) Handshake state - Server before SSL initialization
(2) eap_peap: (TLS) Handshake state - Server before SSL initialization
(2) eap_peap: (TLS) recv TLS 1.3 Handshake, ClientHello
(2) eap_peap: (TLS) send TLS 1.2 Alert, fatal handshake_failure
(2) eap_peap: ERROR: (TLS) Alert write:fatal:handshake failure
(2) eap_peap: ERROR: (TLS) Server : Error in error
(2) eap_peap: ERROR: (TLS) Failed reading from OpenSSL: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
(2) eap_peap: ERROR: (TLS) System call (I/O) error (-1)
(2) eap_peap: ERROR: (TLS) EAP Receive handshake failed during operation
(2) eap_peap: ERROR: [eaptls process] = fail
(2) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
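The two debug excerpts above show two different failure shapes: in request (12) the alert is read, meaning the peer sent it, while in request (2) the server writes the alert itself after finding no shared cipher for the ClientHello. The following script is an added example, not part of the thread or of FreeRADIUS: it parses radiusd debug lines per request number, pulls out the alert direction, the OpenSSL error code and reason, and the TLS versions seen, and attaches a troubleshooting verdict. SAMPLE_LOG is a constructed reproduction of the lines quoted above, one message per line; the verdict wording is this example's own.

```python
import re

# Constructed sample in the shape of FreeRADIUS debug output (radiusd -X), one message per line.
# It reproduces the two failures quoted in this thread; it is not a real capture.
SAMPLE_LOG = """\
(12) eap_peap: ERROR: (TLS) Alert read:fatal:access denied
(12) eap_peap: ERROR: (TLS) Error in fragmentation logic - code 1
(12) eap_peap: ERROR: (TLS) Failed reading application data from OpenSSL: error:14094419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied
(12) eap_peap: ERROR: [eaptls process] = fail
(12) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(2) eap_peap: (TLS) recv TLS 1.3 Handshake, ClientHello
(2) eap_peap: (TLS) send TLS 1.2 Alert, fatal handshake_failure
(2) eap_peap: ERROR: (TLS) Alert write:fatal:handshake failure
(2) eap_peap: ERROR: (TLS) Failed reading from OpenSSL: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
(2) eap_peap: ERROR: [eaptls process] = fail
(2) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
"""

# "(N) module: [ERROR: ]message"; N is the request number radiusd prints in debug mode.
LINE_RE = re.compile(r"^\((\d+)\) (\S+): (?:ERROR: )?(.*)$")
# OpenSSL wording: "Alert read" = the peer sent the alert, "Alert write" = this server sent it.
ALERT_RE = re.compile(r"\(TLS\) Alert (read|write):(\w+):(.+)$")
OSSL_RE = re.compile(r"error:([0-9A-Fa-f]{8}):SSL routines:(\w+):(.+)$")
RECV_RE = re.compile(r"\(TLS\) recv TLS (\d\.\d) Handshake, (\w+)")
SEND_RE = re.compile(r"\(TLS\) send TLS (\d\.\d) Alert, (\w+) (\w+)")


def _new_session():
    return {"alerts": [], "openssl": None, "client_hello_version": None,
            "server_alert_version": None, "eap_failed": False}


def _verdict(s):
    reason = s["openssl"]["reason"] if s["openssl"] else ""
    if "no shared cipher" in reason:
        return ("server rejected the ClientHello: no cipher suite usable with the negotiated protocol "
                "version (client hello seen as TLS %s, server alert sent as TLS %s); review "
                "tls_min_version, tls_max_version and cipher_list"
                % (s["client_hello_version"], s["server_alert_version"]))
    peer_alerts = [desc for direction, _level, desc in s["alerts"] if direction == "read"]
    if peer_alerts:
        return ("peer aborted the handshake with alert '%s': the supplicant rejected the server, "
                "commonly because it did not trust the server certificate" % peer_alerts[0])
    own_alerts = [desc for direction, _level, desc in s["alerts"] if direction == "write"]
    if own_alerts:
        return "server aborted the handshake with alert '%s'" % own_alerts[0]
    return "no TLS failure recorded"


def summarize_tls_failures(log_text):
    """Group TLS messages by request number and attach a troubleshooting verdict to each."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a radiusd debug line
        req, _module, msg = m.groups()
        s = sessions.setdefault(req, _new_session())
        a = ALERT_RE.search(msg)
        if a:
            s["alerts"].append(a.groups())  # (direction, level, description)
        o = OSSL_RE.search(msg)
        if o:
            code, func, reason = o.groups()
            s["openssl"] = {"code": code, "func": func, "reason": reason}
        r = RECV_RE.search(msg)
        if r and r.group(2) == "ClientHello":
            s["client_hello_version"] = r.group(1)
        snd = SEND_RE.search(msg)
        if snd:
            s["server_alert_version"] = snd.group(1)
        if "[eaptls process] = fail" in msg:
            s["eap_failed"] = True
    for s in sessions.values():
        s["verdict"] = _verdict(s)
    return sessions


if __name__ == "__main__":
    for req, s in summarize_tls_failures(SAMPLE_LOG).items():
        print("(%s) %s" % (req, s["verdict"]))
```

The direction of the alert is the first thing to read off such a log: a read alert means the fix is on the supplicant side (what it trusts, which server it expects), a write alert combined with an OpenSSL reason such as no shared cipher points back at the server's tls-config, which is the case discussed in the rest of this thread.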
...
(2) eap_peap: (TLS) recv TLS 1.3 Handshake, ClientHello
(2) eap_peap: (TLS) send TLS 1.2 Alert, fatal handshake_failure
(2) eap_peap: ERROR: (TLS) Alert write:fatal:handshake failure
...

Why is a ClientHello for TLS 1.3 answered with TLS 1.2?

Maybe because you set

tls_max_version = "1.2"

This can't work, imho...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! FORCING MAXIMUM TLS VERSION TO TLS 1.2
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! There is no standard for using this EAP method with TLS 1.3
!! Please set tls_max_version = "1.2"
!! FreeRADIUS only supports TLS 1.3 for special builds of wpa_supplicant and Windows
!! This limitation is likely to change in late 2021.
!! If you are using this version of FreeRADIUS after 2021, you will probably need to upgrade
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
So which client is sending this ClientHello with TLS 1.3?
https://forum.opnsense.org/index.php?topic=18235.0
http://lists.freeradius.org/pipermail/freeradius-users/2020-November/099072.html
Wrong forum? ;-)