FreeRadius - error:14094419:SSL routines:ssl3_read_bytes:tlsv1 alert access deni

Started by SnejPro, September 30, 2021, 02:41:03 PM

Quote from: KHE on October 01, 2021, 07:17:26 PM
Hi,

I saw the following in your log:
   tls-config tls-common {
   ... <snip> ...
    cipher_list = "DEFAULT"
    cipher_server_preference = no
    ecdh_curve = "prime256v1"
    tls_max_version = "1.2"
    tls_min_version = "1.0"
   ... <snip> ...
   }
tls: In order to use TLS 1.0 and/or TLS 1.1, you likely need to set: cipher_list = "DEFAULT@SECLEVEL=1"


Your cipher_list is set to "DEFAULT" not to "DEFAULT@SECLEVEL=1"

KH

I've also tried it with cipher_list = "DEFAULT@SECLEVEL=1". Exactly the same problem.

But now I notice that the error message has changed:

First it was (see original post):

(12) eap_peap: ERROR: (TLS) Alert read:fatal:access denied
(12) eap_peap: ERROR: (TLS) Error in fragmentation logic - code 1
(12) eap_peap: ERROR: (TLS) Failed reading application data from OpenSSL: error:14094419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied
(12) eap_peap: ERROR: [eaptls process] = fail
(12) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed


Now it is:

(2) eap: Expiring EAP session with state 0x6988124468ed0b5d
(2) eap: Finished EAP session with state 0x6988124468ed0b5d
(2) eap: Previous EAP request found for state 0x6988124468ed0b5d, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: (TLS) EAP Peer says that the final record size will be 162 bytes
(2) eap_peap: (TLS) EAP Got all data (162 bytes)
(2) eap_peap: (TLS) Handshake state - before SSL initialization
(2) eap_peap: (TLS) Handshake state - Server before SSL initialization
(2) eap_peap: (TLS) Handshake state - Server before SSL initialization
(2) eap_peap: (TLS) recv TLS 1.3 Handshake, ClientHello
(2) eap_peap: (TLS) send TLS 1.2 Alert, fatal handshake_failure
(2) eap_peap: ERROR: (TLS) Alert write:fatal:handshake failure
(2) eap_peap: ERROR: (TLS) Server : Error in error
(2) eap_peap: ERROR: (TLS) Failed reading from OpenSSL: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
(2) eap_peap: ERROR: (TLS) System call (I/O) error (-1)
(2) eap_peap: ERROR: (TLS) EAP Receive handshake failed during operation
(2) eap_peap: ERROR: [eaptls process] = fail
(2) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed

...
(2) eap_peap: (TLS) recv TLS 1.3 Handshake, ClientHello
(2) eap_peap: (TLS) send TLS 1.2 Alert, fatal handshake_failure
(2) eap_peap: ERROR: (TLS) Alert write:fatal:handshake failure
...


Why is a ClientHello for TLS 1.3 answered with TLS 1.2?

Maybe because you set

tls_max_version = "1.2"

This can't work, imho...
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....
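The two log excerpts in the post above differ in one detail that matters more than the error code: the first failure is "Alert read:fatal:access denied" (FreeRADIUS read an alert that the peer sent, so the supplicant aborted the handshake after seeing the server's messages), the second is "Alert write:fatal:handshake failure" (the server itself generated the alert because OpenSSL found no cipher suite in common with the ClientHello). The script below, an added example that is not part of the thread or of FreeRADIUS, triages `radiusd -X` output on exactly that distinction and also unpacks the OpenSSL 1.1.x error codes (0xLLFFFRRR: library, function, reason; a libssl reason of 1000 or more is the peer's TLS alert description plus SSL_AD_REASON_OFFSET). The sample log is constructed from the lines quoted in the post; the verdict wording is mine.

```python
"""Triage FreeRADIUS EAP-PEAP/TLS debug output by alert direction and OpenSSL reason.

Added example (not from the forum thread or the FreeRADIUS project).
Input: lines as printed by `radiusd -X`; SAMPLE_LOG below is constructed
from the two excerpts quoted in the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# TLS AlertDescription values (RFC 5246 / RFC 8446, section 7.2), subset.
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 112: "unrecognized_name",
}

# OpenSSL 1.1.x packs errors as 0xLLFFFRRR: 8-bit library, 12-bit function,
# 12-bit reason. In library 0x14 (SSL) a reason >= 1000 is the peer's TLS
# alert description plus SSL_AD_REASON_OFFSET; smaller reasons are libssl's own.
ERR_LIB_SSL = 0x14
SSL_AD_REASON_OFFSET = 1000
SSL_R_NO_SHARED_CIPHER = 193

SESSION_RE = re.compile(r"^\((\d+)\)")
ALERT_RE = re.compile(r"\(TLS\) Alert (read|write):fatal:(.+)$")
OSSL_RE = re.compile(r"error:([0-9A-Fa-f]{8}):SSL routines:(\w+):(.+)$")


@dataclass
class Finding:
    session: int
    direction: str                      # "read": peer sent the alert; "write": server sent it
    alert: str                          # text after "fatal:" on the Alert line
    openssl_func: Optional[str] = None
    openssl_reason: Optional[str] = None
    alert_code: Optional[int] = None    # TLS alert number recovered from the OpenSSL reason


def decode_openssl_error(packed_hex: str) -> dict:
    """Split a packed OpenSSL 1.1.x error code into its fields."""
    code = int(packed_hex, 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = reason - SSL_AD_REASON_OFFSET if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET else None
    return {"lib": lib, "func": func, "reason": reason, "alert": alert}


def triage(lines: List[str]) -> List[Finding]:
    """One Finding per EAP session id that logged a fatal TLS alert."""
    findings: Dict[int, Finding] = {}
    for line in lines:
        sid_m = SESSION_RE.match(line)
        if not sid_m:
            continue
        sid = int(sid_m.group(1))
        alert_m = ALERT_RE.search(line)
        if alert_m:
            findings[sid] = Finding(sid, alert_m.group(1), alert_m.group(2).strip())
            continue
        ossl_m = OSSL_RE.search(line)
        if ossl_m and sid in findings:      # attach the OpenSSL detail to the alert seen before it
            f = findings[sid]
            f.openssl_func, f.openssl_reason = ossl_m.group(2), ossl_m.group(3).strip()
            f.alert_code = decode_openssl_error(ossl_m.group(1))["alert"]
    return [findings[k] for k in sorted(findings)]


def verdict(f: Finding) -> str:
    if f.direction == "read":
        name = TLS_ALERTS.get(f.alert_code, "unknown")
        return (f"({f.session}) peer sent fatal alert {f.alert_code} {name}: the supplicant aborted "
                "after seeing the server's handshake; server cipher/version settings are not the cause")
    if f.openssl_reason and "no shared cipher" in f.openssl_reason:
        return (f"({f.session}) server sent handshake_failure: no cipher suite in common; "
                "compare cipher_list/SECLEVEL and tls_*_version with what the client offers")
    return f"({f.session}) server sent fatal alert: {f.alert} ({f.openssl_reason})"


# Constructed sample, assembled from the two excerpts quoted in the thread.
SAMPLE_LOG = """\
(12) eap_peap: ERROR: (TLS) Alert read:fatal:access denied
(12) eap_peap: ERROR: (TLS) Error in fragmentation logic - code 1
(12) eap_peap: ERROR: (TLS) Failed reading application data from OpenSSL: error:14094419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied
(12) eap_peap: ERROR: [eaptls process] = fail
(2) eap_peap: (TLS) recv TLS 1.3 Handshake, ClientHello
(2) eap_peap: (TLS) send TLS 1.2 Alert, fatal handshake_failure
(2) eap_peap: ERROR: (TLS) Alert write:fatal:handshake failure
(2) eap_peap: ERROR: (TLS) Server : Error in error
(2) eap_peap: ERROR: (TLS) Failed reading from OpenSSL: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(verdict(finding))
```

Run it against a full `radiusd -X` capture (`python3 triage.py < radiusd.log` after swapping SAMPLE_LOG for `sys.stdin`) and look at the direction first: a "read" alert cannot be fixed by changing cipher_list or tls_max_version on the server, because the peer had already received the server's hello and certificate before it gave up.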

Quote from: chemlud on October 01, 2021, 08:57:52 PM
...
(2) eap_peap: (TLS) recv TLS 1.3 Handshake, ClientHello
(2) eap_peap: (TLS) send TLS 1.2 Alert, fatal handshake_failure
(2) eap_peap: ERROR: (TLS) Alert write:fatal:handshake failure
...


Why is a ClientHello for TLS 1.3 answered with TLS 1.2?

Maybe because you set

tls_max_version = "1.2"

This can't work, imho...

tls_max_version = "1.2" - This is the standard configuration of OPNsense.

When I set it to tls_max_version = "1.3", the following warning appears in the logs:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!                    FORCING MAXIMUM TLS VERSION TO TLS 1.2                  !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! There is no standard for using this EAP method with TLS 1.3
!! Please set tls_max_version = "1.2"
!! FreeRADIUS only supports TLS 1.3 for special builds of wpa_supplicant and Windows
!! This limitation is likely to change in late 2021.
!! If you are using this version of FreeRADIUS after 2021, you will probably need to upgrade
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


The error is always the same.

So which client is sending this ClientHello with TLS 1.3?
kind regards
chemlud
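The "recv TLS 1.3 Handshake, ClientHello" followed by "send TLS 1.2 Alert" pair that prompted the question above is not itself the failure. A ClientHello from a TLS 1.3-capable supplicant carries legacy_version 0x0303 (TLS 1.2) in its handshake header and advertises 1.3 only in the supported_versions extension (RFC 8446 section 4.1.2); a server with tls_max_version = "1.2" selects 1.2 from that very hello, and any alert it sends is a TLS 1.2 record. The fatal part is the "no shared cipher" reason: after the version is settled, none of the suites the client listed survives the server's cipher_list and security level. The block below is an added example, not code from the thread, from FreeRADIUS or from OpenSSL: it builds such a ClientHello, parses it as a server would, and runs a simplified model of the version/cipher selection (the suite lists, the server configuration and the selection rule are constructed for illustration; real libssl applies more rules, SECLEVEL among them).

```python
"""Build and parse a TLS 1.3-capable ClientHello and model a TLS 1.2-capped
server's version and cipher-suite selection.

Added example (not from the thread, FreeRADIUS or OpenSSL). Cipher-suite
ids are the IANA values; server configurations below are constructed.
"""
import struct
from typing import Dict, Iterable, List

# IANA cipher suite identifiers (small subset). 0x13xx suites exist only in TLS 1.3.
TLS_AES_128_GCM_SHA256 = 0x1301
TLS_AES_256_GCM_SHA384 = 0x1302
ECDHE_RSA_AES128_GCM_SHA256 = 0xC02F
ECDHE_RSA_AES256_GCM_SHA384 = 0xC030
RSA_AES128_CBC_SHA = 0x002F          # legacy, still offered by many supplicants
EXT_SUPPORTED_VERSIONS = 43
TLS12, TLS13 = 0x0303, 0x0304
ALERT_HANDSHAKE_FAILURE, ALERT_PROTOCOL_VERSION = 40, 70


def build_client_hello(suites: Iterable[int], versions: Iterable[int]) -> bytes:
    """Handshake message bytes. legacy_version is always 0x0303; the real
    offer lives in supported_versions, as RFC 8446 requires."""
    suites, versions = list(suites), list(versions)
    body = struct.pack("!H", TLS12) + b"\x00" * 32                 # legacy_version, random (zeros: example)
    body += b"\x00"                                                 # empty legacy_session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                             # compression_methods: null only
    vers = b"".join(struct.pack("!H", v) for v in versions)
    ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(vers) + 1) + bytes([len(vers)]) + vers
    body += struct.pack("!H", len(ext)) + ext
    return b"\x01" + struct.pack("!I", len(body))[1:] + body        # HandshakeType client_hello, 24-bit length


def parse_client_hello(data: bytes) -> Dict[str, object]:
    """Server-side view: header version, offered suites, supported_versions."""
    if data[0] != 1:
        raise ValueError("not a ClientHello")
    body = data[4:4 + int.from_bytes(data[1:4], "big")]
    legacy_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32
    pos += 1 + body[pos]                                            # skip legacy_session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                            # skip compression_methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end, versions = pos + ext_len, []
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if etype == EXT_SUPPORTED_VERSIONS:
            n = body[pos]
            versions = [struct.unpack("!H", body[pos + 1 + i:pos + 3 + i])[0] for i in range(0, n, 2)]
        pos += elen
    return {"legacy_version": legacy_version, "suites": suites, "supported_versions": versions}


def server_select(hello: Dict[str, object], server_max: int, server_suites: List[int]) -> Dict[str, object]:
    """Simplified negotiation: highest mutually supported version, then the
    first server-preferred suite the client also offered and that is valid
    for that version. Returns the alert the server would send on failure."""
    offered = hello["supported_versions"] or [hello["legacy_version"]]
    version = max((v for v in offered if v <= server_max), default=None)
    if version is None:
        return {"version": None, "suite": None, "alert": ALERT_PROTOCOL_VERSION}
    client = set(hello["suites"])
    for s in server_suites:
        if s in client and ((s >> 8) == 0x13) == (version == TLS13):
            return {"version": version, "suite": s, "alert": None}
    return {"version": version, "suite": None, "alert": ALERT_HANDSHAKE_FAILURE}  # "no shared cipher"


# A hello the way a current supplicant sends it: 1.3 and 1.2 suites, versions [1.3, 1.2].
MODERN_HELLO = parse_client_hello(build_client_hello(
    [TLS_AES_128_GCM_SHA256, ECDHE_RSA_AES128_GCM_SHA256, RSA_AES128_CBC_SHA], [TLS13, TLS12]))

if __name__ == "__main__":
    print("header says", hex(MODERN_HELLO["legacy_version"]), "offers", [hex(v) for v in MODERN_HELLO["supported_versions"]])
    print("server 1.2, overlapping suites:", server_select(MODERN_HELLO, TLS12, [ECDHE_RSA_AES256_GCM_SHA384, ECDHE_RSA_AES128_GCM_SHA256]))
    print("server 1.2, disjoint suites:  ", server_select(MODERN_HELLO, TLS12, [ECDHE_RSA_AES256_GCM_SHA384]))
```

The three cases worth comparing: the same "TLS 1.3" hello negotiates TLS 1.2 cleanly when one suite overlaps; with a disjoint server list it gets alert 40 (handshake_failure, the "no shared cipher" case in the log); and only a client that offers nothing below 1.3 would be turned away on the version itself (alert 70). So the next step in the thread's situation is to capture what the Windows 10 or Bintec supplicant actually lists, not to raise tls_max_version.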

Quote from: chemlud on October 01, 2021, 10:19:25 PM
So which client is sending this ClientHello with TLS 1.3?

I'm not sure, either Windows 10 or the Bintec w2022ac.

kind regards
chemlud


Wrong forum? ;-)
kind regards
chemlud


...would try both, but be prepared that it's "nobody's fault at all" ;-)
kind regards
chemlud