ttls fails with TLS 1.3 (openssl 1.1.1)

[hartmans]

Issue type

• Questions about the server or its usage MUST be posted to the users mailing list. If you post those issues here, they will be closed and locked. Repeat offenders will be BANNED.
• Remote security exploits MUST be sent to security@freeradius.org.

---

REMOVE THOSE WHICH DO NOT APPLY

• Defect - Non compliance with a standards document, or incorrect API usage.
• Defect - Unexpected behaviour (obvious or verified by project member).

See here for debugging instructions and how to obtain backtraces.

Defect

How to reproduce the issue

I was putting together automated tests for moonshot-gss-eap in Debian accidentally ended up running with OpenSSL 1.1.1 and without specifying either a minimum or maximum tls version in mods-available/eap.
TLS 1.3 ended up getting selected, and freeradius produced a tls session ticket that moonshot was unable to decrypt at the TLS layer.
Using TLS 1.2 worked fine.
I was several layers deep in trying to get things done, and didn't capture very good logs, but since it was writing automated tests, reproducing from the test suite is easy to do.

My suspicion is that ttls is just broken with TLS 1.3, but if you think it is more complex than that I'm happy to provide logs.
If it is broken, it would be really nice to get a patch that caps out tls at 1.2 at least for ttls. It would be best not to cap it out for other things because for example it seems like tls 1.3 would be quite helpful for radsec.

[alandekok]

It's possible to set up multiple EAP modules and/or multiple tls configurations, which lets you set tls_min_version and tls_max_version.

I'd prefer to use those as work-arounds instead of coming up with fixes specific for TTLS.

That gives a bit of breathing room, which lets us figure out why TTLS session tickets have issues with TLS 1.3.

From what I can tell, there's nothing specific in TTLS that interacts with TLS 1.3. The session tickets should just be part of the TLS exchange, and therefore completely invisible to TTLS.

[hartmans]

So, the problem with using config changes is that administrators tend to get a radius config that works and not take changes to it from their packaging. So, for someone like Debian: 1) If we include it in the config, then people will get stuck at TLS 1.2 well after it's no longer necessary. 2) Conversly, other people will upgrade and it will break because they didn't change their config. But you can certainly argue that's the problem of people foolish enough to try and package freeradius:-) Would logs be helpful here or can you already reproduce this?

[alandekok]

Any work-around involves technical debt. I'd prefer to do root cause analysis where possible.

It's possible to have a short patch to TTLS that hard-codes TLS 1.2 as the maximum version, via something like this:

#if OPENSSL_VERSION_NUMBER >= 0x10100000L
		if (!SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION)) {
			WARN("Failed setting TLS maximum version to 1.2 for TTLS");
		}
#endif

That can be a temporary work-around.

I'd prefer to get logs, etc. to fix the underlying problem. I haven't tried reproducing it locally, and it will be a bit before I have time for that.

[hartmans]

Here's client side logs

EAP: EAP entering state IDLE
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: Status notification: started (param=)
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using anonymous identity - hexdump_ascii(len=9):
     40 74 65 73 74 2e 63 6f 6d                        @test.com       
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
gss_init_sec_context: The routine must be called again to complete its function/no minor
gss_accept_sec_context: The routine must be called again to complete its function/no minor
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=1 method=4 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
EAP: configuration does not allow: vendor 0 method 4
EAP: vendor 0 method 4 not allowed
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4 -> NAK
EAP: Status notification: refuse proposed method (param=MD5)
EAP: Building EAP-Nak (requested type 4 vendor=0 method=0 not allowed)
EAP: allowed methods - hexdump(len=1): 15
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
gss_init_sec_context: The routine must be called again to complete its function/no minor
gss_accept_sec_context: The routine must be called again to complete its function/no minor
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=2 method=21 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
EAP: Status notification: accept proposed method (param=TTLS)
EAP: Initialize selected EAP method: vendor 0 method 21 (TTLS)
EAP-TTLS: Phase2 type: EAP
TLS: Phase2 EAP types - hexdump(len=72): 00 00 00 00 04 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 2f 00 00 00 00 00 00 00 2e 00 00 00 00 00 00 00 30 00 00 00 00 00 00 00 33 00 00 00
TLS: using phase1 config options
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
EAP: EAP entering state METHOD
SSL: Received packet(len=6) - Flags 0x20
EAP-TTLS: Start (server ver=0, own ver=0)
SSL: (where=0x10 ret=0x1)
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:before SSL initialization
OpenSSL: TX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): [REMOVED]
OpenSSL: TX ver=0x304 content_type=22 (handshake/client hello)
OpenSSL: Message - hexdump(len=278): [REMOVED]
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS write client hello
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3/TLS write client hello
SSL: SSL_connect - want more data
SSL: 283 bytes pending from ssl_out
SSL: 283 bytes left to be sent out (of total 283 bytes)
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL eapRespData=0x559fcfd04f40
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
gss_init_sec_context: The routine must be called again to complete its function/no minor
gss_accept_sec_context: The routine must be called again to complete its function/no minor
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=3 method=21 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=109) - Flags 0x80
SSL: TLS Message Length: 99
OpenSSL: RX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): [REMOVED]
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS write client hello
OpenSSL: RX ver=0x304 content_type=22 (handshake/server hello)
OpenSSL: Message - hexdump(len=88): [REMOVED]
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS read server hello
OpenSSL: TX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): [REMOVED]
OpenSSL: TX ver=0x304 content_type=20 (change cipher spec/)
OpenSSL: Message - hexdump(len=1): [REMOVED]
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS write change cipher spec
OpenSSL: TX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): [REMOVED]
OpenSSL: TX ver=0x304 content_type=22 (handshake/client hello)
OpenSSL: Message - hexdump(len=311): [REMOVED]
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS write client hello
OpenSSL: RX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): [REMOVED]
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3/TLS write client hello
SSL: SSL_connect - want more data
SSL: 322 bytes pending from ssl_out
SSL: 322 bytes left to be sent out (of total 322 bytes)
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL eapRespData=0x559fcfd067b0
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
gss_init_sec_context: The routine must be called again to complete its function/no minor
gss_accept_sec_context: The routine must be called again to complete its function/no minor
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=4 method=21 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=1004) - Flags 0xc0
SSL: TLS Message Length: 1301
SSL: Need 307 bytes more input data
SSL: Building ACK (type=21 id=4 ver=0)
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL eapRespData=0x559fcfc4b6f0
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
gss_init_sec_context: The routine must be called again to complete its function/no minor
gss_accept_sec_context: The routine must be called again to complete its function/no minor
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=5 method=21 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=317) - Flags 0x80
SSL: TLS Message Length: 1301
OpenSSL: RX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): [REMOVED]
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS write client hello
OpenSSL: RX ver=0x304 content_type=22 (handshake/server hello)
OpenSSL: Message - hexdump(len=155): [REMOVED]
OpenSSL: RX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): [REMOVED]
OpenSSL: RX ver=0x304 content_type=257 (?/)
OpenSSL: Message - hexdump(len=1): [REMOVED]
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS read server hello
OpenSSL: RX ver=0x304 content_type=22 (handshake/?)
OpenSSL: Message - hexdump(len=6): [REMOVED]
OpenSSL: RX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): [REMOVED]
OpenSSL: RX ver=0x304 content_type=257 (?/)
OpenSSL: Message - hexdump(len=1): [REMOVED]
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:TLSv1.3 read encrypted extensions
OpenSSL: RX ver=0x304 content_type=22 (handshake/certificate)
OpenSSL: Message - hexdump(len=731): [REMOVED]
TLS: tls_verify_cb - preverify_ok=1 err=18 (self signed certificate) ca_cert_verify=0 depth=0 buf='/CN=host'
EAP: Status notification: remote certificate verification (param=success)
TLS: tls_verify_cb - preverify_ok=1 err=18 (self signed certificate) ca_cert_verify=0 depth=0 buf='/CN=host'
EAP: Status notification: remote certificate verification (param=success)
OpenSSL: RX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): [REMOVED]
OpenSSL: RX ver=0x304 content_type=257 (?/)
OpenSSL: Message - hexdump(len=1): [REMOVED]
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS read server certificate
OpenSSL: RX ver=0x304 content_type=22 (handshake/certificate verify)
OpenSSL: Message - hexdump(len=264): [REMOVED]
OpenSSL: RX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): [REMOVED]
OpenSSL: RX ver=0x304 content_type=257 (?/)
OpenSSL: Message - hexdump(len=1): [REMOVED]
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:TLSv1.3 read server certificate verify
OpenSSL: RX ver=0x304 content_type=22 (handshake/finished)
OpenSSL: Message - hexdump(len=52): [REMOVED]
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS read finished
OpenSSL: TX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): [REMOVED]
OpenSSL: TX ver=0x304 content_type=257 (?/)
OpenSSL: Message - hexdump(len=1): [REMOVED]
OpenSSL: TX ver=0x304 content_type=22 (handshake/finished)
OpenSSL: Message - hexdump(len=52): [REMOVED]
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS write finished
SSL: (where=0x20 ret=0x1)
SSL: (where=0x1002 ret=0x1)
SSL: 74 bytes pending from ssl_out
OpenSSL: Handshake finished - resumed=0
SSL: No Application Data included
SSL: 74 bytes left to be sent out (of total 74 bytes)
EAP-TTLS: TLS done, proceed to Phase 2
EAP-TTLS: Derived key - hexdump(len=64): [REMOVED]
EAP-TTLS: Derived EMSK - hexdump(len=64): [REMOVED]
EAP-TTLS: Derived Session-Id - hexdump(len=65): 15 21 24 57 07 bc 16 9b 02 04 6f 43 0d 8a 07 78 05 37 bf a4 b5 93 9f 91 ef 87 6d 94 1d 3e fc d5 5a 71 64 59 f1 ed 7d 63 f9 46 6e 8e 6f c7 78 f1 6b 7e 5b 37 3a 17 95 fd 12 e1 2e a2 9e d1 a8 c3 ac
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL eapRespData=0x559fcfd06ec0
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
gss_init_sec_context: The routine must be called again to complete its function/no minor
gss_accept_sec_context: The routine must be called again to complete its function/no minor
failure sending token
Sending init_sec_context token (size=81)...continue needed...
Sending init_sec_context token (size=50)...continue needed...
Sending init_sec_context token (size=42)...continue needed...
Sending init_sec_context token (size=335)...continue needed...
Sending init_sec_context token (size=374)...continue needed...
Sending init_sec_context token (size=42)...continue needed...
Sending init_sec_context token (size=116)...continue needed...
Sending init_sec_context token (size=9)...GSS-API error initializing context: Invalid credential was supplied
GSS-API error initializing context: EAP peer authentication failure
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=6 method=21 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=168) - Flags 0x80
SSL: TLS Message Length: 158
EAP-TTLS: received 158 bytes encrypted data for Phase 2
OpenSSL: RX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): [REMOVED]
OpenSSL: RX ver=0x304 content_type=257 (?/)
OpenSSL: Message - hexdump(len=1): [REMOVED]
SSL: (where=0x10 ret=0x1)
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSL negotiation finished successfully
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSL negotiation finished successfully
OpenSSL: RX ver=0x304 content_type=22 (handshake/new session ticket)
OpenSSL: Message - hexdump(len=57): [REMOVED]
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS read server session ticket
SSL: (where=0x20 ret=0x1)
SSL: (where=0x1002 ret=0x1)
OpenSSL: RX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): [REMOVED]
OpenSSL: RX ver=0x304 content_type=257 (?/)
OpenSSL: Message - hexdump(len=1): [REMOVED]
SSL: (where=0x10 ret=0x1)
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSL negotiation finished successfully
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSL negotiation finished successfully
OpenSSL: RX ver=0x304 content_type=22 (handshake/new session ticket)
OpenSSL: Message - hexdump(len=57): [REMOVED]
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS read server session ticket
SSL: (where=0x20 ret=0x1)
SSL: (where=0x1002 ret=0x1)
OpenSSL: tls_connection_decrypt - Decryption failed - SSL_read error:00000000:lib(0):func(0):reason(0)
SSL: Failed to decrypt Phase 2 data
EAP: method process -> ignore=FALSE methodState=DONE decision=FAIL eapRespData=(nil)
EAP: EAP entering state FAILURE
CTRL-EVENT-EAP-FAILURE EAP authentication failed

[hartmans]

And here is freeradius logs from the same run:

FreeRADIUS Version 3.0.17
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...

...

Thread 4 got semaphore
Thread 4 handling request 1, (1 handled so far)
(1) Received Access-Request Id 0 from [::1]:49449 to [::1]:1812 length 92
(1)   User-Name = "@test.com"
(1)   GSS-Acceptor-Service-Name = "host"
(1)   GSS-Acceptor-Host-Name = "localhost"
(1)   EAP-Message = 0x020100060315
(1)   State = 0xfd36b1f7fd37b5c205ae4e5b7f137f5f
(1)   Message-Authenticator = 0xeed55cfe09994331d023be4227dc1303
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: Looking up realm "test.com" for User-Name = "@test.com"
(1) suffix: Found realm "test.com"
(1) suffix: Adding Stripped-User-Name = ""
(1) suffix: Adding Realm = "test.com"
(1) suffix: Authentication realm is LOCAL
(1)     [suffix] = ok
(1) eap: Peer sent EAP Response (code 2) ID 1 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1)     [eap] = updated
(1)     [files] = noop
(1)     [expiration] = noop
(1)     [logintime] = noop
(1) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(1) pap: WARNING: Authentication will fail unless a "known good" password is available
(1)     [pap] = noop
(1)   } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0xfd36b1f7fd37b5c2
(1) eap: Finished EAP session with state 0xfd36b1f7fd37b5c2
(1) eap: Previous EAP request found for state 0xfd36b1f7fd37b5c2, released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type TTLS (21)
(1) eap: Calling submodule eap_ttls to process data
(1) eap_ttls: Initiating new EAP-TLS session
(1) eap_ttls: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 2 length 6
(1) eap: EAP session adding &reply:State = 0xfd36b1f7fc34a4c2
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 0 from [::1]:1812 to [::1]:49449 length 0
(1)   EAP-Message = 0x010200061520
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0xfd36b1f7fc34a4c205ae4e5b7f137f5f
(1) Finished request
Thread 4 waiting to be assigned a request
(1) Cleaning up request packet ID 0 with timestamp +1
Waking up in 0.3 seconds.
Thread 3 got semaphore
Thread 3 handling request 2, (1 handled so far)
(2) Received Access-Request Id 0 from [::1]:49449 to [::1]:1812 length 377
(2)   User-Name = "@test.com"
(2)   GSS-Acceptor-Service-Name = "host"
(2)   GSS-Acceptor-Host-Name = "localhost"
(2)   EAP-Message = 0x020201211500160301011601000112030321245707bc169b02046f430d8a07780537bfa4b5939f91ef876d941d3efcd55a206d1c359d5884213fb078bd75115b6bc2970165f89b53ce782ee6ffca4094df69003e130213031301c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c02700
(2)   State = 0xfd36b1f7fc34a4c205ae4e5b7f137f5f
(2)   Message-Authenticator = 0x6d8e180a381ade76c9387fdf0d3c4499
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> FALSE
(2)         if (&User-Name =~ /@[^@]*@/ ) {
(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)         if (&User-Name =~ /\.\./ ) {
(2)         if (&User-Name =~ /\.\./ )  -> FALSE
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(2)         if (&User-Name =~ /\.$/)  {
(2)         if (&User-Name =~ /\.$/)   -> FALSE
(2)         if (&User-Name =~ /@\./)  {
(2)         if (&User-Name =~ /@\./)   -> FALSE
(2)       } # if (&User-Name)  = notfound
(2)     } # policy filter_username = notfound
(2)     [preprocess] = ok
(2)     [chap] = noop
(2)     [mschap] = noop
(2)     [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: Looking up realm "test.com" for User-Name = "@test.com"
(2) suffix: Found realm "test.com"
(2) suffix: Adding Stripped-User-Name = ""
(2) suffix: Adding Realm = "test.com"
(2) suffix: Authentication realm is LOCAL
(2)     [suffix] = ok
(2) eap: Peer sent EAP Response (code 2) ID 2 length 289
(2) eap: Continuing tunnel setup
(2)     [eap] = ok
(2)   } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2)   authenticate {
(2) eap: Expiring EAP session with state 0xfd36b1f7fc34a4c2
(2) eap: Finished EAP session with state 0xfd36b1f7fc34a4c2
(2) eap: Previous EAP request found for state 0xfd36b1f7fc34a4c2, released from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: [eaptls verify] = ok
(2) eap_ttls: Done initial handshake
(2) eap_ttls: (other): before SSL initialization
(2) eap_ttls: TLS_accept: before SSL initialization
(2) eap_ttls: TLS_accept: before SSL initialization
(2) eap_ttls: <<< recv UNKNOWN TLS VERSION ?0304? [length 0116] 
(2) eap_ttls: TLS_accept: SSLv3/TLS read client hello
(2) eap_ttls: >>> send UNKNOWN TLS VERSION ?0304? [length 0058] 
(2) eap_ttls: TLS_accept: SSLv3/TLS write server hello
(2) eap_ttls: >>> send UNKNOWN TLS VERSION ?0304? [length 0001] 
(2) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec
(2) eap_ttls: TLS_accept: TLSv1.3 early data
(2) eap_ttls: TLS_accept: Need to read more data: TLSv1.3 early data
(2) eap_ttls: In SSL Handshake Phase
(2) eap_ttls: In SSL Accept mode
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 3 length 109
(2) eap: EAP session adding &reply:State = 0xfd36b1f7ff35a4c2
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2)   Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 0 from [::1]:1812 to [::1]:49449 length 0
(2)   EAP-Message = 0x0103006d1580000000631603030058020000540303cf21ad74e59a6111be1d8c021e65b891c2a211167abb8c5e079e09e2c8a8339c206d1c359d5884213fb078bd75115b6bc2970165f89b53ce782ee6ffca4094df69130200000c002b00020304003300020017140303000101
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0xfd36b1f7ff35a4c205ae4e5b7f137f5f
(2) Finished request
Thread 3 waiting to be assigned a request
(2) Cleaning up request packet ID 0 with timestamp +1
Waking up in 0.3 seconds.
Thread 2 got semaphore
Thread 2 handling request 3, (1 handled so far)
(3) Received Access-Request Id 0 from [::1]:49449 to [::1]:1812 length 416
(3)   User-Name = "@test.com"
(3)   GSS-Acceptor-Service-Name = "host"
(3)   GSS-Acceptor-Host-Name = "localhost"
(3)   EAP-Message = 0x020301481500140303000101160303013701000133030321245707bc169b02046f430d8a07780537bfa4b5939f91ef876d941d3efcd55a206d1c359d5884213fb078bd75115b6bc2970165f89b53ce782ee6ffca4094df69003e130213031301c02cc030009fcca9cca8ccaac02bc02f009ec024c02800
(3)   State = 0xfd36b1f7ff35a4c205ae4e5b7f137f5f
(3)   Message-Authenticator = 0x41dcecf726c2cb089ce7c815b0c2f444
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(3)   authorize {
(3)     policy filter_username {
(3)       if (&User-Name) {
(3)       if (&User-Name)  -> TRUE
(3)       if (&User-Name)  {
(3)         if (&User-Name =~ / /) {
(3)         if (&User-Name =~ / /)  -> FALSE
(3)         if (&User-Name =~ /@[^@]*@/ ) {
(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(3)         if (&User-Name =~ /\.\./ ) {
(3)         if (&User-Name =~ /\.\./ )  -> FALSE
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(3)         if (&User-Name =~ /\.$/)  {
(3)         if (&User-Name =~ /\.$/)   -> FALSE
(3)         if (&User-Name =~ /@\./)  {
(3)         if (&User-Name =~ /@\./)   -> FALSE
(3)       } # if (&User-Name)  = notfound
(3)     } # policy filter_username = notfound
(3)     [preprocess] = ok
(3)     [chap] = noop
(3)     [mschap] = noop
(3)     [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: Looking up realm "test.com" for User-Name = "@test.com"
(3) suffix: Found realm "test.com"
(3) suffix: Adding Stripped-User-Name = ""
(3) suffix: Adding Realm = "test.com"
(3) suffix: Authentication realm is LOCAL
(3)     [suffix] = ok
(3) eap: Peer sent EAP Response (code 2) ID 3 length 328
(3) eap: Continuing tunnel setup
(3)     [eap] = ok
(3)   } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3)   authenticate {
(3) eap: Expiring EAP session with state 0xfd36b1f7ff35a4c2
(3) eap: Finished EAP session with state 0xfd36b1f7ff35a4c2
(3) eap: Previous EAP request found for state 0xfd36b1f7ff35a4c2, released from the list
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap: Calling submodule eap_ttls to process data
(3) eap_ttls: Authenticate
(3) eap_ttls: Continuing EAP-TLS
(3) eap_ttls: [eaptls verify] = ok
(3) eap_ttls: Done initial handshake
(3) eap_ttls: TLS_accept: TLSv1.3 early data
(3) eap_ttls: <<< recv UNKNOWN TLS VERSION ?0304? [length 0137] 
(3) eap_ttls: TLS_accept: SSLv3/TLS read client hello
(3) eap_ttls: >>> send UNKNOWN TLS VERSION ?0304? [length 009b] 
(3) eap_ttls: TLS_accept: SSLv3/TLS write server hello
(3) eap_ttls: >>> send UNKNOWN TLS VERSION ?0304? [length 0001] 
(3) eap_ttls: >>> send UNKNOWN TLS VERSION ?0304? [length 0006] 
(3) eap_ttls: TLS_accept: TLSv1.3 write encrypted extensions
(3) eap_ttls: >>> send UNKNOWN TLS VERSION ?0304? [length 0001] 
(3) eap_ttls: >>> send UNKNOWN TLS VERSION ?0304? [length 02db] 
(3) eap_ttls: TLS_accept: SSLv3/TLS write certificate
(3) eap_ttls: >>> send UNKNOWN TLS VERSION ?0304? [length 0001] 
(3) eap_ttls: >>> send UNKNOWN TLS VERSION ?0304? [length 0108] 
(3) eap_ttls: TLS_accept: TLSv1.3 write server certificate verify
(3) eap_ttls: >>> send UNKNOWN TLS VERSION ?0304? [length 0001] 
(3) eap_ttls: >>> send UNKNOWN TLS VERSION ?0304? [length 0034] 
(3) eap_ttls: TLS_accept: SSLv3/TLS write finished
(3) eap_ttls: TLS_accept: TLSv1.3 early data
(3) eap_ttls: TLS_accept: Need to read more data: TLSv1.3 early data
(3) eap_ttls: In SSL Handshake Phase
(3) eap_ttls: In SSL Accept mode
(3) eap_ttls: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 4 length 1004
(3) eap: EAP session adding &reply:State = 0xfd36b1f7fe32a4c2
(3)     [eap] = handled
(3)   } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3)   Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 0 from [::1]:1812 to [::1]:49449 length 0
(3)   EAP-Message = 0x010403ec15c000000515160303009b020000970303716459f1ed7d63f9466e8e6fc778f16b7e5b373a1795fd12e12ea29ed1a8c3ac206d1c359d5884213fb078bd75115b6bc2970165f89b53ce782ee6ffca4094df69130200004f002b00020304003300450017004104b0c469bc5617b4e53fd212aeee
(3)   Message-Authenticator = 0x00000000000000000000000000000000
(3)   State = 0xfd36b1f7fe32a4c205ae4e5b7f137f5f
(3) Finished request
Thread 2 waiting to be assigned a request
(3) Cleaning up request packet ID 0 with timestamp +1
Waking up in 0.3 seconds.
Thread 1 got semaphore
Thread 1 handling request 4, (1 handled so far)
(4) Received Access-Request Id 0 from [::1]:49449 to [::1]:1812 length 92
(4)   User-Name = "@test.com"
(4)   GSS-Acceptor-Service-Name = "host"
(4)   GSS-Acceptor-Host-Name = "localhost"
(4)   EAP-Message = 0x020400061500
(4)   State = 0xfd36b1f7fe32a4c205ae4e5b7f137f5f
(4)   Message-Authenticator = 0x801f80954e5e06dd0f234414056870a9
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(4)   authorize {
(4)     policy filter_username {
(4)       if (&User-Name) {
(4)       if (&User-Name)  -> TRUE
(4)       if (&User-Name)  {
(4)         if (&User-Name =~ / /) {
(4)         if (&User-Name =~ / /)  -> FALSE
(4)         if (&User-Name =~ /@[^@]*@/ ) {
(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(4)         if (&User-Name =~ /\.\./ ) {
(4)         if (&User-Name =~ /\.\./ )  -> FALSE
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(4)         if (&User-Name =~ /\.$/)  {
(4)         if (&User-Name =~ /\.$/)   -> FALSE
(4)         if (&User-Name =~ /@\./)  {
(4)         if (&User-Name =~ /@\./)   -> FALSE
(4)       } # if (&User-Name)  = notfound
(4)     } # policy filter_username = notfound
(4)     [preprocess] = ok
(4)     [chap] = noop
(4)     [mschap] = noop
(4)     [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: Looking up realm "test.com" for User-Name = "@test.com"
(4) suffix: Found realm "test.com"
(4) suffix: Adding Stripped-User-Name = ""
(4) suffix: Adding Realm = "test.com"
(4) suffix: Authentication realm is LOCAL
(4)     [suffix] = ok
(4) eap: Peer sent EAP Response (code 2) ID 4 length 6
(4) eap: Continuing tunnel setup
(4)     [eap] = ok
(4)   } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4)   authenticate {
(4) eap: Expiring EAP session with state 0xfd36b1f7fe32a4c2
(4) eap: Finished EAP session with state 0xfd36b1f7fe32a4c2
(4) eap: Previous EAP request found for state 0xfd36b1f7fe32a4c2, released from the list
(4) eap: Peer sent packet with method EAP TTLS (21)
(4) eap: Calling submodule eap_ttls to process data
(4) eap_ttls: Authenticate
(4) eap_ttls: Continuing EAP-TLS
(4) eap_ttls: Peer ACKed our handshake fragment
(4) eap_ttls: [eaptls verify] = request
(4) eap_ttls: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 5 length 317
(4) eap: EAP session adding &reply:State = 0xfd36b1f7f933a4c2
(4)     [eap] = handled
(4)   } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4)   Challenge { ... } # empty sub-section is ignored
(4) Sent Access-Challenge Id 0 from [::1]:1812 to [::1]:49449 length 0
(4)   EAP-Message = 0x0105013d15800000051599b64d3136a68c221dc7fd990b97ff5e49419315069f43d4bbfa3c9fd62669a9f6f0551ed9776f5415186f03129ffe83e450589b3f7d5978f00509e7a1131f66f383173416819d57bb911842a0faa0f57c088f3bb519bdd5adaba1dfa4a6b587eea9ed988022f4d5bbcd8ae411
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   State = 0xfd36b1f7f933a4c205ae4e5b7f137f5f
(4) Finished request
Thread 1 waiting to be assigned a request
(4) Cleaning up request packet ID 0 with timestamp +1
Waking up in 0.3 seconds.
Thread 5 got semaphore
Thread 5 handling request 5, (2 handled so far)
(5) Received Access-Request Id 0 from [::1]:49449 to [::1]:1812 length 166
(5)   User-Name = "@test.com"
(5)   GSS-Acceptor-Service-Name = "host"
(5)   GSS-Acceptor-Host-Name = "localhost"
(5)   EAP-Message = 0x0205005015001703030045b06ae2402a7c36af3fc98ea1a26822b394174f1601174c695d841f75081f0e4af284ca2e08ba9020b0f320acee0b7afd14b6797f794efb258ce58e385b5629f39934271b17
(5)   State = 0xfd36b1f7f933a4c205ae4e5b7f137f5f
(5)   Message-Authenticator = 0x44eae8eea81f9658dc7980263cf5a05c
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(5)   authorize {
(5)     policy filter_username {
(5)       if (&User-Name) {
(5)       if (&User-Name)  -> TRUE
(5)       if (&User-Name)  {
(5)         if (&User-Name =~ / /) {
(5)         if (&User-Name =~ / /)  -> FALSE
(5)         if (&User-Name =~ /@[^@]*@/ ) {
(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)         if (&User-Name =~ /\.\./ ) {
(5)         if (&User-Name =~ /\.\./ )  -> FALSE
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(5)         if (&User-Name =~ /\.$/)  {
(5)         if (&User-Name =~ /\.$/)   -> FALSE
(5)         if (&User-Name =~ /@\./)  {
(5)         if (&User-Name =~ /@\./)   -> FALSE
(5)       } # if (&User-Name)  = notfound
(5)     } # policy filter_username = notfound
(5)     [preprocess] = ok
(5)     [chap] = noop
(5)     [mschap] = noop
(5)     [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: Looking up realm "test.com" for User-Name = "@test.com"
(5) suffix: Found realm "test.com"
(5) suffix: Adding Stripped-User-Name = ""
(5) suffix: Adding Realm = "test.com"
(5) suffix: Authentication realm is LOCAL
(5)     [suffix] = ok
(5) eap: Peer sent EAP Response (code 2) ID 5 length 80
(5) eap: Continuing tunnel setup
(5)     [eap] = ok
(5)   } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5)   authenticate {
(5) eap: Expiring EAP session with state 0xfd36b1f7f933a4c2
(5) eap: Finished EAP session with state 0xfd36b1f7f933a4c2
(5) eap: Previous EAP request found for state 0xfd36b1f7f933a4c2, released from the list
(5) eap: Peer sent packet with method EAP TTLS (21)
(5) eap: Calling submodule eap_ttls to process data
(5) eap_ttls: Authenticate
(5) eap_ttls: Continuing EAP-TLS
(5) eap_ttls: [eaptls verify] = ok
(5) eap_ttls: Done initial handshake
(5) eap_ttls: <<< recv UNKNOWN TLS VERSION ?0304? [length 0001] 
(5) eap_ttls: TLS_accept: TLSv1.3 early data
(5) eap_ttls: <<< recv UNKNOWN TLS VERSION ?0304? [length 0034] 
(5) eap_ttls: TLS_accept: SSLv3/TLS read finished
(5) eap_ttls: (other): SSLv3/TLS write session ticket
(5) eap_ttls: (other): SSLv3/TLS write session ticket
(5) eap_ttls: >>> send UNKNOWN TLS VERSION ?0304? [length 0001] 
(5) eap_ttls: >>> send UNKNOWN TLS VERSION ?0304? [length 0039] 
(5) eap_ttls: TLS_accept: SSLv3/TLS write session ticket
(5) eap_ttls: (other): SSLv3/TLS write session ticket
(5) eap_ttls: (other): SSLv3/TLS write session ticket
(5) eap_ttls: >>> send UNKNOWN TLS VERSION ?0304? [length 0001] 
(5) eap_ttls: >>> send UNKNOWN TLS VERSION ?0304? [length 0039] 
(5) eap_ttls: TLS_accept: SSLv3/TLS write session ticket
(5) eap_ttls: (other): SSL negotiation finished successfully
(5) eap_ttls: SSL Connection Established
(5) eap_ttls: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 6 length 168
(5) eap: EAP session adding &reply:State = 0xfd36b1f7f830a4c2
(5)     [eap] = handled
(5)   } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5)   Challenge { ... } # empty sub-section is ignored
(5) Sent Access-Challenge Id 0 from [::1]:1812 to [::1]:49449 length 0
(5)   EAP-Message = 0x010600a815800000009e170303004ad8d5fd42ec032a6a657460275abc980fdb56b33e314a309da58ba9df8f7c0cbf659437715f7bd3e899af6ccd6c4f8d3345abb0471cc6a5e1f7377cc8dd6c3f0f04454fc1cda7e3deff89170303004ad02c8ff7ec2d10e5bc0dab38c4d83ead1a5535edefcd60551e
(5)   Message-Authenticator = 0x00000000000000000000000000000000
(5)   State = 0xfd36b1f7f830a4c205ae4e5b7f137f5f
(5) Finished request
Thread 5 waiting to be assigned a request
Waking up in 4.6 seconds.

[alandekok]

FreeRADIUS Version 3.0.17

It may be due to the issue fixed in commit fd803c9. 3.0.17 sometimes complained that TLS 1.3 was unknown, and refused to do TLS 1.3 at all. That patch should fix it.

Try the v3.0.x branch from git. If that works, then the fix is already been triaged and done.

Otherwise, I'll have to find some time to work on this.

[arr2036]

To enable TLS1.3 in eapol_test add this inside network block:

phase1="tls_disable_tlsv1_3=0"

[arr2036]

FWIW in version 4 the server appears to complete negotiation successfully, as in v3.0.x (albeit without the cosmetic issues), and it's still the supplicant (eapol_test) that experiences the error.

(69,63)  Tue Jan 15 15:49:44 2019 : Debug :   eap - <<< recv TLS 1.3, inner_content_type[length 1]
(69,63)  Tue Jan 15 15:49:44 2019 : Debug :   eap - Handshake state [TRCC] - Server SSLv3/TLS read client certificate
(69,63)  Tue Jan 15 15:49:44 2019 : Debug :   eap - <<< recv TLS 1.3, handshake[length 264], certificate_verify
(69,63)  Tue Jan 15 15:49:44 2019 : Debug :   eap - <<< recv TLS 1.3, inner_content_type[length 1]
(69,63)  Tue Jan 15 15:49:44 2019 : Debug :   eap - Handshake state [TRCV] - Server SSLv3/TLS read certificate verify
(69,63)  Tue Jan 15 15:49:44 2019 : Debug :   eap - <<< recv TLS 1.3, handshake[length 52], finished
(69,63)  Tue Jan 15 15:49:44 2019 : Debug :   eap - Handshake state [TRFIN] - Server SSLv3/TLS read finished
(69,63)  Tue Jan 15 15:49:44 2019 : Debug :   eap - Handshake state [TWST] - SSLv3/TLS write session ticket
(69,63)  Tue Jan 15 15:49:44 2019 : Debug :   eap - Handshake state [TWST] - SSLv3/TLS write session ticket
(69,63)  Tue Jan 15 15:49:44 2019 : Debug :   eap - >>> send TLS 1.3, inner_content_type[length 1]
(69,63)  Tue Jan 15 15:49:44 2019 : Debug :   eap - >>> send TLS 1.3, handshake[length 57], new_session_ticket
(69,63)  Tue Jan 15 15:49:44 2019 : Debug :   eap - Handshake state [TWST] - Server SSLv3/TLS write session ticket
(69,63)  Tue Jan 15 15:49:44 2019 : Debug :   eap - Handshake state [TWST] - SSLv3/TLS write session ticket
(69,63)  Tue Jan 15 15:49:44 2019 : Debug :   eap - Handshake state [TWST] - SSLv3/TLS write session ticket
(69,63)  Tue Jan 15 15:49:44 2019 : Debug :   eap - >>> send TLS 1.3, inner_content_type[length 1]
(69,63)  Tue Jan 15 15:49:44 2019 : Debug :   eap - >>> send TLS 1.3, handshake[length 57], new_session_ticket
(69,63)  Tue Jan 15 15:49:44 2019 : Debug :   eap - Handshake state [TWST] - Server SSLv3/TLS write session ticket
(69,63)  Tue Jan 15 15:49:44 2019 : Debug :   eap - Handshake state [SSLOK] - SSL negotiation finished successfully
(69,63)  Tue Jan 15 15:49:44 2019 : Debug :   eap - Cipher suite: TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD

EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=169 method=13 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
TLS - SSL error: error:14231044:SSL routines:tls13_hkdf_expand:internal error
SSL: TLS errors detected
EAP: method process -> ignore=TRUE methodState=MAY_CONT decision=COND_SUCC eapRespData=0x0
EAP: EAP entering state DISCARD
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RECEIVE
EAPOL test timed out
EAPOL: EAP key not available
EAPOL: EAP Session-Id not available
WPA: Clear old PMK and PTK
EAP: deinitialize previously used EAP method (13, TLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 0  mismatch: 1
FAILURE

[arr2036]

Looks like that error is popping up in TOR as well, again with OpenSSL 1.1.1a and TLS 1.3

[arr2036]

Seems to be a fair few conditions that'll generate that error: https://github.com/openssl/openssl/blob/master/ssl/tls13_enc.c#L28

[arr2036]

Only option would be to do a build of OpenSSL with debugging symbols, and trace through tls13_hkdf_expand to see where it fails.

[hartmans]

>>>> "Arran" == Arran Cudbard-Bell ***@***.***> writes:

Arran> Looks like that error is popping up in TOR as well, again Arran> with OpenSSL 1.1.1a and TLS 1.3 TOR and EAP have one significant factor in common that most tls apps do not have: They both have a TLS maximum record size that can be significantly different than the path MTU. I have no idea if this is related.

[arr2036]

Hmm, good point.

Busy today/tomorrow speaking at a conference but will look at this some more on Friday. I'd like to get TLS 1.3 working in FR 4 at least.

[arr2036]

Using wpa_supplicant HEAD, TLS 1.3 is now functional for EAP-TLS with/without session tickets, and EAP-TTLS without session tickets. The remaining issues are with wpa_supplicant.

[arr2036]

Description of technical issue in wpa_supplicant and suggested code fixes is available here: http://lists.infradead.org/pipermail/hostap/2019-January/039418.html

[arr2036]

Fix is pending publication of a document that describes how TTLS and PEAP should function with TLS 1.3.

[fredericve]

This document?

We ran into this because ubuntu bionic clients got updated to openssl version 1.1.1.

[arr2036]

No, that only describes the fix for EAP-TLS, which was already addressed. EAP-TLS is easy because there's no application data that needs to be sent across once the TLS tunnel is established. I think @alandekok is working on something for the other methods. wpa_supplicant should not attempt TLS > 1.2 with EAP-TTLS or EAP-PEAP even with newer versions of OpenSSL. There's no standard for this, it's essentially undefined behaviour. If they are (please provide evidence of this), then you should report this on the hostapd list.

[fredericve]

It seems wpa_supplicant does attempt TLS 1.3. When we recompile openssl with 1.3 disabled, authentication works fine.

[arr2036]

The last time I read though that area of the wpa_supplicant config, there was a note saying it was disabled by default.

https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf

# tls_disable_tlsv1_3=1 - disable use of TLSv1.3 (a workaround for AAA servers
#	that have issues interoperating with updated TLS version)
# tls_disable_tlsv1_3=0 - enable TLSv1.3 (experimental - disabled by default)

I guess it's possible that you may be using an older version of the wpa_supplicant code that doesn't explicitly disable TLS 1.3. In fact... I think I remember running into this issue when I was testing TLS 1.3 compatibility a few months ago.

[arr2036]

Just checked - We explicitly disabled TLS 1.3 in the v3.0.x branch as of the 3.0.18 release back in February. So the issue here is Ubuntu dropped OpenSSL 1.1.1 into Bionic, enabling TLS 1.3, but didn't apply patches to either FreeRADIUS or wpa_supplicant to deal with TLS 1.3.

Your issue is with Ubuntu's packages, not with FreeRADIUS or wpa_supplicant.

[fredericve]

You're absolutely right. Found this launchpad bug but it is also applicable to Ubuntu Bionic since openssl 1.1.1 landed in bionic-updates

[alandekok]

@fredericve

The document in question for TTLS is this: https://tools.ietf.org/html/draft-dekok-emu-tls-eap-types-00

Since 3.0.16, you can set min/max TLS versions in mods-enabled/eap, via:

	#	tls_min_version = "1.0"
	#	tls_max_version = "1.2"

Though the documentation says you can only use 1.0, 1.1, and 1.2, it will also accept 1.3.

There are a few overlapping issues here.

The first issue is that EAP and TLS 1.3 is not yet standardized. So there are no compliant implementations, and no one should be using TLS 1.3 with any EAP method. Which makes most of this discussion moot. "Don't use it, it's unfinished" is a perfectly good response to a bug report of "it doesn't work".

The next issue is that we didn't make provisions for enabling/disabling newer TLS version until we released 3.0.16. The reason is simple: there wasn't a need for it, and TLS 1.3 was "on the horizon".

The final is that the distributions are terrible about upgrading to newer releases of FreeRADIUS. They're often years behind the official releases, with only minor patches. But the TLS patches are ones that are required in this case.

We supply pre-built packages for FreeRADIUS on http://packages.networkradius.com. Your choices are:

1. build FreeRADIUS yourself from source
2. use the pre-build packages from http://packages.networkradius.com
3. Convince the distributions to fix their packages to disable TLS 1.3 in their older versions of FreeRADIUS until such time as the specifications have been published.

[arr2036]

@alandekok ah, ok, yes, looks like there's support for calling SSL_CTX_set_max_proto_version and SSL_CTX_set_min_proto_version, with OpenSSL >= 1.1.0. Thanks for posting on launchpad. I tried, but got errors trying to login with my newly created and validated account.

[metalefty]

This helped me a lot. Thank you for summarizing the background. Restricting TLS version up to 1.2 worked for me.

tls_max_version = "1.2"

[alandekok]

Closing this as it's not a bug. The feature is not yet standardized, and therefore is not yet implemented. This feature is being tracked elsewhere.

[spaceone]

Closing this as it's not a bug. The feature is not yet standardized, and therefore is not yet implemented. This feature is being tracked elsewhere.

where is it tracked?

[alandekok]

@spaceone If you look at the dates, this PR is from over three years ago. Since then, the relevant RFCs have been published, and FreeRADIUS has had multiple releases which document that it does TLS 1.3.

[spaceone]

@spaceone If you look at the dates, this PR is from over three years ago. Since then, the relevant RFCs have been published, and FreeRADIUS has had multiple releases which document that it does TLS 1.3.

OK, i found #3516
#4983 (comment) says 3.2.2 supports OpenSSL3 and TLS 1.3.
The releases are:

https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_0_20

Note that tls_min_version/tls_max_version also support "1.3". Since there is no standard yet for EAP with TLS 1.3, it will not work.

https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_0_23

Added many warning messages about using TLS 1.3 with EAP. In short, don't use it. Microsoft will support it in fall 2021.

https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_0_26

Support PEAP and TTLS with TLS 1.3. This has been tested with wpa_supplicant and Windows 11.

https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_2_2

Make TTLS+MS-CHAP work with TLS 1.3. Fixes #4878.

So it seems I just need 3.0.26. Thanks.