New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ttls fails with TLS 1.3 (openssl 1.1.1) #2385
Comments
It's possible to set up multiple EAP modules and/or multiple I'd prefer to use those as work-arounds instead of coming up with fixes specific for TTLS. That gives a bit of breathing room, which lets us figure out why TTLS session tickets have issues with TLS 1.3. From what I can tell, there's nothing specific in TTLS that interacts with TLS 1.3. The session tickets should just be part of the TLS exchange, and therefore completely invisible to TTLS. |
So, the problem with using config changes is that administrators tend to
get a radius config that works and not take changes to it from their
packaging.
So, for someone like Debian:
1) If we include it in the config, then people will get stuck at TLS 1.2
well after it's no longer necessary.
2) Conversly, other people will upgrade and it will break because they
didn't change their config.
But you can certainly argue that's the problem of people foolish enough
to try and package freeradius:-)
Would logs be helpful here or can you already reproduce this?
|
Any work-around involves technical debt. I'd prefer to do root cause analysis where possible. It's possible to have a short patch to TTLS that hard-codes TLS 1.2 as the maximum version, via something like this:
That can be a temporary work-around. I'd prefer to get logs, etc. to fix the underlying problem. I haven't tried reproducing it locally, and it will be a bit before I have time for that. |
Here's client side logs
|
And here is freeradius logs from the same run:
...
|
It may be due to the issue fixed in commit fd803c9. 3.0.17 sometimes complained that TLS 1.3 was unknown, and refused to do TLS 1.3 at all. That patch should fix it. Try the v3.0.x branch from git. If that works, then the fix is already been triaged and done. Otherwise, I'll have to find some time to work on this. |
To enable TLS1.3 in eapol_test add this inside network block:
|
FWIW in version 4 the server appears to complete negotiation successfully, as in v3.0.x (albeit without the cosmetic issues), and it's still the supplicant (eapol_test) that experiences the error.
|
Looks like that error is popping up in TOR as well, again with OpenSSL 1.1.1a and TLS 1.3 |
Seems to be a fair few conditions that'll generate that error: https://github.com/openssl/openssl/blob/master/ssl/tls13_enc.c#L28 |
Only option would be to do a build of OpenSSL with debugging symbols, and trace through tls13_hkdf_expand to see where it fails. |
>>>> "Arran" == Arran Cudbard-Bell ***@***.***> writes:
Arran> Looks like that error is popping up in TOR as well, again
Arran> with OpenSSL 1.1.1a and TLS 1.3
TOR and EAP have one significant factor in common that most tls apps do
not have:
They both have a TLS maximum record size that can be significantly
different than the path MTU.
I have no idea if this is related.
|
Hmm, good point. Busy today/tomorrow speaking at a conference but will look at this some more on Friday. I'd like to get TLS 1.3 working in FR 4 at least. |
Using wpa_supplicant HEAD, TLS 1.3 is now functional for EAP-TLS with/without session tickets, and EAP-TTLS without session tickets. The remaining issues are with wpa_supplicant. |
Description of technical issue in wpa_supplicant and suggested code fixes is available here: http://lists.infradead.org/pipermail/hostap/2019-January/039418.html |
Fix is pending publication of a document that describes how TTLS and PEAP should function with TLS 1.3. |
We ran into this because ubuntu bionic clients got updated to openssl version 1.1.1. |
No, that only describes the fix for EAP-TLS, which was already addressed. EAP-TLS is easy because there's no application data that needs to be sent across once the TLS tunnel is established. I think @alandekok is working on something for the other methods. wpa_supplicant should not attempt TLS > 1.2 with EAP-TTLS or EAP-PEAP even with newer versions of OpenSSL. There's no standard for this, it's essentially undefined behaviour. If they are (please provide evidence of this), then you should report this on the hostapd list. |
It seems wpa_supplicant does attempt TLS 1.3. When we recompile openssl with 1.3 disabled, authentication works fine. |
The last time I read though that area of the wpa_supplicant config, there was a note saying it was disabled by default. https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf
I guess it's possible that you may be using an older version of the wpa_supplicant code that doesn't explicitly disable TLS 1.3. In fact... I think I remember running into this issue when I was testing TLS 1.3 compatibility a few months ago. |
Just checked - We explicitly disabled TLS 1.3 in the v3.0.x branch as of the 3.0.18 release back in February. So the issue here is Ubuntu dropped OpenSSL 1.1.1 into Bionic, enabling TLS 1.3, but didn't apply patches to either FreeRADIUS or wpa_supplicant to deal with TLS 1.3. Your issue is with Ubuntu's packages, not with FreeRADIUS or wpa_supplicant. |
You're absolutely right. Found this launchpad bug but it is also applicable to Ubuntu Bionic since openssl 1.1.1 landed in bionic-updates |
The document in question for TTLS is this: https://tools.ietf.org/html/draft-dekok-emu-tls-eap-types-00 Since 3.0.16, you can set min/max TLS versions in
Though the documentation says you can only use There are a few overlapping issues here. The first issue is that EAP and TLS 1.3 is not yet standardized. So there are no compliant implementations, and no one should be using TLS 1.3 with any EAP method. Which makes most of this discussion moot. "Don't use it, it's unfinished" is a perfectly good response to a bug report of "it doesn't work". The next issue is that we didn't make provisions for enabling/disabling newer TLS version until we released 3.0.16. The reason is simple: there wasn't a need for it, and TLS 1.3 was "on the horizon". The final is that the distributions are terrible about upgrading to newer releases of FreeRADIUS. They're often years behind the official releases, with only minor patches. But the TLS patches are ones that are required in this case. We supply pre-built packages for FreeRADIUS on http://packages.networkradius.com. Your choices are:
|
@alandekok ah, ok, yes, looks like there's support for calling SSL_CTX_set_max_proto_version and SSL_CTX_set_min_proto_version, with OpenSSL >= 1.1.0. Thanks for posting on launchpad. I tried, but got errors trying to login with my newly created and validated account. |
This helped me a lot. Thank you for summarizing the background. Restricting TLS version up to 1.2 worked for me.
|
Closing this as it's not a bug. The feature is not yet standardized, and therefore is not yet implemented. This feature is being tracked elsewhere. |
We are currently using freeradius version 3.0.17, which wasn't developed with full tls v3 support. The behaviour for eap and tls v3 was still undefined. The problem is that our openssl version 1.1.1 does negotiate tls v3, so we need to explicitly disable it in freeradius. FreeRADIUS/freeradius-server#2385
We are currently using freeradius version 3.0.17, which wasn't developed with full tls v3 support. The behaviour for eap and tls v3 was still undefined. The problem is that our openssl version 1.1.1 does negotiate tls v3, so we need to explicitly disable it in freeradius. FreeRADIUS/freeradius-server#2385
We are currently using freeradius version 3.0.17, which wasn't developed with full tls v3 support. The behaviour for eap and tls v3 was still undefined. The problem is that our openssl version 1.1.1 does negotiate tls v3, so we need to explicitly disable it in freeradius. FreeRADIUS/freeradius-server#2385
We are currently using freeradius version 3.0.17, which wasn't developed with full tls v3 support. The behaviour for eap and tls v3 was still undefined. The problem is that our openssl version 1.1.1 does negotiate tls v3, so we need to explicitly disable it in freeradius. FreeRADIUS/freeradius-server#2385 This commit adds a UCR variable: "freeradius/conf/tls_max_version" with the default value "1.2".
We are currently using freeradius version 3.0.17, which wasn't developed with full tls v3 support. The behaviour for eap and tls v3 was still undefined. The problem is that our openssl version 1.1.1 does negotiate tls v3, so we need to explicitly disable it in freeradius. FreeRADIUS/freeradius-server#2385 This commit adds a UCR variable: "freeradius/conf/tls_max_version" with the default value "1.2".
We are currently using freeradius version 3.0.17, which wasn't developed with full tls v3 support. The behaviour for eap and tls v3 was still undefined. The problem is that our openssl version 1.1.1 does negotiate tls v3, so we need to explicitly disable it in freeradius. FreeRADIUS/freeradius-server#2385 This commit adds a UCR variable: "freeradius/conf/tls_max_version" with the default value "1.2".
We are currently using freeradius version 3.0.17, which wasn't developed with full tls v3 support. The behaviour for eap and tls v3 was still undefined. The problem is that our openssl version 1.1.1 does negotiate tls v3, so we need to explicitly disable it in freeradius. FreeRADIUS/freeradius-server#2385 This commit adds a UCR variable: "freeradius/conf/tls_max_version" with the default value "1.2".
We are currently using freeradius version 3.0.17, which wasn't developed with full tls v3 support. The behaviour for eap and tls v3 was still undefined. The problem is that our openssl version 1.1.1 does negotiate tls v3, so we need to explicitly disable it in freeradius. FreeRADIUS/freeradius-server#2385 This commit adds a UCR variable: "freeradius/conf/tls_max_version" with the default value "1.2".
We are currently using freeradius version 3.0.17, which wasn't developed with full tls v3 support. The behaviour for eap and tls v3 was still undefined. The problem is that our openssl version 1.1.1 does negotiate tls v3, so we need to explicitly disable it in freeradius. FreeRADIUS/freeradius-server#2385 This commit adds a UCR variable: "freeradius/conf/tls_max_version" with the default value "1.2".
We are currently using freeradius version 3.0.17, which wasn't developed with full tls v3 support. The behaviour for eap and tls v3 was still undefined. The problem is that our openssl version 1.1.1 does negotiate tls v3, so we need to explicitly disable it in freeradius. FreeRADIUS/freeradius-server#2385 This commit adds a UCR variable: "freeradius/conf/tls_max_version" with the default value "1.2".
We are currently using freeradius version 3.0.17, which wasn't developed with full tls v3 support. The behaviour for eap and tls v3 was still undefined. The problem is that our openssl version 1.1.1 does negotiate tls v3, so we need to explicitly disable it in freeradius. FreeRADIUS/freeradius-server#2385 This commit adds a UCR variable: "freeradius/conf/tls_max_version" with the default value "1.2".
We are currently using freeradius version 3.0.17, which wasn't developed with full tls v3 support. The behaviour for eap and tls v3 was still undefined. The problem is that our openssl version 1.1.1 does negotiate tls v3, so we need to explicitly disable it in freeradius. FreeRADIUS/freeradius-server#2385 This commit adds a UCR variable: "freeradius/conf/tls_max_version" with the default value "1.2".
We are currently using freeradius version 3.0.17, which wasn't developed with full tls v3 support. The behaviour for eap and tls v3 was still undefined. The problem is that our openssl version 1.1.1 does negotiate tls v3, so we need to explicitly disable it in freeradius. FreeRADIUS/freeradius-server#2385 This commit adds a UCR variable: "freeradius/conf/tls_max_version" with the default value "1.2".
We are currently using freeradius version 3.0.17, which wasn't developed with full tls v3 support. The behaviour for eap and tls v3 was still undefined. The problem is that our openssl version 1.1.1 does negotiate tls v3, so we need to explicitly disable it in freeradius. FreeRADIUS/freeradius-server#2385 This commit adds a UCR variable: "freeradius/conf/tls_max_version" with the default value "1.2".
where is it tracked? |
@spaceone If you look at the dates, this PR is from over three years ago. Since then, the relevant RFCs have been published, and FreeRADIUS has had multiple releases which document that it does TLS 1.3. |
OK, i found #3516 https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_0_20
https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_0_23
https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_0_26
https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_2_2
So it seems I just need |
Issue type
REMOVE THOSE WHICH DO NOT APPLY
See here for debugging instructions and how to obtain backtraces.
Defect
How to reproduce the issue
I was putting together automated tests for moonshot-gss-eap in Debian accidentally ended up running with OpenSSL 1.1.1 and without specifying either a minimum or maximum tls version in mods-available/eap.
TLS 1.3 ended up getting selected, and freeradius produced a tls session ticket that moonshot was unable to decrypt at the TLS layer.
Using TLS 1.2 worked fine.
I was several layers deep in trying to get things done, and didn't capture very good logs, but since it was writing automated tests, reproducing from the test suite is easy to do.
My suspicion is that ttls is just broken with TLS 1.3, but if you think it is more complex than that I'm happy to provide logs.
If it is broken, it would be really nice to get a patch that caps out tls at 1.2 at least for ttls. It would be best not to cap it out for other things because for example it seems like tls 1.3 would be quite helpful for radsec.
The text was updated successfully, but these errors were encountered: