Merge pull request #6773 from inverse-inc/fix/6766

Fix/6766
inverse-inc · Dec 24, 2021 · 41240c6 · 41240c6
2 parents 9620a50 + a5803cf
commit 41240c6
Show file tree

Hide file tree

Showing 7 changed files with 49 additions and 12 deletions.
diff --git a/conf/radiusd/eap.conf.example b/conf/radiusd/eap.conf.example
@@ -268,11 +268,8 @@ eap [% key -%] {
         # in "man 1 ciphers".
         cipher_list = "[% eap.$key.tls.$tls.cipher_list %]"
 
-        # Work-arounds for OpenSSL nonsense
-        # OpenSSL 1.0.1f and 1.0.1g do not calculate
-        # the EAP keys correctly.  The fix is to upgrade
-        # OpenSSL, or disable TLS 1.2 here. 
-#       disable_tlsv1_2 = no
+        tls_min_version = "[% eap.$key.tls.$tls.tls_min_version %]"
+        tls_max_version = "[% eap.$key.tls.$tls.tls_max_version %]"
 
         #
 

diff --git a/conf/radiusd/tls.conf.defaults b/conf/radiusd/tls.conf.defaults
@@ -4,7 +4,8 @@ dh_file = ${certdir}/dh
 ca_path = ${cadir}
 cipher_list = DEFAULT
 ecdh_curve = prime256v1
-disable_tlsv1_2 = yes
+tls_min_version = 1.2
+tls_max_version = 1.2
 ocsp=default
 
 [tls-eap-fast]
@@ -13,5 +14,6 @@ dh_file = ${certdir}/dh
 ca_path = ${cadir}
 cipher_list = ALL:!EXPORT:!eNULL:!SSLv2
 ecdh_curve = prime256v1
-disable_tlsv1_2 = yes
+tls_min_version = 1.2
+tls_max_version = 1.2
 ocsp=default
diff --git a/docs/PacketFence_Upgrade_Guide.asciidoc b/docs/PacketFence_Upgrade_Guide.asciidoc
@@ -1681,6 +1681,14 @@ The `pf-maint.pl` script used to get maintenance patches has been deprecated. Yo
 
 The WMI scan engines have been deprecated. If you previously used these scan engines, you should migrate to other scan engines.
 
+=== TLS 1.0 and 1.1 are disabled by default in FreeRADIUS
+
+TLS 1.0 and TLS 1.1 are now disabled by default. If you still have supplicants
+using theses protocols, you should move to TLS 1.2. If it's not possible, you
+can adjust `TLS Minimum version` in _Configuration -> System configuration ->
+RADIUS -> TLS profiles_.
+
+
 == Upgrading from a version prior to 11.1.0
 
 

diff --git a/html/pfappserver/lib/pfappserver/Form/Config/Radiusd/TLSProfile.pm b/html/pfappserver/lib/pfappserver/Form/Config/Radiusd/TLSProfile.pm
@@ -15,6 +15,7 @@ use warnings;
 use HTML::FormHandler::Moose;
 use pf::ConfigStore::Radiusd::OCSPProfile;
 use pf::ConfigStore::SSLCertificate;
+use pf::radius::constants;
 extends 'pfappserver::Base::Form';
 with qw(pfappserver::Base::Form::Role::Help);
 ## Definition
@@ -59,6 +60,17 @@ has_field disable_tlsv1_2 => (
         default         => 'no',
 );
 
+has_field tls_min_version => (
+    type => 'Select',
+    options_method => \&options_tls_version,
+);
+
+has_field tls_max_version => (
+    type => 'Select',
+    options_method => \&options_tls_version,
+);
+
+
 sub options_certificate_profile {
     return  map { { value => $_, label => $_ } } @{pf::ConfigStore::SSLCertificate->new->readAllIds};
 }
@@ -67,6 +79,10 @@ sub options_ocsp {
     return  map { { value => $_, label => $_ } } @{pf::ConfigStore::Radiusd::OCSPProfile->new->readAllIds};
 }
 
+sub options_tls_version {
+    return map { { value => $_, label => $_ } } @{RADIUS::TLS_VERSIONS};
+}
+
 =head1 AUTHOR
 
 Inverse inc. <info@inverse.ca>

diff --git a/html/pfappserver/root/src/views/Configuration/radius/tls/_components/TheForm.vue b/html/pfappserver/root/src/views/Configuration/radius/tls/_components/TheForm.vue
@@ -30,8 +30,12 @@
       :column-label="$i18n.t('ECDH Curve')"
     />
 
-    <form-group-disable-tlsv12 namespace="disable_tlsv1_2"
-      :column-label="$i18n.t('Disable TLSv1.2')"
+    <form-group-tls-min-version namespace="tls_min_version"
+      :column-label="$i18n.t('TLS Minimum version')"
+    />
+
+    <form-group-tls-max-version namespace="tls_max_version"
+      :column-label="$i18n.t('TLS Maximum version')"
     />
 
     <form-group-ocsp namespace="ocsp"
@@ -52,7 +56,8 @@ import {
   FormGroupCaPath,
   FormGroupCipherList,
   FormGroupEcdhCurve,
-  FormGroupDisableTlsv12,
+  FormGroupTlsMinVersion,
+  FormGroupTlsMaxVersion,
   FormGroupOcsp
 } from './'
 
@@ -65,7 +70,8 @@ const components = {
   FormGroupCaPath,
   FormGroupCipherList,
   FormGroupEcdhCurve,
-  FormGroupDisableTlsv12,
+  FormGroupTlsMinVersion,
+  FormGroupTlsMaxVersion,
   FormGroupOcsp
 }
 

diff --git a/html/pfappserver/root/src/views/Configuration/radius/tls/_components/index.js b/html/pfappserver/root/src/views/Configuration/radius/tls/_components/index.js
@@ -20,7 +20,8 @@ export {
   BaseFormGroupInput              as FormGroupCaPath,
   BaseFormGroupInput              as FormGroupCipherList,
   BaseFormGroupInput              as FormGroupEcdhCurve,
-  BaseFormGroupToggleNoYesDefault as FormGroupDisableTlsv12,
+  BaseFormGroupChosenOne          as FormGroupTlsMinVersion,
+  BaseFormGroupChosenOne          as FormGroupTlsMaxVersion,
   BaseFormGroupChosenOne          as FormGroupOcsp,
 
   BaseViewCollectionItem          as BaseView,

diff --git a/lib/pf/radius/constants.pm b/lib/pf/radius/constants.pm
@@ -160,6 +160,13 @@ Readonly::Hash our %NAS_port_type => (
     36 => "PPPoEoQinQ",
 );
 
+=item TLS Versions
+
+Define all the TLS versions we can use
+
+=cut
+
+Readonly::Array our @TLS_VERSIONS => qw(1.0 1.1 1.2 1.3);
 
 package ACCOUNTING;