From 10d86b5ad9c4e1017a066a8d0f75fc85dd3df95f Mon Sep 17 00:00:00 2001 From: Durand Fabrice Date: Tue, 14 Dec 2021 10:21:51 -0500 Subject: [PATCH 1/5] Make tls_min_version and tls_max_version configureable --- conf/radiusd/eap.conf.example | 5 ++++- conf/radiusd/tls.conf.defaults | 2 ++ .../pfappserver/Form/Config/Radiusd/TLSProfile.pm | 15 +++++++++++++++ .../radius/tls/_components/TheForm.vue | 12 ++++++++++++ .../Configuration/radius/tls/_components/index.js | 2 ++ 5 files changed, 35 insertions(+), 1 deletion(-) diff --git a/conf/radiusd/eap.conf.example b/conf/radiusd/eap.conf.example index 6cf1ade9094b..ab1118494475 100644 --- a/conf/radiusd/eap.conf.example +++ b/conf/radiusd/eap.conf.example @@ -272,7 +272,10 @@ eap [% key -%] { # OpenSSL 1.0.1f and 1.0.1g do not calculate # the EAP keys correctly. The fix is to upgrade # OpenSSL, or disable TLS 1.2 here. -# disable_tlsv1_2 = no + disable_tlsv1_2 = "[% eap.$key.tls.$tls.disable_tlsv1_2 %]" + + tls_min_version = "[% eap.$key.tls.$tls.tls_min_version %]" + tls_max_version = "[% eap.$key.tls.$tls.tls_max_version %]" # diff --git a/conf/radiusd/tls.conf.defaults b/conf/radiusd/tls.conf.defaults index 819d04ddf046..3c2e1f65a914 100644 --- a/conf/radiusd/tls.conf.defaults +++ b/conf/radiusd/tls.conf.defaults @@ -5,6 +5,8 @@ ca_path = ${cadir} cipher_list = DEFAULT ecdh_curve = prime256v1 disable_tlsv1_2 = yes +tls_min_version = 1.0 +tls_max_version = 1.2 ocsp=default [tls-eap-fast] diff --git a/html/pfappserver/lib/pfappserver/Form/Config/Radiusd/TLSProfile.pm b/html/pfappserver/lib/pfappserver/Form/Config/Radiusd/TLSProfile.pm index 5cc4720fa273..ae4fff2db04e 100644 --- a/html/pfappserver/lib/pfappserver/Form/Config/Radiusd/TLSProfile.pm +++ b/html/pfappserver/lib/pfappserver/Form/Config/Radiusd/TLSProfile.pm 
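Review bot: The new `tls_min_version` / `tls_max_version` lines emit the profile value verbatim, so a TLS profile stored before these keys existed renders `tls_min_version = ""` unless the config store merges tls.conf.defaults into every profile before the template runs; that merge is not visible in this series, so it should be confirmed, or the template should skip the line when the key is empty (`[% IF eap.$key.tls.$tls.tls_min_version %]` … `[% END %]`). Activating `disable_tlsv1_2` in the same hunk, while tls.conf.defaults still carries `disable_tlsv1_2 = yes` (context in the next hunk), presumably makes the default profile refuse TLS 1.2 even though it sets `tls_max_version = 1.2`, leaving only 1.0/1.1 negotiable until the second patch drops the key. The enclosing `eap [% key -%] {` block starts and ends outside the hunk.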
@@ -59,6 +59,17 @@ has_field disable_tlsv1_2 => ( default => 'no', ); +has_field tls_min_version => ( + type => 'Select', + options_method => \&options_tls_version, +); + +has_field tls_max_version => ( + type => 'Select', + options_method => \&options_tls_version, +); + + sub options_certificate_profile { return map { { value => $_, label => $_ } } @{pf::ConfigStore::SSLCertificate->new->readAllIds}; } @@ -67,6 +78,10 @@ sub options_ocsp { return map { { value => $_, label => $_ } } @{pf::ConfigStore::Radiusd::OCSPProfile->new->readAllIds}; } +sub options_tls_version { + return map { { value => $_, label => $_ } } qw(1.0 1.1 1.2 1.3); +} + =head1 AUTHOR Inverse inc. diff --git a/html/pfappserver/root/src/views/Configuration/radius/tls/_components/TheForm.vue b/html/pfappserver/root/src/views/Configuration/radius/tls/_components/TheForm.vue index 6880a7287720..98d4fa32e047 100644 --- a/html/pfappserver/root/src/views/Configuration/radius/tls/_components/TheForm.vue +++ b/html/pfappserver/root/src/views/Configuration/radius/tls/_components/TheForm.vue @@ -34,6 +34,14 @@ :column-label="$i18n.t('Disable TLSv1.2')" /> + + + + @@ -53,6 +61,8 @@ import { FormGroupCipherList, FormGroupEcdhCurve, FormGroupDisableTlsv12, + FormGroupTlsMinVersion, + FormGroupTlsMaxVersion, FormGroupOcsp } from './' @@ -66,6 +76,8 @@ const components = { FormGroupCipherList, FormGroupEcdhCurve, FormGroupDisableTlsv12, + FormGroupTlsMinVersion, + FormGroupTlsMaxVersion, FormGroupOcsp } diff --git a/html/pfappserver/root/src/views/Configuration/radius/tls/_components/index.js b/html/pfappserver/root/src/views/Configuration/radius/tls/_components/index.js index e8337670099b..c796f24cddf9 100644 --- a/html/pfappserver/root/src/views/Configuration/radius/tls/_components/index.js +++ b/html/pfappserver/root/src/views/Configuration/radius/tls/_components/index.js 
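Review bot: The two new Select fields are independent, so the form will save `tls_min_version = 1.3` together with `tls_max_version = 1.0` and the mistake only surfaces when radiusd presumably refuses the generated eap.conf, not at save time; unlike `disable_tlsv1_2` just above, neither field carries a `default` either. A form-level `validate` that compares the two selections by their position in the option list and calls `add_error` on `tls_min_version` would catch this in the UI; the same gap remains after the `options_tls_version` rewrite in the fourth patch, where the list moves to `@RADIUS::TLS_VERSIONS`. If `pfappserver::Base::Form` already defines `validate`, hook the check with a method modifier instead of overriding it.
```perl
# Cross-field check: the selected minimum may not exceed the maximum.
sub validate {
    my ($self) = @_;
    my $min = $self->field('tls_min_version')->value;
    my $max = $self->field('tls_max_version')->value;
    return unless defined $min && defined $max;
    my @versions = qw(1.0 1.1 1.2 1.3);    # same order as options_tls_version
    my %rank_of  = map { $versions[$_] => $_ } 0 .. $#versions;
    return unless exists $rank_of{$min} && exists $rank_of{$max};
    if ($rank_of{$min} > $rank_of{$max}) {
        $self->field('tls_min_version')->add_error('TLS minimum version must not exceed the maximum version');
    }
    return;
}
# … unchanged: options_certificate_profile, options_ocsp, options_tls_version …
```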
@@ -21,6 +21,8 @@ export { BaseFormGroupInput as FormGroupCipherList, BaseFormGroupInput as FormGroupEcdhCurve, BaseFormGroupToggleNoYesDefault as FormGroupDisableTlsv12, + BaseFormGroupChosenOne as FormGroupTlsMinVersion, + BaseFormGroupChosenOne as FormGroupTlsMaxVersion, BaseFormGroupChosenOne as FormGroupOcsp, BaseViewCollectionItem as BaseView, From fd6b81899fe8f2b7fbd7d044c207fc473d4855ef Mon Sep 17 00:00:00 2001 From: Durand Fabrice Date: Tue, 14 Dec 2021 10:35:54 -0500 Subject: [PATCH 2/5] Deprecate disable_tlsv1_2 --- conf/radiusd/eap.conf.example | 6 ------ conf/radiusd/tls.conf.defaults | 2 -- .../views/Configuration/radius/tls/_components/TheForm.vue | 6 ------ .../src/views/Configuration/radius/tls/_components/index.js | 1 - 4 files changed, 15 deletions(-) diff --git a/conf/radiusd/eap.conf.example b/conf/radiusd/eap.conf.example index ab1118494475..8b2cd6ee440b 100644 --- a/conf/radiusd/eap.conf.example +++ b/conf/radiusd/eap.conf.example @@ -268,12 +268,6 @@ eap [% key -%] { # in "man 1 ciphers". cipher_list = "[% eap.$key.tls.$tls.cipher_list %]" - # Work-arounds for OpenSSL nonsense - # OpenSSL 1.0.1f and 1.0.1g do not calculate - # the EAP keys correctly. The fix is to upgrade - # OpenSSL, or disable TLS 1.2 here. - disable_tlsv1_2 = "[% eap.$key.tls.$tls.disable_tlsv1_2 %]" - tls_min_version = "[% eap.$key.tls.$tls.tls_min_version %]" tls_max_version = "[% eap.$key.tls.$tls.tls_max_version %]" diff --git a/conf/radiusd/tls.conf.defaults b/conf/radiusd/tls.conf.defaults index 3c2e1f65a914..dab7e155b4ea 100644 --- a/conf/radiusd/tls.conf.defaults +++ b/conf/radiusd/tls.conf.defaults @@ -4,7 +4,6 @@ dh_file = ${certdir}/dh ca_path = ${cadir} cipher_list = DEFAULT ecdh_curve = prime256v1 -disable_tlsv1_2 = yes tls_min_version = 1.0 tls_max_version = 1.2 ocsp=default @@ -15,5 +14,4 @@ dh_file = ${certdir}/dh ca_path = ${cadir} cipher_list = ALL:!EXPORT:!eNULL:!SSLv2 ecdh_curve = prime256v1 -disable_tlsv1_2 = yes ocsp=default 
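Review bot: The `disable_tlsv1_2` key is dropped from the eap.conf template, from both sections of tls.conf.defaults and from the UI, but `has_field disable_tlsv1_2` in TLSProfile.pm (visible as context in the first patch and untouched by the later TLSProfile.pm hunk) survives, so the API still accepts and stores a value that nothing renders any more. Either remove the field in this commit or mark it in the form with `# Deprecated: no longer rendered in eap.conf; kept only so stored profiles still validate.` so the silent no-op is clearly intentional. As far as the template shows, the key never took effect before this series (the line was commented out as `# disable_tlsv1_2 = no`), so dropping it changes nothing for deployed profiles; the stale form field is the only leftover.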
diff --git a/html/pfappserver/root/src/views/Configuration/radius/tls/_components/TheForm.vue b/html/pfappserver/root/src/views/Configuration/radius/tls/_components/TheForm.vue index 98d4fa32e047..c5c851a3b6f1 100644 --- a/html/pfappserver/root/src/views/Configuration/radius/tls/_components/TheForm.vue +++ b/html/pfappserver/root/src/views/Configuration/radius/tls/_components/TheForm.vue @@ -30,10 +30,6 @@ :column-label="$i18n.t('ECDH Curve')" /> - - @@ -60,7 +56,6 @@ import { FormGroupCaPath, FormGroupCipherList, FormGroupEcdhCurve, - FormGroupDisableTlsv12, FormGroupTlsMinVersion, FormGroupTlsMaxVersion, FormGroupOcsp @@ -75,7 +70,6 @@ const components = { FormGroupCaPath, FormGroupCipherList, FormGroupEcdhCurve, - FormGroupDisableTlsv12, FormGroupTlsMinVersion, FormGroupTlsMaxVersion, FormGroupOcsp diff --git a/html/pfappserver/root/src/views/Configuration/radius/tls/_components/index.js b/html/pfappserver/root/src/views/Configuration/radius/tls/_components/index.js index c796f24cddf9..dd0be82be3ee 100644 --- a/html/pfappserver/root/src/views/Configuration/radius/tls/_components/index.js +++ b/html/pfappserver/root/src/views/Configuration/radius/tls/_components/index.js @@ -20,7 +20,6 @@ export { BaseFormGroupInput as FormGroupCaPath, BaseFormGroupInput as FormGroupCipherList, BaseFormGroupInput as FormGroupEcdhCurve, - BaseFormGroupToggleNoYesDefault as FormGroupDisableTlsv12, BaseFormGroupChosenOne as FormGroupTlsMinVersion, BaseFormGroupChosenOne as FormGroupTlsMaxVersion, BaseFormGroupChosenOne as FormGroupOcsp, From 5123631862662f2976c4a48b1dfee9eb22669797 Mon Sep 17 00:00:00 2001 From: Durand Fabrice Date: Tue, 14 Dec 2021 10:44:46 -0500 Subject: [PATCH 3/5] Set tls version for tls-fast --- conf/radiusd/tls.conf.defaults | 2 ++ 1 file changed, 2 insertions(+) diff --git a/conf/radiusd/tls.conf.defaults b/conf/radiusd/tls.conf.defaults index dab7e155b4ea..e052bad9a8f5 100644 --- a/conf/radiusd/tls.conf.defaults +++ b/conf/radiusd/tls.conf.defaults 
@@ -14,4 +14,6 @@ dh_file = ${certdir}/dh ca_path = ${cadir} cipher_list = ALL:!EXPORT:!eNULL:!SSLv2 ecdh_curve = prime256v1 +tls_min_version = 1.0 +tls_max_version = 1.2 ocsp=default From 4b970767bb717f570c0c9450c538d22254070575 Mon Sep 17 00:00:00 2001 From: Durand Fabrice Date: Wed, 15 Dec 2021 09:38:07 -0500 Subject: [PATCH 4/5] Use constant and for TLS 1.2 --- conf/radiusd/tls.conf.defaults | 4 ++-- .../lib/pfappserver/Form/Config/Radiusd/TLSProfile.pm | 3 ++- lib/pf/radius/constants.pm | 7 +++++++ 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/conf/radiusd/tls.conf.defaults b/conf/radiusd/tls.conf.defaults index e052bad9a8f5..08140babffa5 100644 --- a/conf/radiusd/tls.conf.defaults +++ b/conf/radiusd/tls.conf.defaults @@ -4,7 +4,7 @@ dh_file = ${certdir}/dh ca_path = ${cadir} cipher_list = DEFAULT ecdh_curve = prime256v1 -tls_min_version = 1.0 +tls_min_version = 1.2 tls_max_version = 1.2 ocsp=default @@ -14,6 +14,6 @@ dh_file = ${certdir}/dh ca_path = ${cadir} cipher_list = ALL:!EXPORT:!eNULL:!SSLv2 ecdh_curve = prime256v1 -tls_min_version = 1.0 +tls_min_version = 1.2 tls_max_version = 1.2 ocsp=default diff --git a/html/pfappserver/lib/pfappserver/Form/Config/Radiusd/TLSProfile.pm b/html/pfappserver/lib/pfappserver/Form/Config/Radiusd/TLSProfile.pm index ae4fff2db04e..3bd78fd3faea 100644 --- a/html/pfappserver/lib/pfappserver/Form/Config/Radiusd/TLSProfile.pm +++ b/html/pfappserver/lib/pfappserver/Form/Config/Radiusd/TLSProfile.pm @@ -15,6 +15,7 @@ use warnings; use HTML::FormHandler::Moose; use pf::ConfigStore::Radiusd::OCSPProfile; use pf::ConfigStore::SSLCertificate; +use pf::radius::constants; extends 'pfappserver::Base::Form'; with qw(pfappserver::Base::Form::Role::Help); ## Definition @@ -79,7 +80,7 @@ sub options_ocsp { } sub options_tls_version { - return map { { value => $_, label => $_ } } qw(1.0 1.1 1.2 1.3); + return map { { value => $_, label => $_ } } @{RADIUS::TLS_VERSIONS}; } =head1 AUTHOR 
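Review bot: `@{RADIUS::TLS_VERSIONS}` in `options_tls_version` wraps a fully qualified package array in a dereference block, which reads like a symbolic reference; the plain `@RADIUS::TLS_VERSIONS` says the same thing and is what readers of strict code expect. The two tls.conf.defaults hunks now pin both the default profile and `[tls-eap-fast]` to exactly TLS 1.2 while the dropdown offers 1.3, which may be deliberate (supplicant or radiusd build limits) but is not explained anywhere in the change; a one-line comment above `tls_min_version = 1.2` in tls.conf.defaults giving the reason would keep the next maintainer from "fixing" it. The `use` hunk and `options_tls_version` are complete within their hunks.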
diff --git a/lib/pf/radius/constants.pm b/lib/pf/radius/constants.pm index 6f52763c6140..27d7805e9b1e 100644 --- a/lib/pf/radius/constants.pm +++ b/lib/pf/radius/constants.pm @@ -160,6 +160,13 @@ Readonly::Hash our %NAS_port_type => ( 36 => "PPPoEoQinQ", ); +=item TLS Versions + +Define all the TLS versions we can use + +=cut + +Readonly::Array our @TLS_VERSIONS => qw(1.0 1.1 1.2 1.3); package ACCOUNTING; From a5803cf94de2e1265c2f9ff188d2a5c2a9868327 Mon Sep 17 00:00:00 2001 From: nqb Date: Fri, 24 Dec 2021 11:04:58 +0100 Subject: [PATCH 5/5] add missing upgrade note --- docs/PacketFence_Upgrade_Guide.asciidoc | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/PacketFence_Upgrade_Guide.asciidoc b/docs/PacketFence_Upgrade_Guide.asciidoc index 6ccd61681cd9..f76084807839 100644 --- a/docs/PacketFence_Upgrade_Guide.asciidoc +++ b/docs/PacketFence_Upgrade_Guide.asciidoc @@ -1659,6 +1659,14 @@ The `pf-maint.pl` script used to get maintenance patches has been deprecated. Yo The WMI scan engines have been deprecated. If you previously used these scan engines, you should migrate to other scan engines. +=== TLS 1.0 and 1.1 are disabled by default in FreeRADIUS + +TLS 1.0 and TLS 1.1 are now disabled by default. If you still have supplicants +using theses protocols, you should move to TLS 1.2. If it's not possible, you +can adjust `TLS Minimum version` in _Configuration -> System configuration -> +RADIUS -> TLS profiles_. + + == Upgrading from a version prior to 11.1.0
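Review bot: `@TLS_VERSIONS` is referenced from TLSProfile.pm as `RADIUS::TLS_VERSIONS`, which only resolves if the package in force at the new `Readonly::Array` declaration is `RADIUS`; the hunk shows only the `package ACCOUNTING;` that follows, so the preceding `package` statement, outside the hunk, should be checked. The POD says what the list is but not what constrains it: the values are written unchanged into eap.conf as `tls_min_version` / `tls_max_version`, and whether `1.3` is usable depends on the installed FreeRADIUS and OpenSSL, so I would extend the `=item` text with `Values are passed unchanged to FreeRADIUS tls_min_version/tls_max_version; TLS 1.3 is only usable when the installed FreeRADIUS and OpenSSL support it. Keep in ascending order.` The `=item` also needs an enclosing `=over` / `=back`, which this hunk does not show.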