Bug #55247: disable tls v3 for radius

We are currently using freeradius version 3.0.17, which wasn't developed with full tls v3 support. The behaviour for eap and tls v3 was still undefined. The problem is that our openssl version 1.1.1 does negotiate tls v3, so we need to explicitly disable it in freeradius. FreeRADIUS/freeradius-server#2385 This commit adds a UCR variable: "freeradius/conf/tls_max_version" with the default value "1.2".
univention · Feb 21, 2023 · 5f48b1e · 5f48b1e
1 parent 9fbdce4
commit 5f48b1e
Show file tree

Hide file tree

Showing 6 changed files with 33 additions and 3 deletions.
diff --git a/doc/errata/staging/univention-radius.yaml b/doc/errata/staging/univention-radius.yaml
@@ -0,0 +1,13 @@
+product: ucs
+release: "5.0"
+version: [3]
+scope: ucs_5.0-0-errata5.0-3
+src: services/univention-radius
+fix:
+desc: |
+ This update addresses the following issues:
+ * The maximum TLS version has been changed to 1.2
+   in order to prevent issues with Windows 10 and 11
+   clients. The maximum TLS version can be specified via the UCR
+   variable `freeradius/conf/tls-max-version`.
+bug: [55247]
diff --git a/services/univention-radius/conffiles/etc/freeradius/3.0/mods-available/eap b/services/univention-radius/conffiles/etc/freeradius/3.0/mods-available/eap
@@ -354,7 +354,11 @@ else:
 		#
 #		disable_tlsv1_2 = no
 
-		#
+		# Disable tls v3 since it is not yet supported
+		# https://github.com/FreeRADIUS/freeradius-server/issues/2385
+@!@
+print('\t\ttls_max_version = %s' % configRegistry.get('freeradius/conf/tls-max-version', '1.2'))
+@!@
 
 		#
 		#  Elliptical cryptography configuration

diff --git a/services/univention-radius/debian/changelog b/services/univention-radius/debian/changelog
@@ -1,3 +1,9 @@
+univention-radius (7.0.5-2) unstable; urgency=medium
+
+  * Bug #55247: disable tls v3 for radius
+
+ -- Maximilian Janßen <janssen@univention.de>  Tue, 14 Feb 2023 12:53:35 +0100
+
 univention-radius (7.0.5-1) unstable; urgency=medium
 
   * Bug #31771: migrate tabs to spaces

diff --git a/services/univention-radius/debian/univention-radius.univention-config-registry b/services/univention-radius/debian/univention-radius.univention-config-registry
@@ -39,6 +39,7 @@ Variables: freeradius/conf/private/key/secret/file
 Variables: freeradius/conf/private/key/file
 Variables: freeradius/conf/certificate/file
 Variables: freeradius/conf/ca/file
+Variables: freeradius/conf/tls-max-version
 
 Type: file
 File: etc/freeradius/3.0/mods-available/ldap

diff --git a/services/univention-radius/debian/univention-radius.univention-config-registry-variables b/services/univention-radius/debian/univention-radius.univention-config-registry-variables
@@ -52,6 +52,13 @@ Type=bool
 Default=true
 Categories=service-radius
 
+[freeradius/conf/tls-max-version]
+Description[de]=Setze ein oberes Limit für die TLS version, die von radius genutzt wird
+Description[en]=Set a upper limit for the TLS version used for radius
+Type=str
+Default=1.2
+Categories=service-radius
+
 [freeradius/auth/helper/ntlm/debug]
 Description[de]=Debuglevel für die RADIUS-NTLM-Authentifizierung. Mögliche Werte: 0-4 (0: nur Fehlermeldungen bis 4: alle Debugausgaben).
 Description[en]=Debuglevel for the RADIUS NTLM authentication. Possible values: 0-4 (0: only error messages to 4: all debug statements).

diff --git a/test/ucs-test/tests/45_radius/14_eap_tlsv3 b/test/ucs-test/tests/45_radius/14_eap_tlsv3
@@ -10,7 +10,6 @@ import subprocess
 from tempfile import NamedTemporaryFile
 
 import univention.testing.udm as udm_test
-import univention.testing.utils as utils
 
 UNIVENTION_CACERT = "/etc/univention/ssl/ucsCA/CAcert.pem"
 DEFAULT_CACERT = "/etc/default/cacert"
@@ -53,7 +52,7 @@ def eap_test(username, password, ca_cert):
             '1812',
             '-s',
             'testing123',
-            '-r0'
+            '-r0',
         ])