堆栈内存溢出
  简体   繁体   English

如何在 FreeRADIUS 中强制使用 TLS 1.3?

[英]How to force TLS 1.3 in FreeRADIUS?

 原文  2022-11-29 22:06:57       openssl/ freeradius/ radius/ tls1.3

问题描述

I'm trying to experiment some with TLS 1.3.我正在尝试使用 TLS 1.3 进行一些实验。

I have a CA setup, server & client certs generated & distributed, and I can connect successfully using these certs with openssl s_server & s_client:我有一个 CA 设置、生成和分发的服务器和客户端证书,我可以使用这些证书与 openssl s_server 和 s_client 成功连接:

TLS 1.2: TLS 1.2:

...
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: FFE0AFA10151E6E6F836F84E35D3D84F61F1811DD29B3E5F72F322A5E2529600
    Session-ID-ctx: 
...
    Start Time: 1669758448
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

TLS 1.3: TLS 1.3:

---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: F23B37793041E458A77B180FED47B43DF02378C4A25F505A6C4942C5A195EF4E
    Session-ID-ctx: 
...
    Start Time: 1669758331
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---

Okay cool, so OpenSSL works, on to RADIUS/EAP-TLS.好的,很酷,所以 OpenSSL 工作,到 RADIUS/EAP-TLS。

These are the same certs I'm using for the RADIUS server, and for EAP-TLS authentication.这些是我用于 RADIUS 服务器和 EAP-TLS 身份验证的相同证书。 In the eap.conf file, I have:eap.conf文件中,我有:

...
        tls_min_version = "1.2"
        tls_max_version = "1.2"
...

and everything works fine.一切正常。 If I set max_version only to 1.3, it still succeeds, but when I set both min & max version to 1.3, the handshake fails and the client is rejected.如果我只将 max_version 设置为 1.3,它仍然会成功,但是当我将最小和最大版本都设置为 1.3 时,握手失败并且客户端被拒绝。 I looked at the debug messages and noticed something specifically in this excerpt:我查看了调试消息并注意到这段摘录中的一些特别内容:

(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0x1d55cef11de3c377
(1) eap: Finished EAP session with state 0x1d55cef11de3c377
(1) eap: Previous EAP request found for state 0x1d55cef11de3c377, released from the list
(1) eap: Peer sent packet with method EAP TLS (13)
(1) eap: Calling submodule eap_tls to process data
(1) eap_tls: (TLS) EAP Got final fragment (184 bytes)
(1) eap_tls: WARNING: (TLS) EAP Total received record fragments (184 bytes), does not equal expected expected data length (0 bytes)
(1) eap_tls: (TLS) EAP Done initial handshake
(1) eap_tls: (TLS) Handshake state - before SSL initialization
(1) eap_tls: (TLS) Handshake state - Server before SSL initialization
(1) eap_tls: (TLS) Handshake state - Server before SSL initialization
(1) eap_tls: (TLS) recv TLS 1.3 Handshake, ClientHello
(1) eap_tls: (TLS) send TLS 1.2 Alert, fatal protocol_version
(1) eap_tls: ERROR: (TLS) Alert write:fatal:protocol version
(1) eap_tls: ERROR: (TLS) Server : Error in error
(1) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000102:SSL routines::unsupported protocol
(1) eap_tls: ERROR: (TLS) System call (I/O) error (-1)
(1) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation
(1) eap_tls: ERROR: [eaptls process] = fail
(1) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module failed
(1) eap: Sending EAP Failure (code 4) ID 182 length 4
(1) eap: Failed in EAP select
(1)     [eap] = invalid
(1)   } # authenticate = invalid
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject

Specifically from these 2 lines:具体来自这两行:

(1) eap_tls: (TLS) recv TLS 1.3 Handshake, ClientHello (1) eap_tls: (TLS) recv TLS 1.3 握手,ClientHello
(1) eap_tls: (TLS) send TLS 1.2 Alert, fatal protocol_version (1) eap_tls: (TLS) 发送 TLS 1.2 Alert, fatal protocol_version

It seems the client is sending a TLS 1.3 handshake in the Client Hello, but the server is falling back to TLS 1.2 and failing.客户端似乎在 Client Hello 中发送了 TLS 1.3 握手,但服务器正在回退到 TLS 1.2 并失败。

What am I missing to force TLS 1.3 from the server side?从服务器端强制 TLS 1.3 我缺少什么? I was under the impresson that just setting the tls_min_version and tls_max_version in the eap.conf file was sufficient to change the version of TLS used server-side.我的印象是,只需在eap.conf文件中设置 tls_min_version 和 tls_max_version 就足以更改服务器端使用的 TLS 版本。

The freeradius docs give very limited info on EAP-TLS 1.3, and are not so clear about anything other than the fact that it will probably not work. freeradius 文档提供了关于 EAP-TLS 1.3 的非常有限的信息,并且除了它可能不起作用之外的任何事情都不太清楚。 Even if it doesn't end up working though, I'm interested to see what happens, but am having some trouble with this part.即使最终无法正常工作,我也很想看看会发生什么,但是这部分遇到了一些麻烦。

1 个解决方案

解决方案1
 0 已采纳  2022-12-01 20:00:38

Eventually figured this out.最终想通了这一点。

Despite these debug output & error messages heavily suggesting otherwise, as the FreeRADIUS guys have been indicating for some time now - this is a client-side issue.尽管这些调试 output 和错误消息强烈暗示并非如此,正如 FreeRADIUS 人员已经指出了一段时间 - 这是一个客户端问题。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何在 openSSl 1.1.1 中禁用 TLS1.3 - How to disable TLS1.3 in openSSl 1.1.1 如何使用 openssl 执行 TLS 1.3 PSK? - How to do TLS 1.3 PSK using openssl? 如何使 OpenSSL C 服务器只支持 TLS 1.3? - How to make OpenSSL C server only support TLS 1.3? 如何在 C/C++ 中使用 OpenSSL 创建 TLS 1.3 CertificateVerify 消息? - How to create a TLS 1.3 CertificateVerify message with OpenSSL in C/C++? 如何使用 tls 1.3 制作 ssl 证书? - How do you make an ssl certificate with tls 1.3? TLS 1.3 的 SSL 握手失败 - SSL handshake failure with TLS 1.3 在Apache中启用TLS1.3 - Enabling TLS1.3 in Apache 在 OpenSSL 恢复 TLS 1.3 session - Resuming a TLS 1.3 session in OpenSSL 如何强制“OpenConnect”客户端使用 TLS 1.0 - How to force 'OpenConnect' client to use TLS 1.0 curl --tlsv1.3, OpenSSL 是在没有 TLS 1.3 支持的情况下构建的 - curl --tlsv1.3, OpenSSL was built without TLS 1.3 support
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM