
Bug#1012330: freeradius: After upgrade to 3.2.0+dfsg-1 some (older?) client stop connect


Kamil Jonca

Jun 4, 2022, 7:10:03 AM
Package: freeradius
Version: 3.2.0+dfsg-1
Severity: important
X-Debbugs-Cc: kjo...@poczta.onet.pl


When I upgraded to the new version I found that some clients cannot connect.
In the logs I have:

Sat Jun 4 12:44:50 2022 : Debug: (2) eap1: Expiring EAP session with state 0xab52c2e6aa35db5e
Sat Jun 4 12:44:50 2022 : Debug: (2) eap1: Finished EAP session with state 0xab52c2e6aa35db5e
Sat Jun 4 12:44:50 2022 : Debug: (2) eap1: Previous EAP request found for state 0xab52c2e6aa35db5e, released from the list
Sat Jun 4 12:44:50 2022 : Debug: (2) eap1: Peer sent packet with method EAP PEAP (25)
Sat Jun 4 12:44:50 2022 : Debug: (2) eap1: Calling submodule eap_peap to process data
Sat Jun 4 12:44:50 2022 : Debug: (2) eap_peap: (TLS) EAP Continuing ...
Sat Jun 4 12:44:50 2022 : Debug: (2) eap_peap: (TLS) EAP Peer sent flags --L
Sat Jun 4 12:44:50 2022 : Debug: (2) eap_peap: (TLS) EAP Peer says that the final record size will be 195 bytes
Sat Jun 4 12:44:50 2022 : Debug: (2) eap_peap: (TLS) EAP Got all data (195 bytes)
Sat Jun 4 12:44:50 2022 : Debug: (2) eap_peap: (TLS) EAP Verification says length included
Sat Jun 4 12:44:50 2022 : Debug: (2) eap_peap: (TLS) Handshake state [PINIT] - before SSL initialization (0)
Sat Jun 4 12:44:50 2022 : Debug: (2) eap_peap: (TLS) Handshake state [PINIT] - Server before SSL initialization (0)
Sat Jun 4 12:44:50 2022 : Debug: (2) eap_peap: (TLS) Handshake state [PINIT] - Server before SSL initialization (0)
Sat Jun 4 12:44:50 2022 : Debug: (2) eap_peap: (TLS) recv TLS 1.3 Handshake, ClientHello
Sat Jun 4 12:44:50 2022 : Debug: (2) eap_peap: (TLS) send TLS 1.0 Alert, fatal internal_error
Sat Jun 4 12:44:50 2022 : ERROR: (2) eap_peap: (TLS) Alert write:fatal:internal error
Sat Jun 4 12:44:50 2022 : ERROR: (2) eap_peap: (TLS) Server : Error in error
Sat Jun 4 12:44:50 2022 : ERROR: (2) eap_peap: (TLS) Failed reading from OpenSSL: ../ssl/t1_lib.c[3331]:error:0A000076:SSL routines::no suitable signature algorithm
Sat Jun 4 12:44:50 2022 : ERROR: (2) eap_peap: (TLS) System call (I/O) error (-1)
Sat Jun 4 12:44:50 2022 : ERROR: (2) eap_peap: (TLS) EAP Receive handshake failed during operation
Sat Jun 4 12:44:50 2022 : ERROR: (2) eap_peap: [eaptls process] = fail
Sat Jun 4 12:44:50 2022 : ERROR: (2) eap1: Failed continuing EAP PEAP (25) session. EAP sub-module failed

I played with

cipher_list = ...
tls_min_version = ...
tls_max_version = ...

in the /etc/freeradius/3.0/mods-enabled/eap file, but without success...
Before the upgrade there was:

cipher_list = "DEFAULT:TLSv1.0"
tls_min_version= 1.0


Downgrading to 3.0.25 resolves the issue.



-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.17.0-2-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages freeradius depends on:
ii freeradius-common 3.0.25+dfsg-1.1
ii freeradius-config 3.0.25+dfsg-1.1
ii libc6 2.33-7
ii libcrypt1 1:4.4.27-1.1
ii libct4 1.3.6-1.1
ii libfreeradius3 3.2.0+dfsg-1
ii libgdbm6 1.23-1
ii libjson-c5 0.16-1
ii libpam0g 1.4.0-13
ii libperl5.34 5.34.0-4
ii libreadline8 8.1.2-1.2
ii libsqlite3-0 3.38.5-1
ii libssl3 3.0.3-5
ii libsystemd0 251.1-1
ii libtalloc2 2.3.3-4
ii libwbclient0 2:4.16.1+dfsg-4
ii lsb-base 11.2

Versions of packages freeradius recommends:
ii freeradius-utils 3.2.0+dfsg-1

Versions of packages freeradius suggests:
pn freeradius-krb5 <none>
ii freeradius-ldap 3.2.0+dfsg-1
pn freeradius-mysql <none>
ii freeradius-postgresql 3.2.0+dfsg-1
pn freeradius-python3 <none>
pn snmp <none>

-- Configuration Files:
/etc/default/freeradius changed [not included]
/etc/logrotate.d/freeradius changed [not included]

-- no debconf information

Kamil Jońca

Jun 4, 2022, 8:20:03 AM
After taking a look into the sources I set the following, and this seems to work:

cipher_list = "DEFAULT@SECLEVEL=1:TLSv1@SECLEVEL=0"
tls_min_version= 1.0
tls_max_version = 1.2

But, to be honest, I do not know how secure such a configuration is.
KJ

--
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html

Kamil Jońca

Jun 4, 2022, 1:50:03 PM
Based on:

%diff <(openssl ciphers -s -v 'TLSv1@SECLEVEL=1') <(openssl ciphers -s -v 'TLSv1@SECLEVEL=0')
5a6
> AECDH-AES256-SHA TLSv1 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1
7a9,12
> AECDH-AES128-SHA TLSv1 Kx=ECDH Au=None Enc=AES(128) Mac=SHA1
> ECDHE-ECDSA-NULL-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=None Mac=SHA1
> ECDHE-RSA-NULL-SHA TLSv1 Kx=ECDH Au=RSA Enc=None Mac=SHA1
> AECDH-NULL-SHA TLSv1 Kx=ECDH Au=None Enc=None Mac=SHA1

I configured:

==========
cipher_list = "AECDH-AES256-SHA:AECDH-AES128-SHA:TLSv1.0:DEFAULT"
tls_min_version= 1.0
tls_max_version = 1.3
==========
And this also seems to work.
KJ

--
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html

Kamil Jońca

Jun 4, 2022, 2:50:03 PM
Previously I pasted the wrong cipher_list; it should be:

cipher_list = "AECDH-AES256-SHA@SECLEVEL=0:AECDH-AES128-SHA@SECLEVEL=0:TLSv1.0:DEFAULT"
--
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
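The `openssl ciphers -v` diff and the `@SECLEVEL=0` cipher_list in the messages above invite a check that the thread itself does not carry out: what exactly does dropping the security level let the EAP tunnel negotiate? The following script is an added example for this thread (not FreeRADIUS, OpenSSL or Debian code). It parses the one-suite-per-line format that `openssl ciphers -v` prints, flags suites with `Au=None` (anonymous key exchange, the AECDH family, where the supplicant never verifies the RADIUS server's identity) or `Enc=None` (no encryption), and splits an OpenSSL cipher string into its tokens and the security level it sets. The embedded sample input is the five suites from the diff in the thread; every one of them is anonymous, unencrypted or both. Anonymous suites need no server certificate or signature, which is consistent with them getting past the "no suitable signature algorithm" error, but at the cost of the client no longer authenticating the server. The `openssl ciphers` pipeline in the docstring assumes the openssl CLI is installed; the script itself runs offline on the sample.

```python
"""Flag weak TLS cipher suites in `openssl ciphers -v` output.

Added example for this bug thread; not FreeRADIUS or OpenSSL project code.
Input is the format `openssl ciphers -v` prints, one suite per line:
    NAME  MIN-PROTO  Kx=<key exchange>  Au=<authentication>  Enc=<cipher>  Mac=<mac>
Usage on a live system (assumes the openssl CLI is installed):
    openssl ciphers -s -v 'AECDH-AES256-SHA@SECLEVEL=0:TLSv1.0:DEFAULT' | python3 audit_ciphers.py
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input: the five suites shown in the thread's diff, i.e. what
# 'TLSv1@SECLEVEL=0' enables beyond 'TLSv1@SECLEVEL=1'.
SAMPLE_CIPHERS_V = """\
AECDH-AES256-SHA TLSv1 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1
AECDH-AES128-SHA TLSv1 Kx=ECDH Au=None Enc=AES(128) Mac=SHA1
ECDHE-ECDSA-NULL-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=None Mac=SHA1
ECDHE-RSA-NULL-SHA TLSv1 Kx=ECDH Au=RSA Enc=None Mac=SHA1
AECDH-NULL-SHA TLSv1 Kx=ECDH Au=None Enc=None Mac=SHA1
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


@dataclass
class Suite:
    name: str
    proto: str  # lowest protocol version the suite can be negotiated with
    kx: str
    au: str
    enc: str
    mac: str


def parse_ciphers_v(text: str) -> List[Suite]:
    """Parse `openssl ciphers -v` output; lines that do not match are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites.append(Suite(**m.groupdict()))
    return suites


def audit(suites: List[Suite]) -> Dict[str, List[str]]:
    """Return {suite name: [reasons]} for every suite with a security problem.

    Au=None means the peer's identity is never verified (anonymous key
    exchange); Enc=None means the record layer is not encrypted at all.
    Either one defeats the purpose of the PEAP outer TLS tunnel.
    """
    findings: Dict[str, List[str]] = {}
    for s in suites:
        reasons = []
        if s.au == "None":
            reasons.append("no peer authentication (anonymous key exchange)")
        if s.enc == "None":
            reasons.append("no encryption (NULL cipher)")
        if reasons:
            findings[s.name] = reasons
    return findings


def split_cipher_list(cipher_list: str) -> Tuple[List[str], Optional[int]]:
    """Split an OpenSSL cipher string into suite/alias tokens and the
    security level it sets.

    '@SECLEVEL=n' is a directive, not a property of the token it is glued to:
    OpenSSL applies it to the whole SSL context, and if it appears more than
    once the last occurrence wins.  Returns (tokens, level or None).
    """
    tokens: List[str] = []
    level: Optional[int] = None
    for raw in cipher_list.split(":"):
        token, sep, directive = raw.partition("@")
        if token:
            tokens.append(token)
        if sep and directive.startswith("SECLEVEL="):
            level = int(directive[len("SECLEVEL="):])
    return tokens, level


def main() -> None:
    # Read real `openssl ciphers -v` output from a pipe, else audit the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CIPHERS_V
    for name, reasons in audit(parse_ciphers_v(text)).items():
        print(f"{name}: {'; '.join(reasons)}")


if __name__ == "__main__":
    main()
```

Run without input to audit the sample; pipe real `openssl ciphers -s -v '<your cipher_list>'` output into it to see what a candidate cipher_list actually enables on the server's own OpenSSL. `split_cipher_list` is there because the corrected list in the last message attaches `@SECLEVEL=0` to individual suites; the function reports the single level the whole string ends up setting, so the effect of such a list can be read off directly.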