[Pkg-freeradius-maintainers] Bug#919234: Bug#919234: ttls fails with tls 1.3, enabled by default

Michael Stapelberg stapelberg at debian.org
Mon Jan 14 07:31:58 GMT 2019


I have no time to look into this. Can you send a patch please?

On Sun, Jan 13, 2019 at 11:33 PM Sam Hartman <hartmans at debian.org> wrote:

> package: freeradius
> severity: important
> version: 3.0.17+dfsg-1
> justification: regression that totally breaks connectivity
> tags: upstream
>
>
> I've cc'd Kurt because he requested openssl 1.3 test results a while
> back.
>
> While writing automated tests for moonshot-gss-eap, I discovered that
> by default freeradius will not constrain the version of TLS in use
> (probably good), but that its ttls implementation fails with TLS 1.3.
> Things work fine if I explicitly set the max TLS version to 1.2.
>
> Based on the errors I suspect that the issue has to do with the
> handling of the ttls TLS session ticket used by TTLS for fast
> reauthentication.
> My suspicion (and recollection from the spec) is that ttls knows more
> about session internals than it should.
>
> As a quick fix, I think the ttls code should limit the maximum TLS
> version to 1.2 until the code can be fixed to work with 1.3.
>
>
> Please do not limit all freeradius uses of TLS to 1.2: in particular I'd
> really like to be able to use tls 1.3 with radsec.
> Also, I strongly recommend making this change in code not in config
> files.  People tend not to update their configs once they get one
> working.
>
> To reproduce, grab the moonshot-gss-eap sources.
> Comment out the TLS_MAX_VERSION on line 366 of
> debian/tests/freeradius/eap and then rerun autopkgtest on the resulting
> source package.
>


-- 
Best regards,
Michael
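An added check (not code from the report, Debian or FreeRADIUS): a small parser for the mods-available/eap layout that verifies the workaround the report asks for, namely that only the tls-config referenced by the ttls sub-module carries tls_max_version = "1.2" while other TLS-based EAP types stay unconstrained. The sample config is constructed; the tls_min_version/tls_max_version keys and the `tls = NAME` reference follow the FreeRADIUS 3.0 eap module syntax.

```python
# Constructed sample in the FreeRADIUS 3.0 mods-available/eap layout: TTLS gets its
# own tls-config pinned to 1.2; the tls-config used by EAP-TLS stays unconstrained.
SAMPLE_EAP_CONF = """
eap {
    tls-config tls-common {
        tls_min_version = "1.0"      # no tls_max_version: TLS 1.3 allowed here
    }
    tls-config tls-ttls {
        tls_min_version = "1.0"
        tls_max_version = "1.2"      # TTLS workaround until the TLS 1.3 bug is fixed
    }
    tls {
        tls = tls-common
    }
    ttls {
        tls = tls-ttls
    }
}
"""

def parse_conf(text):
    """Parse the brace / key = value subset of the FreeRADIUS config format into nested dicts."""
    stack = [{}]                                   # stack[0] is the root section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and whitespace
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            key = " ".join(line[:-1].split())       # 'tls-config tls-ttls {' -> 'tls-config tls-ttls'
            stack[-1][key] = child = {}
            stack.append(child)
        elif "=" in line:
            k, _, v = line.partition("=")
            stack[-1][k.strip()] = v.strip().strip('"')
    return stack[0]

def max_tls_version(conf, eap_type):
    """tls_max_version an EAP sub-module inherits via its 'tls = NAME' reference, None if unpinned."""
    eap = conf["eap"]
    return eap["tls-config " + eap[eap_type]["tls"]].get("tls_max_version")

def ttls_pinned_only(conf):
    """True when ttls is capped at 1.2 and every other TLS-based EAP sub-module is unconstrained."""
    eap = conf["eap"]
    others = [t for t, sec in eap.items() if isinstance(sec, dict) and "tls" in sec and t != "ttls"]
    return max_tls_version(conf, "ttls") == "1.2" and all(max_tls_version(conf, t) is None for t in others)
```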