On Sun, Oct 29, 2017 at 02:46:33PM -0600, Thomas d'Otreppe wrote:
> Using HostAPd 2.6, compiled with OpenSSL 1.1 (1.1.0f-5) and Android
> 6.0 as client, EAP authentication fails with:
> SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
> OpenSSL: openssl_handshake - SSL_connect error:1417D102:SSL
> routines:tls_process_client_hello:unsupported protocol
> A similar issue affected Freeradius:
> http://freeradius.1045715.n5.nabble.com/FreeRADIUS-3-0-15-fails-to-respond-with-TLS-1-0-Debian-testing-td5747111.html

That talks about the Debian OpenSSL package disallowing use of TLS v1.0.
In other words, this sounds like a security policy choice and expected
behavior to reject a client that does not support the enabled protocol
versions. Please note that OpenSSL 1.1.0f itself does support TLS v1.0
and, when built with default options, v1.0 seems to be enabled as well.

> The solution was to use SSL_CTX_set_max_proto_version and
> SSL_CTX_set_min_proto_version as you can see on
> https://github.com/FreeRADIUS/freeradius-server/commits/v3.0.x/src/main/tls.c
> (anything on or after September 8 2017).

I'm not sure I'd call that a solution... At best, that sounds like a
workaround that explicitly ignored the distro security policy for TLS.
You cannot both have a policy that mandates TLS v1.0 to be disabled for
everything in the system and have client devices that do not support
anything other than TLS v1.0.

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
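The exchange above boils down to a version-negotiation policy: the server (hostapd acting as the EAP-TLS authenticator) has a minimum protocol version, the client offers a highest version, and when the two ranges do not overlap the server answers with a fatal "protocol version" alert, which is what the hostapd log shows. The following is an added example, not code from hostapd, FreeRADIUS or OpenSSL, that models that decision: it builds constructed ClientHello records, parses the versions a client is willing to speak, and applies a min/max window of the kind that SSL_CTX_set_min_proto_version and SSL_CTX_set_max_proto_version configure. It goes a little beyond the thread by also handling the TLS 1.3 supported_versions extension; the cipher suite, zeroed random and alert code are constructed sample values and the function names are the example's own.

```python
"""Model of TLS server minimum/maximum protocol version policy (added example,
not hostapd/FreeRADIUS/OpenSSL code). All ClientHello bytes are constructed."""
import struct

# TLS protocol version numbers as they appear on the wire.
TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
ALERT_PROTOCOL_VERSION = 70      # RFC 5246 AlertDescription protocol_version(70)
EXT_SUPPORTED_VERSIONS = 43      # RFC 8446 extension type


def build_client_hello(legacy_version, supported_versions=None):
    """Construct a minimal handshake record carrying a ClientHello.

    A pre-1.3 client only advertises legacy_version; a 1.3-capable client
    also sends the supported_versions extension (constructed test input)."""
    body = struct.pack(">H", legacy_version)
    body += b"\x00" * 32                               # random (constructed)
    body += b"\x00"                                    # session_id: empty
    body += struct.pack(">H", 2) + b"\x00\x2f"         # one suite (sample value)
    body += b"\x01\x00"                                # compression: null only
    if supported_versions is not None:
        vers = b"".join(struct.pack(">H", v) for v in supported_versions)
        ext_data = bytes([len(vers)]) + vers
        ext = struct.pack(">HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
        body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    # Record layer: ContentType handshake(22), legacy record version TLS 1.0.
    return b"\x16" + struct.pack(">H", 0x0301) + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (legacy_version, offered_versions) for a ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    legacy_version = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2 + 32                                      # skip version and random
    pos += 1 + body[pos]                               # session_id
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                               # compression_methods
    offered = None
    if pos + 2 <= len(body):                           # extensions are optional
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SUPPORTED_VERSIONS:
                n = edata[0]
                offered = [struct.unpack(">H", edata[1 + i:3 + i])[0] for i in range(0, n, 2)]
    if offered is None:
        # RFC 5246 rule: the server may select any version not higher than
        # the client's legacy_version, so treat every such version as offered.
        offered = [v for v in TLS_VERSIONS if 0x0300 <= v <= legacy_version]
    return legacy_version, offered


def negotiate(record, server_min, server_max):
    """Apply a min/max window like SSL_CTX_set_min/max_proto_version configure.

    Returns ("ok", chosen_version) or ("alert", 70) when the client offers
    nothing inside the server's policy window (the failure in the thread)."""
    _legacy, offered = parse_client_hello(record)
    acceptable = [v for v in offered if server_min <= v <= server_max]
    if not acceptable:
        return ("alert", ALERT_PROTOCOL_VERSION)
    return ("ok", max(acceptable))


if __name__ == "__main__":
    # A TLS 1.0-only client against a server whose distro policy starts at TLS 1.2.
    old_client = build_client_hello(0x0301)
    print("policy min TLS1.2:", negotiate(old_client, 0x0303, 0x0304))
    # The same client once the server explicitly lowers its minimum to TLS 1.0.
    print("policy min TLS1.0:", negotiate(old_client, 0x0301, 0x0304))
```

Running the script shows the two outcomes discussed in the thread: with the minimum left at TLS 1.2 the 1.0-only client gets the protocol_version alert, and only lowering the server's minimum, which is what the FreeRADIUS change does, lets the handshake proceed at TLS 1.0.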