Jouni Malinen <j@xxxxx> writes:

> On Sun, Nov 26, 2023 at 10:52:54AM +0100, Arsen Arsenović wrote:
>> I'm trying to debug a connection failure from some systems onto our
>> PEAP-connected network.
>>
>> I've identified that the cause of the issue is that OpenSSL 3, present on
>> some of the systems that fail to connect, has a higher default SECLEVEL
>> and/or minimum protocol version than previous versions.
>>
>> I have reason to suspect that our PEAP infrastructure uses severely
>> outdated TLS, and so that OpenSSL is acting correctly, and would like to
>> confirm this suspicion and submit an analysis and request to upgrade to
>> our network administrators.
>>
>> Can I fetch information about the PEAP TLS session (TLS version, ciphers
>> in use, ...) from wpa_supplicant?
>
> It is unfortunately very common for deployed RADIUS authentication
> servers to use old (and in many cases, _really_ old) TLS implementations
> and protocol features. While the best way to address this would be to
> update the authentication server, that is not always practical for the
> users of the network to get done and as such, wpa_supplicant does allow
> SECLEVEL to be dropped as a workaround with the openssl_ciphers
> configuration parameter.
I've recovered the following logs from a failed connect attempt:

OpenSSL: RX ver=0x301 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): [REMOVED]
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS write client hello
OpenSSL: RX ver=0x303 content_type=22 (handshake/server hello)
OpenSSL: Message - hexdump(len=81): [REMOVED]
OpenSSL: Server selected cipher suite 0x2f
OpenSSL: TX ver=0x303 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): [REMOVED]
OpenSSL: TX ver=0x303 content_type=21 (alert/)
OpenSSL: Message - hexdump(len=2): [REMOVED]
SSL: (where=0x4008 ret=0x246)
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
EAP: Status notification: local TLS alert (param=protocol version)
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in error
OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
SSL: 7 bytes pending from ssl_out
SSL: Using TLS version TLSv1.2
SSL: Failed - tls_out available to report error (len=7)

... which would mean TLSv1.2 is used, I believe. I suspect the ciphersuites
are too old.

> The easiest way to get comprehensive information from failed PEAP
> authentication attempts is using the stdout debug facility by adding -dd
> on the wpa_supplicant command line. That might be doable with
> distribution specific mechanisms in some other ways as well by
> configuring debug verbosity to MSGDUMP (or even DEBUG would likely be
> sufficient for most needs) and record debug log into the system log
> files.

Indeed, I did that for the above.

Thanks. Have a lovely day.

-- 
Arsen Arsenović
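The debug lines quoted in this thread already carry the answer to the original question (record-layer TLS version, the server's cipher suite choice, and which side aborted), once the identifiers are decoded. The script below is an added example written for this thread, not wpa_supplicant's own code and not the poster's: it parses the posted log lines (reproduced here as a constructed sample, hexdumps still [REMOVED]), maps the version, content-type and cipher-suite numbers to names, and reports whether the fatal alert was written by the local OpenSSL or received from the server. The lookup tables are assumed small subsets of the IANA registries; only the line formats visible in the post are recognised.

```python
"""Summarise a TLS handshake from wpa_supplicant -dd / MSGDUMP debug output.

Added example for the hostap thread; not wpa_supplicant code. SAMPLE_LOG is
the log posted in the thread, reproduced as a constructed sample.
"""
import re
from typing import Dict, List, Optional

# Record-layer versions. "ver=" is the record header's version field; the
# version inside the ServerHello body was in the removed hexdump.
TLS_VERSIONS = {0x300: "SSLv3", 0x301: "TLS 1.0", 0x302: "TLS 1.1",
                0x303: "TLS 1.2"}
# Record content types; 256 is OpenSSL's SSL3_RT_HEADER pseudo-type that
# wpa_supplicant prints as "TLS header info".
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data", 256: "record_header"}
# Subset of the IANA cipher suite registry (assumption: extend as needed).
CIPHER_SUITES = {0x000a: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                 0x002f: "TLS_RSA_WITH_AES_128_CBC_SHA",
                 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
                 0xc013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
                 0xc02f: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}

SAMPLE_LOG = """\
OpenSSL: RX ver=0x301 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): [REMOVED]
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS write client hello
OpenSSL: RX ver=0x303 content_type=22 (handshake/server hello)
OpenSSL: Message - hexdump(len=81): [REMOVED]
OpenSSL: Server selected cipher suite 0x2f
OpenSSL: TX ver=0x303 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): [REMOVED]
OpenSSL: TX ver=0x303 content_type=21 (alert/)
OpenSSL: Message - hexdump(len=2): [REMOVED]
SSL: (where=0x4008 ret=0x246)
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
EAP: Status notification: local TLS alert (param=protocol version)
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in error
OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
SSL: 7 bytes pending from ssl_out
SSL: Using TLS version TLSv1.2
SSL: Failed - tls_out available to report error (len=7)
"""

RECORD_RE = re.compile(r"^OpenSSL: (?P<dir>RX|TX) ver=0x(?P<ver>[0-9a-fA-F]+) "
                       r"content_type=(?P<ct>\d+) \((?P<desc>[^)]*)\)")
CIPHER_RE = re.compile(r"^OpenSSL: Server selected cipher suite 0x(?P<id>[0-9a-fA-F]+)")
ALERT_RE = re.compile(r"^SSL: SSL3 alert: (?P<dir>read|write) \((?P<origin>[^)]*)\):"
                      r"(?P<level>fatal|warning):(?P<desc>.+)$")
ERROR_RE = re.compile(r"SSL_connect error:(?P<code>[0-9A-Fa-f]+):(?P<reason>.+)$")


def parse_tls_log(log: str) -> Dict[str, object]:
    """Extract records, the server's cipher choice, alerts and the final error."""
    records: List[Dict[str, str]] = []
    alerts: List[Dict[str, str]] = []
    cipher: Optional[str] = None
    error: Optional[str] = None
    for raw in log.splitlines():
        line = raw.strip()
        if m := RECORD_RE.match(line):
            ver, ct = int(m["ver"], 16), int(m["ct"])
            records.append({"dir": m["dir"], "desc": m["desc"],
                            "version": TLS_VERSIONS.get(ver, f"0x{ver:x}"),
                            "type": CONTENT_TYPES.get(ct, str(ct))})
        elif m := CIPHER_RE.match(line):
            cid = int(m["id"], 16)
            cipher = CIPHER_SUITES.get(cid, f"unknown (0x{cid:04x})")
        elif m := ALERT_RE.match(line):
            # "write" = the local OpenSSL generated the alert; "read" = the
            # server sent it. That says which side refused to continue.
            alerts.append({"sent_by": "client" if m["dir"] == "write" else "server",
                           "level": m["level"], "desc": m["desc"].strip(),
                           "origin": m["origin"]})
        elif m := ERROR_RE.search(line):
            error = m["reason"].strip()
    return {"records": records, "cipher": cipher, "alerts": alerts, "error": error}


def server_hello_record_version(summary: Dict[str, object]) -> Optional[str]:
    """Record-layer version of the received ServerHello, if one was logged."""
    for r in summary["records"]:
        if r["dir"] == "RX" and r["type"] == "handshake" and "server hello" in r["desc"]:
            return r["version"]
    return None


def verdict(summary: Dict[str, object]) -> str:
    """One-line reading of who aborted the handshake and why."""
    for a in summary["alerts"]:
        if a["level"] == "fatal":
            who = "local OpenSSL" if a["sent_by"] == "client" else "the server"
            tail = f"; SSL_connect reason: {summary['error']}" if summary["error"] else ""
            return f"{who} sent a fatal '{a['desc']}' alert{tail}"
    if summary["error"]:
        return f"handshake failed without an alert: {summary['error']}"
    return "no failure recorded"


if __name__ == "__main__":
    s = parse_tls_log(SAMPLE_LOG)
    print("ServerHello record version:", server_hello_record_version(s))
    print("Server-selected cipher suite:", s["cipher"])
    print("Verdict:", verdict(s))
```

On the posted sample this reports a ServerHello carried in a TLS 1.2 record, the server choosing TLS_RSA_WITH_AES_128_CBC_SHA (static RSA key exchange, so no forward secrecy, with CBC/SHA-1), and a fatal "protocol version" alert written by the local side, i.e. the client's OpenSSL is the party that gave up. Two caveats: the record-layer version is not the version field inside the ServerHello body, which is in the removed hexdump, so the script cannot say more than the lines do; and the openssl_ciphers workaround Jouni mentions relaxes exactly the client-side policy that produced this alert, so it should be treated as a stopgap while the authentication server is upgraded.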
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap