Dear everyone, I'm looking for your pointers to help me debug and solve the issue I have.
I try to implement an auth exchange with the RADIUS, requesting EAP-TLS. At this moment I only need to get to the phase when server responds with Access-Challenge with server certificate (so, 2 packets from NAD and 2 from the server). To generate NAD-side packets I use python3 with scapy.
Freeradius (3.0.16, 3.0.20) was set up to use EAP-TLS for test user auth. First access-request from the NAD side is responded with Access-Challenge from the server. So far so good.
But when I send the second packet, I receive an Access-Reject. Surprisingly, the server reports I'm using unsupported TLS version "0304" (which corresponds to TLS1.3). Why "surprisingly"? Well, because I use an earlier TLS version, and it is well visible (AVP "Eap-Message" - EAP section - TLS part has "0301", which corresponds to TLS1.0; the handshake version is also set to TLS1.0 (0x0301)).
I also checked in Wireshark (captured both on the server machine and "NAD" machine - same results) - the packet is correctly dissected by latest wireshark (no errors reported) and has TLS1.0 inside.
OpenSSL is already at the newest version (1.1.1-1ubuntu2.1~18.04.5). After a discussion on the freeradius mailing list, I got to know that freeradius receives all the TLS-related information from OpenSSL. I attach the packet exchange for reference; the packet in question is packet #3.
I'd like to understand how OpenSSL gets to the idea of a "0304" version if there is no such byte sequence in the packet...
My question is: how does OpenSSL determine the TLS version? How can I debug it?
--
Have a great day!
Irina Ilina-Sidorova
Attachment: test.pcapng (binary data)
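One way to check where a version number can hide in a captured ClientHello, as an added example that is not from the original post, from freeradius or from OpenSSL: the parser below reads the record-layer version, the handshake legacy_version and the supported_versions extension (RFC 8446 section 4.2.1), and applies the RFC 8446 selection rule, under which a server takes the negotiated version from that extension whenever the client sent it and only falls back to legacy_version otherwise. The builder produces a constructed minimal ClientHello as sample input, not a packet from the attached capture.

```python
import struct

SUPPORTED_VERSIONS_EXT = 43  # extension type, RFC 8446 section 4.2.1


def client_hello_versions(record: bytes) -> dict:
    """Parse one TLS handshake record carrying a ClientHello and return every
    place a protocol version appears: the record-layer version, the handshake
    legacy_version, and the supported_versions list (None if not present)."""
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 1:
        raise ValueError("not a ClientHello")
    ch = body[4:4 + int.from_bytes(body[1:4], "big")]
    legacy_ver = struct.unpack("!H", ch[:2])[0]
    pos = 2 + 32                                          # skip client random
    pos += 1 + ch[pos]                                    # session id
    pos += 2 + struct.unpack("!H", ch[pos:pos + 2])[0]    # cipher suites
    pos += 1 + ch[pos]                                    # compression methods
    supported = None
    if pos < len(ch):                                     # extensions block is optional
        end = pos + 2 + struct.unpack("!H", ch[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", ch[pos:pos + 4])
            data = ch[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == SUPPORTED_VERSIONS_EXT:        # 1-byte list length, then u16 versions
                supported = [struct.unpack("!H", data[i:i + 2])[0]
                             for i in range(1, 1 + data[0], 2)]
    return {"record": rec_ver, "legacy": legacy_ver, "supported": supported}


def selected_version(info: dict, server=(0x0304, 0x0303, 0x0302, 0x0301)) -> int:
    """RFC 8446 rule: negotiate from supported_versions when the client sent it,
    otherwise fall back to legacy_version. Returns 0 if nothing is in common."""
    if info["supported"] is None:
        return info["legacy"] if info["legacy"] in server else 0
    common = [v for v in server if v in info["supported"]]
    return max(common) if common else 0


def build_client_hello(legacy_ver: int, supported=None) -> bytes:
    """Constructed (not captured) minimal ClientHello record: record version
    0x0301, one cipher suite, null compression, optional supported_versions."""
    ch = struct.pack("!H", legacy_ver) + bytes(32) + b"\x00"   # version, random, empty session id
    ch += b"\x00\x02\x13\x01" + b"\x01\x00"                     # one suite, one compression method
    if supported is not None:
        vers = b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HHB", SUPPORTED_VERSIONS_EXT, len(vers) + 1, len(vers)) + vers
        ch += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(ch).to_bytes(3, "big") + ch
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs
```

Run it on the TLS bytes extracted from the Eap-Message AVP (after stripping the EAP and EAP-TLS headers) to see whether 0x0304 is present in the extension even though both headers say 0x0301.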