Re: OpenSSL reports wrong TLS version to FreeRADIUS


 



Thank you Alfred!

Yup, I used old ciphers indeed. I suspect it stops even before checking them, but I'll add newer ones and let you know.


This is the relevant part of the FreeRADIUS log, just in case:
--
(1) eap_tls: TLS_accept: before SSL initialization
(1) eap_tls: TLS_accept: before SSL initialization
(1) eap_tls: <<< recv TLS 1.3  [length 0048]
(1) eap_tls: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version
(1) eap_tls: ERROR: TLS Alert write:fatal:protocol version
tls: TLS_accept: Error in error
(1) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
(1) eap_tls: ERROR: System call (I/O) error (-1)
(1) eap_tls: ERROR: TLS receive handshake failed during operation
(1) eap_tls: ERROR: [eaptls process] = fail
--


On 02.03.2020 14:15, Alfred Arnold wrote:
Hi,

I'd like to understand how OpenSSL gets the idea of a "0304" version if there is no such
byte sequence in the packet...
My question is: how does OpenSSL determine the TLS version? How can I debug it?

I don't see any TLS 1.3 in the capture either, but I see that your
client is using only outdated (not to say historic) cryptographic
algorithms: RC4, RC2 (never seen that in practice!), 3DES and DES.
And those even combined with export options to weaken key strength.
Many modern servers are configured to disallow such outdated crypto:
make your client use at least

- AES128/256 (either in CBC or GCM mode)
- TLS 1.2
- no export cipher suites

Then you might get a more positive reply from the server...

Best regards

Alfred Arnold

--
Thanks and regards,
Irina Ilina-Sidorova
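
For the debugging question in this thread, an added example (not code from either poster, FreeRADIUS or OpenSSL) that decodes a ClientHello record and reports the version fields and the outdated cipher families named in the reply. Under RFC 8446 a TLS 1.3 client puts 0x0303 in the hello's version field and lists 0x0304 only inside the supported_versions extension. The function names are hypothetical, the sample bytes are constructed rather than taken from the capture, and a single unfragmented record is assumed.

```python
import struct

VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
# Subset of the IANA cipher-suite registry for the families named in the reply.
WEAK = {0x0003: "export RC4-40", 0x0004: "RC4", 0x0005: "RC4", 0x0006: "export RC2-40",
        0x0008: "export DES-40", 0x0009: "DES", 0x000A: "3DES"}

def u16(buf, i):
    return struct.unpack_from("!H", buf, i)[0]

def parse_client_hello(record):
    """Versions and weak suites offered in one unfragmented ClientHello record."""
    try:
        if record[0] != 22 or record[5] != 1:      # handshake record, ClientHello
            raise ValueError("not a ClientHello")
        body = record[9:5 + u16(record, 3)]        # skip record + handshake headers
        pos = 34                                   # legacy_version (2) + random (32)
        pos += 1 + body[pos]                       # session_id
        n = u16(body, pos); pos += 2
        suites = [u16(body, i) for i in range(pos, pos + n, 2)]
        pos += n + 1 + body[pos + n]               # suites, then compression methods
        offered = []
        if pos < len(body):                        # extensions are optional
            end = pos + 2 + u16(body, pos); pos += 2
            while pos + 4 <= end:
                etype, elen = u16(body, pos), u16(body, pos + 2); pos += 4
                if etype == 43:                    # supported_versions (RFC 8446)
                    offered = [u16(body, i) for i in range(pos + 1, pos + 1 + body[pos], 2)]
                pos += elen
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None
    known = [v for v in offered if v in VERSIONS]  # ignore GREASE placeholders
    highest = max(known) if known else u16(body, 0)
    return {"hello_version": VERSIONS.get(u16(body, 0), "unknown"),
            "highest_offered": VERSIONS.get(highest, "unknown"),
            "weak_suites": sorted({WEAK[s] for s in suites if s in WEAK})}

def build_hello(version, suites, supported_versions=()):
    """Constructed sample input: a minimal ClientHello, not a capture from the thread."""
    lst = b"".join(struct.pack("!H", v) for v in supported_versions)
    ext = struct.pack("!HHB", 43, len(lst) + 1, len(lst)) + lst if lst else b""
    ext = struct.pack("!H", len(ext)) + ext if ext else b""
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites) + b"\x01\x00" + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0301, len(hs)) + hs

if __name__ == "__main__":
    print(parse_client_hello(build_hello(0x0301, [0x0004, 0x0003, 0x0006, 0x000A, 0x0009])))
```

Feeding it the first client record exported from a capture shows whether 0x0304 is offered anywhere in the hello and which of the suites would be rejected by a server that disallows export, RC4 and DES-family ciphers.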


