Re: OpenSSL reports wrong TLS version to FreeRADIUS

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

Alfred, I'd like to say "thanks" once more.

I tried with newer ciphers and version 1.2 - and now freeradius (3.0.16) indeed sends me the second
"challenge". So, it's a huge progress.

Indeed, the capture now looks like an EAP-TLS negotiation should go on. The server accepted the client hello, an prepared its message flight of messages. Among them is the server's Certificate message, which is quite huge, and so they cannot be sent in one packet. Your client would next send an empty EAP-TLS message, thereby acknowledging reception of this message fragment. The server would then send the next fragment of these messages. Since the overall length of the message flight is 3137, and FreeRADUIS decided to send ~1000 bytes per fragment, expect another two of those 'ping-pongs' to happen until your client is able to reassemble and process the server's messages.

However it still complains on the unknown TLS version. I attach the server log and the packet capture, just in case.

Well, no idea where the version 0x0304 is coming from. One would probably have to look into the FreeRADIUS sources, or ask on the proper FreeRADIUS mailing lists for assistance. My personal "wild guess" is that this is some sort of 'internal default' as long as the the EAP-TLS module hasn't yet decided about the used protocol version. I wouldn't bother about this too much if you're interested in other things.

There's however one other thing I wanted to mention: The Random value your clients sends in the Client Hello is not that random...there is the time stamp in the first four bytes, but the remaining 28 bytes are all-zero - they should contain data from a cryptographically safe random number generator.

Best regards

Alfred Arnold

--
Alfred Arnold                   E-Mail: alfred@xxxxxxxxxxxxxxxxxxx
Computer Club at the            http://john.ccac.rwth-aachen.de:8000/alf/
Technical University            Phone: +49-241-406526
of Aachen




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux