HostAPd 2.6 fails EAP authentication with OpenSSL 1.1

Jouni Malinen j at w1.fi
Mon Oct 30 03:06:30 PDT 2017


On Sun, Oct 29, 2017 at 02:46:33PM -0600, Thomas d'Otreppe wrote:
> Using HostAPd 2.6, compiled with OpenSSL 1.1 (1.1.0f-5) and Android
> 6.0 as client, EAP authentication fails with:
> SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
> OpenSSL: openssl_handshake - SSL_connect error:1417D102:SSL
> routines:tls_process_client_hello:unsupported protocol

> A similar issue affected Freeradius:
> http://freeradius.1045715.n5.nabble.com/FreeRADIUS-3-0-15-fails-to-respond-with-TLS-1-0-Debian-testing-td5747111.html

That talks about Debian OpenSSL package disallowing use of TLS v1.0. In
other words, this sounds like a security policy choice and expected
behavior to reject a client that does not support enabled protocol
versions. Please note that OpenSSL 1.1.0f itself does support TLS v1.0
and when built with default options, v1.0 seems to be enabled as well.

> The solution was to use SSL_CTX_set_max_proto_version and
> SSL_CTX_set_min_proto_version as you can see on
> https://github.com/FreeRADIUS/freeradius-server/commits/v3.0.x/src/main/tls.c
> (anything on or after September 8 2017).

I'm not sure I'd call that a solution. At best, that sounds like a
workaround that explicitly ignored distro security policy for TLS. You
cannot both have a policy that mandates that TLS v1.0 be disabled for
everything in the system and have client devices that do not support
anything other than TLS v1.0.

-- 
Jouni Malinen                                            PGP id EFC895FA
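The error in the quoted log, "tls_process_client_hello: unsupported protocol", is what OpenSSL reports when the ClientHello offers no version inside the server's permitted window. The block below is an added example, not code from hostapd, OpenSSL or the FreeRADIUS commit referenced above: it parses a TLS record carrying a ClientHello, derives the set of versions the client is willing to use (the legacy client_version field for older clients, the supported_versions extension for TLS 1.3-capable ones), and applies a server policy whose bounds play the role of SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version(). The ClientHello bytes are constructed inside the block rather than captured from the reported setup, and the names (client_offered_versions, negotiate_version, build_client_hello, negotiate_for_client) are this example's own.

```c
/* Server-side TLS version check on a ClientHello. Added example modelling
 * RFC 5246 s.7.4.1.2 and RFC 8446 s.4.2.1; not OpenSSL's or hostapd's code.
 * The ClientHello bytes are constructed here, not captured from a client. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TLS1_0_VERSION 0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304
#define EXT_SUPPORTED_VERSIONS 0x002b

/* What a TLS 1.3-capable client lists in its supported_versions extension. */
const uint16_t TLS13_VERSIONS[] = { TLS1_3_VERSION, TLS1_2_VERSION };

/* Bit (v - TLS1_0_VERSION) of a mask marks version v as offered; others map to 0. */
static unsigned vbit(uint16_t v) {
    return (v >= TLS1_0_VERSION && v <= TLS1_3_VERSION) ? 1u << (v - TLS1_0_VERSION) : 0;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse one TLS record carrying a ClientHello; return the versions the client
 * offers as a bitmask, or 0 for a malformed record. Without supported_versions,
 * client_version V implicitly offers TLS 1.0 .. min(V, TLS 1.2) (RFC 8446 4.2.1). */
unsigned client_offered_versions(const uint8_t *rec, size_t len) {
    if (len < 9 || rec[0] != 0x16 || rd16(rec + 3) + 5u > len) return 0;
    size_t end = 5 + rd16(rec + 3), p = 5;
    size_t hlen = ((size_t)rec[p + 1] << 16) | ((size_t)rec[p + 2] << 8) | rec[p + 3];
    if (rec[p] != 0x01 || p + 4 + hlen > end) return 0;  /* handshake type 1 = ClientHello */
    end = p + 4 + hlen;
    p += 4;
    if (p + 35 > end) return 0;                           /* client_version, random, sid length */
    uint16_t legacy = rd16(rec + p);
    p += 34;
    p += 1 + rec[p];                                      /* session_id */
    if (p + 2 > end) return 0;
    p += 2 + rd16(rec + p);                               /* cipher_suites */
    if (p + 1 > end) return 0;
    p += 1 + rec[p];                                      /* compression_methods */
    if (p > end) return 0;
    unsigned legacy_mask = 0;
    for (uint16_t v = TLS1_0_VERSION; v <= legacy && v <= TLS1_2_VERSION; v++)
        legacy_mask |= vbit(v);
    if (p == end) return legacy_mask;                     /* pre-1.3 client, no extensions */
    if (p + 2 > end || p + 2 + rd16(rec + p) != end) return 0;
    p += 2;
    while (p + 4 <= end) {
        uint16_t type = rd16(rec + p), xlen = rd16(rec + p + 2);
        p += 4;
        if (p + xlen > end) return 0;
        if (type == EXT_SUPPORTED_VERSIONS) {
            /* one-byte list length, then 2-byte versions; unknown/GREASE values are ignored */
            if (xlen < 1 || rec[p] + 1u != xlen || (rec[p] & 1)) return 0;
            unsigned mask = 0;
            for (size_t i = 1; i < xlen; i += 2) mask |= vbit(rd16(rec + p + i));
            return mask;
        }
        p += xlen;
    }
    return p == end ? legacy_mask : 0;
}

/* Server policy [min_v, max_v] (the SSL_CTX_set_min/max_proto_version bounds):
 * pick the highest version both sides allow; 0 means "unsupported protocol". */
uint16_t negotiate_version(unsigned offered, uint16_t min_v, uint16_t max_v) {
    for (uint16_t v = max_v; v >= min_v && v >= TLS1_0_VERSION; v--)
        if (offered & vbit(v)) return v;
    return 0;
}

/* Build a minimal ClientHello record (constructed test input); sv/nsv optionally
 * add a supported_versions extension. Returns the record length. */
size_t build_client_hello(uint8_t *out, uint16_t legacy, const uint16_t *sv, size_t nsv) {
    uint8_t *b = out + 9;                                 /* body follows 5+4 header bytes */
    size_t n = 0;
    b[n++] = (uint8_t)(legacy >> 8); b[n++] = (uint8_t)legacy;
    memset(b + n, 0x11, 32); n += 32;                     /* fixed "random" for reproducibility */
    b[n++] = 0;                                           /* empty session_id */
    b[n++] = 0; b[n++] = 2; b[n++] = 0xc0; b[n++] = 0x2f; /* one cipher suite */
    b[n++] = 1; b[n++] = 0;                               /* null compression only */
    if (nsv) {
        uint8_t xlen = (uint8_t)(1 + 2 * nsv);
        b[n++] = 0; b[n++] = (uint8_t)(4 + xlen);         /* extensions length */
        b[n++] = EXT_SUPPORTED_VERSIONS >> 8; b[n++] = EXT_SUPPORTED_VERSIONS & 0xff;
        b[n++] = 0; b[n++] = xlen; b[n++] = (uint8_t)(2 * nsv);
        for (size_t i = 0; i < nsv; i++) { b[n++] = (uint8_t)(sv[i] >> 8); b[n++] = (uint8_t)sv[i]; }
    }
    out[0] = 0x16; out[1] = 0x03; out[2] = 0x01;          /* record header: handshake, TLS 1.0 */
    out[3] = (uint8_t)((n + 4) >> 8); out[4] = (uint8_t)(n + 4);
    out[5] = 0x01; out[6] = 0; out[7] = (uint8_t)(n >> 8); out[8] = (uint8_t)n;
    return n + 9;
}

/* End to end: build the client's hello, parse it as the server, apply the policy. */
uint16_t negotiate_for_client(uint16_t legacy, const uint16_t *sv, size_t nsv,
                              uint16_t min_v, uint16_t max_v) {
    uint8_t rec[128];
    size_t n = build_client_hello(rec, legacy, sv, nsv);
    return negotiate_version(client_offered_versions(rec, n), min_v, max_v);
}
```

A client whose hello carries client_version 0x0301 and no supported_versions offers only TLS 1.0; against a server floor of TLS 1.2 negotiate_for_client() returns 0, which is the situation behind the quoted alert. Raising the server floor (the distribution policy) or lowering it with SSL_CTX_set_min_proto_version() (the FreeRADIUS change) moves that window; nothing in the parser can reconcile a client that offers only TLS 1.0 with a policy that forbids it, which is the point made in the reply above.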