[defect]: Radsec home server openssl "Client : Error in SSLv3/TLS write client hello" #5310
Comments
Please try this patch, and run with Please post the debug output here. I may not have time to look at this in more detail for a week or so.
Moin, Thanks for the quick response. Testing with your debug patch applied and executing

$ /usr/sbin/freeradius -d /home/haegar/freeradius-testing/ -sf -l stdout -xxx

Skipped the startup messages, they are similar to the bug report itself. Messages from freeradius when client requests come in:

Thu Mar 14 22:01:05 2024 : Debug: (0) Received Access-Request Id 115 from 127.0.0.1:59607 to 127.0.0.1:3812 length 78

The messages from your debug patch only appear way after the TLS client hello errors were already reported. (And strangely freeradius reported "Sent Access-Request Id 115 ...", when clearly due to the TLS establishing error the request has not been sent to the server yet).

Greetings,
What type of defect/bug is this?
Unexpected behaviour (obvious or verified by project member)
How can the issue be reproduced?
Setup is freeradius 3.2 git 66e6389 listening on udp port, and trying to forward all requests received there via radsec/tcp+tls to homeserver.
The setup in a slightly more complex config than in this reproduction is used for forward authentication from devices which can't do tls radius (aka switches) via such radius proxies encrypted over the internet to our datacenter.
Establishing connection to tls homeserver fails with "ERROR: (0) (TLS) RADIUS/TLS - Client : Error in SSLv3/TLS write client hello". Same setup works with freeradius 3.2.1, and works "sometimes" with 3.2.3 release, where it sometimes breaks with slightly different ssl error messages, and sometimes seems to work - was unable to figure out a scheme, so I tried with the latest git snapshot I am reporting about here.
Both radsec server (tested with freeradius 3.2.1 and with radiator) and this freeradius client use a custom private CA, which generated the server and client certificates.
Accessing the radsec server via openssl s_client also works just fine and establishes the ssl connection.
This problem may be similar to #5308, but I don't listen for TLS connections, and don't get assertion failed or crashes - just the outbound TLS connection fails to get established.
Tried both
tls_min_version = "1.2"
tls_max_version = "1.2"
(where freeradius tries to use tls 1.2)
and
tls_min_version = "1.2"
tls_max_version = "1.3"
(where it tries to use tls 1.3); both fail in absolutely the same way.
Log output from the FreeRADIUS daemon
Relevant log output from client utilities
The client output is relatively useless, just showing that it tries to send the auth requests three times, and then receives the reject sent by freeradius because of "Auth: (0) Login incorrect (Failing proxied request for user "test", due to lack of any response from home server 172.16.9.102 port 2083): [test] (from client caradius-world4 port 23)"
$ radtest -d /home/haegar/freeradius-testing/ -t pap test test 127.0.0.1:3812 23 test123
Sent Access-Request Id 82 from 0.0.0.0:97dc to 127.0.0.1:3812 length 74
User-Name = "test"
User-Password = "test"
NAS-IP-Address = 127.0.1.1
NAS-Port = 23
Message-Authenticator = 0x00
Cleartext-Password = "test"
Sent Access-Request Id 82 from 0.0.0.0:97dc to 127.0.0.1:3812 length 74
User-Name = "test"
User-Password = "test"
NAS-IP-Address = 127.0.1.1
NAS-Port = 23
Message-Authenticator = 0x00
Cleartext-Password = "test"
Sent Access-Request Id 82 from 0.0.0.0:97dc to 127.0.0.1:3812 length 74
User-Name = "test"
User-Password = "test"
NAS-IP-Address = 127.0.1.1
NAS-Port = 23
Message-Authenticator = 0x00
Cleartext-Password = "test"
Received Access-Reject Id 82 from 127.0.0.1:ee4 to 127.0.0.1:38876 length 20
(0) -: Expected Access-Accept got Access-Reject
radclient: Received reply to request we did not send. (id=82 socket 3)
Backtrace from LLDB or GDB
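For readers who want to reproduce the setup described in the report (a plain UDP listener proxying everything to a RadSec home server authenticated by a private CA, with both TLS version variants), here is a minimal FreeRADIUS 3.x configuration. It is an added illustration, not configuration from the issue; the file names, certificate paths and the realm block are assumptions, while the ports and home server address come from the report.

```conf
# Added example, not from the issue. Paths and names are assumptions.

# sites-enabled/default: UDP RADIUS listener for switches and other
# NAS devices that cannot speak RADIUS/TLS themselves.
listen {
	type = auth
	ipaddr = 127.0.0.1
	port = 3812
}

# proxy.conf: the RadSec (RADIUS/TLS, RFC 6614) home server. RadSec runs
# over TCP with the fixed shared secret "radsec"; protection comes from
# mutual TLS, so the client certificate and CA file below are essential.
home_server radsec_home {
	type = auth
	ipaddr = 172.16.9.102
	port = 2083
	proto = tcp
	secret = radsec
	status_check = none

	tls {
		# Client certificate and key issued by the private CA, presented
		# to the home server during the handshake.
		certificate_file = ${certdir}/proxy-client.pem
		private_key_file = ${certdir}/proxy-client.key

		# Private CA that signed the home server's certificate; without
		# it the server certificate cannot be verified.
		ca_file = ${cadir}/private-ca.pem

		# Variant 1 from the report: pin TLS 1.2.
		tls_min_version = "1.2"
		tls_max_version = "1.2"

		# Variant 2 from the report (fails identically): allow TLS 1.3.
		#tls_min_version = "1.2"
		#tls_max_version = "1.3"
	}
}

home_server_pool radsec_pool {
	type = fail-over
	home_server = radsec_home
}

# User names without an "@realm" suffix (like "test" in the report)
# match the NULL realm, so every such request is proxied to the pool.
realm NULL {
	auth_pool = radsec_pool
}
```

With this in place, the failure from the report shows up as the "Error in SSLv3/TLS write client hello" line during the outbound handshake, before any Access-Request reaches the home server.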