1636811 – FreeRadius needs to be 3.0.17 or newer to allow wpa_supplicant from F29 to connect due to TLS 1.3 problems (tls_max_version = "1.2" also needs to be set)

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1636811 - FreeRadius needs to be 3.0.17 or newer to allow wpa_supplicant from F29 to connect due to TLS 1.3 problems (tls_max_version = "1.2" also needs to be set)

Summary: FreeRadius needs to be 3.0.17 or newer to allow wpa_supplicant from F29 to co...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	freeradius
Sub Component:
Version:	29
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	urgent
Target Milestone:	---
Assignee:	Lubomir Rintel
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1667841
TreeView+	depends on / blocked

Reported:	2018-10-07 20:56 UTC by Trever Adams
Modified:	2019-01-21 09:39 UTC (History)
CC List:	10 users (show)
Fixed In Version:	freeradius-3.0.17-2.fc28 freeradius-3.0.17-2.fc29
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1667841 (view as bug list)
Environment:
Last Closed:	2019-01-15 01:53:05 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
3 Changes versus 3.0.15 latest release in Fedora to get it to compile (104.61 KB, text/x-rpm-spec) 2018-10-10 00:19 UTC, Trever Adams	no flags	Details
View All

Description Trever Adams 2018-10-07 20:56:17 UTC

Description of problem:
wpa_supplicant on F29 w openssl 1.1.1 tries to use tls 1.3. FreeRadius on F29 with openssl 1.1.1 does not work. It only gets part way through authenticating then fails. Windows and Android continue to work.

Some of this may also be fixed in freeradius 3.0.16/17

Version-Release number of selected component (if applicable):
openssl-1.1.1-3.fc29.x86_64
wpa_supplicant-2.6-17.fc29.x86_64
freeradius-3.0.15-18.fc29.x86_64

Comment 1 Trever Adams 2018-10-08 23:00:41 UTC

It is possible this is a library mismatch. I don't think 1.1.0 and 1.1.1 of OpenSSL are completely ABI compatible. I don't remember where I may have seen this. If I am wrong, ok. Either way, things are broken with WPA2 Enterprise TTLS or PEAP. This is a wpa_supplicant F29 vs. anything else problem. FreeRadius in the last version in F28 still worked.

# rpm -q wpa_supplicant --requires | grep ssl
libssl.so.1.1()(64bit)
libssl.so.1.1(OPENSSL_1_1_0)(64bit)
# ldd /usr/sbin/wpa_supplicant  | grep ssl
	libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007fcf269d3000)
# rpm -qf  /lib64/libssl.so.1.1
openssl-libs-1.1.1-3.fc29.x86_64
# ldd /usr/sbin/wpa_supplicant  | grep ssl
	libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f24ee359000)


# ldd /usr/sbin/radiusd  | grep ssl
	libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007fa5cb58f000)
# rpm -q freeradius --requires | grep ssl
libssl.so.1.1()(64bit)
libssl.so.1.1(OPENSSL_1_1_0)(64bit)
openssl >= 1:1.1.1

Why are both ssl versions required by freeradius?

Comment 2 Trever Adams 2018-10-10 00:18:29 UTC

This is fixed by FreeRadius 3.0.17 with tls_max_version = "1.2" in the eap module configuration.

I have compiled this with a slightly modified freeradius.spec and the update source tar.bz2.

I know the right fix to support TLS v1.3 will be a bit off, but this is a good start and gets people running again.

Comment 3 Trever Adams 2018-10-10 00:19:57 UTC

Created attachment 1492299 [details]
3 Changes versus 3.0.15 latest release in Fedora to get it to compile

Comment 4 Andreas Bierfert 2018-12-03 21:12:39 UTC

Can confirm this. Upgrading to 3.0.17-1 from rawhide and adding tls_max_version="1.2" fixes the issue for me.

Comment 5 Alex Scheel 2018-12-15 00:52:12 UTC

Feel free to test the update here:


https://bodhi.fedoraproject.org/updates/FEDORA-2018-bcf7fd8277

Comment 6 Fedora Update System 2018-12-16 03:17:28 UTC

freeradius-3.0.17-2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1bc4a63a4f

Comment 7 Fedora Update System 2018-12-16 03:57:47 UTC

freeradius-3.0.17-2.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-bcf7fd8277

Comment 8 Fedora Update System 2019-01-15 01:53:05 UTC

freeradius-3.0.17-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2019-01-15 02:33:05 UTC

freeradius-3.0.17-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.