
Re: WPA error: TLS Alert write:fatal:protocol version




Hi,

On Tue, Oct 02, 2018 at 04:08:41PM +0200, Pétùr wrote:
> On Debian sid, I have the following error when trying to connect to a WPA2 Enterprise network (PEAP + MSCHAPv2) with:
> 
> Tue Oct  2 14:07:43 2018 : Error: TLS Alert write:fatal:protocol version
> Tue Oct  2 14:07:43 2018 : Error: rlm_eap: SSL error error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> Tue Oct  2 14:07:43 2018 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
> Tue Oct  2 14:07:43 2018 : Auth: Login incorrect (TLS Alert write:fatal:protocol version): [login@xxxxxxxxxxxxxxxx]

OpenSSL 1.1.1, and pretty much everything using it, is now disabling TLS 1.1
by default. That's probably what you see here, and it means that your RADIUS
server supports only deprecated TLS versions.

You can enable TLS 1.1 in your wpa_supplicant config, but the real fix is to
enable TLS 1.2 on your RADIUS server. That has been enabled by default in
freeradius in Debian since at least jessie, to give you an idea of how
outdated the setup is ;).

-nik
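
An added example, not part of the original mail: one way to find which identities are being rejected over the TLS protocol version, by scanning a FreeRADIUS log in the format quoted above. The function name and the sample identities are hypothetical, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the log format quoted in the mail; identities are made up.
SAMPLE_LOG = """\
Tue Oct  2 14:07:43 2018 : Error: TLS Alert write:fatal:protocol version
Tue Oct  2 14:07:43 2018 : Auth: Login incorrect (TLS Alert write:fatal:protocol version): [alice@example.org]
Tue Oct  2 14:09:10 2018 : Auth: Login OK: [bob@example.org]
Tue Oct  2 14:11:02 2018 : Auth: Login incorrect (TLS Alert write:fatal:protocol version): [alice@example.org]
Tue Oct  2 14:12:30 2018 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [carol@example.org]
Wed Oct  3 09:00:01 2018 : Auth: Login incorrect (TLS Alert write:fatal:protocol version): [dave@example.org]
"""

TS_FMT = "%a %b %d %H:%M:%S %Y"  # ctime-style timestamp, day is space-padded

# Matches only rejected logins; anything after "[identity]" is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : Auth: Login incorrect "
    r"\((?P<reason>[^)]*)\): \[(?P<user>[^\]]*)\]"
)


def tls_version_failures(log_text):
    """Return {identity: (count, first_seen, last_seen)} for logins rejected
    with a TLS 'protocol version' alert. Other reject reasons are skipped."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        reason = m["reason"]
        # Assumption: the alert text always contains both of these substrings.
        if "TLS Alert" in reason and "protocol version" in reason:
            hits[m["user"]].append(datetime.strptime(m["ts"], TS_FMT))
    return {user: (len(ts), min(ts), max(ts)) for user, ts in hits.items()}


if __name__ == "__main__":
    report = tls_version_failures(SAMPLE_LOG)
    # Most frequently rejected identities first.
    for user, (count, first, last) in sorted(report.items(), key=lambda kv: -kv[1][0]):
        print(f"{user}: {count} reject(s), first {first}, last {last}")
```

Run against the real log before and after changing the TLS versions the server accepts; identities that stop appearing were affected by the version mismatch.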
