Re: WPA error: TLS Alert write:fatal:protocol version
- Date: Wed, 3 Oct 2018 15:58:31 +0200
- From: Pétùr <peturvilj@xxxxxxxxx>
- Subject: Re: WPA error: TLS Alert write:fatal:protocol version
On 02/10/2018 at 17:09, Dominik George wrote:
> On Tue, Oct 02, 2018 at 04:08:41PM +0200, Pétùr wrote:
>> On Debian sid, I have the following error when trying to connect to a WPA2 Enterprise network (PEAP + MSCHAPv2) with:
>> Tue Oct 2 14:07:43 2018 : Error: TLS Alert write:fatal:protocol version
>> Tue Oct 2 14:07:43 2018 : Error: rlm_eap: SSL error error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>> Tue Oct 2 14:07:43 2018 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
>> Tue Oct 2 14:07:43 2018 : Auth: Login incorrect (TLS Alert write:fatal:protocol version): [login@xxxxxxxxxxxxxxxx]
> OpenSSL 1.1.1, and pretty much everything using it, is now disabling TLS 1.1
> by default. That's probably what you see here, and it means that your RADIUS
> server supports only deprecated TLS versions.
> You can enable TLS 1.1 in your wpa_supplicant config, but the real fix is to
> enable TLS 1.2 on your RADIUS server. That has been enabled by default in
> freeradius in Debian since at least jessie, to give you an idea of how
> outdated the setup is ;).
Thanks, I think the TLS version is the problem.
I configured wpa_supplicant (because network-manager does not offer
an option for the TLS version).
Do you know what exact option is needed by wpa_supplicant to allow TLS 1.1?
I tried to add "phase1="tls_disable_tlsv1_2=1"" (see below the complete
With this option, I don't have the error message but I don't have a
working connection either.
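
Added example, not part of the original thread: the RADIUS log quoted above records the failure as "Login incorrect" even though the cause is TLS version negotiation, so this sketch separates such entries from ordinary rejections when reviewing a log. The sample log is constructed in the format of the quoted lines; the user names, the last two entries and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log lines quoted in the thread.
# User names and the last two entries are made up for illustration.
SAMPLE_LOG = """\
Tue Oct 2 14:07:43 2018 : Error: TLS Alert write:fatal:protocol version
Tue Oct 2 14:07:43 2018 : Error: rlm_eap: SSL error error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Tue Oct 2 14:07:43 2018 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
Tue Oct 2 14:07:43 2018 : Auth: Login incorrect (TLS Alert write:fatal:protocol version): [alice@example.org]
Tue Oct 2 14:09:10 2018 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [bob@example.org]
Tue Oct 2 14:11:02 2018 : Auth: Login OK: [carol@example.org]
"""

# "<timestamp> : <level>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) : (?P<level>\w+): (?P<msg>.*)$")
# "Login OK: [user]" or "Login incorrect (reason): [user]"
AUTH_RE = re.compile(
    r"^Login (?P<result>OK|incorrect)(?: \((?P<reason>.*)\))?: \[(?P<user>[^\]]*)\]")
# Reason strings taken from the quoted log that point at TLS version negotiation.
TLS_VERSION_RE = re.compile(r"protocol version|wrong version number", re.I)


def classify(log_text):
    """Return {user: [(timestamp, verdict), ...]} for every Auth line."""
    results = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["level"] != "Auth":
            continue  # Error lines carry no user; the Auth line repeats the reason
        a = AUTH_RE.match(m["msg"])
        if not a:
            continue
        if a["result"] == "OK":
            verdict = "ok"
        elif a["reason"] and TLS_VERSION_RE.search(a["reason"]):
            verdict = "tls-version-mismatch"  # not a credential problem
        else:
            verdict = "rejected"
        results[a["user"]].append((m["ts"], verdict))
    return dict(results)


def tls_mismatch_users(log_text):
    """Users with at least one failure caused by TLS version negotiation."""
    return sorted(user for user, events in classify(log_text).items()
                  if any(verdict == "tls-version-mismatch" for _, verdict in events))


if __name__ == "__main__":
    for user, events in classify(SAMPLE_LOG).items():
        print(user, events)
```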