
Re: WPA error: TLS Alert write:fatal:protocol version




On 02/10/2018 at 17:09, Dominik George wrote:
> On Tue, Oct 02, 2018 at 04:08:41PM +0200, Pétùr wrote:
>> On Debian sid, I have the following error when trying to connect to a WPA2 Enterprise network (PEAP + MSCHAPv2) with :
>>
>> Tue Oct  2 14:07:43 2018 : Error: TLS Alert write:fatal:protocol version
>> Tue Oct  2 14:07:43 2018 : Error: rlm_eap: SSL error error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>> Tue Oct  2 14:07:43 2018 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
>> Tue Oct  2 14:07:43 2018 : Auth: Login incorrect (TLS Alert write:fatal:protocol version): [login@xxxxxxxxxxxxxxxx]
> OpenSSL 1.1.1, and pretty much everything using it, is now disabling TLS 1.1
> by default. That's probably what you see here, and it means that your RADIUS
> server supports only deprecated TLS versions.
> 
> You can enable TLS 1.1 in your wpa_supplicant config, but the real fix is to
> enable TLS 1.2 on your RADIUS server. That has been enabled by default in
> freeradius in Debian since at least jessie, to give you an idea of how
> outdated the setup is ;).

Thanks, I think the TLS version is the problem.

I configured wpa_supplicant (because network-manager does not offer an
option for the TLS version).

Do you know what exact option is needed by wpa_supplicant to allow TLS 1.1?

I tried to add phase1="tls_disable_tlsv1_2=1" (see the complete
wpa_supplicant configuration below).

With this option, I don't have the error message but I don't have a
working connection either.


/etc/wpa_supplicant/wpa_supplicant.conf

network={
  ssid="University network"
  key_mgmt=WPA-EAP
  pairwise=CCMP
  group=CCMP TKIP
  eap=PEAP
  ca_cert="/home/petur/.cat_installer/ca.pem"
  identity="name@xxxxxxxxxxxxxx"
  domain_suffix_match="radius.university.com"
  phase1="tls_disable_tlsv1_2=1"
  phase2="auth=MSCHAPV2"
  password="xxxxxxx"
  anonymous_identity="anonymous@xxxxxxxxxxxxxx"
}


Pétùr
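
Added example, not part of the original message or of wpa_supplicant: a small audit that reads network blocks like the one above and reports which TLS versions the phase1 string switches off and whether server validation is configured. The sample input is constructed from the posted block; tls_disable_tlsv1_0 and tls_disable_tlsv1_1 are wpa_supplicant phase1 options that do not appear in the message.

```python
import re

# phase1 flags of wpa_supplicant that switch off one TLS version each.
TLS_FLAGS = {"tls_disable_tlsv1_0": "TLS 1.0",
             "tls_disable_tlsv1_1": "TLS 1.1",
             "tls_disable_tlsv1_2": "TLS 1.2"}
NAME_CHECKS = {"domain_suffix_match", "domain_match", "subject_match", "altsubject_match"}

# Constructed sample: the network block from the message, without secrets.
SAMPLE = '''
network={
  ssid="University network"
  key_mgmt=WPA-EAP
  eap=PEAP
  ca_cert="/home/petur/.cat_installer/ca.pem"
  domain_suffix_match="radius.university.com"
  phase1="tls_disable_tlsv1_2=1"
  phase2="auth=MSCHAPV2"
}
'''

def parse_networks(text):
    """Return one {key: value} dict per network={...} block, quotes stripped."""
    networks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\n\s*\}", text, re.S):
        fields = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                fields[key.strip()] = value.strip().strip('"')
        networks.append(fields)
    return networks

def audit(fields):
    """List TLS-version and server-validation findings for one EAP block."""
    phase1 = dict(p.split("=", 1) for p in fields.get("phase1", "").split() if "=" in p)
    findings = [f"{ver} disabled ({flag}=1)"
                for flag, ver in TLS_FLAGS.items() if phase1.get(flag) == "1"]
    if not {"ca_cert", "ca_path"} & fields.keys():
        findings.append("no ca_cert: RADIUS server certificate is not verified")
    if not NAME_CHECKS & fields.keys():
        findings.append("no server name constraint: any certificate from the CA is accepted")
    return findings

if __name__ == "__main__":
    for net in parse_networks(SAMPLE):
        print(net.get("ssid"), "->", audit(net) or "no findings")
```
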