Web lists-archives.com

Re: openssl 1.1.1-1: bug?




	Hi.

On Fri, Oct 05, 2018 at 12:41:44PM +0200, Pétùr wrote:
> Hi,
> 
> I cannot connect to WPA2 Entreprise network (PEAP + MSCHAPv2) with
> openssl 1.1.1-1 (in sid today). I can connect 1.1.0f-3+deb9u2 version
> (stable).
> 
> Is it a bug in openssl 1.1.1-1 or some kind of incompatibility between
> openssl 1.1.1-1 and my radius server?

No, it's considered a feature. openssl=1.1.1-1 changelog has this
wonderful entry:

openssl (1.1.1~~pre3-1) experimental; urgency=medium

...
  * Enable system default config to enforce TLS1.2 as a minimum.

 -- Sebastian Andrzej Siewior <sebastian@xxxxxxxxxxxxx>  Wed, 21 Mar 2018 00:01:08 +0100


> The error log with the 1.1.1-1 version says:
> 
> Tue Oct  2 14:07:43 2018 : Error: TLS Alert write:fatal:protocol version
> Tue Oct  2 14:07:43 2018 : Error: rlm_eap: SSL error error:1408F10B:SSL
> routines:SSL3_GET_RECORD:wrong version number

Meaning that - if your RADIUS can only do SSLv3, and not higher (that's
what the log says) - your openssl won't use it whatever. Because
security.


You could try to file a wishlist bug against src:openssl and ask to
revert the change, but I predict that the answer would be 'fix your
RADIUS'.

Reco