WPA error: TLS Alert write:fatal:protocol version


WPA error: TLS Alert write:fatal:protocol version

Pétùr
On Debian sid, I have the following error when trying to connect to a WPA2 Enterprise network (PEAP + MSCHAPv2) with:

Tue Oct  2 14:07:43 2018 : Error: TLS Alert write:fatal:protocol version
Tue Oct  2 14:07:43 2018 : Error: rlm_eap: SSL error error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Tue Oct  2 14:07:43 2018 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
Tue Oct  2 14:07:43 2018 : Auth: Login incorrect (TLS Alert write:fatal:protocol version): [[hidden email]]

It is probably a bug with a package. I tried to downgrade openssl and libgnutls-openssl27 without any change.

Any idea?

Pétùr


Re: WPA error: TLS Alert write:fatal:protocol version

Dominik George-7
Hi,

On Tue, Oct 02, 2018 at 04:08:41PM +0200, Pétùr wrote:
> On Debian sid, I have the following error when trying to connect to a WPA2 Enterprise network (PEAP + MSCHAPv2) with:
>
> Tue Oct  2 14:07:43 2018 : Error: TLS Alert write:fatal:protocol version
> Tue Oct  2 14:07:43 2018 : Error: rlm_eap: SSL error error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> Tue Oct  2 14:07:43 2018 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
> Tue Oct  2 14:07:43 2018 : Auth: Login incorrect (TLS Alert write:fatal:protocol version): [[hidden email]]

OpenSSL 1.1.1, and pretty much everything using it, is now disabling TLS 1.1
by default. That's probably what you see here, and it means that your RADIUS
server supports only deprecated TLS versions.

You can enable TLS 1.1 in your wpa_supplicant config, but the real fix is to
enable TLS 1.2 on your RADIUS server. That has been enabled by default in
freeradius in Debian since at least jessie, to give you an idea of how
outdated the setup is ;).

-nik


Re: WPA error: TLS Alert write:fatal:protocol version

Pétùr
On 02/10/2018 at 17:09, Dominik George wrote:

> On Tue, Oct 02, 2018 at 04:08:41PM +0200, Pétùr wrote:
>> On Debian sid, I have the following error when trying to connect to a WPA2 Enterprise network (PEAP + MSCHAPv2) with:
>>
>> Tue Oct  2 14:07:43 2018 : Error: TLS Alert write:fatal:protocol version
>> Tue Oct  2 14:07:43 2018 : Error: rlm_eap: SSL error error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>> Tue Oct  2 14:07:43 2018 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
>> Tue Oct  2 14:07:43 2018 : Auth: Login incorrect (TLS Alert write:fatal:protocol version): [[hidden email]]
> OpenSSL 1.1.1, and pretty much everything using it, is now disabling TLS 1.1
> by default. That's probably what you see here, and it means that your RADIUS
> server supports only deprecated TLS versions.
>
> You can enable TLS 1.1 in your wpa_supplicant config, but the real fix is to
> enable TLS 1.2 on your RADIUS server. That has been enabled by default in
> freeradius in Debian since at least jessie, to give you an idea of how
> outdated the setup is ;).

Thanks, I think the TLS version is the problem.

I configured wpa_supplicant (because network-manager does not offer an
option for the TLS version).

Do you know what exact option is needed by wpa_supplicant to allow TLS 1.1?

I tried to add "phase1="tls_disable_tlsv1_2=1"" (see the complete
wpa_supplicant configuration below).

With this option, I don't have the error message, but I don't have a
working connection either.


/etc/wpa_supplicant/wpa_supplicant.conf

network={
  ssid="University network"
  key_mgmt=WPA-EAP
  pairwise=CCMP
  group=CCMP TKIP
  eap=PEAP
  ca_cert="/home/petur/.cat_installer/ca.pem"
  identity="[hidden email]"
  domain_suffix_match="radius.university.com"
  phase1="tls_disable_tlsv1_2=1"
  phase2="auth=MSCHAPV2"
  password="xxxxxxx"
  anonymous_identity="[hidden email]"
}


Pétùr


Re: WPA error: TLS Alert write:fatal:protocol version

Dominik George-7
Hi,

>I tried to add "phase1="tls_disable_tlsv1_2=1"" (see the complete
>wpa_supplicant configuration below).

That leaves you with only TLS 1.3, then ;).

You probably want to set tls_disable_tlsv1_1=0 instead, but I did not try (because please update the RADIUS server).

Cheers,
Nik
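As an added example (not from this thread and not wpa_supplicant's own code), a small Python model of why the two phase1 settings discussed above behave as they do: the client's phase1 flags are intersected with the system-wide OpenSSL policy, which for Debian's OpenSSL 1.1.1 is assumed here to set MinProtocol to TLSv1.2, and the result is compared with the versions the RADIUS server offers. The MinProtocol default, the server's version set and the sample config block are assumptions constructed for the example.

```python
import re

VERSIONS = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Real wpa_supplicant phase1 flags: tls_disable_tlsv1_N=1 disables that version.
FLAG_FOR = {"tls_disable_tlsv1_%d" % i: v for i, v in enumerate(VERSIONS)}

# Constructed sample mirroring the block posted in the thread, secrets removed.
SAMPLE_CONF = '''network={
  ssid="University network"
  key_mgmt=WPA-EAP
  eap=PEAP
  phase1="tls_disable_tlsv1_2=1"
  phase2="auth=MSCHAPV2"
}
'''

def parse_phase1(conf):
    """Return the key=value pairs of the first phase1="..." line as a dict."""
    m = re.search(r'^\s*phase1="([^"]*)"', conf, re.MULTILINE)
    if not m:
        return {}
    return dict(item.split("=", 1) for item in m.group(1).split() if "=" in item)

def client_versions(phase1):
    """Versions wpa_supplicant itself still offers: every one not disabled with =1."""
    return [v for flag, v in FLAG_FOR.items() if phase1.get(flag, "0") != "1"]

def policy_versions(min_protocol):
    """Versions the system OpenSSL config allows: MinProtocol and newer."""
    return VERSIONS[VERSIONS.index(min_protocol):]

def effective_versions(conf, min_protocol="TLSv1.2"):
    """What the supplicant can really negotiate: its flags AND the OpenSSL policy.
    The default MinProtocol is an assumption about Debian's openssl.cnf for 1.1.1."""
    allowed = set(client_versions(parse_phase1(conf))) & set(policy_versions(min_protocol))
    return [v for v in VERSIONS if v in allowed]

def negotiable(conf, server_versions, min_protocol="TLSv1.2"):
    """Versions both sides accept; an empty list means the handshake fails."""
    return [v for v in effective_versions(conf, min_protocol) if v in server_versions]

if __name__ == "__main__":
    old_server = ["TLSv1.0", "TLSv1.1"]   # assumed: what the outdated RADIUS server offers
    for phase1 in ("tls_disable_tlsv1_2=1", "tls_disable_tlsv1_1=0"):
        conf = SAMPLE_CONF.replace("tls_disable_tlsv1_2=1", phase1)
        print(phase1, "->", effective_versions(conf), "common:", negotiable(conf, old_server))
```

With the assumed policy, tls_disable_tlsv1_2=1 leaves the client with TLSv1.3 only, and tls_disable_tlsv1_1=0 changes nothing because the OpenSSL minimum still excludes TLS 1.1; only a server that offers TLS 1.2 yields a common version.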


WPA error: TLS Alert write:fatal:protocol version

Pétùr
On 03/10/2018 at 16:35, Dominik George wrote:
>
>> I tried to add "phase1="tls_disable_tlsv1_2=1"" (see the complete
>> wpa_supplicant configuration below).
> That leaves you with only TLS 1.3, then ;).

Ok :-)

> You probably want to set tls_disable_tlsv1_1=0 instead, but I did not try (because please update the RADIUS server).

I tried this. With tls_disable_tlsv1_1=0 I get the alert (with no
working connection):

SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
OpenSSL: openssl_handshake - SSL_connect error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
wlp3s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed

Anyway, it seems the TLS version is not the issue here. Indeed, I also
tried downgrading openssl to the stable version (I use sid). After that,
wpa_supplicant can connect.

So the problem is a bug in openssl 1.1.1-1. I didn't see this before
because network-manager was not able to connect the first time I tried
to downgrade openssl. But wpa_supplicant does, and now network-manager
does too, so I probably misconfigured nm the first time.

Thanks for the help