Bug 1636811

Summary: FreeRadius needs to be 3.0.17 or newer to allow wpa_supplicant from F29 to connect due to TLS 1.3 problems (tls_max_version = "1.2" also needs to be set)
Product: [Fedora] Fedora Reporter: Trever Adams <trever>
Component: freeradiusAssignee: Lubomir Rintel <lkundrak>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 29CC: andreas.bierfert, ascheel, bgalvani, blueowl, dcaratti, dcbw, john.j5live, lemenkov, lkundrak, nikolai.kondrashov
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: freeradius-3.0.17-2.fc28 freeradius-3.0.17-2.fc29 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1667841 (view as bug list) Environment:
Last Closed: 2019-01-15 01:53:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1667841    
Attachments:
Description Flags
3 Changes versus 3.0.15 latest release in Fedora to get it to compile none

Description Trever Adams 2018-10-07 20:56:17 UTC 
Description of problem:
wpa_supplicant on F29 w openssl 1.1.1 tries to use tls 1.3. FreeRadius on F29 with openssl 1.1.1 does not work. It only gets part way through authenticating then fails. Windows and Android continue to work.

Some of this may also be fixed in freeradius 3.0.16/17

Version-Release number of selected component (if applicable):
openssl-1.1.1-3.fc29.x86_64
wpa_supplicant-2.6-17.fc29.x86_64
freeradius-3.0.15-18.fc29.x86_64
Comment 1 Trever Adams 2018-10-08 23:00:41 UTC 
It is possible this is a library mismatch. I don't think 1.1.0 and 1.1.1 of OpenSSL are completely ABI compatible. I don't remember where I may have seen this. If I am wrong, ok. Either way, things are broken with WPA2 Enterprise TTLS or PEAP. This is a wpa_supplicant F29 vs. anything else problem. FreeRadius in the last version in F28 still worked.

# rpm -q wpa_supplicant --requires | grep ssl
libssl.so.1.1()(64bit)
libssl.so.1.1(OPENSSL_1_1_0)(64bit)
# ldd /usr/sbin/wpa_supplicant  | grep ssl
	libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007fcf269d3000)
# rpm -qf  /lib64/libssl.so.1.1
openssl-libs-1.1.1-3.fc29.x86_64
# ldd /usr/sbin/wpa_supplicant  | grep ssl
	libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f24ee359000)


# ldd /usr/sbin/radiusd  | grep ssl
	libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007fa5cb58f000)
# rpm -q freeradius --requires | grep ssl
libssl.so.1.1()(64bit)
libssl.so.1.1(OPENSSL_1_1_0)(64bit)
openssl >= 1:1.1.1

Why are both ssl versions required by freeradius?
Comment 2 Trever Adams 2018-10-10 00:18:29 UTC 
This is fixed by FreeRadius 3.0.17 with tls_max_version = "1.2" in the eap module configuration.

I have compiled this with a slightly modified freeradius.spec and the update source tar.bz2.

I know the right fix to support TLS v1.3 will be a bit off, but this is a good start and gets people running again.
Comment 3 Trever Adams 2018-10-10 00:19:57 UTC 
Created attachment 1492299 [details]
3 Changes versus 3.0.15 latest release in Fedora to get it to compile
Comment 4 Andreas Bierfert 2018-12-03 21:12:39 UTC 
Can confirm this. Upgrading to 3.0.17-1 from rawhide and adding tls_max_version="1.2" fixes the issue for me.
Comment 5 Alex Scheel 2018-12-15 00:52:12 UTC 
Feel free to test the update here:


https://bodhi.fedoraproject.org/updates/FEDORA-2018-bcf7fd8277
Comment 6 Fedora Update System 2018-12-16 03:17:28 UTC 
freeradius-3.0.17-2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1bc4a63a4f
Comment 7 Fedora Update System 2018-12-16 03:57:47 UTC 
freeradius-3.0.17-2.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-bcf7fd8277
Comment 8 Fedora Update System 2019-01-15 01:53:05 UTC 
freeradius-3.0.17-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2019-01-15 02:33:05 UTC 
freeradius-3.0.17-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.