Description of problem: wpa_supplicant on F29 w openssl 1.1.1 tries to use tls 1.3. FreeRadius on F29 with openssl 1.1.1 does not work. It only gets part way through authenticating then fails. Windows and Android continue to work. Some of this may also be fixed in freeradius 3.0.16/17 Version-Release number of selected component (if applicable): openssl-1.1.1-3.fc29.x86_64 wpa_supplicant-2.6-17.fc29.x86_64 freeradius-3.0.15-18.fc29.x86_64
It is possible this is a library mismatch. I don't think 1.1.0 and 1.1.1 of OpenSSL are completely ABI compatible. I don't remember where I may have seen this. If I am wrong, ok. Either way, things are broken with WPA2 Enterprise TTLS or PEAP. This is a wpa_supplicant F29 vs. anything else problem. FreeRadius in the last version in F28 still worked. # rpm -q wpa_supplicant --requires | grep ssl libssl.so.1.1()(64bit) libssl.so.1.1(OPENSSL_1_1_0)(64bit) # ldd /usr/sbin/wpa_supplicant | grep ssl libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007fcf269d3000) # rpm -qf /lib64/libssl.so.1.1 openssl-libs-1.1.1-3.fc29.x86_64 # ldd /usr/sbin/wpa_supplicant | grep ssl libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f24ee359000) # ldd /usr/sbin/radiusd | grep ssl libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007fa5cb58f000) # rpm -q freeradius --requires | grep ssl libssl.so.1.1()(64bit) libssl.so.1.1(OPENSSL_1_1_0)(64bit) openssl >= 1:1.1.1 Why are both ssl versions required by freeradius?
This is fixed by FreeRadius 3.0.17 with tls_max_version = "1.2" in the eap module configuration. I have compiled this with a slightly modified freeradius.spec and the update source tar.bz2. I know the right fix to support TLS v1.3 will be a bit off, but this is a good start and gets people running again.
Created attachment 1492299 [details] 3 Changes versus 3.0.15 latest release in Fedora to get it to compile
Can confirm this. Upgrading to 3.0.17-1 from rawhide and adding tls_max_version="1.2" fixes the issue for me.
Feel free to test the update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-bcf7fd8277
freeradius-3.0.17-2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1bc4a63a4f
freeradius-3.0.17-2.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-bcf7fd8277
freeradius-3.0.17-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
freeradius-3.0.17-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.