Bug 55247 - Radius TLS problems since windows update on win10 & win11 clients
Radius TLS problems since windows update on win10 & win11 clients
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Radius
UCS 5.0
Other Linux
: P5 normal
: UCS 5.0-3-errata
Assigned To: Maximilian Janßen
Florian Best
https://git.knut.univention.de/univen...
Depends on:
Blocks: 55763
Reported: 2022-10-06 13:15 CEST by Mirac Erdemiroglu
Modified: 2023-03-01 14:55 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.206
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2022100521000436, 2022110321000563, 2022110721000396, 2022111821000661, 2022120921000345, 2022120521000334, 2022111521000701, 2023022021000644
Bug group (optional): Usability
Max CVSS v3 score:


Description Mirac Erdemiroglu univentionstaff 2022-10-06 13:15:57 CEST
I request that this problem is fixed very quickly, because the Windows 10 and Windows 11 clients have run into this problem since the last Windows update.

The TLS versions in the UCS are outdated and therefore Win10 and Win11 clients are experiencing connection problems in the 802.1x environment.


Here is some more information about the problem:
https://support.microsoft.com/de-de/topic/windows-10-ger%C3%A4te-k%C3%B6nnen-sich-nicht-mit-einer-802-1-x-umgebung-verbinden-179ef277-e6ef-8ea3-cb0e-11a6b80fa955


In the file /etc/freeradius/3.0/mods-available/eap the customer can add

tls_min_version = "1.2"
tls_max_version = "1.2"

I guess we need a better solution via errata update please.
Comment 1 Jürn Brodersen univentionstaff 2022-10-07 13:51:54 CEST
I'm not sure they run into this problem since the last Windows update; that article is over 7 years old and that particular bug has been fixed in our freeradius version. But Microsoft might have changed the TLS negotiation process in one of the last updates. I didn't investigate that further.

Fact is, we do have a problem here. The client tries to use tls v3 which is not supported by our freeradius version:

https://github.com/FreeRADIUS/freeradius-server/issues/2385

Basically our freeradius version was developed before the behavior for eap and tls v3 was defined. But our openssl version 1.1.1 has no problem negotiating tls v3. We need to disable tls v3 from within freeradius. So setting `tls_max_version = "1.2"` is the right solution. I don't think we need to set the min_version.

Side note:
eap and tls v3 were just finalized in February 2022
https://datatracker.ietf.org/doc/rfc9190/
Comment 3 Daniel Duchon univentionstaff 2022-11-07 10:06:05 CET
Another Customer affected
Comment 4 Daniel Duchon univentionstaff 2022-11-07 12:13:25 CET
Another Customer affected.
Comment 5 Mirac Erdemiroglu univentionstaff 2022-11-21 08:57:33 CET
Same on 2022111821000661
Comment 7 Mirac Erdemiroglu univentionstaff 2023-01-18 09:49:06 CET
Maybe it would be a better choice to get a UCRV to change and set the TLS version for FreeRADIUS.
Comment 9 Christina Scheinig univentionstaff 2023-02-20 14:18:30 CET
Next school customer who needs a fix and is not happy to edit the configuration manually.
Comment 10 Maximilian Janßen univentionstaff 2023-02-24 13:49:12 CET
a65f4710565c42d7520da0ff6a8671daa947e436 | Bug #55247: test case
a645629f2a25c6e8d66977b5f693fd494cf4d249 | Bug #55247: disable tls v3 for radius
73559192080fb054d1b77503dbae1205106fcd06 | Bug #55247: yaml

- The radius TLS version can now be defined via UCR `freeradius/conf/tls-max-version`
- Set the default TLS version to 1.2
- Added test for it
Comment 11 Erik Damrose univentionstaff 2023-02-27 10:44:27 CET
(In reply to Maximilian Janßen from comment #10)
> - The radius TLS version can now be defined via UCR
> `freeradius/conf/tls-max-version`
> - Set the default TLS version to 1.2

How are we making sure that future UCS versions with a newer freeradius version are using TLS 1.3, so that we do not by default restrict radius to an older and maybe at some point insecure TLS version?
Comment 12 Florian Best univentionstaff 2023-02-28 10:08:07 CET
REOPEN: the test case fails:

https://univention-dist-jenkins.k8s.knut.univention.de/job/UCS-5.0/job/UCS-5.0-3/job/AutotestUpgrade/lastCompletedBuild/SambaVersion=no-samba,Systemrolle=master/testReport/45_radius/14_eap_tlsv3/test_eap/

file /usr/share/ucs-test/45_radius/14_eap_tlsv3.py, line 37
  def test_eap(udm, ca_cert):
E       fixture 'ca_cert' not found
>       available fixtures: Client, cache, capfd, capfdbinary, caplog, capsys, capsysbinary, doctest_namespace, ldap_base, ldap_master, lo, monkeypatch, pytestconfig, rad_user, random_name, random_string, random_username, record_property, record_xml_attribute, record_xml_property, recwarn, restart_s4connector_if_present, restart_umc_server, selenium, server_role, ssp, tmp_path, tmp_path_factory, tmpdir, tmpdir_factory, ucr, ucr_session, udm, udm_session, verify_ldap_object, verify_udm_object, wait_for_replication
>       use 'pytest --fixtures [testpath]' for help on them.

/usr/share/ucs-test/45_radius/14_eap_tlsv3.py:37
Comment 13 Florian Best univentionstaff 2023-02-28 10:45:20 CET
(In reply to Florian Best from comment #12)
> REOPEN: the test case fails:

I fixed that.
Comment 14 Florian Best univentionstaff 2023-03-01 10:18:52 CET
OK: max TLS version configurable via UCRv `freeradius/conf/tls-max-version`
OK: default is set to 1.2 as Windows 10/11 require this
I don't know if setting it to 1.2 has side effects for customers/clients which currently use 1.3.
OK: test case
OK: YAML
OK: Bug #55763 for updating the default to 1.3 when it's okay.
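An added example, not code from this bug or from UCS: a small Python audit that reads a FreeRADIUS eap module file for the tls_min_version/tls_max_version settings discussed in comment 1 and comment 10, reports whether TLS 1.3 would still be negotiated (the failing case with OpenSSL 1.1.1), and renders the tls_max_version line from the value of the UCR variable freeradius/conf/tls-max-version. The sample config, the comment-stripping rule and the template function are assumptions, not the UCS template.

```python
"""Audit a FreeRADIUS eap module config for the TLS 1.3 cap described in Bug 55247."""
import re

# Constructed sample of /etc/freeradius/3.0/mods-available/eap (only the relevant part).
SAMPLE_EAP = """
eap {
    default_eap_type = peap
    tls-config tls-common {
        private_key_file = /etc/freeradius/ssl/private.key   # constructed path
        certificate_file = /etc/freeradius/ssl/cert.pem      # constructed path
        # tls_max_version = "1.3"   <- commented out, must be ignored by the audit
        tls_min_version = "1.0"
        cipher_list = "DEFAULT"
    }
}
"""

# Matches tls_min_version / tls_max_version with or without quotes around the value.
VERSION_RE = re.compile(r'^\s*(tls_(?:min|max)_version)\s*=\s*"?([0-9.]+)"?')


def strip_comment(line):
    """Drop a trailing '#' comment (FreeRADIUS config comments start with #)."""
    return line.split("#", 1)[0]


def tls_version_settings(config_text):
    """Return the tls_*_version keys that are actually set (commented lines ignored)."""
    found = {}
    for raw in config_text.splitlines():
        m = VERSION_RE.match(strip_comment(raw))
        if m:
            found[m.group(1)] = m.group(2)
    return found


def allows_tls13(config_text):
    """True if the config lets OpenSSL negotiate TLS 1.3, i.e. the state that
    breaks Windows 10/11 EAP clients against this freeradius version.
    Without an explicit tls_max_version, OpenSSL 1.1.1 offers 1.3."""
    vmax = tls_version_settings(config_text).get("tls_max_version")
    return vmax is None or float(vmax) >= 1.3


def render_tls_max_version(ucr_value, default="1.2"):
    """Render the tls_max_version line from freeradius/conf/tls-max-version.
    Assumed template logic: unset UCRV falls back to the bug's default of 1.2."""
    value = (ucr_value or default).strip()
    if value not in ("1.0", "1.1", "1.2", "1.3"):
        raise ValueError(f"unsupported TLS version {value!r}")
    return f'tls_max_version = "{value}"'
```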