Bug 55763 - Update default minimal radius version with next radius update
Update default minimal radius version with next radius update
Status: VERIFIED FIXED
Product: UCS
Classification: Unclassified
Component: Radius
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.2
Assigned To: Maximilian Janßen
QA Contact: Florian Best
URL: https://github.com/FreeRADIUS/freerad...
Depends on: 55247
Reported: 2023-02-27 14:09 CET by Maximilian Janßen
Modified: 2024-03-08 10:59 CET (History)
What kind of report is it?: Development Internal
Description Maximilian Janßen univentionstaff 2023-02-27 14:09:17 CET
+++ This bug was initially created as a clone of Bug #55247 +++

Bug #55247 (commit a645629f2a25c6e8d66977b5f693fd494cf4d249) created a UCR variable which, by default, limits the TLS version to 1.2.

When Radius is updated and properly supports TLS 1.3, the default value for this variable should be updated.

This issue should always have the next minor release as target-milestone until it is applied.


diff --git a/services/univention-radius/debian/univention-radius.univention-config-registry-variables b/services/univention-radius/debian/univention-radius.univention-config-registry-variables
index 5cd0531220b..3d62ca1762b 100644
--- a/services/univention-radius/debian/univention-radius.univention-config-registry-variables
+++ b/services/univention-radius/debian/univention-radius.univention-config-registry-variables
@@ -56,7 +56,7 @@ Categories=service-radius
 Description[de]=Spezifiziert die maximale TLS-Version, die von Radius genutzt wird.
 Description[en]=Specifies the maximum TLS version which is used by radius.
 Type=str
-Default=1.2
+Default=1.3
 Categories=service-radius

 [freeradius/auth/helper/ntlm/debug]
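Review bot: The `Default=1.3` bump only makes sense together with a FreeRADIUS build that actually supports EAP with TLS 1.3; the thread cites 3.0.26 (PEAP/TTLS) and 3.2.2 (TTLS+MS-CHAP), so the package should carry a versioned dependency on at least that release, or the new default silently breaks EAP on older builds. The `Description[en]`/`Description[de]` lines are unchanged and still only say "maximum TLS version"; they should also state that clients which cannot negotiate TLS 1.3 (Windows 10 is named later in this bug) require setting the variable back to `1.2`, since that is the documented fallback and the description is what `ucr info` shows to administrators.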
Comment 1 Florian Best univentionstaff 2023-02-27 15:52:45 CET
Upstream issue: https://github.com/FreeRADIUS/freeradius-server/issues/2385. We have to identify the fix and see in which Debian release it is implemented.
Comment 3 Maximilian Janßen univentionstaff 2023-09-21 11:12:37 CEST
Analysis for UCS 5.2:

UCS 5.2 (debian bookworm) uses openssl 3.0.9-1 and FreeRadius 3.2.1+dfsg-4.

According to the Windows support page linked in the original bug, FreeRadius 3.x is still affected. Link: https://support.microsoft.com/de-de/topic/windows-10-ger%C3%A4te-k%C3%B6nnen-sich-nicht-mit-einer-802-1-x-umgebung-verbinden-179ef277-e6ef-8ea3-cb0e-11a6b80fa955

Since support is uncertain, testing probably can't find everything, and because of the big impact, we (me and fbest) decided to re-evaluate this in a later release, e.g. UCS 5.3 or UCS 6.
Comment 4 Florian Best univentionstaff 2023-09-21 14:18:18 CEST
I found https://github.com/FreeRADIUS/freeradius-server/pull/3516
https://github.com/FreeRADIUS/freeradius-server/issues/4983#issuecomment-1534165025 says `3.2.2 supports OpenSSL3 and TLS 1.3.`

The release notes mention:

https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_0_20
> Note that tls_min_version/tls_max_version also support "1.3". Since there is no standard yet for EAP with TLS 1.3, it will not work.

https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_0_23
> Added many warning messages about using TLS 1.3 with EAP. In short, don't use it. Microsoft will support it in fall 2021.

https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_0_26
> Support PEAP and TTLS with TLS 1.3. This has been tested with wpa_supplicant and Windows 11.

https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_2_2
> Make TTLS+MS-CHAP work with TLS 1.3. Fixes https://github.com/FreeRADIUS/freeradius-server/issues/4878.

So it seems we just need at least `3.0.26`. So this is a UCS 5.2 topic.
Comment 5 Arvid Requate univentionstaff 2023-09-22 13:00:54 CEST
Needs to be tested with Windows 11 and 10 clients.
Comment 6 Florian Best univentionstaff 2023-09-22 13:09:17 CEST
(In reply to Arvid Requate from comment #5)
> Needs to be tested with Windows 11 and 10 clients.
OK.

My thought was that we just change the default of max-tls-version (from 1.2) to 1.3, as Windows 11 supports it (from the release notes).
If customers still use Windows 10 and that would not work, they can set the UCR variable back to 1.2.
If we document this carefully, would you think this approach is OK?
Comment 7 Dirk Wiesenthal univentionstaff 2023-11-08 15:44:08 CET
(In reply to Florian Best from comment #6)
> My thought was, that we will just change the default of max-tls-version
> (from 1.2) to 1.3 as Windows 11 support it (from the release notes).
> If customers still use Windows 10 and that would not work they can set the
> UCR variable back to 1.2.
> If we document this carefully, would you think this approach is OK?

Yes, OK. Make the software secure by default and document how to change the value in case a domain has problems. We do have a dedicated section "Radius / Configuration" in the manual.
Comment 8 Florian Best univentionstaff 2024-02-09 13:31:17 CET
OK: the default is now TLS 1.3
OK: TLS 1.2 for Win10 support can be activated via UCR variable freeradius/conf/tls-max-version=1.2
OK: documentation was added
OK: changelog entry and release notes
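The variable file format changed in the diff above and the fallback summarised in this comment, as an added Python example (not Univention's or FreeRADIUS's own code): it parses a constructed fragment in the .univention-config-registry-variables format, resolves the effective freeradius/conf/tls-max-version from the packaged Default plus an optional UCR override, and flags an override that downgrades below the shipped default. The section name for the variable, the contents of the second section and the override dictionary are assumptions for illustration.

```python
"""Parse a UCR variable description file and resolve the effective TLS maximum.

Added example; not Univention tooling. The section name for the variable and
the second section's values are assumptions (constructed sample input).
"""
import re

# Constructed fragment in the .univention-config-registry-variables format
# (the two Description lines and Type/Categories mirror the diff in the bug).
SAMPLE = """\
[freeradius/conf/tls-max-version]
Description[de]=Spezifiziert die maximale TLS-Version, die von Radius genutzt wird.
Description[en]=Specifies the maximum TLS version which is used by radius.
Type=str
Default=1.3
Categories=service-radius

[freeradius/auth/helper/ntlm/debug]
Description[en]=Constructed placeholder for a second section.
Type=bool
Default=false
Categories=service-radius
"""

MAX_VAR = "freeradius/conf/tls-max-version"
TLS_VERSIONS = ("1.0", "1.1", "1.2", "1.3")


def parse_ucr_variables(text):
    """Return {section_name: {key: value}} for an INI-like variable file."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"stray line outside a section: {raw!r}")
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def tls_tuple(version):
    """'1.2' -> (1, 2); rejects anything that is not a known TLS version."""
    if version not in TLS_VERSIONS:
        raise ValueError(f"unsupported TLS version string: {version!r}")
    major, minor = version.split(".")
    return int(major), int(minor)


def effective_tls_max(sections, ucr_overrides=None):
    """A UCR override (hypothetical dict: variable -> value) wins over Default."""
    overrides = ucr_overrides or {}
    packaged = sections[MAX_VAR]["Default"]
    value = overrides.get(MAX_VAR, packaged)
    tls_tuple(value)  # validate before returning
    return value


def is_downgrade(sections, ucr_overrides=None):
    """True when the effective maximum is below the packaged default."""
    packaged = sections[MAX_VAR]["Default"]
    return tls_tuple(effective_tls_max(sections, ucr_overrides)) < tls_tuple(packaged)


if __name__ == "__main__":
    vars_ = parse_ucr_variables(SAMPLE)
    print("packaged default:", vars_[MAX_VAR]["Default"])
    # Win10 fallback from comment 8: ucr set freeradius/conf/tls-max-version=1.2
    win10 = {MAX_VAR: "1.2"}
    print("effective with fallback:", effective_tls_max(vars_, win10),
          "downgrade:", is_downgrade(vars_, win10))
```

The downgrade flag is the check worth keeping in monitoring: a domain that set the variable to 1.2 for Windows 10 should show up as a known, documented exception rather than stay silently below the secure default.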
Comment 9 Florian Best univentionstaff 2024-03-08 10:59:13 CET
univention-radius (9.0.4)
a001eec29487 | Bug #55763: Reenable Radius TLS v1.3 by default