Univention Bugzilla – Bug 55763
Update default minimal radius version with next radius update
Last modified: 2024-03-08 10:59:13 CET
+++ This bug was initially created as a clone of Bug #55247 +++ Bug #55247 (commit a645629f2a25c6e8d66977b5f693fd494cf4d249) created a UCR variable, which per default limits the tls version to 1.2. When radius updates and properly supports tls 1.3 the default value for this variable should be updated. This issue should always have the next minor release as target-milestone until it is applied. diff --git a/services/univention-radius/debian/univention-radius.univention-config-registry-variables b/services/univention-radius/debian/univention-radius.univention-config-registry-variables index 5cd0531220b..3d62ca1762b 100644 --- a/services/univention-radius/debian/univention-radius.univention-config-registry-variables +++ b/services/univention-radius/debian/univention-radius.univention-config-registry-variables @@ -56,7 +56,7 @@ Categories=service-radius Description[de]=Spezifiziert die maximale TLS-Version, die von Radius genutzt wird. Description[en]=Specifies the maximum TLS version which is used by radius. Type=str -Default=1.2 +Default=1.3 Categories=service-radius [freeradius/auth/helper/ntlm/debug]
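Review bot: raising Default from 1.2 to 1.3 changes behaviour for every domain that relies on the default, and the Description[en] line in the same hunk ("Specifies the maximum TLS version which is used by radius.") neither names the accepted values nor tells an administrator that 1.2 is the fallback when supplicants cannot complete EAP over TLS 1.3. Suggest extending both Description lines, for example `Description[en]=Specifies the maximum TLS version used by radius (1.2 or 1.3). Set to 1.2 if clients fail to authenticate with TLS 1.3.`, and pairing the default change with a changelog entry so the behaviour change is visible at update time.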
Upstream issue: https://github.com/FreeRADIUS/freeradius-server/issues/2385. We have to identify the fix and see in which Debian release it is implemented.
Analysis for UCS 5.2: UCS 5.2 (Debian bookworm) uses openssl 3.0.9-1 and FreeRadius 3.2.1+dfsg-4. According to the Windows support page linked in the original bug, FreeRadius 3.x is still affected. Link: https://support.microsoft.com/de-de/topic/windows-10-ger%C3%A4te-k%C3%B6nnen-sich-nicht-mit-einer-802-1-x-umgebung-verbinden-179ef277-e6ef-8ea3-cb0e-11a6b80fa955 Since the support is uncertain, testing probably can't find everything, and the impact is big, we (me and fbest) decided that we re-evaluate this in a later release, e.g. UCS 5.3 or UCS 6.
I found https://github.com/FreeRADIUS/freeradius-server/pull/3516
https://github.com/FreeRADIUS/freeradius-server/issues/4983#issuecomment-1534165025 says `3.2.2 supports OpenSSL3 and TLS 1.3.`
The release notes mention:
https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_0_20
> Note that tls_min_version/tls_max_version also support "1.3". Since there is no standard yet for EAP with TLS 1.3, it will not work.
https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_0_23
> Added many warning messages about using TLS 1.3 with EAP. In short, don't use it. Microsoft will support it in fall 2021.
https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_0_26
> Support PEAP and TTLS with TLS 1.3. This has been tested with wpa_supplicant and Windows 11.
https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_2_2
> Make TTLS+MS-CHAP work with TLS 1.3. Fixes https://github.com/FreeRADIUS/freeradius-server/issues/4878.
So it seems we just need at least `3.0.26`. So this is a UCS 5.2 topic.
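The comment above decides the TLS 1.3 question by comparing the packaged FreeRADIUS version against the release in which upstream added TLS 1.3 support for EAP. The following is an added example (not code from Univention or the FreeRADIUS project) that turns that reasoning into a check: it strips the Debian packaging suffix from a version string such as `3.2.1+dfsg-4`, compares the upstream part against the thresholds taken from the release notes quoted above (3.0.26 for PEAP/TTLS over TLS 1.3, 3.2.2 for TTLS+MS-CHAP), and renders the resulting `tls_max_version` line for the FreeRADIUS EAP module. The function names, the `tls-config tls-common` stanza layout and the sample version strings are assumptions made for the example.

```python
import re
from typing import Tuple

# Thresholds taken from the FreeRADIUS release notes quoted in this bug:
# 3.0.26 added PEAP/TTLS with TLS 1.3, 3.2.2 made TTLS+MS-CHAP work with it.
MIN_TLS13_EAP = (3, 0, 26)
MIN_TLS13_TTLS_MSCHAP = (3, 2, 2)

# Values the freeradius/conf/tls-max-version UCR variable is expected to hold
# (assumption for this example; FreeRADIUS itself accepts these strings).
SUPPORTED_TLS = ("1.0", "1.1", "1.2", "1.3")


def upstream_version(debian_version: str) -> Tuple[int, ...]:
    """Extract the upstream FreeRADIUS version from a Debian package version.

    '3.2.1+dfsg-4' -> (3, 2, 1); an epoch ('1:'), the '+dfsg' marker and the
    Debian revision ('-4') are packaging details and are dropped.
    """
    v = debian_version.split(":", 1)[-1]   # drop epoch
    v = v.split("-", 1)[0]                 # drop Debian revision
    v = v.split("+", 1)[0]                 # drop +dfsg and similar markers
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unparseable FreeRADIUS version: {debian_version!r}")
    return tuple(int(x) for x in m.groups())


def effective_tls_max(ucr_value: str, freeradius_version: str,
                      ttls_mschap: bool = False) -> Tuple[str, str]:
    """Decide which tls_max_version FreeRADIUS should actually get.

    Returns (value, reason). A request for 1.3 is capped to 1.2 when the
    installed FreeRADIUS predates upstream TLS 1.3 support for EAP, or when
    TTLS+MS-CHAP is in use and the version predates 3.2.2.
    """
    if ucr_value not in SUPPORTED_TLS:
        raise ValueError(f"unsupported TLS version {ucr_value!r}")
    ver = upstream_version(freeradius_version)
    ver_s = ".".join(map(str, ver))
    if ucr_value == "1.3":
        if ver < MIN_TLS13_EAP:
            return "1.2", f"FreeRADIUS {ver_s} < 3.0.26 has no EAP over TLS 1.3; capped to 1.2"
        if ttls_mschap and ver < MIN_TLS13_TTLS_MSCHAP:
            return "1.2", f"FreeRADIUS {ver_s} < 3.2.2 breaks TTLS+MS-CHAP with TLS 1.3; capped to 1.2"
    return ucr_value, "configured value accepted"


def render_tls_config(tls_max: str, tls_min: str = "1.2") -> str:
    """Render the tls-config fragment of the EAP module (layout is an assumption)."""
    if SUPPORTED_TLS.index(tls_min) > SUPPORTED_TLS.index(tls_max):
        raise ValueError(f"tls_min_version {tls_min} exceeds tls_max_version {tls_max}")
    return "\n".join([
        "tls-config tls-common {",
        f'\ttls_min_version = "{tls_min}"',
        f'\ttls_max_version = "{tls_max}"',
        "}",
    ])


if __name__ == "__main__":
    # Constructed sample inputs: the bookworm package version named in this
    # bug and an older 3.0.x package version in Debian packaging style.
    for pkg in ("3.2.1+dfsg-4", "3.0.21+dfsg-2.2+deb11u1"):
        value, reason = effective_tls_max("1.3", pkg)
        print(f"{pkg}: tls_max_version={value} ({reason})")
        print(render_tls_config(value))
```

The cap to 1.2 mirrors what the thread recommends operationally: keep 1.3 as the secure default where the server can handle it, and fall back to 1.2 (via `freeradius/conf/tls-max-version=1.2`) only where a client or a cipher-suite combination cannot complete the handshake.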
Needs to be tested with Windows 11 and 10 clients.
(In reply to Arvid Requate from comment #5)
> Needs to be tested with Windows 11 and 10 clients.
OK. My thought was that we will just change the default of max-tls-version (from 1.2) to 1.3, as Windows 11 supports it (from the release notes). If customers still use Windows 10 and that would not work, they can set the UCR variable back to 1.2. If we document this carefully, would you think this approach is OK?
(In reply to Florian Best from comment #6)
> My thought was, that we will just change the default of max-tls-version
> (from 1.2) to 1.3 as Windows 11 support it (from the release notes).
> If customers still use Windows 10 and that would not work they can set the
> UCR variable back to 1.2.
> If we document this carefully, would you think this approach is OK?
Yes, OK. Make the software secure by default and document how to change the value in case a domain has problems. We do have a dedicated section "Radius / Configuration" in the manual.
OK: the default was to use TLS 1.3
OK: TLS 1.2 for Win10 support can be activated via UCR variable freeradius/conf/tls-max-version=1.2
OK: documentation was added
OK: changelog entry and release notes
univention-radius (9.0.4) a001eec29487 | Bug #55763: Reenable Radius TLS v1.3 by default