尽管 tls_min_version 设置已设置为 1.2,但 FreeRADIUS 仍不断抱怨 TLS 1.0/1.1

尽管 tls_min_version 设置已设置为 1.2,但 FreeRADIUS 仍不断抱怨 TLS 1.0/1.1

我正在使用 FreeRADIUS 3.0.21 实施认证协议。设备能够连接,服务器也在正常运行。但是,FreeRADIUS 在其启动日志消息中抱怨 TLS 1.0/1.1 仍然可用。以下是 systemctl status freeradius 命令的输出:

● freeradius.service - FreeRADIUS multi-protocol policy server
     Loaded: loaded (/lib/systemd/system/freeradius.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2023-03-09 17:22:55 UTC; 2h 33min ago
       Docs: man:radiusd(8)
             man:radiusd.conf(5)
             http://wiki.freeradius.org/
             http://networkradius.com/doc/
    Process: 783 ExecStartPre=/usr/sbin/freeradius $FREERADIUS_OPTIONS -Cx -lstdout (code=exited, status=0/SUCCESS)
   Main PID: 786 (freeradius)
     Status: "Processing requests"
      Tasks: 6 (limit: 2101)
     Memory: 81.7M (limit: 2.0G)
        CPU: 1.621s
     CGroup: /system.slice/freeradius.service
             └─786 /usr/sbin/freeradius -f

Mar 09 17:22:54 rpi4-20230308 freeradius[783]: rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
Mar 09 17:22:54 rpi4-20230308 freeradius[783]: rlm_sql (sql): Attempting to connect to database "radius"
Mar 09 17:22:54 rpi4-20230308 freeradius[783]: rlm_sql (sql): Initialising connection pool
Mar 09 17:22:54 rpi4-20230308 freeradius[783]: Ignoring "ldap" (see raddb/mods-available/README.rst)
Mar 09 17:22:54 rpi4-20230308 freeradius[783]:  # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:336
Mar 09 17:22:54 rpi4-20230308 freeradius[783]: radiusd: #### Skipping IP addresses and Ports ####
Mar 09 17:22:54 rpi4-20230308 freeradius[783]: The configuration allows TLS 1.0 and/or TLS 1.1.  We STRONGLY recommned using only TLS 1.2 for security
Mar 09 17:22:54 rpi4-20230308 freeradius[783]: Please set: tls_min_version = "1.2"
Mar 09 17:22:54 rpi4-20230308 freeradius[783]: Configuration appears to be OK
Mar 09 17:22:55 rpi4-20230308 systemd[1]: Started FreeRADIUS multi-protocol policy server.

尽管我已在 mods-available/eap 文件中设置了推荐的选项 tls_min_version = "1.2",但 FreeRADIUS 仍然会抱怨。以下是该文件的内容:


# mods-available/eap as posted.  The shared tls-common section below sets
# both tls_min_version and tls_max_version to "1.2", so the EAP methods
# that reference it (tls, ttls, peap) are pinned to TLS 1.2.  The startup
# warning about TLS 1.0/1.1 therefore most likely comes from another tls
# section that lacks these two settings (e.g. the RadSec listener in
# sites-available/tls), not from this file.
eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = ${max_requests}
    md5 {
    }
    leap {
    }
    gtc {
        auth_type = PAP
    }
    # Shared TLS settings referenced by the tls, ttls and peap sections.
    tls-config tls-common {
        # NOTE(review): replace the real key password with a placeholder
        # before posting a configuration publicly.
        private_key_password = secretpassword
        private_key_file = ${certdir}/freeradius.key.pem
        certificate_file = ${certdir}/freeradius.pem
        ca_file = ${certdir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        ca_path = ${cadir}
        # OpenSSL's built-in DEFAULT list; the explicit list below is kept
        # commented out for reference only.
        cipher_list = "DEFAULT"
                #cipher_list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-CAMELLIA128-SHA"
        cipher_server_preference = no
        # Lower and upper bound are both 1.2: only TLS 1.2 is negotiated
        # for EAP using this tls-config.
        tls_min_version = "1.2"
        tls_max_version = "1.2"
        ecdh_curve = "secp384r1"
        cache {
            # Session cache disabled; persist_dir and store are presumably
            # unused while enable = no.
            enable = no
            lifetime = 24 # hours
            persist_dir = "${logdir}/tlscache"
            store {
                Tunnel-Private-Group-Id
            }
        }
        verify {
        }
        ocsp {
            enable = no
            override_cert_url = yes
            url = "http://127.0.0.1/ocsp/"
        }
    }
    tls {
        tls = tls-common
    }
    ttls {
        tls = tls-common
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
    peap {
        tls = tls-common
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
    mschapv2 {
    }
}


此外,以下是我的 sites-available/tls 文件:

# sites-available/tls as posted: RADIUS/TLS (RadSec) listener on TCP 2083,
# restricted to the clients defined in the "radsec" clients section.
listen {
    ipaddr = *
    port = 2083
    type = auth+acct
    proto = tcp
    virtual_server = default
    clients = radsec
    limit {
          max_connections = 16
          lifetime = 0
          idle_timeout = 30
    }
    tls {
        # NOTE(review): unlike tls-common in mods-available/eap, this tls
        # section sets no tls_min_version / tls_max_version, so the
        # listener keeps whatever the build's default minimum version is.
        # This is the likely origin of the "configuration allows TLS 1.0
        # and/or TLS 1.1" startup message; the listen tls section accepts
        # the same setting, so add `tls_min_version = "1.2"` (and
        # tls_max_version if the version is to be pinned) here as well.

        # NOTE(review): use a placeholder for the real key password when
        # posting the file publicly.
        private_key_password = secretpassword 
                private_key_file = ${certdir}/freeradius.key.pem
        certificate_file = ${certdir}/freeradius.pem
        ca_file = ${certdir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        fragment_size = 8192
        ca_path = ${cadir}
        cipher_list = "DEFAULT"
        cipher_server_preference = no
        cache {
              enable = no
              lifetime = 24 # hours
        }
        # Mutual TLS: RadSec peers must present a client certificate,
        # presumably validated against ca_file / ca_path above.
        require_client_cert = yes
        verify {
        }
    }
}
# Client list used by the RadSec listener above.  Only the loopback
# address is allowed; "radsec" is the conventional fixed shared secret
# for RADIUS/TLS, where confidentiality comes from the TLS layer.
clients radsec {
    client 127.0.0.1 {
        ipaddr = 127.0.0.1
        proto = tls
        secret = radsec
    }
}
# Outbound RadSec home server (proxy target on the local host).
# NOTE(review): the key password and the snakeoil certificate paths look
# like the unmodified packaged example -- confirm whether proxying over
# TLS is actually used.  This tls section also has no tls_min_version; if
# it is in use it should be pinned to 1.2 like the listener.
home_server tls {
    ipaddr = 127.0.0.1
    port = 2083
    type = auth
    secret = radsec
    proto = tcp
    status_check = none
    tls {
        private_key_password = whatever
        private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
        certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
        # NOTE(review): this is the system-wide public CA bundle, so any
        # certificate from a publicly trusted CA would be accepted for this
        # peer -- presumably not the intent for a private RadSec home
        # server; a dedicated ca_file is the safer choice.
        ca_file = /etc/ssl/certs/ca-certificates.crt
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        fragment_size = 8192
        ca_path = ${cadir}
        cipher_list = "DEFAULT"
    }
}
# Pool containing only the "tls" home server defined above.
home_server_pool tls {
         type = fail-over
         home_server = tls
}
# Realm whose authentication requests are proxied via the "tls" pool.
realm tls {
      auth_pool = tls
}


FreeRADIUS 服务器运行在 Raspberry Pi 4 上的 Debian 系统上。以下是 uname -a 命令的输出:

Linux rpi4-20230308 5.10.0-21-arm64 #1 SMP Debian 5.10.162-1 (2023-01-21) aarch64 GNU/Linux

openssl version 命令的输出如下:

OpenSSL 1.1.1n  15 Mar 2022

请问有人能帮我找出配置中的问题(如果有的话),并解释为什么 FreeRADIUS 服务器认为它仍然可以接受 TLS 1.0/1.1 握手吗?

以下是按照 Konrad Gajewski 的建议操作之后得到的 Wireshark 截图:

wireshark 截图显示 TLSv1.2 握手

答案1

也许你不应该在 mods-available/eap 中修改,而应该在 mods-enabled/eap 中修改。对于在 Ubuntu 16 上运行的 freeradius 3.0.12,此方法对我有用(在这个旧版 freeradius 中,语法是 disable_tlsv1_0 = yes 和 disable_tlsv1_1 = yes,而不是 tls_min_version = "1.2")。

试一试!

答案2

在 Debian 上运行 FreeRADIUS 时,你必须记住,默认版本并不支持开箱即用的 TLS。它不会报告任何特定的错误,只是没有在编译时启用它。

为了解决这个问题,你需要自行编译 FreeRADIUS 并启用 SSL/TLS 支持。本质上就是创建你自己的 deb 包,安装它们,然后确保在升级服务器时它们不会被覆盖。

(如何做到这一点是另一回事 - 但如果您遇到困难,请告诉我们)
