[X] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
[X] The title contains the plugin to which this issue belongs
Describe the bug
If selecting TLS Version 1.0 or 1.1, the correct min version is set in the config, but the cipher suite stays at "DEFAULT"
Since OpenSSL changed the default SECLEVEL of the cipher suite in version 3.x, TLS 1.0 and 1.1 will not work if the cipher suite is not set to "DEFAULT:@SECLEVEL=0", making the selection essentially pointless. (SHA1 and MD5 are now SECLEVEL 0 albeit needed for TLS 1.0 and 1.1).
To mitigate the issue, we have to modify the line cipher_list = "DEFAULT" to cipher_list = "DEFAULT:@SECLEVEL=0" in the file /usr/local/etc/raddb/mods-enabled/eap. Since this file gets overwritten on reboot and config change, the template for the config file should be modified to set the correct cipher list based on the selected minimum TLS version.
To Reproduce
Enable Radius and EAP.
Stop Radius and start via console (radiusd -X)
Set minimal TLS version to 1.0
Try to connect a device with only TLS 1.0 or 1.1 capabilities
Observe missing cipher suite errors from openssl inside radius console.
Expected behavior
Client should be able to connect with TLS 1.0 or 1.1 if the minimal TLS selector is set low enough.
Additional context
Relevant context in the OpenSSL issues: https://github.com/openssl/openssl/issues/17476#issuecomment-1010812582
Our config stopped working with the switch from OpenSSL 1.1.1w to 3.0.13.
Environment
OPNsense 24.1.8
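As an added example (not OPNsense's or FreeRADIUS's own code), the following Python script renders the tls-config fragment for a chosen minimum TLS version and lints an existing eap module file for the mismatch described in this report. The key names tls_min_version, tls_max_version and cipher_list follow the stock FreeRADIUS 3.x eap module; the sample config text is constructed, and the assumption that OpenSSL 3.x runs at SECLEVEL 1 unless the cipher string lowers it is taken from the report above.

```python
"""Render and check the cipher_list of a FreeRADIUS eap module for a given
minimum TLS version.  Added example; not OPNsense or FreeRADIUS code."""
import re
import sys

SUPPORTED = ("1.0", "1.1", "1.2", "1.3")
# TLS 1.0/1.1 need SHA1/MD5-based ciphers that OpenSSL 3.x only allows at
# security level 0 (assumption: stock OpenSSL 3.x, default SECLEVEL 1).
LEGACY = {"1.0", "1.1"}


def cipher_list_for(min_version: str) -> str:
    """Cipher string that actually works for the selected minimum version."""
    if min_version not in SUPPORTED:
        raise ValueError(f"unsupported TLS version {min_version!r}")
    return "DEFAULT:@SECLEVEL=0" if min_version in LEGACY else "DEFAULT"


def render_tls_block(min_version: str, max_version: str = "1.3") -> str:
    """tls-config fragment with a cipher_list matching tls_min_version
    (what a config template should emit instead of a fixed "DEFAULT")."""
    return (
        "tls-config tls-common {\n"
        f'\ttls_min_version = "{min_version}"\n'
        f'\ttls_max_version = "{max_version}"\n'
        f'\tcipher_list = "{cipher_list_for(min_version)}"\n'
        "}\n"
    )


# Only uncommented directives count; '#' lines are not matched by ^\s*.
_MIN_RE = re.compile(r'^\s*tls_min_version\s*=\s*"?([0-9.]+)"?', re.M)
_CIPHER_RE = re.compile(r'^\s*cipher_list\s*=\s*"([^"]*)"', re.M)
_SECLEVEL_RE = re.compile(r"@SECLEVEL=(\d)")


def check_eap_config(text: str) -> list:
    """Return a list of problems found in an eap module's tls-config text.

    Flags the report's case (legacy min version without @SECLEVEL=0) and
    the opposite one (SECLEVEL lowered although no legacy version is allowed),
    since lowering the level without need weakens every TLS 1.2 handshake too.
    """
    problems = []
    m = _MIN_RE.search(text)
    c = _CIPHER_RE.search(text)
    if m is None or c is None:
        return ["tls_min_version or cipher_list not found"]
    min_version, ciphers = m.group(1), c.group(1)
    lvl = _SECLEVEL_RE.search(ciphers)
    seclevel = int(lvl.group(1)) if lvl else None  # None: OpenSSL default
    if min_version in LEGACY and (seclevel is None or seclevel > 0):
        problems.append(
            f'tls_min_version = "{min_version}" needs @SECLEVEL=0 on OpenSSL 3.x, '
            f'but cipher_list = "{ciphers}"'
        )
    if min_version not in LEGACY and seclevel == 0:
        problems.append(
            f'cipher_list = "{ciphers}" lowers SECLEVEL to 0 although '
            f'tls_min_version = "{min_version}" does not require it'
        )
    return problems


# Constructed sample: what the generated eap module looks like after
# selecting TLS 1.0 in the GUI, i.e. the state this report describes.
SAMPLE_BROKEN = """\
tls-config tls-common {
\t#tls_min_version = "1.2"
\ttls_min_version = "1.0"
\ttls_max_version = "1.3"
\tcipher_list = "DEFAULT"
}
"""

if __name__ == "__main__":
    # Usage: python check_eap.py /usr/local/etc/raddb/mods-enabled/eap
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_BROKEN
    for p in check_eap_config(text) or ["OK: cipher_list matches tls_min_version"]:
        print(p)
```

The render function is the shape of the fix the report asks for in the template: derive cipher_list from the selected minimum version rather than hard-coding "DEFAULT". The checker can be run against the generated /usr/local/etc/raddb/mods-enabled/eap after a config change to confirm the template produced a consistent pair.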