warn if RADIUSv1.1 and TLS <1.3
authorAlan T. DeKok <aland@freeradius.org>
Thu, 20 Jul 2023 11:18:10 +0000 (07:18 -0400)
committerAlan T. DeKok <aland@freeradius.org>
Thu, 20 Jul 2023 11:18:10 +0000 (07:18 -0400)
src/main/tls.c

index 1c03c8b9de2b2053780123c02d2e8637b549c8b6..9f62dba2de5cd775d2b64013bd11fd17daa60123 100644 (file)
@@ -4167,6 +4167,16 @@ post_ca:
                        ERROR("Unknown or unsupported value for tls_min_version '%s'", conf->tls_min_version);
                        return NULL;
                }
+
+#ifdef WITH_RADIUSV11
+               /*
+                *      RADIUS 1.1 requires TLS 1.3 or later.
+                */
+               if (conf->radius11 && (min_version < TLS1_3_VERSION) {
+                       WARN(LOG_PREFIX ": The configuration allows TLS <1.3.  RADIUSv1.1 MUST use TLS 1.3");
+                       WARN(LOG_PREFIX ": Please set: tls_min_version = '1.3'");
+               }
+#endif
        } else {
 #ifdef WITH_RADIUSV11
                /*
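Review bot: The added condition `if (conf->radius11 && (min_version < TLS1_3_VERSION) {` has an unbalanced parenthesis, so the file will not compile when WITH_RADIUSV11 is defined; it should read `if (conf->radius11 && (min_version < TLS1_3_VERSION)) {`. The comment also says RADIUS 1.1 "requires" TLS 1.3, yet the branch only emits two WARN lines and carries on, so a configuration with RADIUSv1.1 enabled can still start with a lower TLS floor. If that is a deliberate migration allowance, say so in the comment, e.g. `/* RADIUS 1.1 requires TLS 1.3; warn only, so existing configs keep loading. */`; otherwise fail as the `tls_min_version` error path just above does, with `return NULL;`. TLS1_3_VERSION is presumably absent from older OpenSSL headers, so check whether this block needs a guard beyond WITH_RADIUSV11. The enclosing function starts and ends outside the hunk.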