From: Alan T. DeKok
Date: Fri, 2 Apr 2021 11:36:05 +0000 (-0400)
Subject: Allow TLS 1.3 for RadSec
X-Git-Tag: release_3_0_22~124
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5e5280e1ac60285a065dde9228ffdbd34b953e65;p=thirdparty%2Ffreeradius-server.git
Allow TLS 1.3 for RadSec
---
diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
index 5736791d13..0bda75f42c 100644
--- a/raddb/sites-available/tls
+++ b/raddb/sites-available/tls
@@ -258,6 +258,13 @@ listen {
 # for TLS
 cipher_server_preference = no
+ #
+ # Older TLS versions are deprecated. But for RadSec,
+ # we CAN allow TLS 1.3.
+ #
+ tls_min_version = "1.2"
+ tls_max_version = "1.3"
+
 #
 # Session resumption / fast reauthentication
 # cache.
diff --git a/src/include/tls-h b/src/include/tls-h
index f994f58d5a..b97351eb33 100644
--- a/src/include/tls-h
+++ b/src/include/tls-h
@@ -315,7 +315,7 @@ int tls_error_io_log(REQUEST *request, tls_session_t *session, int ret, char co
 void tls_global_cleanup(void);
 tls_session_t *tls_new_session(TALLOC_CTX *ctx, fr_tls_server_conf_t *conf, REQUEST *request, bool client_cert);
 tls_session_t *tls_new_client_session(TALLOC_CTX *ctx, fr_tls_server_conf_t *conf, int fd, VALUE_PAIR **certs);
-fr_tls_server_conf_t *tls_server_conf_parse(CONF_SECTION *cs);
+fr_tls_server_conf_t *tls_server_conf_parse(CONF_SECTION *cs, bool allow_tls13);
 fr_tls_server_conf_t *tls_client_conf_parse(CONF_SECTION *cs);
 fr_tls_server_conf_t *tls_server_conf_alloc(TALLOC_CTX *ctx);
 SSL_CTX *tls_init_ctx(fr_tls_server_conf_t *conf, int client);
@@ -366,9 +366,10 @@ struct fr_tls_server_conf_t {
 bool disable_tlsv1_1;
 bool disable_tlsv1_2;
 #ifdef TLS1_3_VERSION
- bool tls13_enable_magic;
- bool tls13_send_zero;
 #endif
+ bool tls13_internal_enable; //!< for radsec
 char const *tls_min_version;
 char const *tls_max_version;
diff --git a/src/main/listen.c b/src/main/listen.c
index e09518e3fa..27ce67c6bc 100644
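Review bot: The shipped example now pins `tls_max_version = "1.3"`, but the hunk gives an operator no hint of what happens on a build whose OpenSSL predates TLS 1.3 (the `TLS1_3_VERSION` guard in the tls-h hunk shows the server is built against such versions too) — whether the value is rejected at startup or clamped is not visible here. A one-line hint beside it, such as `#  TLS 1.3 requires OpenSSL 1.1.1 or later`, would avoid a surprise at service start. The sentence `Older TLS versions are deprecated.` could also say which ones, e.g. `TLS 1.0 and 1.1 are deprecated (RFC 8996); 1.2 is the minimum here.`, so the reason for `tls_min_version = "1.2"` is on the page the operator is editing.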
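Review bot: The new `allow_tls13` parameter is undocumented at this prototype and at the definition (tls.c hunk at 4096), and the field it ends up in, `tls13_internal_enable`, carries only `//!< for radsec`, which says who sets it but not what it does. Since the flag decides whether the TLS 1.3 refusal in tls.c (hunk at 3660) runs at all, suggest a short doxygen block above the prototype describing that `allow_tls13 = true` (RadSec listeners) skips that refusal while `false` (EAP) keeps it, and on the struct field `//!< when true, tls_min/max_version may be 1.3; set for RadSec listeners, not for EAP`. Declaring the field outside `#ifdef TLS1_3_VERSION` is correct, since tls.c assigns it unconditionally.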
--- a/src/main/listen.c
+++ b/src/main/listen.c
@@ -1055,7 +1055,7 @@ int common_socket_parse(CONF_SECTION *cs, rad_listen_t *this)
 */
 if (listen_port == 0) listen_port = PW_RADIUS_TLS_PORT;
- this->tls = tls_server_conf_parse(tls);
+ this->tls = tls_server_conf_parse(tls, true);
 if (!this->tls) {
 return -1;
 }
diff --git a/src/main/tls.c b/src/main/tls.c
index 7d73ab13a3..09d78283eb 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -3660,7 +3660,7 @@ post_ca:
 * UNLESS they set the magic / undocumented flag saying
 * "please, let me use TLS 1.3".
 */
- if (!conf->tls13_enable_magic) {
+ if (!conf->tls13_internal_enable && !conf->tls13_enable_magic) {
 if (min_version >= TLS1_3_VERSION) {
 ERROR("tls_min_version '%s' MUST NOT be 1.3, as the standards have not been finalized.", conf->tls_min_version);
@@ -4096,7 +4096,7 @@ static int store_cmp(void const *a, void const *b)
 return one - two;
 }
-fr_tls_server_conf_t *tls_server_conf_parse(CONF_SECTION *cs)
+fr_tls_server_conf_t *tls_server_conf_parse(CONF_SECTION *cs, bool allow_tls13)
 {
 fr_tls_server_conf_t *conf;
@@ -4123,6 +4123,11 @@ fr_tls_server_conf_t *tls_server_conf_parse(CONF_SECTION *cs)
 */
 if (conf->fragment_size < 100) conf->fragment_size = 100;
+ /*
+ * Allow TLS 1.3 for RadSec
+ */
+ conf->tls13_internal_enable = allow_tls13;
+
 /*
 * Only check for certificate things if we don't have a
 * PSK query.
@@ -4154,7 +4159,7 @@ fr_tls_server_conf_t *tls_server_conf_parse(CONF_SECTION *cs)
 /*
 * Initialize configuration mutex
 */
- pthread_mutex_init(&conf->mutex, NULL);
+ pthread_mutex_init(&conf->mutex, NULL);
 /*
 * Initialize TLS
@@ -4293,6 +4298,11 @@ fr_tls_server_conf_t *tls_client_conf_parse(CONF_SECTION *cs)
 */
 if (conf->fragment_size < 100) conf->fragment_size = 100;
+ /*
+ * Allow TLS 1.3 for outgoing RadSec connections.
+ */
+ conf->tls13_internal_enable = true;
+
 /*
 * Initialize TLS
 */
diff --git a/src/modules/rlm_eap/libeap/eap_tls.c b/src/modules/rlm_eap/libeap/eap_tls.c
index f2729ddb6b..4d22750088 100644
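Review bot: The comment directly above the changed condition in the tls.c hunk at 3660 (it begins outside the hunk) still says TLS 1.3 is refused UNLESS the magic flag is set, but the new condition also skips the refusal whenever `tls13_internal_enable` is set, so the comment now under-describes when the `tls_min_version` error fires. Suggest extending its last line to `*	"please, let me use TLS 1.3", or the config was parsed for RadSec (tls13_internal_enable), where TLS 1.3 is allowed.` The error text `as the standards have not been finalized` is an EAP-specific reason and reads oddly next to a RadSec bypass; naming EAP in it would make the split explicit. The enclosing function continues outside the hunk on both sides.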
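Review bot: `conf->tls13_internal_enable = allow_tls13;` in the tls.c hunk at 4123 is applied only on the path that parses the section afresh; if tls_server_conf_parse() still returns an already-parsed conf for a section it has seen before (that lookup would sit between the `fr_tls_server_conf_t *conf;` declaration in the 4096 hunk and this hunk, outside both, so this is inferred), a cached conf keeps the first caller's value and a later caller passing a different `allow_tls13` silently gets the other policy. Because the flag decides whether the TLS 1.3 version refusal at 3660 runs at all, the cache-hit path should at least compare, e.g. `if (conf->tls13_internal_enable != allow_tls13) WARN("Cached TLS configuration was parsed with a different TLS 1.3 policy");` before returning it. Both boundaries of tls_server_conf_parse() are outside this hunk.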
--- a/src/modules/rlm_eap/libeap/eap_tls.c
+++ b/src/modules/rlm_eap/libeap/eap_tls.c
@@ -1174,7 +1174,7 @@ fr_tls_server_conf_t *eaptls_conf_parse(CONF_SECTION *cs, char const *attr)
 if (!tls_cs) return NULL;
- tls_conf = tls_server_conf_parse(tls_cs);
+ tls_conf = tls_server_conf_parse(tls_cs, false);
 if (!tls_conf) return NULL;