Prevent crash with tls 1.3 and ubuntu (see https://github.com/FreeRADIUS/freeradius-server/issues/2385 )

freeradius_utils/freeradius3/mods-enabled/eap

@@ -2,7 +2,7 @@
 ##
 ##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
 ##
-##	$Id: 0e8d5caef5ad09dfa6acb14c5d475bae55cf4b27 $
+##	$Id: f67cbdbff9b6560cec9f68da1adb82b59723d2ef $
 
 #######################################################################
 #
@@ -285,6 +285,10 @@ eap {
 
 		ca_path = ${cadir}
 
+		# Accept an expired Certificate Revocation List
+		#
+#		allow_expired_crl = no
+
 		#
 		#  If check_cert_issuer is set, the value will
 		#  be checked against the DN of the issuer in
@@ -292,10 +296,10 @@ eap {
 		#  match, the certificate verification will fail,
 		#  rejecting the user.
 		#
-		#  In 2.1.10 and later, this check can be done
-		#  more generally by checking the value of the
-		#  TLS-Client-Cert-Issuer attribute.  This check
-		#  can be done via any mechanism you choose.
+		#  This check can be done more generally by checking
+		#  the value of the TLS-Client-Cert-Issuer attribute.
+		#  This check can be done via any mechanism you
+		#  choose.
 		#
 	#	check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
 
@@ -325,16 +329,42 @@ eap {
 		#
 		cipher_list = "DEFAULT"
 
-		# Work-arounds for OpenSSL nonsense
-		# OpenSSL 1.0.1f and 1.0.1g do not calculate
-		# the EAP keys correctly.  The fix is to upgrade
-		# OpenSSL, or disable TLS 1.2 here. 
-		#
-		#  For EAP-FAST, this MUST be set to "yes".
-		#
-#		disable_tlsv1_2 = no
+		# If enabled, OpenSSL will use server cipher list
+		# (possibly defined by cipher_list option above)
+		# for choosing right cipher suite rather than
+		# using client-specified list which is OpenSSl default
+		# behavior. Having it set to yes is a current best practice
+		# for TLS
+		cipher_server_preference = no
 
 		#
+		#  You can selectively disable TLS versions for
+		#  compatability with old client devices.
+		#
+		#  If your system has OpenSSL 1.1.0 or greater, do NOT
+		#  use these.  Instead, set tls_min_version and
+		#  tls_max_version.
+		#
+#		disable_tlsv1_2 = no
+#		disable_tlsv1_1 = no
+#		disable_tlsv1 = no
+
+		#
+		#  Set min / max TLS version.  Mainly for Debian
+		#  "trusty", which disables older versions of TLS, and
+		#  requires the application to manually enable them.
+		#
+		#  If you are running Debian trusty, you should set
+		#  these options, otherwise older clients will not be
+		#  able to connect.
+		#
+		#  Allowed values are "1.0", "1.1", and "1.2".
+		#
+		#  The values must be in quotes.
+		#
+		tls_min_version = "1.0"
+		tls_max_version = "1.2"
+
 
 		#
 		#  Elliptical cryptography configuration
@@ -374,6 +404,12 @@ eap {
 			#  Enable it.  The default is "no". Deleting the entire "cache"
 			#  subsection also disables caching.
 			#
+			#  As of version 3.0.14, the session cache requires the use
+			#  of the "name" and "persist_dir" configuration items, below.
+			#
+			#  The internal OpenSSL session cache has been permanently
+			#  disabled.
+			#
 			#  You can disallow resumption for a particular user by adding the
 			#  following attribute to the control item list:
 			#
@@ -388,16 +424,7 @@ eap {
 			#  Lifetime of the cached entries, in hours. The sessions will be
 			#  deleted/invalidated after this time.
 			#
-			lifetime = 24 # hours
-
-			#
-			#  The maximum number of entries in the
-			#  cache.  Set to "0" for "infinite".
-			#
-			#  This could be set to the number of users
-			#  who are logged in... which can be a LOT.
-			#
-			max_entries = 255
+			lifetime = 1 # hours
 
 			#
 			#  Internal "name" of the session cache. Used to
@@ -416,6 +443,11 @@ eap {
 			#  state and the cached VPs. This will persist session
 			#  across server restarts.
 			#
+			#  The default directory is ${logdir}, for historical
+			#  reasons.  You should ${db_dir} instead.  And check
+			#  the value of db_dir in the main radiusd.conf file.
+			#  It should not point to ${raddb}
+			#
 			#  The server will need write perms, and the directory
 			#  should be secured from anyone else. You might want
 			#  a script to remove old files from here periodically:
@@ -663,6 +695,10 @@ eap {
 		#
 		# in the control items for a request.
 		#
+		# Note that the majority of supplicants do not support using a
+		# client certificate with EAP-TTLS, so this option is unlikely
+		# to be usable for most people.
+		#
 	#	require_client_cert = yes
 	}
 
@@ -789,6 +825,10 @@ eap {
 		#
 		# in the control items for a request.
 		#
+		# Note that the majority of supplicants do not support using a
+		# client certificate with PEAP, so this option is unlikely to
+		# be usable for most people.
+		#
 	#	require_client_cert = yes
 	}
 
@@ -839,13 +879,26 @@ eap {
 #	fast {
 		# Point to the common TLS configuration
 		#
-		# cipher_list though must include "ADH" for anonymous provisioning.
-		# This is not as straight forward as appending "ADH" alongside
-		# "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is
-		# recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used
-		#
 #		tls = tls-common
 
+		#
+		#  If 'cipher_list' is set here, it will over-ride the
+		#  'cipher_list' configuration from the 'tls-common'
+		#  configuration.  The EAP-FAST module has it's own
+		#  over-ride for 'cipher_list' because the
+		#  specifications mandata a different set of ciphers
+		#  than are used by the other EAP methods.
+		#
+		#  cipher_list though must include "ADH" for anonymous provisioning.
+		#  This is not as straight forward as appending "ADH" alongside
+		#  "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is
+		#  recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used
+		#
+		#  Note - for OpenSSL 1.1.0 and above you may need
+		#  to add ":@SECLEVEL=0"
+		#
+#		cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
+
 		# PAC lifetime in seconds (default: seven days)
 		#
 #		pac_lifetime = 604800