最近在将应用程序更新到Android 11后，发现与Freeradius 3服务器的EAP-TLS身份验证失败。此外，通过日志可以看到以下错误消息“TLS alert read: fatal: protocol version”。

为了解决这个问题，我们需要在Freeradius 3服务器上启用TLS 1.3支持。这可以通过编辑该服务器上的Radius配置文件来完成。

在/etc/raddb/mods-enabled/eap中找到“ttls”和“tls”模块的配置文件。将ssl_version设置为“tlsv1.3”，如下所示：

tls { private_key_password = %{User-Password} private_key_file = ${certdir}/server.key certificate_file = ${certdir}/server.crt dh_file = ${certdir}/dh # 必要时可以使用 random_file = /dev/urandom cipher_list = TLSv1.3:!aNULL:!eNULL:!EXPORT:!SSLv2:!MD5:!DES:!LOW:!EXP:!DSS:!RC4:!SEED:!IDEA:@STRENGTH verify_peer = yes fail = no ca_path = ${cadir} tls_max_version = "TLSv1.3" tls_min_version = "TLSv1.3" }

ttls { # 这里也要设置为tlsv1.3 ssl_version = tlsv1.3 certificate_file = ${certdir}/server.crt private_key_file = ${certdir}/server.key ca_file = ${cadir}/ca.crt verify_depth = 10 cipher_list = "HIGH" }

让上述更改生效，必须重启Freeradius服务器。

如果您在使用自己签名的证书，则还必须在Android 11设备上安装该证书。以下是示例代码：

KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); keyStore.load(null, null); CertificateUtility certificateUtility = new CertificateUtility(context); List certificateList = certificateUtility.getCertificateChain(); for (X509Certificate certificate : certificateList) { String alias = certificate.getSubjectDN().getName(); keyStore.setCertificateEntry(alias, certificate); }

TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); trustManagerFactory.init(keyStore);

SSLContext sslContext = SSLContext.getInstance("TLS"); sslContext.init(null, trustManagerFactory.getTrustManagers(), null);

URLConnection urlConnection = url.openConnection(); if (urlConnection instanceof Https