最近在将应用程序更新到Android 11后,发现与Freeradius 3服务器的EAP-TLS身份验证失败。此外,通过日志可以看到以下错误消息“TLS alert read: fatal: protocol version”。
为了解决这个问题,我们需要在Freeradius 3服务器上启用TLS 1.3支持。这可以通过编辑该服务器上的Radius配置文件来完成。
在/etc/raddb/mods-enabled/eap中找到“ttls”和“tls”模块的配置文件。将ssl_version设置为“tlsv1.3”,如下所示:
tls { private_key_password = %{User-Password} private_key_file = ${certdir}/server.key certificate_file = ${certdir}/server.crt dh_file = ${certdir}/dh # 必要时可以使用 random_file = /dev/urandom cipher_list = TLSv1.3:!aNULL:!eNULL:!EXPORT:!SSLv2:!MD5:!DES:!LOW:!EXP:!DSS:!RC4:!SEED:!IDEA:@STRENGTH verify_peer = yes fail = no ca_path = ${cadir} tls_max_version = "TLSv1.3" tls_min_version = "TLSv1.3" }
ttls { # 这里也要设置为tlsv1.3 ssl_version = tlsv1.3 certificate_file = ${certdir}/server.crt private_key_file = ${certdir}/server.key ca_file = ${cadir}/ca.crt verify_depth = 10 cipher_list = "HIGH" }
让上述更改生效,必须重启Freeradius服务器。
如果您在使用自己签名的证书,则还必须在Android 11设备上安装该证书。以下是示例代码:
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(null, null);
CertificateUtility certificateUtility = new CertificateUtility(context);
List
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); trustManagerFactory.init(keyStore);
SSLContext sslContext = SSLContext.getInstance("TLS"); sslContext.init(null, trustManagerFactory.getTrustManagers(), null);
URLConnection urlConnection = url.openConnection(); if (urlConnection instanceof Https