FreeRADIUS: add TLS maximum version setting for EAP (#5175)

2026-02-03 20:40:37 -05:00 · 2026-01-31 03:54:11 +09:00 · 2026-01-31 03:54:11 +09:00 · c2c49fb1a1
commit c2c49fb1a1
parent 4773ff712e
4 changed files with 39 additions and 2 deletions
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml
@ -58,4 +58,10 @@
        <type>dropdown</type>
        <help>Set minimum TLS version. Please be aware that every version below 1.2 is considered as insecure.</help>
    </field>
+    <field>
+        <id>eap.tls_max_version</id>
+        <label>TLS Maximum Version</label>
+        <type>dropdown</type>
+        <help>Set maximum TLS version. Use 1.2 to avoid TLS 1.3 for legacy clients.</help>
+    </field>
 </form>
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.php
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.php
@ -3,6 +3,7 @@
 namespace OPNsense\Freeradius;

 use OPNsense\Base\BaseModel;
+use OPNsense\Base\Messages\Message;

 /*
    Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
@ -32,4 +33,23 @@ use OPNsense\Base\BaseModel;

 class Eap extends BaseModel
 {
+    public function performValidation($validateFullModel = false)
+    {
+        $messages = parent::performValidation($validateFullModel);
+
+        if (
+            $validateFullModel ||
+            $this->tls_min_version->isFieldChanged() ||
+            $this->tls_max_version->isFieldChanged()
+        ) {
+            if ($this->tls_min_version->asFloat() > $this->tls_max_version->asFloat()) {
+                $messages->appendMessage(new Message(
+                    gettext('TLS minimum version must be less than or equal to TLS maximum version.'),
+                    $this->tls_max_version->getInternalXMLTagName()
+                ));
+            }
+        }
+
+        return $messages;
+    }
 }
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
@ -1,7 +1,7 @@
 <model>
    <mount>//OPNsense/freeradius/eap</mount>
    <description>EAP configuration</description>
-    <version>1.9.17</version>
+    <version>1.9.18</version>
    <items>
        <default_eap_type type="OptionField">
            <Default>md5</Default>
@ -65,5 +65,16 @@
                <Option4 value="1.3">1.3</Option4>
            </OptionValues>
        </tls_min_version>
+        <tls_max_version type="OptionField">
+            <Default>1.3</Default>
+            <Required>Y</Required>
+            <Multiple>N</Multiple>
+            <OptionValues>
+                <Option1 value="1.0">1.0</Option1>
+                <Option2 value="1.1">1.1</Option2>
+                <Option3 value="1.2">1.2</Option3>
+                <Option4 value="1.3">1.3</Option4>
+            </OptionValues>
+        </tls_max_version>
    </items>
 </model>
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
@ -456,7 +456,7 @@ eap {
                #  The values must be in quotes.
                #
                tls_min_version = "{{ OPNsense.freeradius.eap.tls_min_version }}"
-                tls_max_version = "1.3"
+                tls_max_version = "{{ OPNsense.freeradius.eap.tls_max_version }}"

                #  Elliptical cryptography configuration
                #