From c2c49fb1a17e00a2af37456c39d5e4470672da12 Mon Sep 17 00:00:00 2001 From: Kota Shiratsuka Date: Sat, 31 Jan 2026 03:54:11 +0900 Subject: [PATCH] FreeRADIUS: add TLS maximum version setting for EAP (#5175) --- .../OPNsense/Freeradius/forms/eap.xml | 6 ++++++ .../app/models/OPNsense/Freeradius/Eap.php | 20 +++++++++++++++++++ .../app/models/OPNsense/Freeradius/Eap.xml | 13 +++++++++++- .../OPNsense/Freeradius/mods-enabled-eap | 2 +- 4 files changed, 39 insertions(+), 2 deletions(-) diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml index 1f9cc42dc..dea314515 100644 --- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml +++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml @@ -58,4 +58,10 @@ dropdown Set minimum TLS version. Please be aware that every version below 1.2 is considered as insecure. + + eap.tls_max_version + + dropdown + Set maximum TLS version. Use 1.2 to avoid TLS 1.3 for legacy clients. + diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.php b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.php index 7698b14be..f135125c2 100644 --- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.php +++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.php @@ -3,6 +3,7 @@ namespace OPNsense\Freeradius; use OPNsense\Base\BaseModel; +use OPNsense\Base\Messages\Message; /* Copyright (C) 2017 Michael Muenz 
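Review bot: The help text for eap.tls_max_version only mentions the 1.2 fallback and carries no warning, while the Eap.xml hunk of this same patch offers 1.0 and 1.1 as maximum values too; selecting either one forces every EAP handshake onto a protocol version that the minimum-version field directly above already labels insecure. Mirror that wording so the two dropdowns read consistently: `Set maximum TLS version. Use 1.2 to avoid TLS 1.3 for legacy clients. Please be aware that every version below 1.2 is considered as insecure and should not be selected as a maximum.` If 1.0 and 1.1 are not meant to be usable as a ceiling at all, the option list in Eap.xml rather than the help text is the place to drop them.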
@@ -32,4 +33,23 @@ use OPNsense\Base\BaseModel; class Eap extends BaseModel { + public function performValidation($validateFullModel = false) + { + $messages = parent::performValidation($validateFullModel); + + if ( + $validateFullModel || + $this->tls_min_version->isFieldChanged() || + $this->tls_max_version->isFieldChanged() + ) { + if ($this->tls_min_version->asFloat() > $this->tls_max_version->asFloat()) { + $messages->appendMessage(new Message( + gettext('TLS minimum version must be less than or equal to TLS maximum version.'), + $this->tls_max_version->getInternalXMLTagName() + )); + } + } + + return $messages; + } } diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml index fba239000..7cda2110c 100644 --- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml +++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml @@ -1,7 +1,7 @@ //OPNsense/freeradius/eap EAP configuration - 1.9.17 + 1.9.18 md5 @@ -65,5 +65,16 @@ 1.3 + + 1.3 + Y + N + + 1.0 + 1.1 + 1.2 + 1.3 + + diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap index 652bebc8e..e43e15708 100644 --- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap +++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap @@ -456,7 +456,7 @@ eap { # The values must be in quotes. # tls_min_version = "{{ OPNsense.freeradius.eap.tls_min_version }}" - tls_max_version = "1.3" + tls_max_version = "{{ OPNsense.freeradius.eap.tls_max_version }}" # Elliptical cryptography configuration #
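Review bot: performValidation() is added without a docblock, and the only hint at why the comparison relies on asFloat() is the `1.0`–`1.3` option list in a different file; the ordering is numeric, which is correct for the four current values but not obvious to the next reader. A header comment above the method such as `/** Reject a TLS minimum that exceeds the maximum; both fields are OptionFields holding "1.0".."1.3", so asFloat() orders them correctly. Runs on full validation or whenever either field changes. */` would settle that. The message is attached to tls_max_version only, so a user who raised the minimum above an untouched maximum sees the error on the field they did not change; attaching it to whichever field was changed, or to both, reads better in the form. The method is complete inside the hunk; the class header sits on the context line directly above it.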