Does FreeRADIUS 2.1.12's ECDH support include ECDH-RSA-AES128-SHA?

Edward Morris emorris25 at yahoo.com
Thu Jan 30 00:36:47 CET 2014



>> However, my attempts to utilize ECDH (non-ephemeral) cipher suites fail with an error of "SSL3_GET_CLIENT_HELLO:no shared cipher."  I've seen that same error occur both when I was attempting to employ a cipher suite not supported by FreeRADIUS (versions prior to 2.1.12 did not support any ECDHE cipher suites) and when I had a screwy configuration (e.g., attempts to use DSA cipher suites without first giving the server a DSA key).  So I'm unclear on where the problem might lie.

>  With OpenSSL.  FreeRADIUS doesn't implement SSL, so it's completely at
> the mercy of OpenSSL.

Thank you.  Code changes were needed in FreeRADIUS to support ECDH cipher suites (as prior to 2.1.12 FreeRADIUS did not support ECDH suites even if OpenSSL did), so there was a possibility in my mind that the changes to FreeRADIUS may have only enabled support for ECDH*E* suites and not ECDH suites.  I understand now this isn't the case.


>> The only documentation I could find on this topic was the line 'ecdh_curve = "prime256v1"' in eap.conf.  

>  See also "cipher_list".  You can add the ECDH cipher suite to that.
> See the OpenSSL documentation for details on what text to put there.

I neglected to mention that I've been setting the cipher_list to explicitly include only a single cipher suite at a time to test the client's ability to support a given one.


>> Any pointers or confirmation as to whether or not FreeRADIUS (any version) supports plain ECDH cipher suites would be greatly appreciated.

>  FreeRADIUS just passes the SSL configuration to OpenSSL, and lets OpenSSL do its magic.  If it doesn't work, then (a) the configuration doesn't have the right SSL magic, or (b) OpenSSL doesn't support that cipher suite.
>
>  Alan DeKok.

Thank you again for clarifying.  Upon your advice, I took FreeRADIUS out of the equation and performed testing directly with openssl (using the certificates I had generated for FreeRADIUS).  I also read the RFC governing ECDH & ECDHE cipher suites in more detail ( http://tools.ietf.org/html/rfc4492#section-2 ) and learned that the RFC requires that the server's certificate be signed with ECDSA (something I hadn't paid attention to when generating my server's certificate).  The further testing yielded puzzling results, but results that confirm your suspicion that the problem lay with OpenSSL.

Ed
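The two causes Alan names, (a) a certificate that does not match the suite and (b) an OpenSSL build that lacks the suite, can be told apart before touching eap.conf by asking the linked OpenSSL directly. The following script is an added example, not code from this thread or from FreeRADIUS; it probes the suites discussed above through Python's ssl module and reports, for each one OpenSSL knows, the key-exchange and authentication algorithm OpenSSL itself advertises (which is what the server certificate must match). The suite names in SUITES are the standard OpenSSL names; the ones not mentioned on the list are included for comparison.

```python
import re
import ssl

# Suites under discussion on the list: the static (non-ephemeral) ECDH
# suites beside their ECDHE counterparts.  Extend the list to probe others.
SUITES = [
    "ECDH-RSA-AES128-SHA",           # static ECDH, EC cert signed with RSA
    "ECDH-ECDSA-AES128-SHA",         # static ECDH, EC cert signed with ECDSA
    "ECDHE-RSA-AES128-GCM-SHA256",   # ephemeral ECDH, RSA key in cert
    "ECDHE-ECDSA-AES128-GCM-SHA256", # ephemeral ECDH, EC key in cert
]

# OpenSSL's one-line cipher description carries "Kx=... Au=..." fields.
_KX_AU = re.compile(r"Kx=(\S+)\s+Au=(\S+)")


def probe_suite(name):
    """Return None if the linked OpenSSL rejects `name` (cause (b)),
    otherwise a dict with the key-exchange ("kea") and authentication
    ("auth") algorithm OpenSSL reports for it.  "auth" tells you which
    key type and signature the server certificate needs (cause (a))."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(name)          # raises SSLError: "No cipher can be selected"
    except ssl.SSLError:
        return None
    for cipher in ctx.get_ciphers():
        if cipher["name"] != name:
            continue                   # skip the TLS 1.3 suites OpenSSL always lists
        m = _KX_AU.search(cipher["description"])
        if not m:
            return None                # unexpected description format; treat as unknown
        return {"kea": m.group(1), "auth": m.group(2),
                "protocol": cipher["protocol"]}
    return None


def probe_suites(names=SUITES):
    """Probe every suite in `names`; result maps suite name -> info or None."""
    return {n: probe_suite(n) for n in names}


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    for suite, info in probe_suites().items():
        if info is None:
            print(f"{suite:32s} not available in this OpenSSL build")
        else:
            print(f"{suite:32s} kx={info['kea']} auth={info['auth']} ({info['protocol']})")
```

OpenSSL 1.1.0 and later ship without the static ECDH suites at all, so on a current build the two ECDH-* entries come back as unavailable regardless of how the certificate was generated; the ECDHE-* entries show which certificate key type each one authenticates with.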


