EAP-TLS and elliptic curves (OPEN)

Weisteen Per per.weisteen at telenor.no
Wed Apr 14 11:08:54 CEST 2021 

Hi

Setting ecdh_curve parameter to an empty string didn't work. 
Server fails with "no shared cipher" after it receives TLS client hello. 

(1) eap_tls: Continuing EAP-TLS
(1) eap_tls: Got final TLS record fragment (190 bytes)
(1) eap_tls: WARNING: Total received TLS record fragments (190 bytes), does not equal indicated TLS record length (0 bytes)
(1) eap_tls: [eaptls verify] = ok
(1) eap_tls: Done initial handshake
(1) eap_tls: (other): before/accept initialization
(1) eap_tls: TLS_accept: before/accept initialization
(1) eap_tls: <<< recv TLS 1.2  [length 00b9]
(1) eap_tls: >>> send TLS 1.2  [length 0002]
(1) eap_tls: ERROR: TLS Alert write:fatal:handshake failure
tls: TLS_accept: Error in error
tls: TLS_accept: Error in error
(1) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
(1) eap_tls: ERROR: System call (I/O) error (-1)
(1) eap_tls: ERROR: TLS receive handshake failed during operation
(1) eap_tls: ERROR: [eaptls process] = fail
  
I'm using
OpenSSL 1.0.2k-fips
FreeRADIUS Version 3.0.13

./PerW


Sensitivity: Internal

> -----Original Message-----
> From: Freeradius-Users <freeradius-users-
> bounces+per.weisteen=telenor.no at lists.freeradius.org> On Behalf Of Alan
> DeKok
> Sent: tirsdag 13. april 2021 12:21
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Subject: Re: EAP-TLS and elliptic curves (OPEN)
> 
> On Apr 13, 2021, at 4:39 AM, Weisteen Per <per.weisteen at telenor.no>
> wrote:
> > I've got some supplicants that only supports secp256r1/prime256v1 as
> elliptic curve while others support additional curves like x25519, secp384r1
> etc.
> > Currently I've set ecdh_curve To prime256v1 which then applies to all
> supplicants.
> >
> > If I set ecdh_curve parameter empty will the server key exchange adjust
> curve info dynamically according to what the supplicant has announced in TLS
> client hello using the "best" curve available ?
> 
>   It's probably faster to try it and see, instead of waiting for an answer on the
> list.
> 
>   The real answer is: it's all magic in OpenSSL, we really can't tell you.
> 
>   Alan DeKok.
> 
> 
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list