eap.conf : Selection of TLS ciphersuite does not work
Hi all, My question concerns the option in eap.conf that you can specify TLS ciphersuite(s) that the Server chooses for his ServerHello handshake message. But apparently I cant use all ciphersuites, for example the following one (found with 'man ciphers') TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA I insert the line cipher_list = 'EDH-RSA-DES-CBC3-SHA' but freeradius (v.1.1.6) complains rlm_eap_tls: <<< TLS 1.0 Handshake [length 0060], ClientHello rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal handshake_failure TLS Alert write:fatal:handshake failure TLS_accept:error in SSLv3 read client hello C rlm_eap: SSL error error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. Note that the ClientHello of wpa_supplicant contains this ciphersuite, see this snip from ethereal trace: Cipher Suites (26 suites) Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038) Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) ---> Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016) What ciphersuites does Freeradius support? Why doesnt ciphersuite 0x0016 work? (I also tried 0x0039, DHE-RSA-AES256-SHA, it also produces the same error) I hope you can help me Thanks in advance Thomas Otto
Thomas Otto wrote:
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA
It's a DH cipher, and you need a non-empty DH file. I've just committed instructions for creating it, and code to warn the user if it's empty. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (2)
-
Alan DeKok -
Thomas Otto