Max Freeman wrote:
Good evening,
Thank you for your suggestions/ reply. My comments/ questions are underneath your thoughts using ">>".
Ugh. Standard quoting rules are nicer.
Do you mean within the OpenSSL source code? I've been trying to track down the location of where OpenSSL picks a TLS 1.0 handshake over TLS 1.2.
No. I mean via the FreeRADIUS configuration. There is no TLS 1.0 versus 1.2 configuration currently in the server. It's not really needed.
I'll continue to read. Is it acceptable under the ECC Curve section in EAP.Conf to use two elliptic curves? That is what wire shark is sending over.
I think it's only one, but I'm not really sure. It's more of an OpenSSL question.
The client (wpa_Supplicant) sends FreeRadius a Client Hello over TLS 1.0 (could perhaps cause problems with ECC?) and then FreeRadius Rejects it because of and "SSL3_CLIENT_HELLO: no shared cipher." However, I have confirmed that the latest version of openssl supports my cipher.
FreeRADIUS depends on OpenSSL to do all SSL. If OpenSSL says "no shared cipher", FreeRADIUS can't do much about it.
wire shark has been showing the correct cipher suites are available on nth sides, which is odd. It seems that FR server rejects the Client Hello right away, even though the client hello seemingly has all the necessary information. Could it have something to do with Users/ clients.conf?
No. Presuming you've listed the NAS in the "clients.conf" file...
Does the EAP.conf/ FR have anything to do with Elliptic Curve's and their shared cipher besides putting in "ALL" for the cipher and "secptxxx" for the curve?
No.
I have also confirmed through OpenSSL's s_client/ s_server program that my certificates are set up properly and ONLY succeed with TLS1_2 and not TLS1.0 or TLS1.1.
Hmm.. that might be the issue. In v3, try editing src/main/tls.c. Change: ctx = SSL_CTX_new(TLSv1_method()); to: ctx = SSL_CTX_new(SSLv23_method()); If that works, I'll make the change in the main tree. Alan DeKok.