You can use wireshark to capture the traffic on either side and see exactly what ciphers both ends are proposing. Maybe when you see what they are proposing, it will lead you to the appropriate configuration. On August 7, 2023 2:19:21 PM GMT+02:00, James Wood via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Hi All,
I'm currently testing out RADSEC/TLS on the latest version, 3.2.3, with openssl 3.0 on Ubuntu 22.04.
The key, certificate and CA are correct and have been validated to match before using in the Freeradius config.
When I start the daemon there are no errors indicating the key/cert don't match so I assume all is well.
However, when a client connects over RADSEC/TLS (port 2083), Freeradius displays an SSL error. I've also tried the openssl s_client command and the same error is thrown.
openssl s_client -showcerts -connect radius.hostname:2083
The key/cert is secp384r1 based.
mods-enabled/eap:
--------------------------- tls-config tls-common { private_key_password = whatever private_key_file = ${certdir}/my_key.key certificate_file = ${certdir}/my_key.crt ca_file = ${certdir}/my_key.ca dh_file = ${certdir}/dh random_file = /dev/urandom fragment_size = 1024 ca_path = ${cadir} cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "secp384r1" } ---------------------------
sites-enabled/tls:
--------------------------- listen { ipaddr = * port = 2083 type = auth+acct proto = tcp virtual_server = default clients = radsec limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } tls { private_key_password = whatever private_key_file = ${certdir}/my_key.key certificate_file = ${certdir}/my_key.crt ca_file = ${certdir}/my_key.ca dh_file = ${certdir}/dh random_file = /dev/urandom fragment_size = 8192 ca_path = ${cadir} cipher_list = "DEFAULT" cipher_server_preference = no require_client_cert = no } }
clients radsec { client all { ipaddr = 0.0.0.0/0 proto = tls secret = radsec } }
home_server tls { ipaddr = 127.0.0.1 port = 2083 type = auth secret = radsec proto = tcp status_check = none
tls { private_key_password = whatever private_key_file = ${certdir}/my_key.key certificate_file = ${certdir}/my_key.crt ca_file = ${certdir}/my_key.ca dh_file = ${certdir}/dh random_file = /dev/urandom fragment_size = 8192 ca_path = ${cadir} cipher_list = "DEFAULT" }
}
home_server_pool tls { type = fail-over home_server = tls }
realm tls { auth_pool = tls } ---------------------------
radius debug:
[snip] Listening on auth+acct proto tcp address * port 2083 (TLS) bound to server default Listening on command file /usr/local/var/run/radiusd/radiusd.sock Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on proxy address * port 40253 Ready to process requests
... new connection request on TCP socket Listening on auth+acct from client (1.2.3.4, 38639) -> (*, 2083, virtual-server=default) Waking up in 0.9 seconds. (0) (TLS) Initiating new session (0) (TLS) Handshake state - before/accept initialization (0) (TLS) Handshake state - Server before/accept initialization (0) (TLS) recv TLS 1.2 Handshake, ClientHello (0) (TLS) send TLS 1.2 Alert, fatal handshake_failure (0) ERROR: (TLS) Alert write:fatal:handshake failure (0) ERROR: (TLS) Server : Error in error (0) ERROR: (TLS) Server : Error in error (0) ERROR: (TLS) Failed reading from OpenSSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher (0) ERROR: (TLS) System call (I/O) error (-1) (0) (TLS) Failed in TLS handshake receive (TLS) Closing socket from client port 38639
If I query a public radsec radius server on port 2083 using the openssl s_client command it returns the certificate list correctly etc.
Is it a problem with my key/cert, openssl, or the client?
Thanks - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html