On Jun 29, 2020, at 8:29 AM, Vieri via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Hi,
What does this log snippet mean?
(2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer indicated complete TLS record size will be 71 bytes (2) eap_peap: Got complete TLS record (71 bytes) (2) eap_peap: [eaptls verify] = length included (2) eap_peap: (other): before SSL initialization (2) eap_peap: TLS_accept: before SSL initialization (2) eap_peap: TLS_accept: before SSL initialization (2) eap_peap: <<< recv TLS 1.3 [length 0042] (2) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal handshake_failure (2) eap_peap: ERROR: TLS Alert write:fatal:handshake failure tls: TLS_accept: Error in error (2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher (2) eap_peap: ERROR: System call (I/O) error (-1) (2) eap_peap: ERROR: TLS receive handshake failed during operation (2) eap_peap: ERROR: [eaptls process] = fail (2) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (2) eap: Sending EAP Failure (code 4) ID 101 length 4 (2) eap: Failed in EAP select
Does it mean that the wifi client asked for TLS 1.3, but we replied with TLS 1.0?
It means that the there is no shared cipher. TLS uses a variety of encryption methods. The methods used by the client and server have to agree, otherwise they cannot communicate.
I have this in freeradius:
tls_min_version = "1.0" tls_max_version = "1.2"
and I'm using openssl-1.1.1g.
That should work. Perhaps the client has been configured to require TLS 1.3, *or* it has been configured to understand only a very limited set of ciphers. Alan DeKok.