Hi,
I am trying to debug an EAP-TTLS handshake problem between FreeRADIUS 2.2.4 with OpenSSL 1.0.1f and Mac OS X 10.10.5 and 10.9.5. The Macs are using
old. upgrade your FR
b) FreeRADIUS/OpenSSL and these versions of Mac OS X can all do TLS 1.2. Does the text "TLS 1.0 Handshake" in the log really mean that it is only using TLS 1.0 instead of TLS 1.2?
yes. FR 2.2.4 doesnt do TLS 1.2 - 2.2.9 does
c) There is a message in the log "TLS_accept: failed in SSLv3 read client certificate A". Does this mean that there was a client certificate presented by the client? (there shouldn't be a client cert at all)
how is the OSX device configured?
d) Does anyone have any other suggestions to make this work? I already tried setting the cipher_list to well used ciphers that the Macs generally like ('AES+aRSA') and got the same result. (The trace below is with the default cipher_list).
works with DEFAULT. unless you want to start playing client compatibility issue and need to remove eg DH methods or DES methods from the list I wouldnt touch it (that particular combo only allows TLS1.2 and a few SSLv3 methods
dh_file = ${certdir}/dh
how big is that dh key? must be 1024 or bigger openssl dhparam -in dh -text -noout
ttls { default_eap_type = md5
md5? really? I'm sure you want that to be mschapv2 for your systems. dont think OSX will renegotiate. alan