Alan DeKok wrote:
The DEFAULT list of ciphers is old. Your OpenSSL libraries may not include the new ciphers that Windows expects. Try setting it to "ALL". If that doesn't work, it's more difficult to say what's wrong. Windows is "helpful" and doesn't produce reasonable error messages about what it expects.
Hadn't tried "ALL", but testing it now doesn't change the error. The config line in the debug output did reflect "ALL" being set.
Does PEAP work?
I just added a couple of config lines to allow PEAP/MSCHAPv2. My Android device was still able to negotiate a TLS connection, but the Windows client stops with the same error (just [tls] swapped with [peap], otherwise the lines are identical). At least that eliminates the client certificate. I'll play around some of the extensions on the server certificate. Thanks Marty