On Aug 7, 2023, at 11:26 AM, James Wood via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Thanks. So when I use a basic certificate, it works, and using the openssl show cert command from an external machine it returns the certificates.
That's good.
I've also just tried using this SSL cert with radsecproxy instead of FreeRADIUS, on the same server, and it also errors when I run the openssl show cert command.
Because radsecproxy uses OpenSSL for all of the TLS / certificate stuff.
So yes, it must be related to the specific SSL certificate I am trying to use. I will go through a few more checks.
For reference, this is a publicly issued certificate from the WBA for OpenRoaming client/server use. So it's not my own certificate, however I do have the private key/CSR of course. I have verified the key/cert/ca matches.
OpenRoaming definitely uses FreeRADIUS and OpenSSL. So it definitely is possible to get it to work. The only question is what magic string has to go into the "cipher_list". See https://www.openssl.org/docs/man1.1.1/man1/ciphers.html for a list of what strings are allowed in the "cipher_list" configuration item. But be aware that you need to update *both* the client and server. If the server supports EC certificates, then it's likely also automatically support the relevant cipher suites which use those EC certificates. Which means you likely need to update the *client* configuration to allow the ECDH cipher suites. And yes, use "wireshark" to see the list of cipher suites which each side supports. Alan DeKok.