On Sep 19, 2024, at 5:35 AM, n5d9xq3ti233xiyif2vp--- via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
What am I missing to get EAP working both radius server and clients having ECC (P521) keys ?
It should just work.
Running freeradius in the foreground shows me this: (8) eap_tls: (TLS) EAP Peer says that the final record size will be 378 bytes (8) eap_tls: (TLS) EAP Got all data (378 bytes) (8) eap_tls: (TLS) recv TLS 1.3 Handshake, ClientHello (8) eap_tls: (TLS) Handshake state - Server SSLv3 read client hello A (8) eap_tls: (TLS) send TLS 1.3 Handshake, ServerHello (8) eap_tls: (TLS) Handshake state - Server SSLv3 write server hello A (8) eap_tls: (TLS) send TLS 1.3 Handshake, type=8 (8) eap_tls: (TLS) send TLS 1.3 Handshake, CertificateRequest (8) eap_tls: (TLS) Handshake state - Server SSLv3 write certificate request A (8) eap_tls: (TLS) send TLS 1.3 Alert, fatal handshake_failure (8) eap_tls: ERROR: (TLS) Server : Error in SSLv3 write certificate A (8) eap_tls: ERROR: (TLS) Failed reading from OpenSSL (8) eap_tls: ERROR: (TLS) error:1402D0FB:SSL routines:ACCEPT_SW_CERT:unknown pkey type (8) eap_tls: ERROR: (TLS) error:14FFF0A8:SSL routines:(UNKNOWN)SSL_internal:missing rsa certificate
A little bit of google shows this: https://github.com/libressl/portable/issues/1058 It's a bug in libressl or OpenSSL. Alan DeKok.