On Nov 24, 2025, at 5:26 AM, Nicolas Godbert via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I try to recycle some old HPE switches as radius client using EAP-TLS based protocols for test only. They are using old deprecated ciphers, so i rebuild openssl for legacy suites on a raspbian (I know, it's bad idea and not secure).
If it works...
# openssl ciphers -v ALL | grep RC4 RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
Ugh, but OK.
So, when the server freeradius and the switch try to negociate, i can see in the logs that the cipher RC4-MD5 is now common for the two devices.
That's good.
But i still got an error "no shared cipher"
... Thu Nov 20 15:11:44 2025 : ERROR: (26) eap_ttls: (TLS) Failed reading from OpenSSL: ../ssl/statem/statem_srvr.c[2333]:error:0A0000C1:SSL routines::no shared cipher
This might be "no shared message digest", or something else. Unfortunately, this is all OpenSSL magic, and it's hard to know what's going on inside of OpenSSL.
.. cipher_list = "ALL@SECLEVEL=0" cipher_server_preference = no tls_min_version = "1.0"
That should all be good.
Is this mandatory to use tls_min_version/max options since the deprecated cipher i try to use belong to SSLv3 suite ?
Yes. You can (in theory) use some newer ciphers with TLS 1.0, or older ciphers with TLS 1.3. So you have to enable everything in order for it to work.
Do you have some hints to help debug further please ?
This is all OpenSSL magic. Unfortunately, the RC4-MD5 ciphers have been deprecated for decades. We can't help a lot here. Perhaps the OpenSSL people can help. Alan DeKok.