Edward Morris wrote:
Using FreeRADIUS 2.1.12 (from debian package) and OpenSSL 1.0.1f, I've been able to successfully configure EAP-TLS with a number of ECDHE (ephemeral) cipher suites.
OK.
However, my attempts to utilize ECDH (non-ephemeral) cipher suites fail with and error of "SSL3_GET_CLIENT_HELLO:no shared cipher." I've seen that same error occur both when I was attempting to employ a cipher suite not supported by FreeRADIUS (versions prior to 2.1.12 did not support any ECDHE cipher suites) and when I had a screwy configuration (e.g., attempts to use DSA cipher suites without first giving the server a DSA key). So I'm unclear on where the problem might lie.
With OpenSSL. FreeRADIUS doesn't implement SSL, so it's completely at the mercy of OpenSSL.
I've confirmed that the client/supplicant I'm testing with supports the ECDH cipher suite (tcpdump and wireshark shows the Client Hello message includes the cipher), and querying debian's OpenSSL ("openssl ciphers -v aECDH") confirmed it supports the cipher
That's good.
The only documentation I could find on this topic was the line 'ecdh_curve = "prime256v1"' in eap.conf.
See also "cipher_list". You can add the ECDH cipher suite to that. See the OpenSSL documentation for details on what text to put there.
Any pointers or confirmation as to whether or not FreeRADIUS (any version) supports plain ECDH cipher suites would be greatly appreciated.
FreeRADIUS just passes the SSL configuration to OpenSSL, and lets OpenSSL do it's magic. If it doesn't work, then (a) the configuration doesn't have the right SSL magic, or (b) OpenSSL doesn't support that cipher suite. Alan DeKok.