eap.conf : Selection of TLS ciphersuite does not work
Thomas Otto
t.otto at tu-bs.de
Thu Apr 19 12:20:19 CEST 2007
Hi all,
My question concerns the option in eap.conf that lets you specify the TLS
ciphersuite(s) that the server chooses for its ServerHello handshake
message.
But apparently I can't use all ciphersuites, for example the following one
(found with 'man ciphers')
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA
I insert the line
cipher_list = 'EDH-RSA-DES-CBC3-SHA'
but freeradius (v.1.1.6) complains
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0060], ClientHello
rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal handshake_failure
TLS Alert write:fatal:handshake failure
TLS_accept:error in SSLv3 read client hello C
rlm_eap: SSL error error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Note that the ClientHello of wpa_supplicant contains this ciphersuite,
see this snippet from the ethereal trace:
Cipher Suites (26 suites)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
---> Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
What ciphersuites does Freeradius support? Why doesn't ciphersuite 0x0016
work? (I also tried 0x0039, DHE-RSA-AES256-SHA;
it also produces the same error.)
I hope you can help me.
Thanks in advance,
Thomas Otto
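
An added example, not part of the original post and not FreeRADIUS code: it parses a ClientHello, confirms that each suite named in cipher_list is really offered, and reports what the server must hold before OpenSSL can select it (an OpenSSL server can pick an ephemeral-DH suite only when DH parameters are loaded into its context). The ClientHello bytes are constructed from the four suites in the trace, the function names are hypothetical, and cipher_list is assumed to be a colon-separated list of explicit suite names.

```python
# OpenSSL name -> (IANA code point, key exchange, authentication); only the four suites in the trace.
SUITES = {
    "DHE-RSA-AES256-SHA":   (0x0039, "DH", "RSA"),
    "DHE-DSS-AES256-SHA":   (0x0038, "DH", "DSS"),
    "AES256-SHA":           (0x0035, "RSA", "RSA"),
    "EDH-RSA-DES-CBC3-SHA": (0x0016, "DH", "RSA"),
}

def client_hello_suites(msg):
    """Return the cipher suite code points offered in a ClientHello handshake message."""
    if len(msg) < 4 or msg[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    pos = 2 + 32                                   # client_version + random
    if len(body) <= pos:
        raise ValueError("truncated ClientHello")
    pos += 1 + body[pos]                           # skip session_id
    n = int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites length in bytes
    raw = body[pos + 2:pos + 2 + n]
    if n == 0 or n % 2 or len(raw) != n:
        raise ValueError("malformed cipher_suites vector")
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, n, 2)]

def diagnose(cipher_list, hello):
    """Map each configured suite to what the server must hold to select it."""
    offered = set(client_hello_suites(hello))
    report = {}
    for name in cipher_list.split(":"):
        code, kx, au = SUITES.get(name, (None, None, None))
        if code is None:
            report[name] = "not in this example's table"
        elif code not in offered:
            report[name] = "not offered by the client"
        else:
            dh = " and DH parameters" if kx == "DH" else ""
            report[name] = f"offered; server needs {au} certificate and key{dh}"
    return report

def sample_hello():
    """Constructed TLS 1.0 ClientHello carrying the four suites from the trace."""
    suites = bytes.fromhex("0039003800350016")
    body = (b"\x03\x01" + bytes(32) + b"\x00"
            + len(suites).to_bytes(2, "big") + suites + b"\x01\x00")
    return b"\x01" + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    for name, verdict in diagnose("EDH-RSA-DES-CBC3-SHA", sample_hello()).items():
        print(name, "->", verdict)
```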