eap.conf : Selection of TLS ciphersuite does not work

Thomas Otto t.otto at tu-bs.de
Thu Apr 19 12:20:19 CEST 2007

Hi all,

My question concerns the option in eap.conf that you can specify TLS
ciphersuite(s) that the Server chooses for his ServerHello handshake

But apparently I cant use all ciphersuites, for example the following one
(found with 'man ciphers')


I insert the line

   cipher_list = 'EDH-RSA-DES-CBC3-SHA'

but freeradius (v.1.1.6) complains

  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0060], ClientHello  
  rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal handshake_failure  
TLS Alert write:fatal:handshake failure
    TLS_accept:error in SSLv3 read client hello C
rlm_eap: SSL error error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.

Note that the ClientHello of wpa_supplicant contains this ciphersuite,
see this snip from ethereal trace:

      Cipher Suites (26 suites)

       Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)            
       Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
       Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
--->   Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)

What ciphersuites does Freeradius support? Why doesnt ciphersuite 0x0016
work? (I also tried 0x0039, DHE-RSA-AES256-SHA,
it also produces the same error)

I hope you can help me

Thanks in advance

Thomas Otto 

More information about the Freeradius-Devel mailing list