EAP - TLS 1.2 Support
Cholleti, Hanumantha
Hanumantha.Cholleti at viasat.com
Mon Jan 20 00:16:51 CET 2014
Sorry - there is a typo in the below email - I meant FreeRadius and not OpenAM below:
The reason we thought upgrading the OpenSSL is good enough is; before we upgraded OpenSSL and in the EAPcipher_list if we used " AES256-SHA256", FreeRadius failed to start with the error of invalid cipher list.
After we upgraded the OpenSSL, FreeRadius started successfully. With this we assumed that FreeRadius is using upgraded OpenSSL.
Thanks
-Hanu
-----Original Message-----
From: freeradius-users-bounces+hanumantha.cholleti=viasat.com at lists.freeradius.org [mailto:freeradius-users-bounces+hanumantha.cholleti=viasat.com at lists.freeradius.org] On Behalf Of Cholleti, Hanumantha
Sent: Sunday, January 19, 2014 2:14 PM
To: FreeRadius users mailing list
Subject: RE: EAP - TLS 1.2 Support
Thank you Alan and Stefan for the quick response...
> Why not use the default cipher list? Have you even tried? It should work.
Alan, tried with the "DEFAULT" cipher_list and get the same error (attached is the complete debug log with -X option):
(1) eap : EAP TLS (13)
(1) eap : Calling eap_tls to process EAP data
(1) eap_tls : Authenticate
(1) eap_tls : processing EAP-TLS
TLS Length 50
(1) eap_tls : Length Included
(1) eap_tls : eaptls_verify returned 11
(1) eap_tls : (other): before/accept initialization
(1) eap_tls : TLS_accept: before/accept initialization
(1) eap_tls : <<< TLS 1.0 Handshake [length 002d], ClientHello
(1) eap_tls : >>> TLS 1.0 Alert [length 0002], fatal handshake_failure [1m [31m(1) ERROR: eap_tls : SSL says: TLS Alert write:fatal:handshake failure [0m
[1m [31m(1) ERROR: eap_tls : SSL says: TLS_accept: error in SSLv3 read client hello C [0m
[1m [31m(1) ERROR: eap_tls : SSL says: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher [0m
[31mSSL: SSL_read failed in a system call (-1), TLS session fails. [0m TLS receive handshake failed during operation
(1) eap_tls : eaptls_process returned 4 [1m [31m(1) ERROR: eap : Failed continuing EAP TLS (13) session. EAP sub-module failed [0m
(1) eap : Failed in EAP select
(1) [eap] = invalid
(1) } # Auth-Type eap = invalid
(1) Failed to authenticate the user.
> Your OpenSSL library version is not what you think it is.
Stefan, we thought the same, what OpenSSL version command shows as "OpenSSL 1.0.1e-fips 11 Feb 2013" vs what FreeRadius version shows as "OpenSSL 1.0.0-fips 29 Mar 2010"
The FreeRadius RPM we deployed was based on older version of OpenSSL, so we thought by upgrading the OpenSSL it could use the newer version.
Do we have to rebuild the FreeRadius RPM using the " OpenSSL 1.0.1e-fips 11 Feb 2013" version.
The reason we thought upgrading the OpenSSL is good enough is; before we upgraded OpenSSL and in the EAPcipher_list if we used " AES256-SHA256", FreeRadius failed to start with the error of invalid cipher list.
After we upgraded the OpenSSL, FreeRadius started successfully. With this we assumed that OpenAM is using upgraded OpenSSL.
> There is no TLS 2.0.
Stefan, sorry that was a typo on my part, meant TLS 1.2 - when modem sends the protocol as TLS 1.2; the authentication fails in EAP module, with above error. If the modem sends protocol as TLS 1.0, authentication is successful.
Thanks
-Hanu
More information about the Freeradius-Users
mailing list