Does FreeRADIUS 2.1.12's ECDH support include ECDH-RSA-AES128-SHA?
Edward Morris
emorris25 at yahoo.com
Wed Jan 29 05:23:38 CET 2014
Using FreeRADIUS 2.1.12 (from debian package) and OpenSSL 1.0.1f, I've been able to successfully configure EAP-TLS with a number of ECDHE (ephemeral) cipher suites.
However, my attempts to utilize ECDH (non-ephemeral) cipher suites fail with an error of "SSL3_GET_CLIENT_HELLO:no shared cipher." I've seen that same error occur both when I was attempting to employ a cipher suite not supported by FreeRADIUS (versions prior to 2.1.12 did not support any ECDHE cipher suites) and when I had a screwy configuration (e.g., attempts to use DSA cipher suites without first giving the server a DSA key). So I'm unclear on where the problem might lie.
I've confirmed that the client/supplicant I'm testing with supports the ECDH cipher suite (tcpdump and wireshark show the Client Hello message includes the cipher), and querying debian's OpenSSL ("openssl ciphers -v aECDH") confirmed it supports the cipher.
The only documentation I could find on this topic was the line 'ecdh_curve = "prime256v1"' in eap.conf.
Any pointers or confirmation as to whether or not FreeRADIUS (any version) supports plain ECDH cipher suites would be greatly appreciated.
Thanks
Ed