Does FreeRADIUS 2.1.12's ECDH support include ECDH-RSA-AES128-SHA?
Alan DeKok
aland at deployingradius.com
Wed Jan 29 16:38:29 CET 2014
Edward Morris wrote:
> Using FreeRADIUS 2.1.12 (from debian package) and OpenSSL 1.0.1f, I've been able to successfully configure EAP-TLS with a number of ECDHE (ephemeral) cipher suites.
OK.
> However, my attempts to utilize ECDH (non-ephemeral) cipher suites fail with and error of "SSL3_GET_CLIENT_HELLO:no shared cipher." I've seen that same error occur both when I was attempting to employ a cipher suite not supported by FreeRADIUS (versions prior to 2.1.12 did not support any ECDHE cipher suites) and when I had a screwy configuration (e.g., attempts to use DSA cipher suites without first giving the server a DSA key). So I'm unclear on where the problem might lie.
With OpenSSL. FreeRADIUS doesn't implement SSL, so it's completely at
the mercy of OpenSSL.
> I've confirmed that the client/supplicant I'm testing with supports the ECDH cipher suite (tcpdump and wireshark shows the Client Hello message includes the cipher), and querying debian's OpenSSL ("openssl ciphers -v aECDH") confirmed it supports the cipher
That's good.
> The only documentation I could find on this topic was the line 'ecdh_curve = "prime256v1"' in eap.conf.
See also "cipher_list". You can add the ECDH cipher suite to that.
See the OpenSSL documentation for details on what text to put there.
> Any pointers or confirmation as to whether or not FreeRADIUS (any version) supports plain ECDH cipher suites would be greatly appreciated.
FreeRADIUS just passes the SSL configuration to OpenSSL, and lets
OpenSSL do it's magic. If it doesn't work, then (a) the configuration
doesn't have the right SSL magic, or (b) OpenSSL doesn't support that
cipher suite.
Alan DeKok.
More information about the Freeradius-Users
mailing list