Freeradius 3.0.12 EAP TLS Problem

Stefan Winter stefan.winter at restena.lu
Mon Jul 10 07:25:43 CEST 2017


Hi,

> (1) eap_ttls: <<< recv TLS 1.2  [length 002d]
> (1) eap_ttls: >>> send TLS 1.0 Alert [length 0002], fatal handshake_failure
> (1) eap_ttls: ERROR: TLS Alert write:fatal:handshake failure
> tls: TLS_accept: Error in error
> (1) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417A0C1:SSL
> routines:tls_post_process_client_hello:no shared cipher

"No shared cipher" is pretty definitive: server and client have no
encryption cipher in common, so they can't continue the conversation.

It looks like the client tries - and insists - on TLS 1.2 (with its
recent ciphers) while the server only offers 1.0 (with its... still
somewhat contemporary ciphers).

If my reading above is correct, you'd have to upgrade the server to a
version that supports TLS 1.2 (or just turn it on if you do have a
capable version but turned it off deliberately).

Greetings,

Stefan Winter


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
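
Added example (not part of the original message and not FreeRADIUS code): a small Python triage helper that pulls the received record versions, the alert sent, and the OpenSSL reason out of debug output like the lines quoted above. The function names are hypothetical, and the sample input is the quoted log from this message.

```python
import re

# Sample input: the debug lines quoted in the message above, reply markers kept.
SAMPLE = """\
> (1) eap_ttls: <<< recv TLS 1.2  [length 002d]
> (1) eap_ttls: >>> send TLS 1.0 Alert [length 0002], fatal handshake_failure
> (1) eap_ttls: ERROR: TLS Alert write:fatal:handshake failure
> tls: TLS_accept: Error in error
> (1) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417A0C1:SSL
> routines:tls_post_process_client_hello:no shared cipher
"""

# "<<< recv TLS 1.2  [length 002d]" / ">>> send TLS 1.0 Alert [length 0002], fatal handshake_failure"
RECORD = re.compile(
    r"(<<< recv|>>> send) TLS (\d\.\d)\s+(?:(\w+)\s+)?\[length ([0-9a-f]{4})\]"
    r"(?:, (\w+) (\w+))?")
# "error:1417A0C1:SSL routines:<function>:<reason>"
OSSL = re.compile(r"error:([0-9A-Fa-f]{8}):SSL routines:(\w+):(.+)")

def summarize(log):
    """Extract TLS record versions, sent alerts and the OpenSSL error from a debug log."""
    text = re.sub(r"^>\s?", "", log, flags=re.M)          # drop e-mail quote markers
    # Mail wrapping split the OpenSSL error across two lines; rejoin it.
    text = re.sub(r":SSL\s*\n\s*routines:", ":SSL routines:", text)
    out = {"recv_versions": [], "sent_alerts": [], "openssl": None}
    for line in text.splitlines():
        m = RECORD.search(line)
        if m:
            direction, version, rtype, _length, level, desc = m.groups()
            if direction.startswith("<<<"):
                out["recv_versions"].append(version)
            elif rtype == "Alert":
                out["sent_alerts"].append((version, level, desc))
        m = OSSL.search(line)
        if m:
            out["openssl"] = {"code": m.group(1), "function": m.group(2),
                              "reason": m.group(3).strip()}
    return out

def is_cipher_mismatch(summary):
    """True when the server aborted with a fatal alert and OpenSSL reported no shared cipher."""
    err = summary["openssl"]
    fatal = any(level == "fatal" for _, level, _ in summary["sent_alerts"])
    return bool(err) and err["reason"] == "no shared cipher" and fatal

if __name__ == "__main__":
    print(summarize(SAMPLE), is_cipher_mismatch(summarize(SAMPLE)))
```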