Radsec Regression Alpine 3.14

Alan DeKok aland at deployingradius.com
Tue Sep 14 18:40:49 CEST 2021

On Sep 14, 2021, at 12:03 PM, Emile Swarts <emile.swarts123 at gmail.com> wrote:
> Thanks for that.
> Had a look at the debug logs:
> ...
> (0) (TLS) Application data.
> (0) FAILED in TLS handshake receive

  Hmm... that message means that FreeRADIUS is ready for application data (i.e. stuff inside of the radsec tunnel), but OpenSSL thinks that the TLS handshake isn't finished.

  See src/main/tls_listen.c, the label "check_for_setup".  It does:

* if SSL init is not done
  try to do more handshake
  if handshake data to send, then send that

* else there's no handshake data to send, then the SSL init MUST be done
  but OpenSSL says it's not... so who knows what's up :(

  It's not clear what's going on here.  Maybe some wireshark debugging of the TLS packets might help.  But I haven't had any luck getting wireshark to decode TLS recently.

> I've been unable to find much about the default security policies of
> Openssl / Alpine.
> Is this something I can update myself, that could potentially solve the
> problem?

  See the link I posted... setting the cipher_list will over-ride the default security policies.

  Alan DeKok.

More information about the Freeradius-Users mailing list