Fwd: RADSEC / TLS errors but not sure why

James Wood james.wood at purplewifi.com
Mon Aug 7 12:15:15 UTC 2023


Hi All,

I'm currently testing out RADSEC/TLS on the latest version, 3.2.3, with
openssl 3.0 on Ubuntu 22.04.

The key, certificate and CA are correct and have been validated to match
before using in the Freeradius config.

When I start the daemon there are no errors indicating the key/cert don't
match, so I assume all is well.

However, when a client connects over RADSEC/TLS (port 2083), Freeradius
displays an SSL error. I've also tried the openssl s_client command and the
same error is thrown.

openssl s_client -showcerts -connect radius.hostname:2083

The key/cert is secp384r1 based.

mods-enabled/eap:

---------------------------
tls-config tls-common {
    private_key_password = whatever
    private_key_file = ${certdir}/my_key.key
    certificate_file = ${certdir}/my_key.crt
    ca_file = ${certdir}/my_key.ca
    dh_file = ${certdir}/dh
    random_file = /dev/urandom
    fragment_size = 1024
    ca_path = ${cadir}
    cipher_list = "DEFAULT"
    cipher_server_preference = no
    ecdh_curve = "secp384r1"
}
---------------------------


sites-enabled/tls:

---------------------------
listen {
        ipaddr = *
        port = 2083
        type = auth+acct
        proto = tcp
        virtual_server = default
        clients = radsec
        limit {
              max_connections = 16
              lifetime = 0
              idle_timeout = 30
        }
        tls {
                private_key_password = whatever
                private_key_file = ${certdir}/my_key.key
                certificate_file = ${certdir}/my_key.key
                ca_file = ${certdir}/my_key.key
                dh_file = ${certdir}/dh
                random_file = /dev/urandom
                fragment_size = 8192
                ca_path = ${cadir}
                cipher_list = "DEFAULT"
                cipher_server_preference = no
                require_client_cert = no
        }
}

clients radsec {
        client all {
                ipaddr = 0.0.0.0/0
                proto = tls
                secret = radsec
        }
}

home_server tls {
        ipaddr = 127.0.0.1
        port = 2083
        type = auth
        secret = radsec
        proto = tcp
        status_check = none

        tls {
                private_key_password = whatever
                private_key_file = ${certdir}/purple.key
                certificate_file = ${certdir}/purple.crt
                ca_file = ${certdir}/purple.ca
                dh_file = ${certdir}/dh
                random_file = /dev/urandom
                fragment_size = 8192
                ca_path = ${cadir}
                cipher_list = "DEFAULT"
        }

}

home_server_pool tls {
                 type = fail-over
                 home_server = tls
}

realm tls {
      auth_pool = tls
}
---------------------------




radius debug:

[snip]
Listening on auth+acct proto tcp address * port 2083 (TLS) bound to server default
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 40253
Ready to process requests

 ... new connection request on TCP socket
Listening on auth+acct from client (1.2.3.4, 38639) -> (*, 2083, virtual-server=default)
Waking up in 0.9 seconds.
(0) (TLS) Initiating new session
(0) (TLS) Handshake state - before/accept initialization
(0) (TLS) Handshake state - Server before/accept initialization
(0) (TLS) recv TLS 1.2 Handshake, ClientHello
(0) (TLS) send TLS 1.2 Alert, fatal handshake_failure
(0) ERROR: (TLS) Alert write:fatal:handshake failure
(0) ERROR: (TLS) Server : Error in error
(0) ERROR: (TLS) Server : Error in error
(0) ERROR: (TLS) Failed reading from OpenSSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
(0) ERROR: (TLS) System call (I/O) error (-1)
(0) (TLS) Failed in TLS handshake receive
(TLS) Closing socket from client port 38639


If I query a public radsec radius server on port 2083 using the openssl
s_client command, it returns the certificate list correctly etc.

Is it a problem with my key/cert, openssl, or the client?

Thanks

