RADSEC / TLS errors but not sure why
James Wood
james.wood at purplewifi.com
Mon Aug 7 12:19:21 UTC 2023
Hi All,

I'm currently testing out RADSEC/TLS on the latest version, 3.2.3, with openssl 3.0 on Ubuntu 22.04.

The key, certificate and CA are correct and have been validated to match before being used in the Freeradius config.

When I start the daemon there are no errors indicating the key/cert don't match, so I assume all is well.

However, when a client connects over RADSEC/TLS (port 2083), Freeradius displays an SSL error. I've also tried the openssl s_client command and the same error is thrown.

openssl s_client -showcerts -connect radius.hostname:2083

The key/cert is secp384r1 based.
mods-enabled/eap:
---------------------------
tls-config tls-common {
	private_key_password = whatever
	private_key_file = ${certdir}/my_key.key
	certificate_file = ${certdir}/my_key.crt
	ca_file = ${certdir}/my_key.ca
	dh_file = ${certdir}/dh
	random_file = /dev/urandom
	fragment_size = 1024
	ca_path = ${cadir}
	cipher_list = "DEFAULT"
	cipher_server_preference = no
	ecdh_curve = "secp384r1"
}
---------------------------

sites-enabled/tls:
---------------------------
listen {
	ipaddr = *
	port = 2083
	type = auth+acct
	proto = tcp
	virtual_server = default
	clients = radsec
	limit {
		max_connections = 16
		lifetime = 0
		idle_timeout = 30
	}
	tls {
		private_key_password = whatever
		private_key_file = ${certdir}/my_key.key
		certificate_file = ${certdir}/my_key.crt
		ca_file = ${certdir}/my_key.ca
		dh_file = ${certdir}/dh
		random_file = /dev/urandom
		fragment_size = 8192
		ca_path = ${cadir}
		cipher_list = "DEFAULT"
		cipher_server_preference = no
		require_client_cert = no
	}
}
clients radsec {
	client all {
		ipaddr = 0.0.0.0/0
		proto = tls
		secret = radsec
	}
}
home_server tls {
	ipaddr = 127.0.0.1
	port = 2083
	type = auth
	secret = radsec
	proto = tcp
	status_check = none
	tls {
		private_key_password = whatever
		private_key_file = ${certdir}/my_key.key
		certificate_file = ${certdir}/my_key.crt
		ca_file = ${certdir}/my_key.ca
		dh_file = ${certdir}/dh
		random_file = /dev/urandom
		fragment_size = 8192
		ca_path = ${cadir}
		cipher_list = "DEFAULT"
	}
}
home_server_pool tls {
	type = fail-over
	home_server = tls
}
realm tls {
	auth_pool = tls
}
---------------------------
radius debug:
[snip]
Listening on auth+acct proto tcp address * port 2083 (TLS) bound to server default
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 40253
Ready to process requests
... new connection request on TCP socket
Listening on auth+acct from client (1.2.3.4, 38639) -> (*, 2083, virtual-server=default)
Waking up in 0.9 seconds.
(0) (TLS) Initiating new session
(0) (TLS) Handshake state - before/accept initialization
(0) (TLS) Handshake state - Server before/accept initialization
(0) (TLS) recv TLS 1.2 Handshake, ClientHello
(0) (TLS) send TLS 1.2 Alert, fatal handshake_failure
(0) ERROR: (TLS) Alert write:fatal:handshake failure
(0) ERROR: (TLS) Server : Error in error
(0) ERROR: (TLS) Server : Error in error
(0) ERROR: (TLS) Failed reading from OpenSSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
(0) ERROR: (TLS) System call (I/O) error (-1)
(0) (TLS) Failed in TLS handshake receive
(TLS) Closing socket from client port 38639
If I query a public radsec radius server on port 2083 using the openssl s_client command it returns the certificate list correctly etc.

Is it a problem with my key/cert, openssl, or the client?

Thanks
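An added example, not part of James's post or of FreeRADIUS itself: a small Go program that rebuilds the situation on loopback with a self-signed secp384r1 certificate (constructed test material, not the real my_key.* files) so the "no shared cipher" condition can be reproduced on demand. A client that offers only RSA-authenticated suites against that ECDSA certificate fails with the server-side counterpart of the OpenSSL error in the debug output, while a client offering ECDHE-ECDSA suites negotiates normally, which separates "is it my key/cert" from "is it what the client offers".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSignedP384 returns an in-memory self-signed ECDSA secp384r1 cert, a constructed stand-in for my_key.crt/.key.
func selfSignedP384() tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P384(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// probe runs one TLS 1.2 handshake against a throwaway loopback listener serving cert, with the
// client limited to clientSuites; it returns the negotiated suite or the server-side failure reason.
func probe(cert tls.Certificate, clientSuites []uint16) (uint16, error) {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}}))
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() { // server side: accept one connection and run its handshake
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			err = c.(*tls.Conn).Handshake()
		}
		srvErr <- err
	}()
	cli := &tls.Config{InsecureSkipVerify: true, // diagnostic probe only; no trust decision is made here
		CipherSuites: clientSuites, MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return 0, <-srvErr // the client only saw the alert; report the server's reason instead
	}
	defer conn.Close()
	return conn.ConnectionState().CipherSuite, <-srvErr
}
```

The same split can be made with the s_client command from the post by adding -cipher aRSA or -cipher aECDSA, which restricts what the ClientHello offers to suites authenticated by that key type.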