RADSEC / TLS errors but not sure why
Alan DeKok
aland at deployingradius.com
Mon Aug 7 12:36:45 UTC 2023
On Aug 7, 2023, at 8:19 AM, James Wood via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> When I start the daemon there are no errors indicating the key/cert don't
> match so I assume all is well.
TLS also requires agreement from the other end.
> (0) ERROR: (TLS) Failed reading from OpenSSL: error:1408A0C1:SSL
> routines:ssl3_get_client_hello:no shared cipher
Either your system is configured with a restrictive list of ciphers, OR the other end is configured with a restrictive list of ciphers.
i.e. maybe one end says "I only do DES", and the other "I only do AES". At that point they can't agree on a shared encryption method, and they can't talk.
Since the openssl client is showing the same error, the issue is likely the server. Go back to the default configuration, and don't use exotic certificates. Use the test certificates in raddb/certs. It will work.
Then, replace pieces of the configuration and certs one by one (and test them) until it stops working. The thing you just changed is what's breaking it.
Alan DeKok.
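
An added example, not part of the original message or of FreeRADIUS: one way to check whether two cipher strings can ever agree is to expand each with the local OpenSSL build (through Python's ssl module) and intersect the results. The two cipher strings are constructed sample values and the function names are hypothetical; the expansion reflects the OpenSSL on the machine running the script, and TLS 1.3 suites are left out because they are configured separately from the cipher list.

```python
import ssl


def expand(cipher_string, include_tls13=False):
    """Return the suite names the local OpenSSL enables for cipher_string, in order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # The string matches nothing this OpenSSL build supports.
        return []
    return [c["name"] for c in ctx.get_ciphers()
            if include_tls13 or c["protocol"] != "TLSv1.3"]


def negotiate(server_string, client_string):
    """Compare both ends; 'shared' is listed in the server's preference order."""
    server = expand(server_string)
    client = expand(client_string)
    shared = [name for name in server if name in client]
    return {"server": server, "client": client, "shared": shared}


def diagnose(server_string, client_string):
    """Summarise in one line whether a handshake could pick a cipher."""
    result = negotiate(server_string, client_string)
    if not result["server"]:
        return "server cipher string enables nothing on this OpenSSL build"
    if not result["client"]:
        return "client cipher string enables nothing on this OpenSSL build"
    if not result["shared"]:
        return "no shared cipher: the two lists do not overlap"
    return "would negotiate from: " + ", ".join(result["shared"])


if __name__ == "__main__":
    # Constructed sample values: each end restricted to a single, different suite.
    SERVER = "ECDHE-RSA-AES256-GCM-SHA384"
    CLIENT = "ECDHE-RSA-AES128-GCM-SHA256"
    print(diagnose(SERVER, CLIENT))
    # Widening the server list to include the client's suite restores overlap.
    print(diagnose(SERVER + ":" + CLIENT, CLIENT))
```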