RADSEC / TLS errors but not sure why

marki jm+freeradiususer at roth.lu
Mon Aug 7 12:45:35 UTC 2023


You can use Wireshark to capture the traffic on either side and see exactly what ciphers both ends are proposing.
Maybe when you see what they are proposing, it will lead you to the appropriate configuration.

On August 7, 2023 2:19:21 PM GMT+02:00, James Wood via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>Hi All,
>
>I'm currently testing out RADSEC/TLS on the latest version, 3.2.3, with
>openssl 3.0 on Ubuntu 22.04.
>
>The key, certificate and CA are correct and have been validated to match
>before using in the Freeradius config.
>
>When I start the daemon there are no errors indicating the key/cert don't
>match so I assume all is well.
>
>However, when a client connects over RADSEC/TLS (port 2083), Freeradius
>displays an SSL error. I've also tried the openssl s_client command and the
>same error is thrown.
>
>openssl s_client -showcerts -connect radius.hostname:2083
>
>The key/cert is secp384r1 based.
>
>mods-enabled/eap:
>
>---------------------------
>tls-config tls-common {
>    private_key_password = whatever
>    private_key_file = ${certdir}/my_key.key
>    certificate_file = ${certdir}/my_key.crt
>    ca_file = ${certdir}/my_key.ca
>    dh_file = ${certdir}/dh
>    random_file = /dev/urandom
>    fragment_size = 1024
>    ca_path = ${cadir}
>    cipher_list = "DEFAULT"
>    cipher_server_preference = no
>    ecdh_curve = "secp384r1"
>}
>---------------------------
>
>
>sites-enabled/tls:
>
>---------------------------
>listen {
>        ipaddr = *
>        port = 2083
>        type = auth+acct
>        proto = tcp
>        virtual_server = default
>        clients = radsec
>        limit {
>              max_connections = 16
>              lifetime = 0
>              idle_timeout = 30
>        }
>        tls {
>                private_key_password = whatever
>                private_key_file = ${certdir}/my_key.key
>                certificate_file = ${certdir}/my_key.crt
>                ca_file = ${certdir}/my_key.ca
>                dh_file = ${certdir}/dh
>                random_file = /dev/urandom
>                fragment_size = 8192
>                ca_path = ${cadir}
>                cipher_list = "DEFAULT"
>                cipher_server_preference = no
>                require_client_cert = no
>        }
>}
>
>clients radsec {
>        client all {
>                ipaddr = 0.0.0.0/0
>                proto = tls
>                secret = radsec
>        }
>}
>
>home_server tls {
>        ipaddr = 127.0.0.1
>        port = 2083
>        type = auth
>        secret = radsec
>        proto = tcp
>        status_check = none
>
>        tls {
>                private_key_password = whatever
>                private_key_file = ${certdir}/my_key.key
>                certificate_file = ${certdir}/my_key.crt
>                ca_file = ${certdir}/my_key.ca
>                dh_file = ${certdir}/dh
>                random_file = /dev/urandom
>                fragment_size = 8192
>                ca_path = ${cadir}
>                cipher_list = "DEFAULT"
>        }
>
>}
>
>home_server_pool tls {
>                 type = fail-over
>                 home_server = tls
>}
>
>realm tls {
>      auth_pool = tls
>}
>---------------------------
>
>
>
>
>radius debug:
>
>[snip]
>Listening on auth+acct proto tcp address * port 2083 (TLS) bound to server
>default
>Listening on command file /usr/local/var/run/radiusd/radiusd.sock
>Listening on auth address * port 1812 bound to server default
>Listening on acct address * port 1813 bound to server default
>Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
>Listening on proxy address * port 40253
>Ready to process requests
>
> ... new connection request on TCP socket
>Listening on auth+acct from client (1.2.3.4, 38639) -> (*, 2083,
>virtual-server=default)
>Waking up in 0.9 seconds.
>(0) (TLS) Initiating new session
>(0) (TLS) Handshake state - before/accept initialization
>(0) (TLS) Handshake state - Server before/accept initialization
>(0) (TLS) recv TLS 1.2 Handshake, ClientHello
>(0) (TLS) send TLS 1.2 Alert, fatal handshake_failure
>(0) ERROR: (TLS) Alert write:fatal:handshake failure
>(0) ERROR: (TLS) Server : Error in error
>(0) ERROR: (TLS) Server : Error in error
>(0) ERROR: (TLS) Failed reading from OpenSSL: error:1408A0C1:SSL
>routines:ssl3_get_client_hello:no shared cipher
>(0) ERROR: (TLS) System call (I/O) error (-1)
>(0) (TLS) Failed in TLS handshake receive
>(TLS) Closing socket from client port 38639
>
>
>If I query a public radsec radius server on port 2083 using the openssl
>s_client command it returns the certificate list correctly etc.
>
>Is it a problem with my key/cert, openssl, or the client?
>
>Thanks
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
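An added example, not part of the thread, of what the suggested capture lets you check offline: it parses the cipher_suites and supported_groups of a TLS 1.2 ClientHello and reports the two conditions under which OpenSSL, holding an ECDSA certificate on secp384r1 as in the post, ends up with "no shared cipher" (no ECDHE-ECDSA suite offered, or the certificate's curve absent from the client's supported_groups). The ClientHello bytes are constructed here in place of bytes lifted from a capture; the cipher suite and group numbers are the IANA registry values.

```python
import struct

# IANA cipher suite and named group values (constructed sample data below uses them).
ECDSA_SUITES = {0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256", 0xC02C: "ECDHE-ECDSA-AES256-GCM-SHA384"}
GROUPS = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1", 29: "x25519"}
EXT_SUPPORTED_GROUPS = 0x000A

def build_client_hello(suites, groups):
    """Build a minimal TLS 1.2 ClientHello record; stands in for bytes taken from a capture."""
    suites_b = b"".join(struct.pack("!H", s) for s in suites)
    groups_b = b"".join(struct.pack("!H", g) for g in groups)
    ext = struct.pack("!HHH", EXT_SUPPORTED_GROUPS, len(groups_b) + 2, len(groups_b)) + groups_b
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"            # version, random, empty session id
            + struct.pack("!H", len(suites_b)) + suites_b
            + b"\x01\x00"                                   # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(rec):
    """Return (cipher suite ids, supported group ids) that a ClientHello record offers."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9 + 2 + 32                       # record hdr(5) + handshake hdr(4) + version + random
    p += 1 + rec[p]                      # session id
    n = int.from_bytes(rec[p:p + 2], "big"); p += 2
    suites = [int.from_bytes(rec[i:i + 2], "big") for i in range(p, p + n, 2)]; p += n
    p += 1 + rec[p]                      # compression methods
    ext_end = p + 2 + int.from_bytes(rec[p:p + 2], "big"); p += 2
    groups = []
    while p < ext_end:
        etype, elen = struct.unpack("!HH", rec[p:p + 4]); p += 4
        if etype == EXT_SUPPORTED_GROUPS:  # 2-byte list length, then 2-byte group ids
            groups = [int.from_bytes(rec[i:i + 2], "big") for i in range(p + 2, p + elen, 2)]
        p += elen
    return suites, groups

def diagnose(rec, server_curve="secp384r1"):
    """List reasons a TLS 1.2 server holding an ECDSA cert on server_curve rejects this hello."""
    suites, groups = parse_client_hello(rec)
    problems = []
    if not any(s in ECDSA_SUITES for s in suites):
        problems.append("client offers no ECDHE-ECDSA cipher suite")
    if server_curve not in [GROUPS.get(g, str(g)) for g in groups]:
        problems.append(f"client does not list {server_curve} in supported_groups")
    return problems

if __name__ == "__main__":
    hello = build_client_hello([0xC030, 0x009C], [29, 23])  # RSA-only suites, no secp384r1
    print(parse_client_hello(hello), diagnose(hello))
```

If both checks pass for a real capture, the mismatch is on the server side instead (the curves the listener's tls section allows versus the certificate's curve), which is the next thing to compare against the config.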
