RADSEC / TLS errors but not sure why

Alan DeKok aland at deployingradius.com
Mon Aug 7 15:44:06 UTC 2023


On Aug 7, 2023, at 11:26 AM, James Wood via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> Thanks. So when I use a basic certificate, it works, and using the openssl
> show cert command from an external machine it returns the certificates.

  That's good.

> I've also just tried using this SSL cert with radsecproxy instead of
> FreeRADIUS, on the same server, and it also errors when I run the openssl
> show cert command.

  Because radsecproxy uses OpenSSL for all of the TLS / certificate stuff.

> So yes, it must be related to the specific SSL certificate I am trying to
> use. I will go through a few more checks.
> 
> For reference, this is a publicly issued certificate from the WBA for
> OpenRoaming client/server use. So it's not my own certificate, however I do
> have the private key/CSR of course. I have verified the key/cert/ca matches.

  OpenRoaming definitely uses FreeRADIUS and OpenSSL.  So it definitely is possible to get it to work.  The only question is what magic string has to go into the "cipher_list".

  See https://www.openssl.org/docs/man1.1.1/man1/ciphers.html for a list of what strings are allowed in the "cipher_list" configuration item.

  But be aware that you need to update *both* the client and server.  If the server supports EC certificates, then it likely also automatically supports the relevant cipher suites which use those EC certificates.

  Which means you likely need to update the *client* configuration to allow the ECDH cipher suites.

  And yes, use "wireshark" to see the list of cipher suites which each side supports.

  Alan DeKok.
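To see what a candidate "cipher_list" string actually enables before putting it into the FreeRADIUS (or client-side) configuration, here is an added Python example that is not part of the thread: it expands the string through Python's ssl module, which is backed by the same OpenSSL cipher-string syntax, and reports whether any suite that can authenticate with an EC (ECDSA) certificate survives. Run it on both sides' strings, since the point above is that client and server must overlap.

```python
import ssl
from collections import Counter


def expand_cipher_list(cipher_list):
    """Expand an OpenSSL cipher_list string the way the TLS stack will.

    Returns the TLS 1.2-and-below suites the string enables. TLS 1.3 suites
    are configured separately by OpenSSL and are not affected by cipher_list,
    so they are filtered out here. An empty list means nothing matched, which
    is what a server with that setting would offer: no usable suite at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError:
        return []
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def auth_summary(cipher_list):
    """Count enabled suites by the certificate type they authenticate with
    (e.g. 'auth-rsa', 'auth-ecdsa'). A list with no 'auth-ecdsa' entry can
    never complete a handshake against a server presenting an EC cert."""
    return dict(Counter(c["auth"] for c in expand_cipher_list(cipher_list)))


def supports_ec_cert(cipher_list):
    """True if at least one enabled suite works with an ECDSA/EC certificate."""
    return any(c["auth"] == "auth-ecdsa" for c in expand_cipher_list(cipher_list))


if __name__ == "__main__":
    # Constructed sample strings: an RSA-only list (typical of older configs),
    # the OpenSSL default, and an explicit list naming an ECDSA suite.
    for candidate in ("aRSA", "DEFAULT", "ECDHE-ECDSA-AES256-GCM-SHA384"):
        print(f"{candidate!r}: EC-cert capable={supports_ec_cert(candidate)}"
              f" suites by auth={auth_summary(candidate)}")
```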
