RADSEC / TLS errors but not sure why

Alan DeKok aland at deployingradius.com
Mon Aug 7 19:51:16 UTC 2023 

On Aug 7, 2023, at 3:37 PM, James Wood via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> I too initially assumed it was the client that was the problem, but because
> I can call another public server, with the same signed certificate (just a
> different CN/Alt names - all Openroaming issued certs are the same CA etc)
> as I'm trying to use, and the client successfully negotiates SHA384, with a
> peer signature type of ECDSA, using TLSv1.3 and cipher
> TLS_AES_256_GCM_SHA384, then I can't see how the client is the problem. I
> seem to be able to use openssl s_client against any TLS host and get a
> valid response, just not my host.

  I've tried repeatedly to explain, so I'm not sure what isn't getting across.

  It's NEGOTIATION.  That means BOTH SIDES HAVE TO AGREE ON THE CIPHERS.

  Depending on what happens, you may have to change the configuration of the client, or of the server.  Since your messages go back and forth on what's happening, my response may seem to give different advice.  But don't take a reply to one message as meaning that my other replies are wrong.

> I am not restricting (that I'm aware of) anything in the openssl config on
> the host so it should be able to use TLS_AES_256_GCM_SHA384, which is
> inside the Client Hello packet capture.
> 
> Running "openssl ciphers" on the server provided that supported list in the
> previous message.

  <sigh>  I suggest reading my messages.

  The fact that the OPENSSL LIBRARIES SUPPORT A PARTICULAR SET OF CIPHERS

  does not mean that FREERADIUS WILL SUPPORT THE SAME SET OF CIPHERS

  I gave a long explanation in my previous message, including examples.  What is very much unhelpful is replying with the same comment of "But I ran openssl ciphers".

  I don't care.  It's irrelevant.  Or may only *slightly* relevant.  It's frustrating to see my explanations ignored, and the same replies repeated.

  So yes... I did see your message about "openssl ciphers".  I replied to it, and explained why it didn't matter.

  Are you going to pay attention to the reply?

> I'll look more into the server side of things now. Do you have any pointers
> as to what could be restricting the available ciphers on the server?

  There are "configuration files" shipped with FreeRADIUS.  Which includes "comments" and "documentation" on how, and what, to configured.

  The only thing which is clear here is that:

* the default (i.e. likely RSA) certificates work

* the EC cert doesn't work

  So.... see my previous message for comments on EC versus RSA ciphers.

  Alan DeKok.

More information about the Freeradius-Users mailing list