TLS handshake error
Alan DeKok
aland at deployingradius.com
Thu Jun 20 20:33:54 UTC 2024
On Jun 20, 2024, at 4:23 PM, Mark Dayton <m4rk.dayton at gmail.com> wrote:
> Okay so I'm a little further, more logs. Errors mentioning no suitable
> cipher
It's good to make progress, but details matter. The error message isn't "no suitable cipher", which would be substantially different.
The error is actually:
> (1) eap_tls: (TLS) TLS - send TLS 1.3 Alert, fatal handshake_failure
> (1) eap_tls: ERROR: (TLS) TLS - Alert write:fatal:handshake failure
> (1) eap_tls: ERROR: (TLS) TLS - Server : Error in error
> (1) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000065:SSL routines::no suitable key share
It is absolutely critical to use the correct terms. TLS is complicated, and contains a lot of different concepts and terms. If you use the wrong ones, you are *guaranteed* to not understand the issue, and then not be able to fix it.
The reason why this is happening is that you edited the default configuration, and broke it. Don't do that.
Specifically, you changed the configuration from:
cipher_list = "DEFAULT"
to
cipher_list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-CAMELLIA128-SHA"
Change it back, and it will work.
This series of messages shows a whole set of bad processes which *create* problems. Using good processes is better:
* read the documentation. Really. It helps.
* don't make massive changes to the configuration, and then wonder why it doesn't work
* instead, make small changes, and test them one by one
* when posting to the list, read the messages and follow instructions. When you reply to a message and do something *other* than what was asked, that causes problems.
You've spent a large amount of time breaking the server, and then trying to figure out why it was broken. Just... don't do that.
Alan DeKok.
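The practical lesson of the thread is "make small changes, and test them one by one". The following is an added example, not part of the mailing-list message and not FreeRADIUS code: it uses Python's standard `ssl` module, which hands a cipher string to the same OpenSSL cipher-list parser that the server's `cipher_list` setting feeds (an assumption about the server's internals, but the string syntax is OpenSSL's in both cases). It validates a candidate `cipher_list` value before it goes into a config file and reports which cipher names the edit drops relative to `DEFAULT`. The two cipher strings are the ones quoted above; `expand_cipher_list`, `compare_cipher_lists` and `is_valid_cipher_list` are names chosen here.

```python
import ssl
from typing import Dict, List

# The two cipher_list values quoted in the thread: the shipped default and
# the edited value that broke the handshake.
DEFAULT_LIST = "DEFAULT"
EDITED_LIST = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
    "DHE-RSA-CAMELLIA256-SHA:DHE-RSA-CAMELLIA128-SHA"
)


def expand_cipher_list(cipher_list: str) -> List[str]:
    """Return the cipher names OpenSSL selects for a cipher_list string,
    in preference order, as seen by a server-side context on this host.

    Raises ssl.SSLError when the string selects no cipher at all, which is
    the cheapest possible way to catch a typo before restarting the server.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)  # same OpenSSL parser as cipher_list
    # get_ciphers() also reports the TLS 1.3 suites, which OpenSSL keeps in a
    # separate setting from the cipher list; leave them out so the comparison
    # covers exactly what cipher_list controls.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def is_valid_cipher_list(cipher_list: str) -> bool:
    """True if OpenSSL on this host accepts the string and it selects >= 1 cipher."""
    try:
        return len(expand_cipher_list(cipher_list)) > 0
    except (ssl.SSLError, ValueError):
        return False


def compare_cipher_lists(baseline: str, candidate: str) -> Dict[str, List[str]]:
    """Show what a proposed cipher_list edit changes relative to a baseline.

    'removed' is every cipher the baseline offered that the candidate drops;
    'added' is anything the candidate offers that the baseline did not.
    """
    base = expand_cipher_list(baseline)
    cand = expand_cipher_list(candidate)
    return {
        "removed": [name for name in base if name not in cand],
        "added": [name for name in cand if name not in base],
    }


if __name__ == "__main__":
    for label, value in (("DEFAULT", DEFAULT_LIST), ("edited", EDITED_LIST)):
        ciphers = expand_cipher_list(value)
        print(f"{label}: {len(ciphers)} ciphers selected")
    diff = compare_cipher_lists(DEFAULT_LIST, EDITED_LIST)
    print("dropped by the edit:", ", ".join(diff["removed"]) or "(none)")
    print("added by the edit:", ", ".join(diff["added"]) or "(none)")
    print("typo check:", is_valid_cipher_list("ECDHE-RSA-AES128-GCM-SHA25"))
```

Run it on the host that will run the server: the result depends on that host's OpenSSL build and security level, which is exactly the point of testing a change where it will be deployed. A single dropped line in the "removed" output is the kind of small, reviewable change the message recommends; a wall of dropped names is the signal to put `DEFAULT` back.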