TLS handshake error

Mark Dayton m4rk.dayton at gmail.com
Thu Jun 20 20:48:11 UTC 2024


Hi Alan,
I have now changed it back to cipher_list = "HIGH" and yes, it's still
working. I believe the root cause to be ecdh_curve = "secp521r1".
This was forked from elsewhere, so I'm trying my best to work through the
issues.
Mark

On Thu, 20 Jun 2024 at 21:34, Alan DeKok <aland at deployingradius.com> wrote:

> On Jun 20, 2024, at 4:23 PM, Mark Dayton <m4rk.dayton at gmail.com> wrote
> > Okay, so I'm a little further, more logs. Errors mentioning no suitable
> > cipher
>
>   It's good to make progress, but details matter.  The error message isn't
> "no suitable cipher", which would be substantially different.
>
>   The error is actually:
>
> > (1) eap_tls: (TLS) TLS - send TLS 1.3 Alert, fatal handshake_failure
> > (1) eap_tls: ERROR: (TLS) TLS - Alert write:fatal:handshake failure
> > (1) eap_tls: ERROR: (TLS) TLS - Server : Error in error
> > (1) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000065:SSL
> > routines::no suitable key share
>
>   It is absolutely critical to use the correct terms.  TLS is complicated,
> and contains a lot of different concepts and terms.  If you use the wrong
> ones, you are *guaranteed* to not understand the issue, and then not be
> able to fix it.
>
>   The reason why this is happening is that you edited the default
> configuration, and broke it.  Don't do that.
>
>   Specifically, you changed the configuration from:
>
> cipher_list = "DEFAULT"
>
>    to
>
> cipher_list =
> "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-CAMELLIA128-SHA"
>
>   Change it back, and it will work.
>
>   This series of messages shows a whole set of bad processes which
> *create* problems.  Using good processes is better:
>
> * read the documentation.  Really.  It helps.
>
> * don't make massive changes to the configuration, and then wonder why it
> doesn't work
>
> * instead, make small changes, and test them one by one
>
> * when posting to the list, read the messages and follow instructions.
> When you reply to a message and do something *other* than what was asked,
> that causes problems.
>
>   You've spent a large amount of time breaking the server, and then trying
> to figure out why it was broken.  Just... don't do that.
>
>   Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
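The distinction Alan draws above (a "no suitable key share" alert is a TLS 1.3 group/key-share mismatch, not a cipher-suite mismatch) and Mark's conclusion that restricting ecdh_curve to secp521r1 was the cause can both be checked with a small triage script. The following is an added example and is not code from this thread or from FreeRADIUS: it decodes the packed OpenSSL 3 error code quoted in the log lines above, maps it to the configuration knob that a defender should look at, and models the server-side group decision in TLS 1.3 (accept, HelloRetryRequest, or fatal alert) with a simplified version of OpenSSL's logic. The client group lists, the default server group order and the reason-code table beyond the value on the page are assumptions and are labelled as such in the code.

```python
import re

# Packed OpenSSL 3 error-code layout (openssl/err.h): library id in bits 23..30,
# reason code in the low 23 bits.  Library id 0x14 (20) is ERR_LIB_SSL.
ERR_LIB_SSL = 20

# Reason names: 101 is confirmed by the log line in the thread
# (0A000065 -> "no suitable key share"); 193 is SSL_R_NO_SHARED_CIPHER from
# OpenSSL's sslerr.h, the code a real cipher-suite mismatch would produce.
SSL_REASONS = {
    101: "no suitable key share",
    193: "no shared cipher",
}

# Triage hint per reason: a key-share failure points at the server's configured
# groups (FreeRADIUS ecdh_curve, as Mark found); a shared-cipher failure at cipher_list.
HINTS = {
    101: "TLS 1.3 group mismatch: check the server's supported groups (ecdh_curve), not cipher_list",
    193: "cipher-suite mismatch: check cipher_list",
}


def decode_openssl_error(code_hex: str) -> dict:
    """Split a packed OpenSSL 3 error code such as '0A000065' into library and reason."""
    code = int(code_hex, 16)
    lib = (code >> 23) & 0xFF
    reason = code & 0x7FFFFF
    if lib == ERR_LIB_SSL:
        text = SSL_REASONS.get(reason, "unknown SSL reason")
    else:
        text = "non-SSL library"
    return {"lib": lib, "reason": reason, "text": text}


_ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")


def triage_log(lines):
    """Return (reason code, hint) for every log line that carries a packed OpenSSL error code."""
    out = []
    for line in lines:
        m = _ERR_RE.search(line)
        if not m:
            continue
        decoded = decode_openssl_error(m.group(1))
        out.append((decoded["reason"], HINTS.get(decoded["reason"], "unmapped reason")))
    return out


def tls13_pick_group(client_key_shares, client_supported_groups, server_groups):
    """Simplified model of the server-side decision OpenSSL takes after parsing a
    TLS 1.3 ClientHello: use a key share the server supports; otherwise ask for one
    via HelloRetryRequest for a group both sides list; otherwise fail the handshake
    with 'no suitable key share'.  Server preference order is assumed."""
    for g in client_key_shares:
        if g in server_groups:
            return ("accept", g)
    for g in server_groups:
        if g in client_supported_groups:
            return ("hello_retry_request", g)
    return ("fatal:no suitable key share", None)


# Constructed inputs (assumptions, not measured from any real supplicant).
TYPICAL_CLIENT_SHARES = ["x25519"]
TYPICAL_CLIENT_GROUPS = ["x25519", "secp256r1", "secp384r1"]
ASSUMED_DEFAULT_SERVER_GROUPS = ["x25519", "secp256r1", "x448", "secp521r1", "secp384r1"]
RESTRICTED_SERVER_GROUPS = ["secp521r1"]  # the ecdh_curve value Mark identified

# Log lines as quoted in the thread (the wrapped line is joined back together).
SAMPLE_LOG = [
    "(1) eap_tls: (TLS) TLS - send TLS 1.3 Alert, fatal handshake_failure",
    "(1) eap_tls: ERROR: (TLS) TLS - Alert write:fatal:handshake failure",
    "(1) eap_tls: ERROR: (TLS) TLS - Server : Error in error",
    "(1) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000065:SSL routines::no suitable key share",
]


def reproduce_thread_case():
    """Show the restricted vs. default server group list against a typical client,
    alongside the triage of the quoted log."""
    return {
        "restricted": tls13_pick_group(TYPICAL_CLIENT_SHARES, TYPICAL_CLIENT_GROUPS, RESTRICTED_SERVER_GROUPS),
        "default": tls13_pick_group(TYPICAL_CLIENT_SHARES, TYPICAL_CLIENT_GROUPS, ASSUMED_DEFAULT_SERVER_GROUPS),
        "log": triage_log(SAMPLE_LOG),
    }


if __name__ == "__main__":
    for name, value in reproduce_thread_case().items():
        print(f"{name}: {value}")
```

With the server restricted to secp521r1 and a client that offers only x25519, secp256r1 and secp384r1 the model returns the fatal branch, which is the alert in the log; with the assumed default list it accepts the client's x25519 key share without a HelloRetryRequest. The triage function makes the point Alan insists on: the reason code in the log selects the configuration knob to inspect, and 0A000065 does not point at cipher_list.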