EAP-TLS not working with ECC Keys
Alan DeKok
aland at deployingradius.com
Thu Sep 19 12:17:52 UTC 2024
On Sep 19, 2024, at 5:35 AM, n5d9xq3ti233xiyif2vp--- via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> What am I missing to get EAP working with both the RADIUS server and the clients having ECC (P521) keys?
It should just work.
> Running freeradius in the foreground shows me this:
> (8) eap_tls: (TLS) EAP Peer says that the final record size will be 378 bytes
> (8) eap_tls: (TLS) EAP Got all data (378 bytes)
> (8) eap_tls: (TLS) recv TLS 1.3 Handshake, ClientHello
> (8) eap_tls: (TLS) Handshake state - Server SSLv3 read client hello A
> (8) eap_tls: (TLS) send TLS 1.3 Handshake, ServerHello
> (8) eap_tls: (TLS) Handshake state - Server SSLv3 write server hello A
> (8) eap_tls: (TLS) send TLS 1.3 Handshake, type=8
> (8) eap_tls: (TLS) send TLS 1.3 Handshake, CertificateRequest
> (8) eap_tls: (TLS) Handshake state - Server SSLv3 write certificate request A
> (8) eap_tls: (TLS) send TLS 1.3 Alert, fatal handshake_failure
> (8) eap_tls: ERROR: (TLS) Server : Error in SSLv3 write certificate A
> (8) eap_tls: ERROR: (TLS) Failed reading from OpenSSL
> (8) eap_tls: ERROR: (TLS) error:1402D0FB:SSL routines:ACCEPT_SW_CERT:unknown pkey type
> (8) eap_tls: ERROR: (TLS) error:14FFF0A8:SSL routines:(UNKNOWN)SSL_internal:missing rsa certificate
A little bit of Google shows this: https://github.com/libressl/portable/issues/1058
It's a bug in LibreSSL or OpenSSL.
Alan DeKok.
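The error above ("unknown pkey type" followed by "missing rsa certificate") comes from the TLS library, not from FreeRADIUS, so the first thing to pin down is what key type the server certificate really carries. The script below is an added example, not part of this thread or of FreeRADIUS: it walks the DER of an X.509 certificate (PEM or raw DER) with no external libraries and reports the SubjectPublicKeyInfo algorithm and, for EC keys, the named curve. The certificate builder at the bottom produces a constructed, structurally valid dummy certificate only so the script runs offline; its subject and issuer names, validity dates and key bytes are placeholders and are not a real key pair.

```python
"""Report the public-key algorithm of an X.509 certificate (PEM or DER).

Added example for the EAP-TLS / ECC thread; not FreeRADIUS code.  Pure
stdlib: a minimal DER walker that locates subjectPublicKeyInfo and decodes
the AlgorithmIdentifier OIDs.
"""
import base64
import re
import sys

# OIDs a RADIUS admin is likely to meet in a server certificate.
OID_NAMES = {
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.10045.2.1": "id-ecPublicKey",
    "1.2.840.10045.3.1.7": "prime256v1 (P-256)",
    "1.3.132.0.34": "secp384r1 (P-384)",
    "1.3.132.0.35": "secp521r1 (P-521)",
}


def der_read(buf, pos):
    """Return (tag, value_start, value_end, next_pos) for the TLV at pos."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def der_children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV inside a SEQUENCE."""
    pos = start
    while pos < end:
        tag, vs, ve, pos = der_read(buf, pos)
        yield tag, vs, ve


def decode_oid(body):
    """Decode OBJECT IDENTIFIER contents to dotted-decimal form."""
    first = body[0]
    parts = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def pem_to_der(data):
    """Accept PEM or raw DER bytes and return DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def der_to_pem(der):
    """PEM-wrap a DER certificate (used here so the PEM path can be exercised)."""
    return b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der) + b"\n-----END CERTIFICATE-----\n"


def cert_key_algorithm(data):
    """Return (key algorithm name, curve name or None) from the certificate's SPKI."""
    der = pem_to_der(data)
    _, cert_s, cert_e, _ = der_read(der, 0)            # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e, _ = der_read(der, cert_s)         # tbsCertificate ::= SEQUENCE
    # Drop the optional [0] EXPLICIT version; the remaining fields are
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo.
    fields = [c for c in der_children(der, tbs_s, tbs_e) if c[0] != 0xA0]
    _, spki_s, spki_e = fields[5]
    _, alg_s, alg_e = next(der_children(der, spki_s, spki_e))   # AlgorithmIdentifier
    oids = [decode_oid(der[s:e]) for t, s, e in der_children(der, alg_s, alg_e) if t == 0x06]
    key = OID_NAMES.get(oids[0], oids[0])
    curve = OID_NAMES.get(oids[1], oids[1]) if len(oids) > 1 else None
    return key, curve


# --- constructed sample certificate (dummy names, dates and key bytes) -------
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _oid(dotted):
    parts = list(map(int, dotted.split(".")))
    out = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_toy_cert(key_oid, curve_oid=None):
    """Structurally valid Certificate with placeholder contents (not a real key)."""
    params = _oid(curve_oid) if curve_oid else _tlv(0x05, b"")        # NULL for RSA
    spki = _tlv(0x30, _tlv(0x30, _oid(key_oid) + params)
                + _tlv(0x03, b"\x00\x04" + b"\x00" * 132))            # dummy EC point
    name = _tlv(0x30, b"")                                            # empty Name
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
    sig_alg = _tlv(0x30, _oid("1.2.840.10045.4.3.4"))                 # ecdsa-with-SHA512
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + sig_alg + name + validity + name + spki)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # e.g. python3 certkey.py server.pem
        data = open(sys.argv[1], "rb").read()
    else:                                      # fall back to the constructed sample
        data = der_to_pem(build_toy_cert("1.2.840.10045.2.1", "1.3.132.0.35"))
    print("key algorithm: %s, curve: %s" % cert_key_algorithm(data))
```

Run it against the certificate named by certificate_file in the eap tls-config section; an EC server cert should report id-ecPublicKey with secp521r1 (P-521). The same information is visible under "Public Key Algorithm" in `openssl x509 -in server.pem -noout -text`. If the certificate is EC as expected and the handshake still dies with "missing rsa certificate", the library behind FreeRADIUS is the next thing to check: `radiusd -v` reports which TLS library it was built against and linked to, which is where the LibreSSL issue linked above becomes relevant.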