TLS DHE ciphers fail in FIPS mode with openssl 3.0

Alan DeKok aland at deployingradius.com
Wed Jan 22 14:07:53 UTC 2025


On Jan 22, 2025, at 9:00 AM, murugesh pitchaiah <murugesh.pitchaiah at gmail.com> wrote:
> Things were working fine with openssl client 1.0.2. But when I upgrade the
> client to openssl 3.0 - see the TLS handshake failing on the client side
> with "bad dh" error.

  This is due to increased security with OpenSSL.

> I see some references as "Randomly generated safe primes are not allowed by
> FIPS,".

  You should be able to disable FIPS.

> I see with "make dh" freeradius with the help of openssl - generates random
> dh. I guess these randomly generated safe primes are not allowed in FIPS
> from openssl 3. Guess somehow if we skip this and use only standard dh in
> radius server side it should work. Any information is much appreciated.
> 
> Note: Freeradius server is using : OpenSSL 1.1.1

  Is the client FreeRADIUS or something else?

  The solutions are (a) fix the client so that it allows DH, (b) fix the server so it doesn't use DH.

  Alan DeKok.
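As an added example (not part of this thread and not FreeRADIUS project code): the thread turns on whether the server's dh file holds a locally generated safe prime, as "make dh" produces, or one of the RFC 7919 named groups, which are the kind of DH parameters an OpenSSL 3 FIPS client will accept. The script below answers that for a PEM dh file. It rebuilds the ffdhe primes from the formulas in RFC 7919 Appendix A (the per-group constants 560316, 2625351, 5736041, 15705020 and 10965728 are transcribed from that appendix), parses the PKCS#3 DHParameter structure by hand so that no third-party module is needed, and reports whether the prime is a named group and whether it is at least a safe prime. The "p = 23" parameter set at the end is a constructed toy stand-in for a randomly generated prime, used only so the script runs without a real file.

```python
import base64

# Per-group constants c from RFC 7919 Appendix A, where each prime is
#   p = 2^b - 2^(b-64) + { floor(2^(b-130) * e) + c } * 2^64 - 1
_FFDHE_SPECS = {
    "ffdhe2048": (2048, 560316),
    "ffdhe3072": (3072, 2625351),
    "ffdhe4096": (4096, 5736041),
    "ffdhe6144": (6144, 15705020),
    "ffdhe8192": (8192, 10965728),
}


def floor_e_times_pow2(bits):
    """Exact floor(2**bits * e): Taylor series for e in fixed-point integer arithmetic.
    floor(floor(x)/n) == floor(x/n), so each term is exact and the total error is
    below the number of terms, far under the 64 guard bits that are shifted away."""
    guard = 64
    term = 1 << (bits + guard)   # 2^(bits+guard) / 0!
    total, n = 0, 1
    while term:
        total += term
        term //= n               # 2^(bits+guard) / n!
        n += 1
    return total >> guard


def ffdhe_prime(bits, c):
    """Rebuild an RFC 7919 prime from its defining formula."""
    return (1 << bits) - (1 << (bits - 64)) + ((floor_e_times_pow2(bits - 130) + c) << 64) - 1


FFDHE_GROUPS = {name: ffdhe_prime(b, c) for name, (b, c) in _FFDHE_SPECS.items()}


def is_probable_prime(n):
    """Miller-Rabin with fixed small bases: a sanity check, not a proof of primality."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p):
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(v):
    # +8 bits forces a leading 0x00 octet whenever the top bit is set (DER INTEGER is signed)
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(b)) + b


def encode_dh_pem(p, g=2):
    """PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }, PEM-armoured."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_dh_pem(pem):
    body = "".join(ln for ln in pem.splitlines() if ln and not ln.startswith("-----"))
    tag, seq, _ = _read_tlv(base64.b64decode(body), 0)
    if tag != 0x30:
        raise ValueError("not a DHParameter SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected prime and base INTEGERs")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def classify_dh_pem(pem):
    """(RFC 7919 group name or None, is the prime a safe prime?) for a PEM dh file."""
    p, _g = decode_dh_pem(pem)
    name = next((n for n, prime in FFDHE_GROUPS.items() if prime == p), None)
    return name, True if name else is_safe_prime(p)


if __name__ == "__main__":
    standard = encode_dh_pem(FFDHE_GROUPS["ffdhe2048"])   # what a FIPS-compatible server should load
    homegrown = encode_dh_pem(23, 5)                      # constructed toy stand-in for a 'make dh' prime
    for label, pem in (("ffdhe2048 file", standard), ("toy p=23 file", homegrown)):
        print(label, "->", classify_dh_pem(pem))
```

To test a real file, pass its contents to classify_dh_pem (for FreeRADIUS that is the dh file written by "make dh" in raddb/certs). A result of (None, True) is exactly the case in the thread: a perfectly good safe prime that the FIPS provider still refuses because it is not a named group. Writing encode_dh_pem(FFDHE_GROUPS["ffdhe2048"]) to that file gives the server parameters the client will accept, which is the "standard dh" the original poster was looking for.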


