"No shared cipher" error but listed in preferred ciphers
Alan DeKok
alan.dekok at inkbridge.io
Mon Nov 24 20:52:19 UTC 2025
On Nov 24, 2025, at 5:26 AM, Nicolas Godbert via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I try to recycle some old HPE switches as radius client using EAP-TLS based protocols for test only.
> They are using old deprecated ciphers, so I rebuilt openssl for legacy suites on a raspbian (I know, it's a bad idea and not secure).
If it works...
> # openssl ciphers -v ALL | grep RC4
> RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
Ugh, but OK.
> So, when the server freeradius and the switch try to negotiate, I can see in the logs that the cipher RC4-MD5 is now common for the two devices.
That's good.
> But I still got an error "no shared cipher"
>
> ...
> Thu Nov 20 15:11:44 2025 : ERROR: (26) eap_ttls: (TLS) Failed reading from OpenSSL: ../ssl/statem/statem_srvr.c[2333]:error:0A0000C1:SSL routines::no shared cipher
This might be "no shared message digest", or something else. Unfortunately, this is all OpenSSL magic, and it's hard to know what's going on inside of OpenSSL.
> ..
> cipher_list = "ALL@SECLEVEL=0"
> cipher_server_preference = no
> tls_min_version = "1.0"
That should all be good.
> Is it mandatory to use the tls_min_version/max options, since the deprecated cipher I am trying to use belongs to the SSLv3 suite?
Yes. You can (in theory) use some newer ciphers with TLS 1.0, or older ciphers with TLS 1.3. So you have to enable everything in order for it to work.
> Do you have some hints to help debug further, please?
This is all OpenSSL magic. Unfortunately, the RC4-MD5 ciphers have been deprecated for decades. We can't help a lot here. Perhaps the OpenSSL people can help.
Alan DeKok.
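
Added example, not part of the original message and not FreeRADIUS or OpenSSL project code: `openssl ciphers -v ALL` lists what is compiled in, while the `-s` option with a protocol flag such as `-tls1` lists only the suites enabled for that protocol version and security level. The function names and sample listings below are constructed for illustration and are not the poster's output.

```shell
#!/bin/sh
# Classify one cipher suite from two `openssl ciphers -v` listings:
# everything compiled in, and what is enabled for a given protocol
# version and security level.

# has_cipher NAME LISTING -> exit 0 if NAME is the first column of a line.
has_cipher() {
    printf '%s\n' "$2" | awk -v n="$1" '$1 == n { found = 1 } END { exit !found }'
}

# cipher_status NAME COMPILED_LISTING ENABLED_LISTING
# Prints "missing", "compiled-but-disabled", or
# "enabled <Kx> <Au> <Enc> <Mac>" (the suite's key exchange, authentication,
# encryption and MAC fields, useful when comparing against the peer's offer).
cipher_status() {
    if ! has_cipher "$1" "$2"; then
        echo "missing"
    elif ! has_cipher "$1" "$3"; then
        echo "compiled-but-disabled"
    else
        printf '%s\n' "$3" |
            awk -v n="$1" '$1 == n { print "enabled", $3, $4, $5, $6; exit }'
    fi
}

# Constructed sample listings in `openssl ciphers -v` format.
SAMPLE_COMPILED='ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5'
SAMPLE_ENABLED='AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1'

cipher_status RC4-MD5 "$SAMPLE_COMPILED" "$SAMPLE_ENABLED"
cipher_status AES128-SHA "$SAMPLE_COMPILED" "$SAMPLE_ENABLED"

# Live use against the locally built binary:
#   cipher_status RC4-MD5 "$(openssl ciphers -v ALL)" \
#       "$(openssl ciphers -s -v -tls1 'ALL@SECLEVEL=0')"
```

Run the live form with the same `openssl` binary and libraries that the RADIUS server is linked against, otherwise the listing describes a different build.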