
List:       freeradius-users
Subject:    Re: Does FreeRADIUS 2.1.12's ECDH support include ECDH-RSA-AES128-SHA?
From:       Edward Morris <emorris25 () yahoo ! com>
Date:       2014-01-29 23:36:47
Message-ID: 1391038607.30383.YahooMailNeo () web140406 ! mail ! bf1 ! yahoo ! com



> > However, my attempts to utilize ECDH (non-ephemeral) cipher suites fail with an
> > error of "SSL3_GET_CLIENT_HELLO:no shared cipher."  I've seen that same error
> > occur both when I was attempting to employ a cipher suite not supported by
> > FreeRADIUS (versions prior to 2.1.12 did not support any ECDHE cipher suites) and
> > when I had a screwy configuration (e.g., attempts to use DSA cipher suites
> > without first giving the server a DSA key).  So I'm unclear on where the problem
> > might lie.

> With OpenSSL.  FreeRADIUS doesn't implement SSL, so it's completely at
> the mercy of OpenSSL.

Thank you.  Code changes were needed in FreeRADIUS to support ECDH cipher suites (as
prior to 2.1.12 FreeRADIUS did not support ECDH suites even if OpenSSL did), so there
was a possibility in my mind that the changes to FreeRADIUS may have only enabled
support for ECDH*E* suites and not ECDH suites.  I understand now this isn't the
case.


> > The only documentation I could find on this topic was the line 'ecdh_curve =
> > "prime256v1"' in eap.conf.

> See also "cipher_list".  You can add the ECDH cipher suite to that.
> See the OpenSSL documentation for details on what text to put there.

I neglected to mention that I've been setting the cipher_list to explicitly include
only a single cipher suite at a time to test the client's ability to support a given
one.


> > Any pointers or confirmation as to whether or not FreeRADIUS (any version)
> > supports plain ECDH cipher suites would be greatly appreciated.

> FreeRADIUS just passes the SSL configuration to OpenSSL, and lets OpenSSL do its
> magic.  If it doesn't work, then (a) the configuration doesn't have the right SSL
> magic, or (b) OpenSSL doesn't support that cipher suite.
> Alan DeKok.

Thank you again for clarifying.  Upon your advice, I took FreeRADIUS out of the
equation and performed testing directly with openssl (using the certificates I had
generated for FreeRADIUS).  I also read the RFC governing ECDH & ECDHE cipher suites
in more detail ( http://tools.ietf.org/html/rfc4492#section-2 ) and learned that the
RFC requires that the server's certificate be signed with ECDSA (something I hadn't
paid attention to when generating my server's certificate).  The further testing
yielded puzzling results, but results that confirm your suspicion that the problem
lay with OpenSSL.

Ed

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
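The two failure modes discussed in this thread, a cipher_list entry the local OpenSSL cannot select (Alan's case (b)) and a server certificate that does not satisfy what RFC 4492 section 2 demands for the chosen ECDH/ECDHE key exchange (Ed's finding), can both be checked before touching eap.conf. The script below is an added example written for this archive page, not code from the thread or from the FreeRADIUS project; it uses only Python's standard ssl module, which wraps the same OpenSSL library FreeRADIUS links against. The requirement table is transcribed from RFC 4492 section 2 using OpenSSL's suite-name prefixes (ECDH-ECDSA, ECDHE-ECDSA, ECDH-RSA, ECDHE-RSA); the function names and the sample cipher strings are my own. One caveat worth knowing when reproducing Ed's test today: static (non-ephemeral) ECDH suites were removed in OpenSSL 1.1.0, so on current builds `supported_suites("ECDH-RSA-AES128-SHA")` returns an empty list, which is exactly the "no shared cipher" situation seen above.

```python
"""Pre-flight checks for an ECC cipher_list entry: what server certificate the
suite requires (RFC 4492 section 2) and whether the local OpenSSL offers it."""
import re
import ssl

# RFC 4492 section 2, keyed by OpenSSL's suite-name prefix (constructed table).
# Static ECDH suites need an EC public key in the cert AND constrain who signed it;
# ephemeral ECDHE suites only constrain the server's own key type.
_CERT_REQUIREMENTS = {
    "ECDH-ECDSA":  "ECDH-capable EC public key; certificate must be signed with ECDSA",
    "ECDHE-ECDSA": "ECDSA-capable EC public key; any signature algorithm on the cert",
    "ECDH-RSA":    "ECDH-capable EC public key; certificate must be signed with RSA",
    "ECDHE-RSA":   "RSA public key; any signature algorithm on the cert",
}


def certificate_requirement(suite: str) -> str:
    """Return the server-certificate requirement for an OpenSSL-style ECC suite name.

    Raises ValueError for suites outside RFC 4492 (e.g. plain "AES128-SHA").
    """
    m = re.match(r"^(ECDHE?-(?:ECDSA|RSA))-", suite)
    if not m:
        raise ValueError(f"{suite!r} is not an RFC 4492 ECDH/ECDHE cipher suite")
    return _CERT_REQUIREMENTS[m.group(1)]


def supported_suites(cipher_string: str) -> list:
    """Names of the TLS <= 1.2 suites the local OpenSSL enables for a cipher_list
    string.  Returns [] when OpenSSL rejects the string outright, which is what
    happens for static ECDH suites on OpenSSL 1.1.0 and later (they were removed).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    # get_ciphers() also lists TLS 1.3 suites (TLS_AES_...) that set_ciphers does
    # not govern; drop them so the result reflects the cipher_list string only.
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]


def check_cipher_list(cipher_string: str) -> dict:
    """Combine both checks for one cipher_list value, as a server admin would."""
    names = supported_suites(cipher_string)
    report = {"openssl_supports": bool(names), "suites": {}}
    for name in names:
        try:
            report["suites"][name] = certificate_requirement(name)
        except ValueError:
            report["suites"][name] = "not an ECC suite; RFC 4492 does not apply"
    return report


if __name__ == "__main__":
    # Sample cipher_list values (constructed), one suite at a time as in the thread.
    for cl in ("ECDH-RSA-AES128-SHA", "ECDHE-ECDSA-AES128-GCM-SHA256"):
        r = check_cipher_list(cl)
        print(cl, "->", "selectable" if r["openssl_supports"] else "NOT selectable by this OpenSSL")
        for suite, req in r["suites"].items():
            print("   ", suite, ":", req)
```

Run it on the RADIUS server itself so the ssl module loads the same OpenSSL that FreeRADIUS does; an empty result from `supported_suites` means no amount of eap.conf editing will make that suite negotiate, while a non-empty result tells you which key type and signer the server certificate must have before the handshake can succeed.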


