List: freeradius-users
Subject: Re: Does FreeRADIUS 2.1.12's ECDH support include ECDH-RSA-AES128-SHA?
From: Edward Morris <emorris25 () yahoo ! com>
Date: 2014-01-29 23:36:47
Message-ID: 1391038607.30383.YahooMailNeo () web140406 ! mail ! bf1 ! yahoo ! com
> > However, my attempts to utilize ECDH (non-ephemeral) cipher suites fail with an
> > error of "SSL3_GET_CLIENT_HELLO:no shared cipher." I've seen that same error
> > occur both when I was attempting to employ a cipher suite not supported by
> > FreeRADIUS (versions prior to 2.1.12 did not support any ECDHE cipher suites) and
> > when I had a screwy configuration (e.g., attempts to use DSA cipher suites
> > without first giving the server a DSA key). So I'm unclear on where the problem
> > might lie.
> With OpenSSL. FreeRADIUS doesn't implement SSL, so it's completely at
> the mercy of OpenSSL.
Thank you. Code changes were needed in FreeRADIUS to support ECDH cipher suites (as
prior to 2.1.12 FreeRADIUS did not support ECDH suites even if OpenSSL did), so there
was a possibility in my mind that the changes to FreeRADIUS may have only enabled
support for ECDH*E* suites and not ECDH suites. I understand now this isn't the
case.
> > The only documentation I could find on this topic was the line 'ecdh_curve =
> > "prime256v1"' in eap.conf.
> See also "cipher_list". You can add the ECDH cipher suite to that.
> See the OpenSSL documentation for details on what text to put there.
I neglected to mention that I've been setting the cipher_list to explicitly include
only a single cipher suite at a time to test the client's ability to support a given
one.
> > Any pointers or confirmation as to whether or not FreeRADIUS (any version)
> > supports plain ECDH cipher suites would be greatly appreciated.
> FreeRADIUS just passes the SSL configuration to OpenSSL, and lets OpenSSL do its
> magic. If it doesn't work, then (a) the configuration doesn't have the right SSL
> magic, or (b) OpenSSL doesn't support that cipher suite.
> Alan DeKok.
Thank you again for clarifying. Upon your advice, I took FreeRADIUS out of the
equation and performed testing directly with openssl (using the certificates I had
generated for FreeRADIUS). I also read the RFC governing ECDH & ECDHE cipher suites
in more detail ( http://tools.ietf.org/html/rfc4492#section-2 ) and learned that the
RFC requires that the server's certificate be signed with ECDSA (something I hadn't
paid attention to when generating my server's certificate). The further testing
yielded puzzling results, but results that confirm your suspicion that the problem
lay with OpenSSL.
Ed
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html