(RADIATOR) SSL3_GET_CLIENT_HELLO:no shared cipher
McGrath, Thomas J.
Thomas.McGrath at fccc.edu
Thu Feb 5 09:21:15 CST 2004
Mike,
After copying the files, I did verify the file permissions and I
needed to change them. They now have the correct permissions.
I did look further back in the log and found what may shine a light
on the problem. I didn't find any references to the error message in the
radiator archives. What is really strange is the fact that the path is
correct for the cacert.pem file, but it is telling me it can't verify the
location.
LOG:
Thu Feb 5 10:02:58 2004: DEBUG: Handling with Radius::AuthLDAP2:
Thu Feb 5 10:02:58 2004: DEBUG: Handling with EAP: code 2, 2, 13
Thu Feb 5 10:02:58 2004: DEBUG: Response type 1
Thu Feb 5 10:02:58 2004: ERR: TLS could not load_verify_locations /etc/radiator/certificates/demoCA/cacert.pem, :
Thu Feb 5 10:02:58 2004: INFO: Access rejected for testuser: EAP TTLS Could not initialise context
-----Original Message-----
From: Mike McCauley [mailto:mikem at open.com.au]
Sent: Wednesday, February 04, 2004 5:51 PM
To: McGrath, Thomas J.; radiator at open.com.au
Subject: Re: (RADIATOR) SSL3_GET_CLIENT_HELLO:no shared cipher
Hello Thomas,
On Thu, 5 Feb 2004 08:31 am, McGrath, Thomas J. wrote:
> All @ Radiator;
>
> I was attempting to replace the test certificate with a valid SSL
> certificate and ran into a small problem. Fortunately, I backed up the
> certificate files and put them back in the correct locations. After doing
> so, my Radiator is now giving a very strange error:
> "SSL3_GET_CLIENT_HELLO:no shared cipher". A copy of the log is as
> follows:
It's hard to tell exactly what the problem might be, since you have only sent
the last part of the log file, but it looks like the certificates are not all
back the way they used to be.
In particular, I suggest that Radiator can't find (or has no permission to
read) the root certificate file that corresponds to the client certificate.
It is usually in %D/certificates/demoCA/cacert.pem
Hope that helps.
Cheers.
>
> *** --- *** LOGFILE *** --- ***
> Wed Feb 4 15:57:35 2004: DEBUG: Handling request with Handler 'Wireless'
> Wed Feb 4 15:57:35 2004: DEBUG: Deleting session for testuser, 10.10.10.10, 503
> Wed Feb 4 15:57:35 2004: DEBUG: Handling with Radius::AuthLDAP2:
> Wed Feb 4 15:57:35 2004: DEBUG: Handling with EAP: code 2, 3, 100
> Wed Feb 4 15:57:35 2004: DEBUG: Response type 21
> Wed Feb 4 15:57:35 2004: DEBUG: EAP TLS SSL_accept result: -1, 1, 8466
> Wed Feb 4 15:57:35 2004: ERR: EAP TLS error: -1, 1, 8466, 18841: 1 - error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
>
> Wed Feb 4 15:57:35 2004: INFO: Access rejected for testuser: EAP TLS error
> Wed Feb 4 15:57:35 2004: DEBUG: Packet dump:
> *** Sending to 10.10.10.10 port 21658 ....
> Code: Access-Reject
> Identifier: 3
> *** --- *** LOGFILE *** --- *** END
>
> The PEM files all appear to be exactly as they were before. I also
> granted all users full read/write access just to rule out a user access
> problem. Does anyone have a suggestion? Things did work prior to moving
> files out then back in again.
>
> Below is a copy of my cfg:
> *** --- *** CFG *** --- ***
> <Handler=Wireless>
> <AuthBy LDAP2>
> EAPType TTLS
> EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
> EAPTLS_CertificateFile %D/certificates/cert-srv.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> EAPTLS_PrivateKeyPassword whatever
> EAPTLS_MaxFragmentSize 1024
> AutoMPPEKeys Yes
> AddToReply MS-MPPE-Encryption-Policy = 2, MS-MPPE-Encryption-Types = 2
> DefaultSimultaneousUse 1
> </AuthBy>
> </Handler>
> *** --- *** CFG *** --- *** END
>
>
> Tom McGrath
>
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
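The "TLS could not load_verify_locations" line in Thomas's log and Mike's suggestion that Radiator cannot find, or has no permission to read, the CA file are the same failure seen from two sides: the EAP-TLS context never initialises, so the server has nothing to offer at ClientHello and OpenSSL reports "no shared cipher". The pre-flight script below is an added example, not part of this thread and not Radiator's own tooling. It checks the three files the EAPTLS_* directives point at the way a practitioner would before restarting radiusd: existence and readability, PEM parsing, the chain from server certificate to cacert.pem, and the match between certificate and private key. The /etc/radiator prefix, the radius service user and the "whatever" passphrase are assumptions taken from the posted config.

```shell
#!/bin/sh
# Added example, not Radiator's own tooling: pre-flight the three files that
# EAPTLS_CAFile, EAPTLS_CertificateFile and EAPTLS_PrivateKeyFile point at,
# so a "could not load_verify_locations" / "Could not initialise context"
# is caught before the first Access-Request arrives.
# Run it as the user radiusd runs as (e.g. sudo -u radius sh check.sh --run);
# root can read files the daemon cannot, and that difference is the usual
# cause of the error in the thread.

# check_eaptls_files CAFILE CERTFILE KEYFILE [KEYPASSWORD]
# CERTFILE and KEYFILE may be the same combined PEM, as in the config above.
# Prints one line per finding; returns 0 when every hard check passes.
check_eaptls_files() {
    ca=$1; cert=$2; key=$3; pw=$4
    passin=""
    if [ -n "$pw" ]; then passin="-passin pass:$pw"; fi

    # 1. Existence and readability for the invoking user: a wrong path and a
    #    mode that excludes the daemon both surface as "could not load".
    for f in "$ca" "$cert" "$key"; do
        if [ ! -e "$f" ]; then echo "FAIL: $f does not exist"; return 1; fi
        if [ ! -r "$f" ]; then echo "FAIL: $f is not readable by $(id -un)"; return 1; fi
    done

    # 2. Each file must parse as the object type the directive expects.
    if ! openssl x509 -in "$ca" -noout 2>/dev/null; then
        echo "FAIL: $ca does not contain a PEM certificate"; return 1
    fi
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "FAIL: $cert does not contain a PEM certificate"; return 1
    fi
    # $passin is deliberately unquoted so it expands to zero or two words.
    if ! openssl pkey -in "$key" $passin -noout 2>/dev/null; then
        echo "FAIL: no private key could be loaded from $key (wrong password?)"; return 1
    fi

    # 3. The server certificate must chain to the CA the supplicants trust.
    #    Extract the first certificate so a combined cert+key file verifies.
    tmp=$(mktemp -d) || return 1
    if ! openssl x509 -in "$cert" -out "$tmp/leaf.pem" 2>/dev/null \
       || ! openssl verify -CAfile "$ca" "$tmp/leaf.pem" >/dev/null 2>&1; then
        rm -rf "$tmp"
        echo "FAIL: $cert does not verify against $ca"; return 1
    fi
    rm -rf "$tmp"

    # 4. The private key must belong to the certificate: compare the public
    #    key (SubjectPublicKeyInfo PEM) derived from each side.
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    kpub=$(openssl pkey -in "$key" $passin -pubout 2>/dev/null)
    if [ -z "$cpub" ] || [ "$cpub" != "$kpub" ]; then
        echo "FAIL: public key in $cert does not match private key in $key"; return 1
    fi

    # 5. Soft check: a world-readable private key makes the daemon work but
    #    is a finding in its own right.
    if [ -n "$(find "$key" -perm -004 2>/dev/null)" ]; then
        echo "WARN: $key is world-readable; restrict it to the radiusd user"
    fi

    echo "OK: CA, server certificate and private key are readable and consistent"
    return 0
}

# Stand-alone use mirroring the directives in the Handler above. The
# /etc/radiator prefix (the usual %D) and the passphrase are assumptions
# taken from the posted config, not from any real deployment.
if [ "${1:-}" = "--run" ]; then
    D=/etc/radiator
    check_eaptls_files "$D/certificates/demoCA/cacert.pem" \
                       "$D/certificates/cert-srv.pem" \
                       "$D/certificates/cert-srv.pem" whatever
fi
```

Run it under the daemon's identity (sudo -u radius) rather than as root, otherwise the readability check proves nothing. The WARN in step 5 is the counterpart to "granted all users full read/write access" earlier in the thread: opening the files up does make the context initialise, but the fix for a permission problem is to give the radiusd user read access to the key, not to give it to everyone.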