(RADIATOR) SSL3_GET_CLIENT_HELLO:no shared cipher

McGrath, Thomas J. Thomas.McGrath at fccc.edu
Thu Feb 5 12:18:53 CST 2004


Mike,

	After some analysis of the OS, I found the demoCA directory had
become corrupted.   A deletion of the directory and re-creation was
required.  Radiator is working once again.

Tom

-----Original Message-----
From: McGrath, Thomas J. [mailto:Thomas.McGrath at fccc.edu]
Sent: Thursday, February 05, 2004 10:21 AM
To: 'Mike McCauley'; McGrath, Thomas J.; radiator at open.com.au
Subject: RE: (RADIATOR) SSL3_GET_CLIENT_HELLO:no shared cipher


Mike,

	After copying the files, I did verify the file permissions and I
needed to change them.   They now have the correct permissions.
	I did look further back in the log and found what may shine a light
on the problem.   I didn't find any references to the error message in the
radiator archives.   What is really strange is the fact that the path is
correct for the cacert.pem file, but it is telling me it can't verify the
location.

LOG:
Thu Feb  5 10:02:58 2004: DEBUG: Handling with Radius::AuthLDAP2:
Thu Feb  5 10:02:58 2004: DEBUG: Handling with EAP: code 2, 2, 13
Thu Feb  5 10:02:58 2004: DEBUG: Response type 1
Thu Feb  5 10:02:58 2004: ERR: TLS could not load_verify_locations /etc/radiator/certificates/demoCA/cacert.pem, :
Thu Feb  5 10:02:58 2004: INFO: Access rejected for testuser: EAP TTLS Could not initialise context

-----Original Message-----
From: Mike McCauley [mailto:mikem at open.com.au]
Sent: Wednesday, February 04, 2004 5:51 PM
To: McGrath, Thomas J.; radiator at open.com.au
Subject: Re: (RADIATOR) SSL3_GET_CLIENT_HELLO:no shared cipher


Hello Thomas,


On Thu, 5 Feb 2004 08:31 am, McGrath, Thomas J. wrote:
> All @ Radiator;
>
> 	I was attempting to replace the test certificate with a valid SSL
> certificate and ran into a small problem.   Fortunately, I backed up the
> certificate files and put them back in the correct locations.   After doing
> so, my Radiator is now giving a very strange error:
> "SSL3_GET_CLIENT_HELLO:no shared cipher".   A copy of the log is as
> follows:

It's hard to tell exactly what the problem might be, since you have only sent
the last part of the log file, but it looks like the certificates are not all
back the way they used to be.
In particular, I suggest that Radiator can't find (or has no permission to
read) the root certificate file that corresponds to the client certificate.
It is usually in %D/certificates/demoCA/cacert.pem

Hope that helps.

Cheers.

>
> *** --- *** LOGFILE *** --- ***
> Wed Feb  4 15:57:35 2004: DEBUG: Handling request with Handler 'Wireless'
> Wed Feb  4 15:57:35 2004: DEBUG:  Deleting session for testuser, 10.10.10.10, 503
> Wed Feb  4 15:57:35 2004: DEBUG: Handling with Radius::AuthLDAP2:
> Wed Feb  4 15:57:35 2004: DEBUG: Handling with EAP: code 2, 3, 100
> Wed Feb  4 15:57:35 2004: DEBUG: Response type 21
> Wed Feb  4 15:57:35 2004: DEBUG: EAP TLS SSL_accept result: -1, 1, 8466
> Wed Feb  4 15:57:35 2004: ERR: EAP TLS error: -1, 1, 8466,  18841: 1 - error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
>
> Wed Feb  4 15:57:35 2004: INFO: Access rejected for testuser: EAP TLS error
> Wed Feb  4 15:57:35 2004: DEBUG: Packet dump:
> *** Sending to 10.10.10.10 port 21658 ....
> Code:       Access-Reject
> Identifier: 3
> *** --- *** LOGFILE *** --- *** END
>
> The PEM files all appear to be exactly as they were before.   I also
> granted all users full read/write access just to rule out a user access
> problem. Does anyone have a suggestion?   Things did work prior to moving
> files out then back in again.
>
> Below is a copy of my cfg:
> *** --- *** CFG *** --- ***
> <Handler=Wireless>
>         <AuthBy LDAP2>
>                 EAPType TTLS
>                 EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>                 EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>                 EPTLS_PrivateKeyPassword whatever
>                 EAPTLS_MaxFragmentSize 1024
>                 AutoMPPEKeys Yes
>                 AddToReply MS-MPPE-Encryption-Policy = 2, MS-MPPE-Encryption-Types = 2
>                 DefaultSimultaneousUse 1
>         </AuthBy>
> </Handler>
> *** --- *** CFG *** --- *** END
>
>
> Tom McGrath
>
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
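A pre-flight check for the failure discussed in this thread (a Radiator EAP-TLS/TTLS context that dies at load_verify_locations after certificate files were moved), added here as an example and not Radiator's own code: it reads the EAPTLS_* keys from an AuthBy clause, substitutes %D (Radiator's DbDir, assumed to be supplied by the caller), checks that each file exists and is readable, then loads the CA file and the cert/key pair through Python's ssl module, which drives the same OpenSSL routines Radiator does, and reports the first step that fails. The function names parse_eaptls and check_tls_files and the KNOWN key set (limited to the parameters in Tom's config) are this example's own.

```python
import os
import re
import ssl
# Parameters this checker knows: the ones in the config quoted in the thread.
KNOWN = {"EAPTLS_CAFile", "EAPTLS_CertificateFile", "EAPTLS_CertificateType",
         "EAPTLS_PrivateKeyFile", "EAPTLS_PrivateKeyPassword", "EAPTLS_MaxFragmentSize"}

def parse_eaptls(cfg_text, dbdir):
    """Return (params, unknown_keys) from an AuthBy clause; %D is Radiator's DbDir.
    Keys that look like E..TLS_ but are not in KNOWN are returned as unknown."""
    params, unknown = {}, []
    for line in cfg_text.splitlines():
        m = re.match(r"\s*(E\w*TLS_\w+)\s+(\S+)", line)
        if not m:
            continue
        key, val = m.groups()
        if key in KNOWN:
            params[key] = val.replace("%D", dbdir)
        else:
            unknown.append(key)
    return params, unknown

def check_tls_files(params):
    """Repeat what Radiator asks OpenSSL to do when it builds the EAP-TLS context and
    return [(step, status), ...], stopping at the first failure. Run it as the user
    Radiator runs as: os.access() answers for the current user, and root reads anything."""
    results = []
    for key in ("EAPTLS_CAFile", "EAPTLS_CertificateFile", "EAPTLS_PrivateKeyFile"):
        path = params.get(key, "")
        status = ("not set" if not path else "missing" if not os.path.isfile(path)
                  else "unreadable" if not os.access(path, os.R_OK) else "ok")
        results.append((key, status))
    if any(status != "ok" for _, status in results):
        return results
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Same OpenSSL calls Radiator makes; the first is the one the log says failed.
    steps = [
        ("load_verify_locations", lambda: ctx.load_verify_locations(cafile=params["EAPTLS_CAFile"])),
        ("load_cert_chain", lambda: ctx.load_cert_chain(params["EAPTLS_CertificateFile"],
            params["EAPTLS_PrivateKeyFile"], params.get("EAPTLS_PrivateKeyPassword"))),
    ]
    for name, step in steps:
        try:
            step()
            results.append((name, "ok"))
        except OSError as e:  # ssl.SSLError is a subclass of OSError
            results.append((name, f"failed: {e}"))
            return results
    return results
```

A file that the Radiator account cannot read is reported as "unreadable" before OpenSSL is involved, and a key that does not match KNOWN (such as a mistyped parameter name) is listed separately so it can be checked against the Radiator reference.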