(RADIATOR) SSL3_GET_CLIENT_HELLO:no shared cipher
Mike McCauley
mikem at open.com.au
Thu Feb 5 15:27:27 CST 2004
Hello Thomas,
On Fri, 6 Feb 2004 02:21 am, McGrath, Thomas J. wrote:
> Mike,
>
> After copying the files, I did verify the file permissions and I
> needed to change them. They now have the correct permissions.
> I did look further back in the log and found what may shine a light
> on the problem. I didn't find any references to the error message in the
> radiator archives. What is really strange is the fact that the path is
> correct for the cacert.pem file, but it is telling me it can't verify the
> location.
That message comes direct from OpenSSL, and it's saying it could not run the
function load_verify_locations, which is supposed to load the files that
allow certificates to be verified (i.e. the root certificate(s)).
Cheers.
>
> LOG:
> Thu Feb 5 10:02:58 2004: DEBUG: Handling with Radius::AuthLDAP2:
> Thu Feb 5 10:02:58 2004: DEBUG: Handling with EAP: code 2, 2, 13
> Thu Feb 5 10:02:58 2004: DEBUG: Response type 1
> Thu Feb 5 10:02:58 2004: ERR: TLS could not load_verify_locations /etc/radiator/certificates/demoCA/cacert.pem, :
> Thu Feb 5 10:02:58 2004: INFO: Access rejected for testuser: EAP TTLS Could not initialise context
>
> -----Original Message-----
> From: Mike McCauley [mailto:mikem at open.com.au]
> Sent: Wednesday, February 04, 2004 5:51 PM
> To: McGrath, Thomas J.; radiator at open.com.au
> Subject: Re: (RADIATOR) SSL3_GET_CLIENT_HELLO:no shared cipher
>
>
> Hello Thomas,
>
> On Thu, 5 Feb 2004 08:31 am, McGrath, Thomas J. wrote:
> > All @ Radiator;
> >
> > I was attempting to replace the test certificate with a valid SSL
> > certificate and ran into a small problem. Fortunately, I backed up the
> > certificate files and put them back in the correct locations. After doing
> > so, my Radiator is now giving a very strange error:
> > "SSL3_GET_CLIENT_HELLO:no shared cipher". A copy of the log is as
> > follows:
>
> It's hard to tell exactly what the problem might be, since you have only sent
> the last part of the log file, but it looks like the certificates are not all
> back the way they used to be.
> In particular, I suggest that Radiator can't find (or has no permission to
> read) the root certificate file that corresponds to the client certificate.
> It is usually in %D/certificates/demoCA/cacert.pem
>
> Hope that helps.
>
> Cheers.
>
> > *** --- *** LOGFILE *** --- ***
> > Wed Feb 4 15:57:35 2004: DEBUG: Handling request with Handler 'Wireless
> > Wed Feb 4 15:57:35 2004: DEBUG: Deleting session for testuser, 10.10.10.10, 503
> > Wed Feb 4 15:57:35 2004: DEBUG: Handling with Radius::AuthLDAP2:
> > Wed Feb 4 15:57:35 2004: DEBUG: Handling with EAP: code 2, 3, 100
> > Wed Feb 4 15:57:35 2004: DEBUG: Response type 21
> > Wed Feb 4 15:57:35 2004: DEBUG: EAP TLS SSL_accept result: -1, 1, 8466
> > Wed Feb 4 15:57:35 2004: ERR: EAP TLS error: -1, 1, 8466, 18841: 1 - error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
> >
> > Wed Feb 4 15:57:35 2004: INFO: Access rejected for testuser: EAP TLS error
> > Wed Feb 4 15:57:35 2004: DEBUG: Packet dump:
> > *** Sending to 10.10.10.10 port 21658 ....
> > Code: Access-Reject
> > Identifier: 3
> > *** --- *** LOGFILE *** --- *** END
> >
> > The PEM files all appear to be exactly as they were before. I also
> > granted all users full read/write access just to rule out a user access
> > problem. Does anyone have a suggestion? Things did work prior to moving
> > files out then back in again.
> >
> > Below is a copy of my cfg:
> > *** --- *** CFG *** --- ***
> > <Handler=Wireless>
> > <AuthBy LDAP2>
> > EAPType TTLS
> > EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
> > EAPTLS_CertificateFile %D/certificates/cert-srv.pem
> > EAPTLS_CertificateType PEM
> > EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> > EPTLS_PrivateKeyPassword whatever
> > EAPTLS_MaxFragmentSize 1024
> > AutoMPPEKeys Yes
> > AddToReply MS-MPPE-Encryption-Policy = 2, MS-MPPE-Encryption-Types = 2
> > DefaultSimultaneousUse 1
> > </AuthBy>
> > </Handler>
> > *** --- *** CFG *** --- *** END
> >
> >
> > Tom McGrath
> >
> >
> > ===
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
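As an added example that is not part of this thread or of Radiator itself, the script below runs the same OpenSSL steps that sit behind the two errors discussed above (load_verify_locations on EAPTLS_CAFile, then loading EAPTLS_CertificateFile/EAPTLS_PrivateKeyFile with its password) and reports the first stage that fails: missing path, unreadable file, no PEM block, or an OpenSSL parse/password error. The paths and the password "whatever" are placeholders taken from the quoted cfg; the "%D" directory is assumed to be /etc/radiator.

```python
import os
import ssl
import stat


def check_ca_file(cafile):
    """Name the first stage at which 'TLS could not load_verify_locations'
    would fail for the file configured as EAPTLS_CAFile."""
    if not os.path.exists(cafile):
        return ("missing", cafile)
    if not os.access(cafile, os.R_OK):
        return ("unreadable", stat.filemode(os.stat(cafile).st_mode))
    with open(cafile, "rb") as fh:
        if b"-----BEGIN CERTIFICATE-----" not in fh.read():
            return ("not_pem", "no BEGIN CERTIFICATE block in file")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_verify_locations(cafile=cafile)  # the OpenSSL call Radiator makes
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        return ("load_error", getattr(exc, "reason", None) or str(exc))
    return ("ok", ctx.cert_store_stats()["x509_ca"])  # number of CA certs loaded


def check_server_cert(certfile, keyfile, password):
    """Load the server certificate and private key the way the EAP context
    does. OpenSSL has no usable cipher suites without a loaded cert/key,
    which a client sees as 'no shared cipher'."""
    for path in {certfile, keyfile}:
        if not os.path.exists(path):
            return ("missing", path)
        if not os.access(path, os.R_OK):
            return ("unreadable", path)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile, keyfile=keyfile, password=password)
    except OSError as exc:  # bad PEM, wrong password, key/cert mismatch
        return ("load_error", getattr(exc, "reason", None) or str(exc))
    return ("ok", None)


def diagnose_radiator_tls(cafile, certfile, keyfile, password):
    """Run both checks; keys are the Radiator directives they correspond to."""
    return {
        "EAPTLS_CAFile": check_ca_file(cafile),
        "EAPTLS_CertificateFile": check_server_cert(certfile, keyfile, password),
    }


if __name__ == "__main__":
    base = "/etc/radiator/certificates"  # placeholder for %D/certificates
    srv = base + "/cert-srv.pem"          # cfg uses one file for cert and key
    print(diagnose_radiator_tls(base + "/demoCA/cacert.pem", srv, srv, "whatever"))
```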