aironet1100 EAP-FAST + supplicant

Jouni Malinen jkmaline
Wed Dec 13 21:29:38 PST 2006

On Wed, Dec 13, 2006 at 09:53:14AM -0500, Aaron Baillargeon wrote:

> I found an email from June posted to the mailing list that asked about 
> EAP-FAST and an SSL error that came up with CiscoAPs, couldn't find any 
> resolution. Below is an excerpt from the email(seemingly from a cisco 
> employee) showing the error:

> / SSL: (where=0x4008 ret=0x22f)
> />/ SSL: SSL3 alert: write (local SSL3 detected an error):fatal:illegal
> />/ parameter
> />/ SSL: (where=0x1002 ret=0xffffffff)
> />/ SSL: SSL_connect:error in SSLv3 read server hello B
> />/ OpenSSL: tls_connection_handshake - SSL_connect error:14092105:SSL
> />/ routines:SSL3
> />/ _GET_SERVER_HELLO:wrong cipher returned

If I remember correctly, this is caused by a bug in the EAP-FAST server
implementation that is included in some of the APs as the local
authentication server.

> I was curious if anyone else working with EAP-FAST encountered this.
> I tried openssl 0.9.8a and 0.9.8d(patched) with wpa_supplicant 0.5.6 and 
> dont have any other EAP-FAST capable servers around to test (freeradius 
> doesn't support it correct?)

The internal TLS implementation (CONFIG_TLS=internal and
CONFIG_INTERNAL_LIBTOMMATH=y in .config) seems to work with the local
authentication server in the Cisco APs.. In order to get OpenSSL
working, some of the cipher suites would need to be disabled as a
workaround (again, if I remember correctly).

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list