What's the reason for "OpenSSL: openssl_handshake - SSL_connect error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher"

2008 vpn vpn2008
Wed Aug 31 18:52:48 PDT 2011 

  I'm try eap-fast method.
   But error happens:
   4c e8 59 6b 27
   EAP-FAST: server_random - hexdump(len=32): 4e 5d da af 1f eb a8 e0 fa c6
27
   89 e5 70 a3 fb 11 19 7a 4c c6 20 77 69 de 4b cd 38 b9 d8 40 dd
   EAP-FAST: master_secret - hexdump(len=48): [REMOVED]
   SSL: (where=0x4008 ret=0x228)
   SSL: SSL3 alert: write (local SSL3 detected an error):fatal:handshake
   failure
   SSL: (where=0x2002 ret=0xffffffff)
   SSL: SSL_accept:error in SSLv3 read client hello C
   OpenSSL: openssl_handshake - SSL_connect error:1408A0C1:SSL
   routines:SSL3_GET_CLIENT_
HELLO:no shared cipher
   SSL: 7 bytes pending from ssl_out
   SSL: Failed - tls_out available to report error
   EAP-FAST: TLS processing failed
   EAP-FAST: PHASE1 -> FAILURE
   EAP: EAP entering state SELECT_ACTION
   EAP: getDecision: method failed -> FAILURE
   EAP: EAP entering state FAILURE
   EAP: Building EAP-Failure (id=116)
   What does this mean?  Is my config wrong?




   My Config file is as following:
   interface=eth2
   driver=wired
   logger_stdout=-1
   logger_stdout_level=1
   debug=2
   dump_file=/tmp/hostapd.dump
   ctrl_interface=/var/run/hostapd

   ieee8021x=1
   eap_server=1

 eap_user_file=/home/test/work/eap-fast/hostapd/hostapd-0.7.3/hostapd/hostapd.eap_user.wired
   eap_reauth_period=3600
   dh_file=/etc/hostapd/hostapd.dh.pem
   use_pae_group_addr=1
   pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f

   eap_fast_a_id=201112131415161718191a1b1c1d1e1f
   eap_fast_a_id_info=test server

   eap_fast_prov=3
   pac_key_lifetime=604800
   pac_key_refresh_time=86400

   ##### RADIUS configuration
   ####################################################
   # for IEEE 802.1X with external Authentication Server, IEEE 802.11
   # authentication with external ACL for MAC addresses, and accounting

   # The own IP address of the access point (used as NAS-IP-Address)
   own_ip_addr=127.0.0.1

   # RADIUS authentication server
   auth_server_addr=127.0.0.1
   auth_server_port=1812
   auth_server_shared_secret=radius*


  And the content of hostapd.eap_user.wired is:
   # Phase 1 users
   "user"          MD5     "password"
   "test user"     MD5     "secret"
   "FAST-000102030405" FAST

   # Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users
   "t-md5"         MD5     "password"      [2]
   "DOMAIN\t-mschapv2"     MSCHAPV2        "password"      [2]
   "t-gtc"         GTC     "password"      [2]
   "not anonymous" MSCHAPV2        "password"      [2]
   "user"          MD5,GTC,MSCHAPV2        "password"      [2]
   "test user"     MSCHAPV2        hash:000102030405060708090a0b0c0d0e0f
[2]
   "ttls-user"     TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,TTLS-MSCHAPV2
   "password"      [2]


   Config for wpa_supplicant is:
   ctrl_interface=/var/run/wpa_supplicant

   ctrl_interface_group=root

   ap_scan=0
   fast_reauth=1
   network={
   ssid=""
   scan_ssid=0
   key_mgmt=IEEE8021X
   eap=FAST
   identity="user"
   password="password"
   anonymous_identity="FAST-000102030405"
           phase1="fast_provisioning=1"
           pac_file="/etc/wpa_supplicant.eap-fast-pac"

   }

   I noticed we should config certificate file for EAP-TLS/PEAP/TTLS.
   But do we need config certificate file for EAP-FAST?


   Best Regards.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/hostap/attachments/20110901/324025fd/attachment.htm

More information about the Hostap mailing list