<html><body>
<p><font size="2" face="sans-serif">Please disregard my previous note. I accidentally omitted --enable-openssl when I ran ./configure on the client. I rebuilt strongswan again and now it gets through the handshake.</font><br>
<font size="2" face="sans-serif"><br>
Terry Hennessy<br>
Dept MR6 : IBM i Security Development<br>
IBM Rochester, MN <br>
(507) 253-4448<br>
</font><br>
<font size="1" color="#800080" face="sans-serif">----- Forwarded by Terry Hennessy/Rochester/IBM</font><font size="1" color="#800080" face="sans-serif"> on 05/04/2011 09:29 PM</font><font size="1" color="#800080" face="sans-serif"> -----</font><br>
<br>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr valign="top"><td width="1%">
<ul style="padding-left: 4pt"><font size="1" color="#5F5F5F" face="sans-serif">From:</font></ul>
</td><td width="100%">
<font size="1" face="sans-serif">Terry Hennessy/Rochester/IBM</font></td></tr>
<tr valign="top"><td width="1%">
<ul style="padding-left: 4pt"><font size="1" color="#5F5F5F" face="sans-serif">To:</font></ul>
</td><td width="100%">
<font size="1" face="sans-serif">users@lists.strongswan.org</font></td></tr>
<tr valign="top"><td width="1%">
<ul style="padding-left: 4pt"><font size="1" color="#5F5F5F" face="sans-serif">Date:</font></ul>
</td><td width="100%">
<font size="1" face="sans-serif">05/04/2011 07:08 PM</font></td></tr>
<tr valign="top"><td width="1%">
<ul style="padding-left: 4pt"><font size="1" color="#5F5F5F" face="sans-serif">Subject:</font></ul>
</td><td width="100%">
<font size="1" face="sans-serif">fatal TLS alert 'handshake failure'</font></td></tr>
</table>
<hr width="100%" size="2" align="left" noshade style="color:#8091A5; "><br>
<br>
<font size="2" face="sans-serif">Hello,</font><br>
<br>
<font size="2" face="sans-serif">I'm trying to set up the TNC Client and Server configuration using EAP-TLS certificate based authentication. The main difference between my config and the one found in </font><font size="2" face="sans-serif"><a href="http://wiki.strongswan.org/projects/strongswan/wiki/TrustedNetworkConnect">http://wiki.strongswan.org/projects/strongswan/wiki/TrustedNetworkConnect</a></font><font size="2" face="sans-serif"> is that I'm using ECDSA certificates instead of RSA certificates. When I start up the client I get a handshake failure, and I see the following in charon.log:</font><br>
<br>
<font size="2" face="sans-serif">May 4 15:47:31 04[TLS] processing TLS Handshake record (81 bytes)</font><br>
<font size="2" face="sans-serif">May 4 15:47:31 04[TLS] received TLS ClientHello handshake (77 bytes)</font><br>
<font size="2" face="sans-serif">May 4 15:47:31 04[TLS] received TLS 'signature algorithms' extension</font><br>
<font size="2" face="sans-serif">May 4 15:47:31 04[TLS] received 10 TLS cipher suites:</font><br>
<font size="2" face="sans-serif">May 4 15:47:31 04[TLS] TLS_DHE_RSA_WITH_AES_128_CBC_SHA</font><br>
<font size="2" face="sans-serif">May 4 15:47:31 04[TLS] TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</font><br>
<font size="2" face="sans-serif">May 4 15:47:31 04[TLS] TLS_DHE_RSA_WITH_AES_256_CBC_SHA</font><br>
<font size="2" face="sans-serif">May 4 15:47:31 04[TLS] TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</font><br>
<font size="2" face="sans-serif">May 4 15:47:31 04[TLS] TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</font><br>
<font size="2" face="sans-serif">May 4 15:47:31 04[TLS] TLS_RSA_WITH_AES_128_CBC_SHA</font><br>
<font size="2" face="sans-serif">May 4 15:47:31 04[TLS] TLS_RSA_WITH_AES_128_CBC_SHA256 </font><br>
<font size="2" face="sans-serif">May 4 15:47:31 04[TLS] TLS_RSA_WITH_AES_256_CBC_SHA</font><br>
<font size="2" face="sans-serif">May 4 15:47:31 04[TLS] TLS_RSA_WITH_AES_256_CBC_SHA256</font><br>
<font size="2" face="sans-serif">May 4 15:47:31 04[TLS] TLS_RSA_WITH_3DES_EDE_CBC_SHA</font><br>
<font size="2" face="sans-serif">May 4 15:47:31 04[TLS] received cipher suites inacceptable</font><br>
<font size="2" face="sans-serif">May 4 15:47:31 04[TLS] sending fatal TLS alert 'handshake failure'</font><br>
<font size="2" face="sans-serif">May 4 15:47:31 04[TLS] sending TLS Alert record (2 bytes)</font><br>
<br>
<font size="2" face="sans-serif">Is there some client config parm that can set the cipher suite? If not, is ECDSA not supported for TNC?</font><br>
<br>
<br>
<br>
<font size="2" face="sans-serif">P.S. Andreas Steffen, thank you for your response to my post a few weeks ago. That solved the problem.</font><br>
<br>
<br>
<font size="2" face="sans-serif"><br>
Terry Hennessy<br>
</font><br>
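<p><font size="2" face="sans-serif">Added example, not part of the original messages and not strongSwan code: a small parser for charon.log [TLS] lines like those quoted above. It groups the cipher suites of each ClientHello and reports whether any of them can authenticate a server certificate of a given key type. The sample log is constructed in the post's format (the second ClientHello is hypothetical), and the function names are assumptions.</font></p>

```python
import re

# Constructed charon.log excerpt in the format quoted in the post: the first
# ClientHello offers only RSA suites, the second (hypothetical) adds ECDSA.
SAMPLE_LOG = """\
May 4 15:47:31 04[TLS] received 3 TLS cipher suites:
May 4 15:47:31 04[TLS] TLS_DHE_RSA_WITH_AES_128_CBC_SHA
May 4 15:47:31 04[TLS] TLS_RSA_WITH_AES_128_CBC_SHA256
May 4 15:47:31 04[TLS] TLS_RSA_WITH_3DES_EDE_CBC_SHA
May 4 15:47:31 04[TLS] received cipher suites inacceptable
May 4 15:47:31 04[TLS] sending fatal TLS alert 'handshake failure'
May 4 21:20:05 04[TLS] received 2 TLS cipher suites:
May 4 21:20:05 04[TLS] TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
May 4 21:20:05 04[TLS] TLS_DHE_RSA_WITH_AES_128_CBC_SHA
"""

SUITE = re.compile(r"TLS_(\w+?)_WITH_\w+")
REJECTED = "received cipher suites inacceptable"

def parse_offers(log_text):
    """Group the suite names logged after each 'received N TLS cipher suites:'."""
    offers, collecting = [], False
    for line in log_text.splitlines():
        m = re.search(r"\[TLS\]\s+(.*\S)", line)
        if not m:
            continue
        msg = m.group(1)
        count = re.fullmatch(r"received (\d+) TLS cipher suites:", msg)
        if count:
            offers.append({"announced": int(count.group(1)), "suites": [], "rejected": False})
            collecting = True
        elif collecting and SUITE.fullmatch(msg):
            offers[-1]["suites"].append(msg)
        else:
            collecting = False  # any other message ends the suite list
            if offers and msg == REJECTED:
                offers[-1]["rejected"] = True
    return offers

def auth_of(suite):
    """Authentication algorithm = last token before _WITH_ (a simplification:
    TLS_RSA_WITH_* -> RSA, TLS_DHE_RSA_* -> RSA, TLS_ECDHE_ECDSA_* -> ECDSA)."""
    return SUITE.fullmatch(suite).group(1).split("_")[-1]

def diagnose(offer, server_key):
    """Report whether any offered suite can authenticate a server_key certificate."""
    auths = sorted({auth_of(s) for s in offer["suites"]})
    return {"offered_auth": auths,
            "complete": len(offer["suites"]) == offer["announced"],
            "usable": server_key in auths}
```

<p><font size="2" face="sans-serif">Calling diagnose(offer, "ECDSA") on each entry returned by parse_offers(SAMPLE_LOG) shows that the rejected ClientHello carries RSA-authenticated suites only, which a server holding only an ECDSA certificate cannot use.</font></p>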
</body></html>