[strongSwan] Fw: fatal TLS alert 'handshake failure'

Terry Hennessy trense at us.ibm.com
Thu May 5 04:32:44 CEST 2011



Please disregard my previous note.  I accidentally omitted --enable-openssl
when I ran ./configure on the client.  I rebuilt strongswan again and now
it gets through the handshake.

Terry Hennessy
Dept MR6 : IBM i Security Development
IBM  Rochester, MN
(507) 253-4448

----- Forwarded by Terry Hennessy/Rochester/IBM on 05/04/2011 09:29 PM -----

From:    Terry Hennessy/Rochester/IBM
To:      users at lists.strongswan.org
Date:    05/04/2011 07:08 PM
Subject: fatal TLS alert 'handshake failure'

Hello,

I'm trying to set up the TNC Client and Server configuration using EAP-TLS
certificate based authentication.  The main difference between my config
and the one found in
http://wiki.strongswan.org/projects/strongswan/wiki/TrustedNetworkConnect
is that I'm using ECDSA certificates instead of RSA certificates.  When I
start up the client I get a handshake failure.  And I see the following in
charon.log:

May  4 15:47:31 04[TLS] processing TLS Handshake record (81 bytes)
May  4 15:47:31 04[TLS] received TLS ClientHello handshake (77 bytes)
May  4 15:47:31 04[TLS] received TLS 'signature algorithms' extension
May  4 15:47:31 04[TLS] received 10 TLS cipher suites:
May  4 15:47:31 04[TLS]   TLS_DHE_RSA_WITH_AES_128_CBC_SHA
May  4 15:47:31 04[TLS]   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
May  4 15:47:31 04[TLS]   TLS_DHE_RSA_WITH_AES_256_CBC_SHA
May  4 15:47:31 04[TLS]   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
May  4 15:47:31 04[TLS]   TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
May  4 15:47:31 04[TLS]   TLS_RSA_WITH_AES_128_CBC_SHA
May  4 15:47:31 04[TLS]   TLS_RSA_WITH_AES_128_CBC_SHA256
May  4 15:47:31 04[TLS]   TLS_RSA_WITH_AES_256_CBC_SHA
May  4 15:47:31 04[TLS]   TLS_RSA_WITH_AES_256_CBC_SHA256
May  4 15:47:31 04[TLS]   TLS_RSA_WITH_3DES_EDE_CBC_SHA
May  4 15:47:31 04[TLS] received cipher suites inacceptable
May  4 15:47:31 04[TLS] sending fatal TLS alert 'handshake failure'
May  4 15:47:31 04[TLS] sending TLS Alert record (2 bytes)

Is there some client config parm that can set the cipher suite?  If not, is
ECDSA not supported for TNC?



PS.  Andreas Steffen, thank you for your response to my post a few weeks
ago.  That solved the problem.



Terry Hennessy
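The log excerpt above shows why the server rejected the ClientHello: a TLS 1.2 server holding an ECDSA certificate can only select cipher suites that authenticate with ECDSA (the TLS_ECDHE_ECDSA_* family), and every suite the client offered was RSA-authenticated, so no suite was usable and charon sent the 'handshake failure' alert. The author's own resolution (rebuilding the client with --enable-openssl, which is where strongSwan's ECDSA/ECDH support comes from) fits that reading. The following script is an added example, not code from the post or from the strongSwan project: it parses charon-style "received N TLS cipher suites:" dumps, derives each suite's authentication algorithm from its standard name, and reports whether any offered suite matches the server's certificate key type. The two log samples are constructed (the first modelled on the post's excerpt, the second on what a client offering ECDSA suites would be expected to list), and the server key type is supplied by the caller rather than read from any configuration.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the charon.log excerpt in the post: the
# client offers only RSA-authenticated suites to a server with an ECDSA cert.
RSA_ONLY_CLIENTHELLO = """\
May  4 15:47:31 04[TLS] received 10 TLS cipher suites:
May  4 15:47:31 04[TLS]   TLS_DHE_RSA_WITH_AES_128_CBC_SHA
May  4 15:47:31 04[TLS]   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
May  4 15:47:31 04[TLS]   TLS_DHE_RSA_WITH_AES_256_CBC_SHA
May  4 15:47:31 04[TLS]   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
May  4 15:47:31 04[TLS]   TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
May  4 15:47:31 04[TLS]   TLS_RSA_WITH_AES_128_CBC_SHA
May  4 15:47:31 04[TLS]   TLS_RSA_WITH_AES_128_CBC_SHA256
May  4 15:47:31 04[TLS]   TLS_RSA_WITH_AES_256_CBC_SHA
May  4 15:47:31 04[TLS]   TLS_RSA_WITH_AES_256_CBC_SHA256
May  4 15:47:31 04[TLS]   TLS_RSA_WITH_3DES_EDE_CBC_SHA
May  4 15:47:31 04[TLS] received cipher suites inacceptable
"""

# Constructed (not from the post): a client that also offers ECDSA-authenticated
# suites.  Suite names are standard TLS 1.2 names; timestamps are made up.
MIXED_CLIENTHELLO = """\
May  4 16:02:10 05[TLS] received 4 TLS cipher suites:
May  4 16:02:10 05[TLS]   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
May  4 16:02:10 05[TLS]   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
May  4 16:02:10 05[TLS]   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
May  4 16:02:10 05[TLS]   TLS_RSA_WITH_AES_128_CBC_SHA
"""

# Matches the indented suite lines charon prints after "received N TLS cipher suites:".
SUITE_LINE = re.compile(r"\[TLS\]\s+(TLS_[A-Z0-9_]+)\s*$")


def offered_suites(log_text: str) -> List[str]:
    """Extract the cipher suite names listed in a charon ClientHello dump."""
    suites: List[str] = []
    for line in log_text.splitlines():
        m = SUITE_LINE.search(line)
        if m:
            suites.append(m.group(1))
    return suites


def auth_algorithm(suite: str) -> str:
    """Return the certificate key type a TLS 1.2 suite authenticates the server with.

    Names follow TLS_<kex>[_<auth>]_WITH_<cipher>_<mac>.  For DHE_RSA, ECDHE_ECDSA,
    ECDH_RSA and similar the auth token is the last one before WITH; plain
    TLS_RSA_* suites use the RSA certificate for key transport, so the single
    token is the authentication algorithm as well.
    """
    kex_auth = suite[len("TLS_"):].split("_WITH_", 1)[0]
    return kex_auth.split("_")[-1]


def diagnose(log_text: str, server_key_type: str) -> Dict[str, object]:
    """Apply the compatibility rule behind the log: a suite is usable only if its
    authentication algorithm matches the key type of the server certificate."""
    offered = offered_suites(log_text)
    usable = [s for s in offered if auth_algorithm(s) == server_key_type]
    return {
        "offered": offered,
        "usable": usable,
        "handshake_possible": bool(usable),
        "by_auth": sorted({auth_algorithm(s) for s in offered}),
    }


if __name__ == "__main__":
    samples = (("RSA-only client", RSA_ONLY_CLIENTHELLO),
               ("mixed client", MIXED_CLIENTHELLO))
    for name, log in samples:
        r = diagnose(log, "ECDSA")
        verdict = ("handshake can proceed" if r["handshake_possible"]
                   else "expect a fatal 'handshake failure' alert")
        print(f"{name}: {len(r['offered'])} suites offered, "
              f"authenticating with {r['by_auth']}; {verdict}")
```

Running the script against the first sample reproduces the post's outcome (ten RSA suites, none usable with an ECDSA server certificate); against the second it finds the two ECDHE_ECDSA suites and reports that the handshake can proceed. The same check works in reverse for an RSA server certificate facing a client that only offers ECDSA suites.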