[strongSwan] fatal TLS alert 'handshake failure'

Andreas Steffen andreas.steffen at strongswan.org
Thu May 5 05:57:06 CEST 2011


Hello Terry,

did you compile strongSwan with the ./configure --enable-openssl option
since the libstrongswan openssl plugin is required for ECC support as
in the following EAP-TLS scenario:

http://www.strongswan.org/uml/testresults/openssl-ikev2/rw-eap-tls-only/

Regards

Andreas

On 05/05/2011 02:08 AM, Terry Hennessy wrote:
> Hello,
> 
> I'm trying to set up the TNC Client and Server configuration using
> EAP-TLS certificate based authentication. The main difference between my
> config and the one found in
> http://wiki.strongswan.org/projects/strongswan/wiki/TrustedNetworkConnect is
> that I'm using ECDSA certificates instead of RSA certificates. When I
> start up the client I get a handshake failure. And I see the following
> in charon.log
> 
> May 4 15:47:31 04[TLS] processing TLS Handshake record (81 bytes)
> May 4 15:47:31 04[TLS] received TLS ClientHello handshake (77 bytes)
> May 4 15:47:31 04[TLS] received TLS 'signature algorithms' extension
> May 4 15:47:31 04[TLS] received 10 TLS cipher suites:
> May 4 15:47:31 04[TLS] TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> May 4 15:47:31 04[TLS] TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
> May 4 15:47:31 04[TLS] TLS_DHE_RSA_WITH_AES_256_CBC_SHA
> May 4 15:47:31 04[TLS] TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> May 4 15:47:31 04[TLS] TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
> May 4 15:47:31 04[TLS] TLS_RSA_WITH_AES_128_CBC_SHA
> May 4 15:47:31 04[TLS] TLS_RSA_WITH_AES_128_CBC_SHA256
> May 4 15:47:31 04[TLS] TLS_RSA_WITH_AES_256_CBC_SHA
> May 4 15:47:31 04[TLS] TLS_RSA_WITH_AES_256_CBC_SHA256
> May 4 15:47:31 04[TLS] TLS_RSA_WITH_3DES_EDE_CBC_SHA
> May 4 15:47:31 04[TLS] received cipher suites inacceptable
> May 4 15:47:31 04[TLS] sending fatal TLS alert 'handshake failure'
> May 4 15:47:31 04[TLS] sending TLS Alert record (2 bytes)
> 
> Is there some client config parm that can set the cipher suite? If not,
> is ECDSA not supported for TNC?
> 
> 
> 
> ps. Andreas Steffen, thank you for your response to my post a few weeks
> ago. That solved the problem.
> 
> 
> 
> Terry Hennessy

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
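
The log excerpt in this thread can be checked mechanically: the sketch below lists, per ClientHello found in charon.log, which offered suites carry ECDSA authentication. It is an added example, not part of the original mails or of strongSwan's code; the function names are hypothetical and the second ClientHello in the sample is constructed.

```python
import re

# Line shapes as quoted from charon.log in this thread.
HEADER = re.compile(r"\[TLS\]\s+received (\d+) TLS cipher suites:")
SUITE = re.compile(r"\[TLS\]\s+(TLS_[A-Za-z0-9_]+)\s*$")

def auth_of(suite):
    """Authentication part of a TLS <= 1.2 suite name: RSA, ECDSA, DSS, ..."""
    m = re.match(r"TLS_(.+?)_WITH_", suite)
    return m.group(1).split("_")[-1] if m else "unknown"

def offered_suites(log_text):
    """Return one list of suite names per 'received N TLS cipher suites' block."""
    hellos, remaining = [], 0
    for line in log_text.splitlines():
        header = HEADER.search(line)
        suite = SUITE.search(line)
        if header:
            hellos.append([])
            remaining = int(header.group(1))
        elif suite and remaining > 0:
            hellos[-1].append(suite.group(1))
            remaining -= 1
    return hellos

def usable_with(cert_type, suites):
    """Offered suites whose authentication part matches the server's cert type."""
    return [s for s in suites if auth_of(s) == cert_type]

# First block: the ClientHello quoted in the post. Second block: constructed.
P = "May 4 15:47:31 04[TLS] "
SAMPLE = "\n".join(P + s for s in """received 10 TLS cipher suites:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_3DES_EDE_CBC_SHA
received 2 TLS cipher suites:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA""".splitlines())

if __name__ == "__main__":
    for n, suites in enumerate(offered_suites(SAMPLE), 1):
        print(n, len(suites), usable_with("ECDSA", suites) or "no ECDSA suite offered")
```

For the ClientHello from the post, every offered suite authenticates with RSA, which matches the server's 'received cipher suites inacceptable' line when it holds an ECDSA certificate.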



