What's the reason for "OpenSSL: openssl_handshake - SSL_connect error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher"

Jouni Malinen j at w1.fi
Sat Sep 10 16:08:07 EDT 2011


On Thu, Sep 01, 2011 at 09:52:48AM +0800, 2008 vpn wrote:

>    SSL: SSL3 alert: write (local SSL3 detected an error):fatal:handshake failure
>    SSL: (where=0x2002 ret=0xffffffff)
>    SSL: SSL_accept:error in SSLv3 read client hello C
>    OpenSSL: openssl_handshake - SSL_connect error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

Sounds like the supplicant trying to use only ciphers that were not
allowed at this point. I would need to see more context in the debug
log (i.e., including the previous EAP messages that started EAP-FAST)
and ideally, also a packet capture log showing that exact ClientHello
message to see what exactly the supplicant was trying to do.

>    Config for wpa_supplicant is:

>    eap=FAST
>    identity="user"
>    password="password"
>    anonymous_identity="FAST-000102030405"
>    phase1="fast_provisioning=1"
>    pac_file="/etc/wpa_supplicant.eap-fast-pac"

OK, so this is for anonymous provisioning. Could you please also send
the debug log from wpa_supplicant showing what it is doing when this failure
shows up?

>    I noticed we should config certificate file for EAP-TLS/PEAP/TTLS.
>    But do we need config certificate file for EAP-FAST?

Depends a bit on how you handle provisioning. Anonymous provisioning
(like the configuration above) is not that secure, so verifying server
certificate during the provisioning step would be advised if you cannot
guarantee a safe location to do the initial setup. Once the PAC has been
provisioned, there is less need for certificate validation.

-- 
Jouni Malinen                                            PGP id EFC895FA
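Added here as an example that is not part of the thread or of the hostapd/wpa_supplicant code: a small Python check over a wpa_supplicant network block in the syntax quoted above. It assumes the standard meaning of the phase1 option fast_provisioning (0 disabled, 1 anonymous, 2 authenticated, 3 both) and the ca_cert setting, and flags the case Jouni calls not that secure: anonymous provisioning with no server certificate verification. The sample block and its ssid are constructed.

```python
import re

# Constructed sample: the network block quoted in the thread, placed inside a
# wpa_supplicant.conf network={ } block; ca_cert is deliberately absent.
SAMPLE_NETWORK_BLOCK = """
network={
    ssid="corp"
    eap=FAST
    identity="user"
    password="password"
    anonymous_identity="FAST-000102030405"
    phase1="fast_provisioning=1"
    pac_file="/etc/wpa_supplicant.eap-fast-pac"
}
"""

# Meaning of the wpa_supplicant phase1 option fast_provisioning=N
MODE_NAMES = {0: "disabled", 1: "anonymous", 2: "authenticated", 3: "anonymous or authenticated"}

def parse_network_block(text):
    """Return key=value settings of one wpa_supplicant network block (quotes stripped)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'^(\w+)=(.*)$', line)
        if not m or m.group(2) == "{":   # skip the network={ opener and non-setting lines
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        settings[key] = value
    return settings

def fast_provisioning_mode(settings):
    """fast_provisioning=N from phase1, or None if EAP-FAST is not configured."""
    if settings.get("eap") != "FAST":
        return None
    m = re.search(r'fast_provisioning=(\d)', settings.get("phase1", ""))
    return int(m.group(1)) if m else None

def review_eap_fast(settings):
    """Findings about how the EAP-FAST PAC provisioning step is protected."""
    findings = []
    mode = fast_provisioning_mode(settings)
    if mode is None:
        return findings
    findings.append("fast_provisioning=%d (%s)" % (mode, MODE_NAMES.get(mode, "unknown")))
    if mode in (1, 3):
        findings.append("anonymous provisioning allowed: initial PAC exchange is unauthenticated")
    if "ca_cert" not in settings:
        findings.append("no ca_cert: server certificate not verified during provisioning")
    return findings
```

Running review_eap_fast on the quoted configuration yields three findings; once a PAC is provisioned and fast_provisioning is set to 2 with a ca_cert, only the mode line remains.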
