Hi,
Alfred, I'd like to say "thanks" once more.
I tried with newer ciphers and version 1.2 - and now freeradius (3.0.16)
indeed sends me the second
"challenge". So, it's a huge progress.
Indeed, the capture now looks like an EAP-TLS negotiation should go on.
The server accepted the client hello, an prepared its message flight of
messages. Among them is the server's Certificate message, which is quite
huge, and so they cannot be sent in one packet. Your client would next
send an empty EAP-TLS message, thereby acknowledging reception of this
message fragment. The server would then send the next fragment of these
messages. Since the overall length of the message flight is 3137, and
FreeRADUIS decided to send ~1000 bytes per fragment, expect another two of
those 'ping-pongs' to happen until your client is able to reassemble and
process the server's messages.
However it still complains on the unknown TLS version. I attach the
server log and the packet capture, just in case.
Well, no idea where the version 0x0304 is coming from. One would probably
have to look into the FreeRADIUS sources, or ask on the proper FreeRADIUS
mailing lists for assistance. My personal "wild guess" is that this is
some sort of 'internal default' as long as the the EAP-TLS module hasn't
yet decided about the used protocol version. I wouldn't bother about this
too much if you're interested in other things.
There's however one other thing I wanted to mention: The Random value your
clients sends in the Client Hello is not that random...there is the time
stamp in the first four bytes, but the remaining 28 bytes are all-zero -
they should contain data from a cryptographically safe random number
generator.
Best regards
Alfred Arnold
--
Alfred Arnold E-Mail: alfred@xxxxxxxxxxxxxxxxxxx
Computer Club at the http://john.ccac.rwth-aachen.de:8000/alf/
Technical University Phone: +49-241-406526
of Aachen
