Issue #2113
How to limit Cipher Suites under Handshake Protocol: Client Hello for EAP-TLS ,
Affected version:
5.5.0
Resolution:
No feedback
Description
[client]=============[dut]----------------[radius]
I am trying EAP-TLS session. I just want to limit Cipher Suites under Handshake Protocol: Client Hello for EAP-TLS Negotiation phase.
As of now Client Hello send 41 cipher suites, I want include 2 cipher suites instead of 41 suites.
I have tried below config mentioned, but i didn't work
Logs
Extensible Authentication Protocol
Code: Response (2)
Id: 1
Length: 190
Type: TLS EAP (EAP-TLS) (13)
EAP-TLS Flags: 0x80
1... .... = Length Included: True
.0.. .... = More Fragments: False
..0. .... = Start: False
EAP-TLS Length: 180
Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.1 (0x0302)
Length: 175
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 171
Version: TLS 1.1 (0x0302)
Random
gmt_unix_time: Sep 13, 2016 07:00:17.000000000 EDT
random_bytes: 34f5c1cd1e49b4e683a44e76b59ec8bb120083441ac97e18...
Session ID Length: 0
Cipher Suites Length: 82
Cipher Suites (41 suites)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (0x00be)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (0x00c4)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (0x00ba)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (0x00c0)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_NULL_SHA (0xc006)
Cipher Suite: TLS_ECDHE_RSA_WITH_NULL_SHA (0xc010)
Cipher Suite: TLS_RSA_WITH_NULL_SHA (0x0002)
Cipher Suite: TLS_RSA_WITH_NULL_SHA256 (0x003b)
Cipher Suite: TLS_RSA_WITH_NULL_MD5 (0x0001)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 48
Extension: signature_algorithms
Type: signature_algorithms (0x000d)
Length: 22
Data (22 bytes)
Extension: elliptic_curves
Type: elliptic_curves (0x000a)
Length: 12
Elliptic Curves Length: 10
Elliptic curves (5 curves)
Elliptic curve: secp256r1 (0x0017)
Elliptic curve: secp384r1 (0x0018)
Elliptic curve: secp521r1 (0x0019)
Elliptic curve: secp224r1 (0x0015)
Elliptic curve: secp192r1 (0x0013)
Extension: ec_point_formats
Type: ec_point_formats (0x000b)
Length: 2
EC point formats Length: 1
Elliptic curves point formats (1)
EC point format: uncompressed (0)
I have tried using following config in strongswan.conf . But not able to limit.
strongswan.conf
[root@ovm_h2o-rtalari etc]# cat strongswan.conf
# strongswan.conf - strongSwan configuration file
charon {
charondebug="ike 7, knl 3, cfg 7"
# number of worker threads in charon
threads = 16
# send strongswan vendor ID?
# send_vendor_id = yes
#load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown eap-identity
plugins {
sql {
# loglevel to log into sql database
loglevel = -1
# URI to the database
# database = sqlite:///path/to/file.db
# database = mysql://user:password@localhost/database
}
libtls {
suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
}
}
p-cscf {
# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes
# Section to enable requesting P-CSCF server addresses for individual
# connections.
enable {
# <conn> is the name of a connection with an ePDG from which to request
# P-CSCF server addresses.
# <conn> = no
epm_sim_9098 = yes
b_pcscf_v6 = yes
b_pcscf_1 = yes
b_pcscf = yes
psk = yes
bb_pcscf = yes
eap1 = yes
eap2 = yes
}
}
}
# ...
pluto {
}
libstrongswan {
# set to no, the DH exponent size is optimized
# dh_exponent_ansi_x9_42 = no
}
#include /tmp/*-strongswan.conf
[root@ovm_h2o-rtalari etc]#
History
#1 Updated by rajarathnam talari almost 9 years ago
libtls {
suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
}
#2 Updated by Tobias Brunner almost 9 years ago
- Description updated (diff)
- Category set to configuration
- Status changed from New to Feedback
You configured suites in the wrong place (there is no libtls section under charon.plugins). Either set it in the top-level libtls section (same level as charon), or in the charon.tls section (see strongswan.conf).
#3 Updated by Tobias Brunner over 8 years ago
- Status changed from Feedback to Closed
- Assignee set to Tobias Brunner
- Resolution set to No feedback