[openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Gladewitz, Robert
Robert.Gladewitz at dbfz.de
Fri Jan 19 14:12:28 UTC 2018
Dear OpenSSL Team,
I have some problems with new Cisco CAPF certs and freeradius tls
authentification. The point is, that freeradius users see the problem on
openssl implemtiation.
<SNIP: DEBUG>
(69) eap_tls: Continuing EAP-TLS
(69) eap_tls: Peer indicated complete TLS record size will be 1432 bytes
(69) eap_tls: Got complete TLS record (1432 bytes)
(69) eap_tls: [eaptls verify] = length included
(69) eap_tls: TLS_accept: SSLv3/TLS write server done
(69) eap_tls: <<< recv TLS 1.0 Handshake [length 03c2], Certificate
(69) eap_tls: Creating attributes from certificate OIDs
(69) eap_tls: TLS-Cert-Serial := "1009"
(69) eap_tls: TLS-Cert-Expiration := "380111125719Z"
(69) eap_tls: TLS-Cert-Subject := "/C=DE/ST=Sachsen/L=Leipzig/O=DBFZ
Deutsches Biomasseforschungszentrum gGmbH/OU=IT/CN=CAPF-91d43ef6"
(69) eap_tls: TLS-Cert-Issuer := "/C=DE/ST=Sachsen/L=Leipzig/O=DBFZ
Deutsches Biomasseforschungszentrum gemeinnuetzige GmbH/OU=IT/CN=DBFZ CA
INTERN ROOT/emailAddress=support at dbfz.de
<mailto:ROOT/emailAddress=support at dbfz.de> "
(69) eap_tls: TLS-Cert-Common-Name := "CAPF-91d43ef6"
(69) eap_tls: ERROR: SSL says error 26 : unsupported certificate purpose
(69) eap_tls: >>> send TLS 1.0 Alert [length 0002], fatal
unsupported_certificate
(69) eap_tls: ERROR: TLS Alert write:fatal:unsupported certificate
tls: TLS_accept: Error in error
(69) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL
routines:tls_process_client_certificate:certificate verify failed
(69) eap_tls: ERROR: System call (I/O) error (-1)
(69) eap_tls: ERROR: TLS receive handshake failed during operation
(69) eap_tls: ERROR: [eaptls process] = fail </DEBUG>
</SNIP>
This means, that the check of ca certificate is failed. So, bu I do not see,
why. If i check the certificate by command openssl -verify, all sems to be
right.
# openssl verify -verbose -CAfile
/etc/freeradius/3.0/certs.8021x.ciscophone/cacert.capf.pem
SEP64A0E714844E-L1.pem
# SEP64A0E714844E-L1.pem: OK
The openssl version is Debian based 1.1.0g-2. But the same error is
happening on 1.1.0f also.
Older freeradius version 2 on Debian 8/openssl 1.0.1t-1+deb8u7 working fine
without this problem (by using the same certificates)
The ca certificate are signed by an intern ca. Can anyone see the error??
Robert
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180119/c4a779f7/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cacert.capf.pem
Type: application/octet-stream
Size: 4193 bytes
Desc: cacert.capf.pem
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180119/c4a779f7/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SEP64A0E714844E-L1.pem
Type: application/octet-stream
Size: 1346 bytes
Desc: SEP64A0E714844E-L1.pem
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180119/c4a779f7/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6245 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180119/c4a779f7/attachment.bin>
More information about the openssl-users
mailing list