[openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Frank Migge
fm at frank4dd.com
Sat Jan 20 02:29:58 UTC 2018
Hi Robert,
>> error 26 : unsupported certificate purpose
It seems the cert gets declined because of a problem with cert
extensions. "keyUsage" or "extendedKeyUsage" are typical candidates. In
your case, the leaf certificate "CAPF-91d43ef6" has two extensions:
Object 00: X509v3 Key Usage
Digital Signature, Key Encipherment
Object 01: X509v3 Extended Key Usage
TLS Web Server Authentication, TLS Web Client Authentication, IPSec End System
I would check if an extension is now missing/newly required, or no
longer recognized. Try check for differences in the openssl.cnf and
freeradius config files between the old Debian system and the new one.
Some EAP TLS guides (incl. Cisco) also list extensions "nonRepudiation" and "dataEncipherment", but this is just a guess since you mentioned it works on the old system.
>> I have some problems with new Cisco CAPF certs
What is the authenticating device? Cisco IP phone?
Cheers,
Frank
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180120/2f73773d/attachment.html>
More information about the openssl-users
mailing list