[openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Michael Ströder
michael at stroeder.com
Sat Jan 20 10:59:29 UTC 2018
Viktor Dukhovni wrote:
>> On Jan 19, 2018, at 10:09 PM, Frank Migge <fm at frank4dd.com> wrote:
>>
>>>> Object 04: X509v3 Extended Key Usage: TLS Web Server Authentication
>>
>> This is were I would check first.
>>
>> I am not fully sure, but believe that Extended Key Usage should *not* be there.
>
> Indeed the intermediate CA should either not have an extendedKeyUsage, or that
> keyUsage should include the desired "purpose".
Full ack.
But unfortunately M$ implemented this requirement to add such a value to
Extended Key Usage of intermediate CA certs violating X.509 and RFC
5280. And now all PKI lemmings are following this crap.
=> use your own CA
Ciao, Michael.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3829 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180120/d2c905b6/attachment.bin>
More information about the openssl-users
mailing list