[openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

Gladewitz, Robert Robert.Gladewitz at dbfz.de
Sat Jan 20 11:50:05 UTC 2018


Hello Michael,

So, I think there will be a lot of problems for many infrastructures in the future, if all software uses functions based on openssl >1.1.0.

But I am using my own root CA, created at the time with openssl 1.0.0. What can I do when Cisco needs the Extended Key Usage?

Robert


-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Michael Ströder
Sent: Saturday, 20 January 2018 11:59
To: openssl-users at openssl.org; Viktor Dukhovni <openssl-users at dukhovni.org>
Subject: Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

Viktor Dukhovni wrote:
>> On Jan 19, 2018, at 10:09 PM, Frank Migge <fm at frank4dd.com> wrote:
>>
>>>> Object 04: X509v3 Extended Key Usage: TLS Web Server Authentication
>>
>> This is where I would check first. 
>>
>> I am not fully sure, but believe that Extended Key Usage should *not* be there.
> 
> Indeed the intermediate CA should either not have an extendedKeyUsage, 
> or that keyUsage should include the desired "purpose".

Full ack.

But unfortunately M$ implemented this requirement to add such a value to Extended Key Usage of intermediate CA certs violating X.509 and RFC 5280. And now all PKI lemmings are following this crap.

=> use your own CA

Ciao, Michael.
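The verification rule Viktor states above (an intermediate CA must either carry no extendedKeyUsage or include the purpose being checked) can be reproduced with a throwaway PKI. The script below is an added example, not code from the thread or from FreeRADIUS; it assumes only that the openssl CLI is on PATH, and every name in it (Example Root CA, Example Intermediate CA, radius-client) is invented for the demo. It builds three root -> intermediate -> client chains that differ only in the intermediate's EKU, then runs the same purpose check eap_tls applies to a supplicant certificate (`openssl verify -purpose sslclient`):

```shell
#!/bin/sh
# Added example (not from the thread): why an intermediate CA carrying
# extendedKeyUsage=serverAuth breaks EAP-TLS client-cert verification, and
# the two ways out. Requires the openssl CLI; all names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the demo does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=placeholder\n' > "$WORK/req.cnf"

# issue DIR NAME SUBJECT EXTFILE [ISSUER]  -> DIR/NAME.key and DIR/NAME.pem
# With no ISSUER the certificate is self-signed (the root).
issue() {
    d=$1 name=$2 subject=$3 ext=$4 issuer=${5:-}
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -config "$WORK/req.cnf" -subj "$subject" \
        -keyout "$d/$name.key" -out "$d/$name.csr" >/dev/null 2>&1
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$d/$name.csr" -signkey "$d/$name.key" -days 30 \
            -extfile "$ext" -out "$d/$name.pem" >/dev/null 2>&1
    else
        openssl x509 -req -in "$d/$name.csr" -CA "$d/$issuer.pem" -CAkey "$d/$issuer.key" \
            -CAcreateserial -days 30 -extfile "$ext" -out "$d/$name.pem" >/dev/null 2>&1
    fi
}

# build_chain VARIANT "EKU line for the intermediate, or empty"
# Root and client certificate are identical across variants; only the
# intermediate's extensions change.
build_chain() {
    variant=$1 ica_eku=$2
    dir="$WORK/$variant"; mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/root.ext"
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n%s\n' \
        "$ica_eku" > "$dir/ica.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' \
        > "$dir/client.ext"
    issue "$dir" root   "/CN=Example Root CA"         "$dir/root.ext"
    issue "$dir" ica    "/CN=Example Intermediate CA" "$dir/ica.ext"    root
    issue "$dir" client "/CN=radius-client"           "$dir/client.ext" ica
}

# verify_client VARIANT: the X509_PURPOSE_SSL_CLIENT check applied to the whole
# chain, as a RADIUS server does for the supplicant's certificate. Succeeds only
# if openssl prints "OK", so it does not rely on the exit status of older builds.
verify_client() {
    dir="$WORK/$1"
    openssl verify -purpose sslclient -CAfile "$dir/root.pem" \
        -untrusted "$dir/ica.pem" "$dir/client.pem" 2>&1 | grep -q ': OK'
}

# The three intermediate-CA variants discussed in the thread.
build_chain bad  'extendedKeyUsage=serverAuth'            # what the certificate dump showed
build_chain none ''                                        # no EKU on the intermediate at all
build_chain both 'extendedKeyUsage=serverAuth,clientAuth'  # EKU kept, but with the needed purpose

for v in bad none both; do
    if verify_client "$v"; then echo "$v: client cert verifies"; else echo "$v: verification failed"; fi
done
```

The `bad` chain fails at depth 1 with "unsupported certificate purpose", because an EKU present on the intermediate is treated as a constraint on everything it issues and serverAuth does not cover a TLS client. The `none` chain is the clean fix; the `both` chain is the one to use when a product insists on an EKU in the intermediate, since it still lists clientAuth and therefore passes the same check.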


