[openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Gladewitz, Robert
Robert.Gladewitz at dbfz.de
Mon Jan 22 06:44:21 UTC 2018
Thank you all for all the answers.
The problem is that Cisco prescribes the attributes.
https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/212214-Tech-Note-on-CAPF-Certificate-Signed-by.html
CAPF CSR:
    Attributes:
    Requested Extensions:
        X509v3 Extended Key Usage:
            TLS Web Server Authentication, IPSec End System
        X509v3 Key Usage:
            Digital Signature, Certificate Sign
Unfortunately, the Cisco CUCM telephone systems do not seem to accept certificates without these attributes :-(.
If I understand everything correctly, would the only (and unclean) workaround be adding "TLS Web Client Authentication" to solve my problem?
Robert
-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Salz, Rich via openssl-users
Sent: Monday, 22 January 2018 00:39
To: openssl-users at openssl.org
Subject: Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
➢ The sensible thing at this point is to publish an update to RFC5280
that accepts reality.
Yes, and there’s an IETF place to do that if anyone is interested; see the LAMPS working group.
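The following is an added example, not part of the original message or of Cisco's or FreeRADIUS's material. It reproduces OpenSSL's TLS client purpose check for a chain whose CA certificate carries the Extended Key Usage and Key Usage values from the CAPF CSR above, next to the same chain with "TLS Web Client Authentication" added. It assumes the CAPF certificate is the issuer of the client certificate being verified; all subjects, file names and the helper functions `make_chain` and `client_purpose_ok` are constructed for illustration.

```shell
#!/bin/sh
# Constructed test PKI; subjects and file names are illustrative only.
# Assumes the OpenSSL 1.1.0+ command-line tool is on PATH.

# make_chain DIR CA_EKU: create a CA with the CAPF CSR's Key Usage and the
# given Extended Key Usage list, then issue one client certificate from it.
make_chain() {
    dir=$1; ca_eku=$2
    mkdir -p "$dir" || return 1
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Constructed CAPF Test CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = digitalSignature, keyCertSign
extendedKeyUsage = $ca_eku
EOF
    printf 'keyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = clientAuth\n' > "$dir/leaf.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" -subj "/CN=constructed-phone" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# client_purpose_ok DIR: succeed only if the leaf verifies for TLS client use.
client_purpose_ok() {
    openssl verify -purpose sslclient -CAfile "$1/ca.pem" "$1/leaf.pem" >/dev/null 2>&1
}

work=$(mktemp -d)
make_chain "$work/capf" "serverAuth, ipsecEndSystem"
make_chain "$work/patched" "serverAuth, ipsecEndSystem, clientAuth"
for d in capf patched; do
    if client_purpose_ok "$work/$d"; then echo "$d: accepted"; else echo "$d: rejected"; fi
done
rm -rf "$work"
```

Dropping `>/dev/null 2>&1` from the `openssl verify` call shows the verification error OpenSSL reports and the chain depth at which it occurs.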