[openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Gladewitz, Robert
Robert.Gladewitz at dbfz.de
Mon Jan 22 06:57:45 UTC 2018
Hello Jeff,
That will be difficult. By complience policy, our servers are on Debian / Cent of the current stable version. Even patches code should not be used :-)
Does you already know when a version of OpenSSL will be released that follows this RFC?
Robert
-----Ursprüngliche Nachricht-----
Von: Jeffrey Walton [mailto:noloader at gmail.com]
Gesendet: Montag, 22. Januar 2018 07:47
An: Gladewitz, Robert <Robert.Gladewitz at dbfz.de>; OpenSSL Users <openssl-users at openssl.org>
Betreff: Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
On Mon, Jan 22, 2018 at 1:44 AM, Gladewitz, Robert via openssl-users <openssl-users at openssl.org> wrote:
>
> Thank you all for all the answers.
> The problem is that Cisco prescribes the attributes.
> ...
>
> Unfortunately, the Cisco CUCM telephone systems do not seem to accept certificates without these attributes :-(.
>
> If I understand everything correctly, would the only (and unclean) workaround be adding "TLS Web Client Authentication" to solve my problem?
>
I think you have a couple of choices.
First, you can downgrade to a version of OpenSSL that follows the RFC.
Second, you can patch OpenSSL to follow the RFC. Third, you can implement the verify_callback and override the errant behavior.
Jeff
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6245 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180122/54b109da/attachment.bin>
More information about the openssl-users
mailing list