[openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

Viktor Dukhovni openssl-users at dukhovni.org
Mon Jan 22 15:59:30 UTC 2018
> On Jan 22, 2018, at 1:47 AM, Jeffrey Walton <noloader at gmail.com> wrote:
> 
> I think you have a couple of choices.
> 
> First, you can downgrade to a version of OpenSSL that follows the RFC.
> Second, you can patch OpenSSL to follow the RFC. Third, you can
> implement the verify_callback and override the errant behavior.

None of this is necessary.  The OP indicates that the *leaf* certificate
has certain required extended key usages, but there is no indication that
the same applies to the intermediate CA.

The solution is to use a CA chain in which NONE of the CA certificates
have an extended key usage extension.  ONLY the leaf certificate should
have that extension.

CA certificates should have extended key usage specified when intended
to only issue leaf certificates that are to be used ONLY for the listed
purposes.  General-purpose CAs should not have extended key usage.

-- 
	Viktor.
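
Viktor's recommendation, as an added example that is not part of the thread: the script below (assuming `openssl` 1.1.1 or 3.x is on PATH) builds two throwaway root/intermediate/client chains, one whose intermediate CA carries an extendedKeyUsage of serverAuth and one whose CA certificates carry none, and checks the leaf for the sslclient purpose the way a TLS server's peer verification does. All names and extension profiles are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway root -> intermediate -> client chain twice,
# once with an EKU on the intermediate CA and once without, and validate each for client auth.
# Assumes `openssl` 1.1.1 or 3.x on PATH; every name and extension profile here is constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/ext.cnf"
KEY="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"   # cheap throwaway keys
# Extension profiles: only the leaf profile should carry extendedKeyUsage; ca_with_eku is the mistake.
cat >"$CNF" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_no_eku]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ca_with_eku]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
extendedKeyUsage = serverAuth
[leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
# build_chain NAME INT_SECTION: root (ca_no_eku) -> intermediate (INT_SECTION) -> leaf (clientAuth)
build_chain() {
  d="$WORK/$1"; mkdir -p "$d"
  openssl req -x509 -config "$CNF" -extensions ca_no_eku $KEY -keyout "$d/root.key" \
    -out "$d/root.crt" -subj "/CN=Demo Root" -days 2 2>/dev/null
  openssl req -new -config "$CNF" $KEY -keyout "$d/int.key" -out "$d/int.csr" \
    -subj "/CN=Demo Intermediate" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$CNF" -extensions "$2" -out "$d/int.crt" -days 2 2>/dev/null
  openssl req -new -config "$CNF" $KEY -keyout "$d/leaf.key" -out "$d/leaf.csr" \
    -subj "/CN=client1" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
    -extfile "$CNF" -extensions leaf -out "$d/leaf.crt" -days 2 2>/dev/null
}
# chain_verifies NAME: succeeds iff the leaf validates for the sslclient purpose, which is the check a
# TLS server (FreeRADIUS included) has OpenSSL apply to every certificate in a client's chain.
chain_verifies() {
  openssl verify -purpose sslclient -CAfile "$WORK/$1/root.crt" \
    -untrusted "$WORK/$1/int.crt" "$WORK/$1/leaf.crt" >/dev/null 2>&1
}
build_chain with_eku ca_with_eku; build_chain no_eku ca_no_eku
for n in with_eku no_eku; do
  chain_verifies "$n" && echo "$n: leaf OK" || echo "$n: certificate verify failed"
done
```

Only the chain whose CA certificates carry no EKU verifies; the other is rejected with `unsupported certificate purpose`, which a TLS server surfaces to the peer as `certificate verify failed`.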
