[openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

Gladewitz, Robert Robert.Gladewitz at dbfz.de
Mon Jan 22 17:07:09 UTC 2018


Hello Viktor,

The problem is that I can't change the Cisco implementation :-(. Cisco tells
me the CAPF implementation is following all RFC documents. If you are right,
I can't use any FreeRADIUS implementation, because they are based on
OpenSSL. There is no option in FreeRADIUS to ignore something like this.

To my understanding, a CA certificate may have these extended keys - it's just
something out of the ordinary. So, you mean, there is no chance to get this
correct RFC interpretation into OpenSSL??

Cisco:
https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/212214-Tech-Note-on-CAPF-Certificate-Signed-by.pdf
https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/212214-Tech-Note-on-CAPF-Certificate-Signed-by.html

Regards

Robert





-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Viktor Dukhovni
Sent: Monday, 22 January 2018 17:01
To: openssl-users at openssl.org
Subject: Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed



> On Jan 22, 2018, at 1:57 AM, Gladewitz, Robert via openssl-users <openssl-users at openssl.org> wrote:
> 
> Do you already know when a version of OpenSSL will be released that
> follows this RFC?

The RFC is out of touch with real-world practice by multiple
implementations.  There are no plans to "follow the RFC".

-- 
	Viktor.
