[openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

Jeffrey Walton noloader at gmail.com
Mon Jan 22 20:42:22 UTC 2018


On Mon, Jan 22, 2018 at 2:50 PM, Viktor Dukhovni
<openssl-users at dukhovni.org> wrote:
>
>
>> On Jan 22, 2018, at 12:07 PM, Gladewitz, Robert via openssl-users <openssl-users at openssl.org> wrote:
>>
>> the problem is, that i cant change the cisco implementation :-(.
>
> YOU DO NOT need to change the Cisco implementation.
>
>> Cisco tell me, the capf implemtation is following all rfc documents.
>
> Nothing Cisco is telling you requires your issuing CA to have an
> extended key usage listing just "TLS Web Server Authentication".
>
>> If you are right,
>> i cant use any freeradius implementation, because there are based on
>> openssl. There is no option in freeradius, to ignore some think like this.
>
> Your problem is a misconfigured CA certificate.  Make sure your *CA*
> certificate has no extended key usage specified, OR has *all* the key
> usages specified that are required by any leaf certificate it will issue.

This is wrong. The CA is not misconfigured.

>> For my understanding, CA certificate may have these exteded keys - it's just
>> something out of the ordinary.
>
> The extended key usages on the CA are interpreted to LIMIT the key usages
> of certificates it can issue.  You can certainly use this extension, but
> then expect the CA to be invalid for key usages you did not list.

This is wrong. The KU and EKU bits are not interpreted that way.

Here's the standards OpenSSL claims to implement:
https://www.openssl.org/docs/standards.html.

Jeff


More information about the openssl-users mailing list