[openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Viktor Dukhovni
openssl-users at dukhovni.org
Mon Jan 22 22:02:35 UTC 2018
> On Jan 22, 2018, at 3:42 PM, Jeffrey Walton <noloader at gmail.com> wrote:
>
>> Your problem is a misconfigured CA certificate. Make sure your *CA*
>> certificate has no extended key usage specified, OR has *all* the key
>> usages specified that are required by any leaf certificate it will issue.
>
> This is wrong. The CA is not misconfigured.
You might say so, and yet, with more than just OpenSSL, the CA is not
suitable for issuing leaf certificates that are not included in its
extended key usage. This is a de facto standard.
>>> For my understanding, CA certificate may have these exteded keys - it's just
>>> something out of the ordinary.
>>
>> The extended key usages on the CA are interpreted to LIMIT the key usages
>> of certificates it can issue. You can certainly use this extension, but
>> then expect the CA to be invalid for key usages you did not list.
>
> This is wrong. The KU and EKU bits are not interpreted that way.
They plainly *are* interpreted in that way, just not by RFC5280, but
that's not the point.
> Here's the standards OpenSSL claims to implement:
> https://www.openssl.org/docs/standards.html.
So do many others, and yet when the RFC is impractical, a more practical
alternative is implemented.
--
Viktor.
More information about the openssl-users
mailing list