[openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

Jeffrey Walton noloader at gmail.com
Tue Jan 23 14:05:36 UTC 2018


On Sun, Jan 21, 2018 at 6:38 PM, Salz, Rich via openssl-users
<openssl-users at openssl.org> wrote:
> ➢ The sensible thing at this point is to publish an update to RFC5280
>     that accepts reality.
>
> Yes, and there’s an IETF place to do that if anyone is interested; see the LAMPS working group.

Related, the subject came up recently on the PKIX mailing list: "Next
edition of X.509",
https://www.ietf.org/mail-archive/web/pkix/current/msg33478.html .

https://www.ietf.org/mail-archive/web/pkix/current/msg33489.html was a
proposal to modify the text. The modifications appear to propose KU
and EKU cast a wider net to accommodate IoT gadgets.

https://www.ietf.org/mail-archive/web/pkix/current/msg33490.html was a
comment to avoid the modification. The objection stated to an OID for
the new usages to accommodate the use cases.

Another thread of interest from SAAG is "Considerations about the need
to resume PKIX work",
https://mailarchive.ietf.org/arch/msg/saag/BJWLw-XZvq_fgCYDldCDLVamNbg

There does not seem to be a lot of interest in revising PKIX. I
personally find it disappointing because it seems like it is the wild,
wild west to me.

Jeff

