[openssl-users] WG: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

Viktor Dukhovni openssl-users at dukhovni.org
Wed Jan 24 07:10:53 UTC 2018



> On Jan 24, 2018, at 1:33 AM, Gladewitz, Robert via openssl-users <openssl-users at openssl.org> wrote:
> 
> Nevertheless, a problem remains open for the Cisco CUCM users. If these use
> the certificate internally signed by Cisco, the attributes are set as in the
> discussion and can not be subsequently adapted in our case. This means that
> for these users only the change to a non openssl based application remains -
> really sad.

Can you be a bit more explicit as to why these users cannot deploy a
certificate chain via an alternate CA that does not have a problem EKU
(just as you did)?  Is it not possible to replace the intermediate CA
certificate with one that either has no EKU or has a more complete
EKU that lists both "serverAuth" and "clientAuth" (shorter OpenSSL
names for the EKUs under discussion)?

There are surely some Cisco Engineers reading this list.  Ideally
someone from Cisco will reach out to the OpenSSL team (say myself)
and we can help them update the product to avoid compatibility issues.
I've posted a feedback comment at:

  https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/212214-Tech-Note-on-CAPF-Certificate-Signed-by.html#anc7

Perhaps they'll reach out.

-- 
	Viktor.
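Added example, not part of Viktor's reply and not OpenSSL or FreeRADIUS code: the situation discussed above reproduced with the openssl command line. It assumes, as the reply implies, that the "problem EKU" on the Cisco-issued intermediate lists serverAuth but not clientAuth. The script builds two root -> intermediate -> client-certificate chains with throwaway P-256 keys, one with a serverAuth-only intermediate and one whose intermediate lists both serverAuth and clientAuth, then runs `openssl verify -purpose sslclient` over each, which is the purpose check an OpenSSL-based TLS server applies to a client's chain. The config section names, subject names and directory layout are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSL): show that an intermediate
# CA whose EKU lists only serverAuth makes OpenSSL reject a client certificate
# under the sslclient purpose, while an intermediate listing both serverAuth
# and clientAuth verifies.  Config section names below are invented.
set -eu

# Write a minimal, constructed OpenSSL config holding every extension section.
write_config() {
  cat >"$1" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_root ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_inter_serverauth_only ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_inter_both ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# build_chain DIR INTER_SECTION: create root.crt, inter.crt and leaf.crt (with
# keys) under DIR; the intermediate gets the extensions of INTER_SECTION.
build_chain() {
  dir=$1 sect=$2 cnf=$1/ext.cnf
  mkdir -p "$dir"
  write_config "$cnf"
  openssl req -config "$cnf" -batch -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -keyout "$dir/root.key" -out "$dir/root.crt" -subj "/CN=Demo Root" \
    -days 2 -extensions v3_root >/dev/null 2>&1
  openssl req -config "$cnf" -batch -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -keyout "$dir/inter.key" -out "$dir/inter.csr" -subj "/CN=Demo Intermediate" >/dev/null 2>&1
  openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
    -days 2 -extfile "$cnf" -extensions "$sect" -out "$dir/inter.crt" >/dev/null 2>&1
  openssl req -config "$cnf" -batch -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -keyout "$dir/leaf.key" -out "$dir/leaf.csr" -subj "/CN=phone01" >/dev/null 2>&1
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.crt" -CAkey "$dir/inter.key" -CAcreateserial \
    -days 2 -extfile "$cnf" -extensions v3_leaf -out "$dir/leaf.crt" >/dev/null 2>&1
}

# verify_leaf DIR [PURPOSE]: run openssl verify on the client leaf in DIR.  With
# PURPOSE=sslclient the check is the one a TLS server applies to a client chain;
# without a purpose, EKU values on the CA certificates are not consulted.
verify_leaf() {
  dir=$1 purpose=${2:-}
  if [ -n "$purpose" ]; then set -- -purpose "$purpose"; else set --; fi
  openssl verify "$@" -CAfile "$dir/root.crt" -untrusted "$dir/inter.crt" "$dir/leaf.crt"
}

# client_chain_verifies DIR: echo OK or FAIL for the sslclient-purpose check.
client_chain_verifies() {
  if verify_leaf "$1" sslclient >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

main() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH" >&2; return 0; }
  tmp=$(mktemp -d)
  build_chain "$tmp/bad"  v3_inter_serverauth_only
  build_chain "$tmp/good" v3_inter_both
  echo "serverAuth-only intermediate, no purpose check:"
  verify_leaf "$tmp/bad" 2>&1 | sed 's/^/  /'
  echo "serverAuth-only intermediate, purpose sslclient (expect an 'unsupported certificate purpose' error at depth 1):"
  verify_leaf "$tmp/bad" sslclient 2>&1 | sed 's/^/  /'
  echo "serverAuth,clientAuth intermediate, purpose sslclient:"
  verify_leaf "$tmp/good" sslclient 2>&1 | sed 's/^/  /'
  rm -rf "$tmp"
}
main "$@"
```

The first run shows why the problem is easy to miss: without `-purpose`, the serverAuth-only chain verifies cleanly, so `openssl verify` alone does not predict the handshake failure. Once the purpose is in force, as it is when an OpenSSL-based server such as FreeRADIUS checks a client chain, the intermediate is rejected at depth 1, which is the check behind the "certificate verify failed" error in the subject line. The fix the reply proposes is the second chain: re-issue the intermediate with no EKU or with an EKU that lists both serverAuth and clientAuth.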
