Why this error (should, from what I understand, be ok)

Viktor Dukhovni openssl-users at dukhovni.org
Tue Feb 14 02:53:11 UTC 2023


On Mon, Feb 13, 2023 at 07:56:22PM -0500, Karl Denninger wrote:

> Environment is a client/server, with both ends checking the certificates.
> 
>              Netscape Cert Type:
>              X509v3 Extended Key Usage:
>                  TLS Web Server Authentication, TLS Web Client Authentication
> 
> The client is able to follow the signature and verifies it. However,
> the client certificate with the same extensions connects, but the
> server complains on verification that the client cert supplied has
> "invalid purpose."

The purpose problem may be a result of explicit EKUs for one of the
issuing CAs that don't include "TLS Web Client Authentication" (a.k.a.
"clientAuth").

You don't need to test with TLS connections; instead, for example:

    # hostname=...
    # CAfile=...
    # openssl verify -show_chain -purpose sslclient \
        -verify_hostname "$hostname" \
        -trusted "$CAfile" \
        -untrusted "/etc/letsencrypt/live/$hostname/fullchain.pem" \
        "/etc/letsencrypt/live/$hostname/cert.pem"
    /etc/letsencrypt/live/.../cert.pem: OK
    Chain:
    depth=0: CN = ... (untrusted)
    depth=1: C = US, O = Let's Encrypt, CN = R3 (untrusted)
    depth=2: C = US, O = Internet Security Research Group, CN = ISRG Root X1

While with "smimesign" as the purpose:

    # hostname=...
    # CAfile=...
    # openssl verify -show_chain -purpose smimesign \
        -verify_hostname "$hostname" \
        -trusted "$CAfile" \
        -untrusted "/etc/letsencrypt/live/$hostname/fullchain.pem" \
        "/etc/letsencrypt/live/$hostname/cert.pem"
    CN = ...
    error 26 at 0 depth lookup: unsupported certificate purpose
    C = US, O = Let's Encrypt, CN = R3
    error 26 at 1 depth lookup: unsupported certificate purpose
    error /etc/letsencrypt/live/.../cert.pem: verification failed

However, note that the error reported by OpenSSL is "unsupported
purpose", NOT "invalid purpose"; for that error, I actually need to
specify a made-up purpose name.  So it is unclear how your server
managed to report an "invalid purpose"; perhaps there's a typo in
the server code, and it rejects all client certificates because
it tries to check them against an unknown (to OpenSSL) "purpose".

-- 
    Viktor.


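A self-contained reproduction of the diagnosis in the message above, added here as an example; it is not part of Viktor's reply or of OpenSSL's own documentation. It builds a throwaway root/intermediate/leaf chain twice with openssl(1), once with an intermediate that carries no EKU and once with an intermediate whose EKU lists only serverAuth, then runs the same `openssl verify -purpose` check against both. Every name in it (the subjects, `client.example.test`, the config section names, the `build_pki` and `verify_purpose` helpers) is invented; it assumes OpenSSL 1.1.1 or later on PATH and writes only under a temporary directory.

```shell
#!/bin/sh
# Added example (not from the mailing-list message): reproduce the
# "EKU on an issuing CA excludes clientAuth" case with a throwaway PKI.
# Assumes openssl 1.1.1+ on PATH; all names and section names are invented.
set -eu

# One config file; sections select the extensions for each certificate.
write_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ root_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ int_ca_open ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[ int_ca_server_only ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
extendedKeyUsage = serverAuth
[ leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:client.example.test
EOF
}

# build_pki DIR INT_SECTION: root -> intermediate -> leaf under DIR; the
# intermediate's extensions come from INT_SECTION of the config above.
build_pki() {
    dir=$1 int_ext=$2
    mkdir -p "$dir"
    write_cnf "$dir/ext.cnf"
    # Root: self-signed, no EKU extension at all.
    openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -sha256 -days 30 -config "$dir/ext.cnf" -extensions root_ca \
        -subj "/CN=Example Test Root" \
        -keyout "$dir/root.key" -out "$dir/root.pem"
    # Intermediate: signed by the root; EKU present or absent per $int_ext.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -sha256 -config "$dir/ext.cnf" \
        -subj "/CN=Example Test Intermediate" \
        -keyout "$dir/int.key" -out "$dir/int.csr"
    openssl x509 -req -sha256 -days 30 -in "$dir/int.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/ext.cnf" -extensions "$int_ext" \
        -out "$dir/int.pem" 2>/dev/null   # quiets "Signature ok" chatter
    # Leaf: serverAuth + clientAuth, like the poster's certificate.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -sha256 -config "$dir/ext.cnf" \
        -subj "/CN=client.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr"
    openssl x509 -req -sha256 -days 30 -in "$dir/leaf.csr" \
        -CA "$dir/int.pem" -CAkey "$dir/int.key" -CAcreateserial \
        -extfile "$dir/ext.cnf" -extensions leaf \
        -out "$dir/leaf.pem" 2>/dev/null
}

# verify_purpose PURPOSE DIR: the check from the message, against the
# throwaway chain; exit status is openssl's (0 = chain OK for that purpose).
verify_purpose() {
    openssl verify -show_chain -purpose "$1" \
        -trusted "$2/root.pem" -untrusted "$2/int.pem" "$2/leaf.pem"
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
build_pki "$work/open" int_ca_open
build_pki "$work/srvonly" int_ca_server_only

# Expect: the "open" chain passes both purposes; "srvonly" passes sslserver
# but fails sslclient at depth 1 with "unsupported certificate purpose",
# even though the leaf itself carries clientAuth.
for chain in open srvonly; do
    for purpose in sslserver sslclient; do
        echo "== intermediate=$chain purpose=$purpose"
        verify_purpose "$purpose" "$work/$chain" || true
    done
done

# A purpose name OpenSSL does not know is rejected before any verification
# starts (the exact wording differs between OpenSSL versions).
echo "== made-up purpose"
verify_purpose notapurpose "$work/open" 2>&1 || true
```

The point the run makes is that `-purpose sslclient` applies the EKU test to every certificate in the chain, not only the leaf, so a leaf with serverAuth and clientAuth is still rejected under an intermediate whose EKU names only serverAuth. Note also that the string "unsupported certificate purpose" is how OpenSSL spells error 26, whose C name is X509_V_ERR_INVALID_PURPOSE; code that reports the constant's name rather than `X509_verify_cert_error_string()` would show "invalid purpose" for the same failure.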