<html><head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head><body bgcolor="#FFFFFF" text="#000000">I got it wrong. The
failing cert from your log is actually the intermediate, which has five
extensions:<br>
<br>
>> Object 00: X509v3 Subject Key Identifier:
58:A4:EB:D9:DD:CE:A2:99:72:3B:E1:20:19:1D:40:C1:F9:D5:C2:28
<br>
>> Object 01: X509v3 Authority Key Identifier:
keyid:E2:E9:20:42:29:83:C4:77:8C:87:AB:FA:4B:A1:A9:C4:CE:00:BD:39<br>
>> Object 02: X509v3 Basic Constraints:
CA:TRUE, pathlen:0
<br>
>> Object 03: X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
<br>
>> Object 04: X509v3 Extended Key Usage:
TLS Web Server Authentication<br>
<br>
This is where I would check first.<br>
<br>
I am not fully sure, but believe that Extended Key Usage should *not* be
there.<br>
<br>
Frank<br>
<span>
</span><br>
<blockquote style="border: 0px none;"
cite="mid:5A62A9A6.3000708@frank4dd.com" type="cite">
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div
style="width:100%;border-top:2px solid #EDF1F4;padding-top:10px;"> <div
style="display:inline-block;white-space:nowrap;vertical-align:middle;width:49%;">
<a moz-do-not-send="true" href="mailto:fm@frank4dd.com"
style="color:#485664
!important;padding-right:6px;font-weight:500;text-decoration:none
!important;">Frank Migge</a></div> <div
style="display:inline-block;white-space:nowrap;vertical-align:middle;width:48%;text-align:
right;"> <font color="#909AA4"><span style="padding-left:6px">Saturday,
January 20, 2018 11:29 AM</span></font></div> </div></div>
<div style="color:#909AA4;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody">
<div style="font-family: -moz-fixed" graphical-quote="true"
wrap="false" class="moz-text-plain"><pre wrap="">Hi Robert,
</pre><blockquote style="color: #000000;" type="cite"><blockquote
style="color: #000000;" type="cite"><pre wrap="">error 26 : unsupported certificate purpose
</pre></blockquote></blockquote><pre wrap=""><!---->
It seems the cert gets declined because of a problem with cert
extensions. "keyUsage" or "extendedKeyUsage" are typical candidates. In
your case, the leaf certificate "CAPF-91d43ef6" has two extensions:
Object 00: X509v3 Key Usage
Digital Signature, Key Encipherment
Object 01: X509v3 Extended Key Usage
TLS Web Server Authentication, TLS Web Client Authentication, IPSec End System
I would check if an extension is now missing/newly required, or no
longer recognized. Try checking for differences in the openssl.cnf and
freeradius config files between the old Debian system and the new one.
Some EAP TLS guides (incl. Cisco) also list extensions "nonRepudiation" and "dataEncipherment", but this is just a guess since you mentioned it works on the old system.
</pre><blockquote style="color: #000000;" type="cite"><blockquote
style="color: #000000;" type="cite"><pre wrap="">I have some problems with new Cisco CAPF certs
</pre></blockquote></blockquote><pre wrap=""><!---->
What is the authenticating device? Cisco IP phone?
Cheers,
Frank
</pre></div>
</div>
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div
style="width:100%;border-top:2px solid #EDF1F4;padding-top:10px;"> <div
style="display:inline-block;white-space:nowrap;vertical-align:middle;width:49%;">
<a moz-do-not-send="true" href="mailto:openssl-users@openssl.org"
style="color:#485664
!important;padding-right:6px;font-weight:500;text-decoration:none
!important;">Gladewitz, Robert via openssl-users</a></div> <div
style="display:inline-block;white-space:nowrap;vertical-align:middle;width:48%;text-align:
right;"> <font color="#909AA4"><span style="padding-left:6px">Friday,
January 19, 2018 11:12 PM</span></font></div> </div></div>
<div style="color:#909AA4;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody"><div class="WordSection1"><p
class="MsoNormal">Dear OpenSSL Team,</p>
<p class="MsoNormal">I have some problems with new Cisco CAPF certs and
freeradius TLS authentication. The point is that freeradius users see
the problem in the openssl implementation.</p>
<p class="MsoPlainText">&lt;SNIP: DEBUG&gt;</p>
<p class="MsoPlainText">(69) eap_tls: Continuing EAP-TLS</p>
<p class="MsoPlainText">(69) eap_tls: Peer indicated complete TLS record size will be 1432 bytes</p>
<p class="MsoPlainText">(69) eap_tls: Got complete TLS record (1432 bytes)</p>
<p class="MsoPlainText">(69) eap_tls: [eaptls verify] = length included</p>
<p class="MsoPlainText">(69) eap_tls: TLS_accept: SSLv3/TLS write server done</p>
<p class="MsoPlainText">(69) eap_tls: &lt;&lt;&lt; recv TLS 1.0 Handshake [length 03c2], Certificate</p>
<p class="MsoPlainText">(69) eap_tls: Creating attributes from certificate OIDs</p>
<p class="MsoPlainText">(69) eap_tls: TLS-Cert-Serial := "1009"</p>
<p class="MsoPlainText">(69) eap_tls: TLS-Cert-Expiration := "380111125719Z"</p>
<p class="MsoPlainText">(69) eap_tls: TLS-Cert-Subject := "/C=DE/ST=Sachsen/L=Leipzig/O=DBFZ Deutsches Biomasseforschungszentrum gGmbH/OU=IT/CN=CAPF-91d43ef6"</p>
<p class="MsoPlainText">(69) eap_tls: TLS-Cert-Issuer := "/C=DE/ST=Sachsen/L=Leipzig/O=DBFZ Deutsches Biomasseforschungszentrum gemeinnuetzige GmbH/OU=IT/CN=DBFZ CA INTERN ROOT/emailAddress=support@dbfz.de"</p>
<p class="MsoPlainText">(69) eap_tls: TLS-Cert-Common-Name := "CAPF-91d43ef6"</p>
<p class="MsoPlainText">(69) eap_tls: ERROR: SSL says error 26 : unsupported certificate purpose</p>
<p class="MsoPlainText">(69) eap_tls: &gt;&gt;&gt; send TLS 1.0 Alert [length 0002], fatal unsupported_certificate</p>
<p class="MsoPlainText">(69) eap_tls: ERROR: TLS Alert write:fatal:unsupported certificate</p>
<p class="MsoPlainText">tls: TLS_accept: Error in error</p>
<p class="MsoPlainText">(69) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed</p>
<p class="MsoPlainText">(69) eap_tls: ERROR: System call (I/O) error (-1)</p>
<p class="MsoPlainText">(69) eap_tls: ERROR: TLS receive handshake failed during operation</p>
<p class="MsoPlainText">(69) eap_tls: ERROR: [eaptls process] = fail &lt;/DEBUG&gt;</p>
<p class="MsoNormal">&lt;/SNIP&gt;</p>
<p class="MsoNormal">This means that the check of the CA certificate
failed. But I do not see why. If I check the certificate by the command
openssl -verify, all seems to be right.</p>
<p class="MsoPlainText"># openssl verify -verbose -CAfile /etc/freeradius/3.0/certs.8021x.ciscophone/cacert.capf.pem SEP64A0E714844E-L1.pem</p>
<p class="MsoPlainText"># SEP64A0E714844E-L1.pem: OK</p>
<p class="MsoNormal">The openssl version is Debian based 1.1.0g-2. But the same error is happening on 1.1.0f also.</p>
<p class="MsoNormal">Older freeradius version 2 on Debian 8/openssl 1.0.1t-1+deb8u7 is working fine without this problem (using the same certificates).</p>
<p class="MsoNormal">The CA certificates are signed by an internal CA. Can anyone see the error?</p>
<p class="MsoNormal">Robert</p></div></div>
</blockquote>
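<p>An added example, not code from this thread or from OpenSSL or FreeRADIUS: the shell script below builds a throw-away chain whose intermediate has the shape Frank listed (CA:TRUE with pathlen:0, a keyUsage, and an extendedKeyUsage containing only serverAuth) and a client leaf modelled on the CAPF leaf from Robert's log, then runs <code>openssl verify</code> both the way Robert did (no purpose) and with <code>-purpose sslclient</code>, which is the purpose an OpenSSL TLS server applies when it verifies a client certificate chain. The first check prints OK; the second reports error 26, unsupported certificate purpose, at depth 1 (the intermediate). Re-issuing the intermediate from the same CSR without the EKU makes the purpose check pass. All names, subjects and file names are invented for the example, and it assumes an OpenSSL 1.1.0 or newer command-line tool.</p>

```shell
#!/bin/sh
# Added example (not from the thread): reproduce "unsupported certificate
# purpose" (error 26) with a throw-away chain whose intermediate has the
# same shape as the one Frank listed: CA:TRUE/pathlen:0, a keyUsage, and an
# extendedKeyUsage of serverAuth only. All names and files are invented.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so nothing here depends on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = root_ca
[dn]
CN = Test Root CA
[root_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Extension profiles: the suspect intermediate, the same CA without the
# EKU, and a client leaf modelled on the CAPF leaf in Robert's log.
cat > ext.cnf <<'EOF'
[inter_with_eku]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[inter_plain]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[client_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

openssl req -new -x509 -config req.cnf -newkey rsa:2048 -nodes -days 2 \
    -keyout root.key -out root.pem 2>/dev/null
# One intermediate key, certified twice from the same CSR: with and without EKU.
openssl req -new -config req.cnf -subj "/CN=Test Intermediate CA" \
    -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr 2>/dev/null
for profile in inter_with_eku inter_plain; do
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 2 -extfile ext.cnf -extensions "$profile" -out "$profile.pem" 2>/dev/null
done
openssl req -new -config req.cnf -subj "/CN=test-client" \
    -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter_with_eku.pem -CAkey inter.key -CAcreateserial \
    -days 2 -extfile ext.cnf -extensions client_leaf -out leaf.pem 2>/dev/null

# Run openssl verify on leaf.pem through intermediate $1; $2 is an optional
# -purpose name (e.g. sslclient). Prints openssl's output and never aborts.
verify_chain() {
    if [ -n "${2:-}" ]; then
        openssl verify -purpose "$2" -CAfile root.pem -untrusted "$1" leaf.pem 2>&1 || true
    else
        openssl verify -CAfile root.pem -untrusted "$1" leaf.pem 2>&1 || true
    fi
}
# Exit status 0 when the chain verifies, 1 otherwise.
chain_ok() { verify_chain "$1" "${2:-}" | grep -q '^leaf.pem: OK$'; }
# The first "error N at D depth lookup: <reason>" line, reduced to <reason>.
verify_reason() {
    verify_chain "$1" "${2:-}" | sed -n 's/.*depth lookup: *//p' | head -n 1
}

echo "== intermediate extensions (inter_with_eku.pem) =="
openssl x509 -in inter_with_eku.pem -noout -text | grep -A1 'Key Usage'
echo "== plain verify, as in Robert's command =="
verify_chain inter_with_eku.pem
echo "== verify -purpose sslclient, intermediate with EKU =="
verify_chain inter_with_eku.pem sslclient
echo "== verify -purpose sslclient, same CA re-issued without EKU =="
verify_chain inter_plain.pem sslclient
```

<p>Run it with <code>sh</code>; everything is created in a temporary directory that is removed on exit. The same <code>-purpose sslclient</code> switch can be pointed at a real chain (<code>-CAfile</code> the root, <code>-untrusted</code> the intermediate, then the leaf) to reproduce what the EAP-TLS server sees before changing any FreeRADIUS or openssl.cnf setting.</p>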
<br>
</body></html>