[openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

[Gladewitz, Robert]

Dear OpenSSL Team,

 

I have some problems with new Cisco CAPF certs and freeradius tls
authentification. The point is, that freeradius users see the problem on
openssl implemtiation. 

 

<SNIP: DEBUG>

(69) eap_tls: Continuing EAP-TLS

(69) eap_tls: Peer indicated complete TLS record size will be 1432 bytes

(69) eap_tls: Got complete TLS record (1432 bytes)

(69) eap_tls: [eaptls verify] = length included

(69) eap_tls: TLS_accept: SSLv3/TLS write server done

(69) eap_tls: <<< recv TLS 1.0 Handshake [length 03c2], Certificate

(69) eap_tls: Creating attributes from certificate OIDs

(69) eap_tls:   TLS-Cert-Serial := "1009"

(69) eap_tls:   TLS-Cert-Expiration := "380111125719Z"

(69) eap_tls:   TLS-Cert-Subject := "/C=DE/ST=Sachsen/L=Leipzig/O=DBFZ
Deutsches Biomasseforschungszentrum gGmbH/OU=IT/CN=CAPF-91d43ef6"

(69) eap_tls:   TLS-Cert-Issuer := "/C=DE/ST=Sachsen/L=Leipzig/O=DBFZ
Deutsches Biomasseforschungszentrum gemeinnuetzige GmbH/OU=IT/CN=DBFZ CA
INTERN ROOT/emailAddress=support at dbfz.de
<mailto:ROOT/emailAddress=support at dbfz.de> "

(69) eap_tls:   TLS-Cert-Common-Name := "CAPF-91d43ef6"

(69) eap_tls:   ERROR: SSL says error 26 : unsupported certificate purpose

(69) eap_tls: >>> send TLS 1.0 Alert [length 0002], fatal
unsupported_certificate

(69) eap_tls: ERROR: TLS Alert write:fatal:unsupported certificate

tls: TLS_accept: Error in error

(69) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL
routines:tls_process_client_certificate:certificate verify failed

(69) eap_tls: ERROR: System call (I/O) error (-1)

(69) eap_tls: ERROR: TLS receive handshake failed during operation

(69) eap_tls: ERROR: [eaptls process] = fail </DEBUG>

</SNIP>

 

This means, that the check of ca certificate is failed. So, bu I do not see,
why. If i check the certificate by command openssl -verify, all sems to be
right. 

# openssl verify -verbose -CAfile
/etc/freeradius/3.0/certs.8021x.ciscophone/cacert.capf.pem
SEP64A0E714844E-L1.pem 

# SEP64A0E714844E-L1.pem: OK

 

 

The openssl version is Debian based 1.1.0g-2. But the same error is
happening on 1.1.0f also. 

 

Older freeradius version 2 on Debian 8/openssl 1.0.1t-1+deb8u7 working fine
without this problem (by using the same certificates)

 

The ca certificate are signed by an intern ca. Can anyone see the error??

 

Robert

 

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180119/c4a779f7/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cacert.capf.pem
Type: application/octet-stream
Size: 4193 bytes
Desc: cacert.capf.pem
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180119/c4a779f7/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SEP64A0E714844E-L1.pem
Type: application/octet-stream
Size: 1346 bytes
Desc: SEP64A0E714844E-L1.pem
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180119/c4a779f7/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6245 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180119/c4a779f7/attachment.bin>