[openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

Gladewitz, Robert Robert.Gladewitz at dbfz.de
Sat Jan 20 10:53:25 UTC 2018 

Hello Frank.

Thank your for helping ☺.

The CAPF certificates in cisco CUCM Systems have some functions, for example phone proxy services. Usually, you create a certificate reqest on CUCM (Callmanager) and you will signed by you internal ca. Also it is possible, that the CUCM callmanager signed by self. (On both, the problem are happening)

I use a signed ca certificate for CAPF, with is signed by my internal root ca, wich is bases on openssl.

So, for new phone, the CUCM callmanager generate and sign the phone client certificate, wich is downloaded from the phone and used for check configuration signing und in our problem case use as a client certificate for 802.1x tls authentification.

In freeradius, the CAPF CA certificate is installed as a CA certificatge for check the clients certs in tls authentification processes. In freeradius2 anything is working fine and the phone client certificates is verify without any error.

The interesst think is, that the error is display for  the ca (CAPF) certificate, not for the client certificates.

So, i check the attributes and extensions:

        X509v3 extensions:
            X509v3 Subject Key Identifier:
                58:A4:EB:D9:DD:CE:A2:99:72:3B:E1:20:19:1D:40:C1:F9:D5:C2:28
            X509v3 Authority Key Identifier:
                keyid:E2:E9:20:42:29:83:C4:77:8C:87:AB:FA:4B:A1:A9:C4:CE:00:BD:39

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication


For my interpretation, anything ist ok. May the TLS Web Server Authentication is not usual, but it is mandodary by cisco. On the way, we use the minimal mandodary requirements from cisco.

Vg
Robert



Von: Frank Migge [mailto:fm at frank4dd.com]
Gesendet: Samstag, 20. Januar 2018 03:30
An: Gladewitz, Robert <Robert.Gladewitz at dbfz.de>; openssl-users at openssl.org
Betreff: Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed


Hi Robert,



error 26 : unsupported certificate purpose



It seems the cert gets declined because of a problem with cert

extensions. "keyUsage" or "extendedKeyUsage" are typical candidates. In

your case, the leaf certificate "CAPF-91d43ef6" has two extensions:



Object 00: X509v3 Key Usage

  Digital Signature, Key Encipherment



Object 01: X509v3 Extended Key Usage

  TLS Web Server Authentication, TLS Web Client Authentication, IPSec End System



I would check if an extension is now missing/newly required, or no

longer recognized. Try check for differences in the openssl.cnf and

freeradius config files between the old Debian system and the new one.



Some EAP TLS guides (incl. Cisco) also list extensions "nonRepudiation" and "dataEncipherment", but this is just a guess since you mentioned it works on the old system.



I have some problems with new Cisco CAPF certs



What is the authenticating device? Cisco IP phone?



Cheers,

Frank
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180120/c15b0adf/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cacert.capf.pem
Type: application/octet-stream
Size: 4193 bytes
Desc: cacert.capf.pem
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180120/c15b0adf/attachment-0001.obj>

More information about the openssl-users mailing list