[openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

Michael Ströder michael at stroeder.com
Sat Jan 20 10:59:29 UTC 2018


Viktor Dukhovni wrote:
>> On Jan 19, 2018, at 10:09 PM, Frank Migge <fm at frank4dd.com> wrote:
>>
>>>> Object 04: X509v3 Extended Key Usage: TLS Web Server Authentication
>>
>> This is where I would check first.
>>
>> I am not fully sure, but believe that Extended Key Usage should *not* be there.
> 
> Indeed the intermediate CA should either not have an extendedKeyUsage, or that
> keyUsage should include the desired "purpose".

Full ack.

But unfortunately M$ implemented this requirement to add such a value to
Extended Key Usage of intermediate CA certs, violating X.509 and RFC
5280. And now all PKI lemmings are following this crap.

=> use your own CA

Ciao, Michael.
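
The purpose check behind this error, as an added example that is not part of the thread: a throwaway PKI in which the same intermediate is issued once with extendedKeyUsage=serverAuth and once without, and openssl verify -purpose sslclient (what a TLS server effectively applies to a client chain) is run over both. It assumes only the openssl CLI (1.1.1 or newer); every name in it is constructed.

```shell
# Throwaway PKI reproducing the EKU symptom from the thread (every name here is constructed).
# Assumes the openssl CLI, 1.1.1 or later; nothing touches a real CA or the system config.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Demo Root
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
# Intermediate as the thread describes it: EKU restricted to serverAuth.
printf '%s\n' 'basicConstraints = critical,CA:TRUE' \
  'keyUsage = critical,keyCertSign,cRLSign' 'extendedKeyUsage = serverAuth' > int_bad.ext
# Intermediate as RFC 5280 intends: no EKU, so it constrains no purpose.
printf '%s\n' 'basicConstraints = critical,CA:TRUE' \
  'keyUsage = critical,keyCertSign,cRLSign' > int_good.ext
# EAP-TLS supplicant (client) certificate.
printf '%s\n' 'basicConstraints = CA:FALSE' \
  'keyUsage = critical,digitalSignature' 'extendedKeyUsage = clientAuth' > leaf.ext
openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
  -keyout root.key -out root.pem -days 365 2>/dev/null
openssl req -new -config ca.cnf -subj '/CN=Demo Intermediate' -newkey rsa:2048 \
  -nodes -keyout int.key -out int.csr 2>/dev/null
openssl req -new -config ca.cnf -subj '/CN=Demo Supplicant' -newkey rsa:2048 \
  -nodes -keyout leaf.key -out leaf.csr 2>/dev/null
# One intermediate key and CSR signed twice, so the single leaf chains to either.
for v in bad good; do
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 365 -extfile "int_$v.ext" -out "int_$v.pem" 2>/dev/null
done
openssl x509 -req -in leaf.csr -CA int_good.pem -CAkey int.key -CAcreateserial \
  -days 365 -extfile leaf.ext -out leaf.pem 2>/dev/null
# A TLS server checks every certificate in a client chain for the sslclient purpose; a CA
# certificate whose EKU omits clientAuth fails with "unsupported certificate purpose".
verify_out() { openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/$1" \
  -purpose sslclient "$WORK/leaf.pem" 2>&1; }
chain_verifies() { verify_out "$1" >/dev/null; }
for v in bad good; do
  if chain_verifies "int_$v.pem"; then echo "int_$v.pem: chain OK"
  else echo "int_$v.pem: $(verify_out "int_$v.pem" | grep depth || true)"; fi
done
```

Without -purpose, plain openssl verify reports both chains as OK, which is why the problem only surfaces once a TLS server applies its client-auth purpose check.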
