[openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

Viktor Dukhovni openssl-users at dukhovni.org
Sat Jan 20 23:21:08 UTC 2018

> On Jan 20, 2018, at 6:42 AM, Gladewitz, Robert via openssl-users <openssl-users at openssl.org> wrote:
> Hello Viktor,
> hmm, we have only a self-signed root CA and the CAPF is directly minor. And the extended key usage is mandatory by Cisco.
> You mean, the only solution is that the root CA also has the same extendedKeyUsage?

The intermediate CA you posted:

   Subject: C = DE, ST = Sachsen, L = Leipzig, O = DBFZ Deutsches Biomasseforschungszentrum gGmbH, OU = IT, CN = CAPF-91d43ef6

has extensions:

        X509v3 extensions:
            X509v3 Subject Key Identifier: ...
            X509v3 Authority Key Identifier: ...
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication

The last of these limits the CA to just "TLS Web Server Authentication".
The leaf certificate has:

            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication, IPSec End System

which works if you're authenticating it as a "TLS server" (the "Web" part
is irrelevant), but fails when used for a "TLS client" or "IPSec End System",
because those purposes are not included in the issuing CA certificate.

Presumably the problem in this case is that this CA is being used to
validate a "TLS client" certificate.  You'll need an intermediate CA
that either has no "X509v3 Extended Key Usage" or has one that includes
both "TLS Web Server Authentication" and "TLS Web Client Authentication".
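As an added illustration of the rule described above (not code from the thread or from OpenSSL), the following script parses the `X509v3 Extended Key Usage` lines out of `openssl x509 -text` style output and applies the chain rule: a certificate with no EKU is unrestricted, a certificate with an EKU must list the purpose, and every certificate in the chain, CAs included, must pass. The certificate fragments are constructed to match the chain in the thread; the root and leaf subjects are assumptions.

```python
import re

# Constructed fragments of `openssl x509 -text` output modelled on the thread.
ROOT = """\
        Subject: CN = root (constructed, no EKU extension)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
"""
INTERMEDIATE = """\
        Subject: CN = CAPF-91d43ef6
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication
"""
LEAF = """\
        Subject: CN = phone-leaf (constructed)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, IPSec End System
"""


def parse_eku(text):
    """Return the set of EKU names, or None when the cert has no EKU extension."""
    m = re.search(r"X509v3 Extended Key Usage:[^\n]*\n\s+([^\n]+)", text)
    if not m:
        return None
    return {name.strip() for name in m.group(1).split(",")}


def check_chain_purpose(purpose, chain):
    """Return (ok, blocking_subject) for a purpose such as
    'TLS Web Client Authentication', checking every certificate in the chain
    the way the post describes: an EKU, when present, must include the purpose."""
    for text in chain:
        eku = parse_eku(text)
        if eku is not None and purpose not in eku:
            subject = re.search(r"Subject:\s*(.*)", text).group(1)
            return False, subject
    return True, None


if __name__ == "__main__":
    chain = [ROOT, INTERMEDIATE, LEAF]
    for purpose in ("TLS Web Server Authentication", "TLS Web Client Authentication"):
        print(purpose, "->", check_chain_purpose(purpose, chain))
```

Running it shows server authentication succeeding and client authentication blocked at the CAPF intermediate, which is the failure FreeRADIUS reports as "certificate verify failed".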


