[openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

Gladewitz, Robert Robert.Gladewitz at dbfz.de
Sun Jan 21 12:34:26 UTC 2018


Hello Viktor,

thanks for all this help.

If I understand you right, then I need to add "TLS Web Client Authentication" to the CAPF certificate.

But I have a question. In FreeRADIUS I use the CAPF cert only as a CA cert, not as a server or client cert. Its only function is to check that the client cert is signed by CAPF. Just to check this, does the CA need "TLS Web Client Authentication"?

Regards

Robert


-----Original Message-----
From: Viktor Dukhovni [mailto:openssl-users at dukhovni.org]
Sent: Sunday, 21 January 2018 00:21
To: Gladewitz, Robert <Robert.Gladewitz at dbfz.de>; openssl-users at openssl.org
Subject: Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed



> On Jan 20, 2018, at 6:42 AM, Gladewitz, Robert via openssl-users <openssl-users at openssl.org> wrote:
> 
> Hello Viktor,
> 
> hmm, we have only a self-signed root CA and the CAPF is directly subordinate to it. And the extended key usage is mandatory by Cisco.
> 
> You mean the only solution is that the root CA also has the same extendedKeyUsage?

The intermediate CA you posted:

   Subject: C = DE, ST = Sachsen, L = Leipzig, O = DBFZ Deutsches Biomasseforschungszentrum gGmbH, OU = IT, CN = CAPF-91d43ef6

has extensions:

        X509v3 extensions:
            X509v3 Subject Key Identifier: ...
            X509v3 Authority Key Identifier: ...
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication

The last of these limits the CA to just "TLS Web Server Authentication".
The leaf certificate has:

            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication, IPSec End System

which works if you're authenticating it as a "TLS server" (the "Web" part is irrelevant), but fails when used for a "TLS client" or "IPSec End System", because those purposes are not included in the issuing CA certificate.

Presumably the problem in this case is that this CA is being used to validate a "TLS client" certificate.  You'll need an intermediate CA that either has no "X509v3 Extended Key Usage" or has one that includes both "TLS Web Server Authentication" and "TLS Web Client Authentication".

-- 
	Viktor.
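To see Viktor's point without touching the real CAPF, the following script (an added example, not code from the thread or from FreeRADIUS) rebuilds the same chain shape with throwaway keys and asks `openssl verify -purpose` the question FreeRADIUS asks during EAP-TLS. It assumes an `openssl` binary (1.1.1 or newer) on PATH; all names and the key size are constructed.

```shell
#!/bin/sh
# Constructed demo: root CA (no EKU) -> intermediate "CAPF" -> leaf.
# Two intermediate variants are signed from the same CSR: EKU serverAuth only
# (as posted in the thread) and EKU serverAuth+clientAuth (Viktor's fix).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

build_demo_pki() {
  # Root: CA with no EKU, so it imposes no purpose restriction on the chain.
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Demo Root" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
  openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile root.ext \
    -out root.pem 2>/dev/null
  # Intermediate: same extensions as the posted CAPF cert, EKU differs per variant.
  openssl req -new -newkey rsa:2048 -nodes -keyout capf.key -out capf.csr \
    -subj "/CN=CAPF-demo" 2>/dev/null
  for v in server both; do
    [ "$v" = server ] && eku=serverAuth || eku=serverAuth,clientAuth
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\n' > "capf-$v.ext"
    printf 'keyUsage=critical,digitalSignature,keyCertSign,cRLSign\n' >> "capf-$v.ext"
    printf 'extendedKeyUsage=critical,%s\n' "$eku" >> "capf-$v.ext"
    openssl x509 -req -in capf.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -days 30 -extfile "capf-$v.ext" -out "capf-$v.pem" 2>/dev/null
    # Leaf (the phone's cert): EKU serverAuth+clientAuth, issued by this variant.
    openssl req -new -newkey rsa:2048 -nodes -keyout "leaf-$v.key" \
      -out "leaf-$v.csr" -subj "/CN=SEP-demo" 2>/dev/null
    printf 'keyUsage=critical,digitalSignature,keyEncipherment\n' > leaf.ext
    printf 'extendedKeyUsage=serverAuth,clientAuth\n' >> leaf.ext
    openssl x509 -req -in "leaf-$v.csr" -CA "capf-$v.pem" -CAkey capf.key \
      -CAcreateserial -days 30 -extfile leaf.ext -out "leaf-$v.pem" 2>/dev/null
  done
}

# $1 = purpose openssl should check (sslserver|sslclient), $2 = variant (server|both).
# Prints "ok" when the chain validates for that purpose, "fail" otherwise.
verify_as() {
  if openssl verify -purpose "$1" -CAfile root.pem -untrusted "capf-$2.pem" \
       "leaf-$2.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

build_demo_pki
for p in sslserver sslclient; do for v in server both; do
  echo "purpose=$p capf-eku=$v: $(verify_as "$p" "$v")"
done; done
```

The `sslclient`/`server` combination is the one FreeRADIUS hits: the leaf carries clientAuth, but the issuing CA's critical EKU does not, so the chain is rejected even though the signature is valid.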
