[openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

Viktor Dukhovni openssl-users at dukhovni.org
Sun Jan 21 18:31:40 UTC 2018



> On Jan 21, 2018, at 7:34 AM, Gladewitz, Robert via openssl-users <openssl-users at openssl.org> wrote:
> 
> If I understand you right, then I need to add "TLS Web Client Authentication"
> to the CAPF certificate.

Or better still, remove the "ExtendedKeyUsage" extension from the CA
certificate and thus specify neither "TLS Web Client Authentication",
nor "TLS Web Server Authentication".  When you "tag" a CA certificate
with a given list of "purpose" OIDs, it is then not considered valid
for the purposes that are not listed.

> But I have a question. In Freeradius I use the CAPF cert only as a CA
> cert, not as a server or client cert. The only function is to check
> the client cert is signed by CAPF. To check only this, does the CA need
> "TLS Web Client Authentication"?? 

OpenSSL interprets the "extendedKeyUsage" extension in CA certificates
as a restriction on the allowed extended key usages of leaf certificates
that can be issued by that CA.

You should typically not specify extended key usage for CA certificates
at all, unless you mean to restrict them to specific purposes.

-- 
	Viktor.
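The behaviour Viktor describes can be reproduced with the openssl command line. The script below is an added example, not part of the thread and not OpenSSL project code; it assumes an openssl binary (1.1.1 or later) in PATH and a POSIX sh. It builds three throwaway CAs (no EKU, EKU serverAuth only, EKU serverAuth+clientAuth), issues an ordinary clientAuth leaf from each, and verifies that leaf with "openssl verify -purpose sslclient", which applies the same X509_PURPOSE_SSL_CLIENT check an OpenSSL-based TLS server such as FreeRADIUS applies to a presented client certificate. Only the serverAuth-only CA, the situation in the original report, is rejected ("unsupported certificate purpose" at depth 1).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or OpenSSL itself).
# Assumes: openssl >= 1.1.1 in PATH, mktemp(1), POSIX sh.
# "openssl verify -purpose sslclient" mirrors the purpose check an
# OpenSSL TLS server (e.g. FreeRADIUS eap_tls) runs on a client cert.

# verify_client_chain_with_ca_eku LABEL EKU_LINE
#   LABEL    : short name used only in the CA's CN
#   EKU_LINE : an "extendedKeyUsage = ..." config line for the CA cert,
#              or "" for a CA with no EKU extension at all
# Builds CA + clientAuth leaf, verifies the leaf for purpose sslclient.
# Returns 0 if the chain verifies for that purpose, 1 if it is rejected.
verify_client_chain_with_ca_eku() {
    label=$1
    ca_eku=$2
    dir=$(mktemp -d)

    # CA certificate: normal CA constraints, EKU only if the caller asks.
    cat > "$dir/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Test CA $label
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
$ca_eku
EOF
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$dir/ca.key" 2>/dev/null
    openssl req -new -x509 -days 30 -key "$dir/ca.key" \
        -config "$dir/ca.cnf" -out "$dir/ca.pem" 2>/dev/null

    # Leaf: a plain TLS client certificate (what an EAP-TLS supplicant sends).
    cat > "$dir/leaf.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = eap-client
EOF
    cat > "$dir/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$dir/leaf.key" 2>/dev/null
    openssl req -new -key "$dir/leaf.key" -config "$dir/leaf.cnf" \
        -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$dir/leaf.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/leaf.ext" \
        -out "$dir/leaf.pem" 2>/dev/null

    # The purpose check is applied to every cert in the chain, the CA included:
    # a CA tagged with an EKU list lacking clientAuth fails here.
    if openssl verify -purpose sslclient -CAfile "$dir/ca.pem" \
            "$dir/leaf.pem" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$dir"
    return $rc
}

# Stand-alone demo: one line per CA flavour.
for case in "plain:" \
            "serveronly:extendedKeyUsage = serverAuth" \
            "both:extendedKeyUsage = serverAuth,clientAuth"; do
    label=${case%%:*}
    eku=${case#*:}
    if verify_client_chain_with_ca_eku "$label" "$eku"; then
        echo "CA '$label': client cert verifies for purpose sslclient"
    else
        echo "CA '$label': client cert REJECTED for purpose sslclient"
    fi
done
```

Run it as-is to see the three outcomes; drop the 2>/dev/null on the verify call to see OpenSSL's own "unsupported certificate purpose" message for the serverAuth-only CA. Re-issuing the CA without any extendedKeyUsage line (the "plain" case) is the fix Viktor recommends.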


