[openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

Viktor Dukhovni openssl-users at dukhovni.org
Sun Jan 21 22:59:03 UTC 2018



> On Jan 21, 2018, at 2:40 PM, Jeffrey Walton <noloader at gmail.com> wrote:
> 
>> OpenSSL interprets the "extendedKeyUsage" extension in CA certificates
>> as a restriction on the allowed extended key usages of leaf certificates
>> that can be issued by that CA.
>> 
>> You should typically not specify extended key usage for CA certificates
>> at all, unless you mean to restrict them to specific purposes.
> 
> The behavior is inconsistent with RFC 5280:
> 
> 4.2.1.12.  Extended Key Usage
> 
>   This extension indicates one or more purposes for which the certified
>   public key may be used, in addition to or in place of the basic
>   purposes indicated in the key usage extension.  In general, this
>   extension will appear only in end entity certificates.  This
>   extension is defined as follows ...

We're well aware of this, but this is the de-facto behaviour of
multiple implementations.  This is an area in which RFC5280 fails
to match the real world.

-- 
	Viktor.
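The behaviour described in the quoted reply (OpenSSL treating extendedKeyUsage on a CA certificate as a restriction on what that CA may issue, which is what makes a server fail the client-certificate check with a purpose-restricted CA) can be reproduced with nothing but the openssl command-line tool. The script below is an added example, not code from the thread or from FreeRADIUS; the function names, file names and subject names are its own, and it assumes an `openssl` binary (1.1.1 or later) is on PATH. It builds two throwaway PKIs, one whose CA carries `extendedKeyUsage = serverAuth` and one whose CA has no EKU extension at all, issues a clientAuth leaf from each, and verifies the leaf with `-purpose sslclient`, the check a TLS server applies to a client certificate.

```shell
#!/bin/sh
# Added example (not from the openssl-users thread): show that OpenSSL rejects an
# end-entity certificate for a purpose that its issuing CA's extendedKeyUsage
# extension does not list. Only the openssl CLI is required.
set -eu

# build_pki DIR CA_EKU
#   Create a self-signed CA in DIR (with "extendedKeyUsage = CA_EKU" when CA_EKU is
#   non-empty, no EKU extension otherwise) and issue a clientAuth leaf from it.
build_pki() {
    dir=$1
    ca_eku=${2:-}
    mkdir -p "$dir"
    if [ -n "$ca_eku" ]; then
        ca_eku_line="extendedKeyUsage = $ca_eku"
    else
        ca_eku_line="# CA carries no extendedKeyUsage extension"
    fi
    # Self-contained req/x509 config so the script does not depend on the system openssl.cnf.
    cat > "$dir/req.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
$ca_eku_line
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
    # Self-signed CA (constructed names; nothing here is a real identity).
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -subj /CN=Example-CA \
        -config "$dir/req.cnf" -extensions v3_ca \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # Client key + CSR, then a leaf certificate signed by the CA with clientAuth EKU.
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=client \
        -config "$dir/req.cnf" -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/req.cnf" -extensions v3_client \
        -out "$dir/client.pem" 2>/dev/null
}

# verify_client DIR PURPOSE
#   Run "openssl verify" on the leaf. PURPOSE is an openssl -purpose name (sslclient is
#   what a TLS server applies to a client certificate) or empty for no purpose check.
#   Returns 0 when the chain verifies, non-zero when OpenSSL rejects it.
verify_client() {
    dir=$1
    purpose=${2:-}
    if [ -n "$purpose" ]; then
        set -- -purpose "$purpose"
    else
        set --
    fi
    openssl verify "$@" -CAfile "$dir/ca.pem" "$dir/client.pem" >/dev/null 2>&1
}

# Demonstration: the same clientAuth leaf under a serverAuth-only CA and under a plain CA.
work=$(mktemp -d)
build_pki "$work/restricted" serverAuth   # CA says: only serverAuth may be issued below me
build_pki "$work/plain" ""                # CA with no extendedKeyUsage extension
for case in restricted plain; do
    printf '%s CA, openssl verify -purpose sslclient:\n' "$case"
    openssl verify -purpose sslclient -CAfile "$work/$case/ca.pem" "$work/$case/client.pem" 2>&1 || true
done
rm -rf "$work"
```

The restricted case fails with "unsupported certificate purpose" at depth 1 (the CA), while the plain CA verifies the same leaf cleanly; dropping `-purpose` makes the restricted chain pass too, which isolates the CA's EKU as the cause. A CA that lists `clientAuth` in its EKU (or omits the extension, as the quoted advice recommends) verifies normally. The same logic applies when the verifying end is a TLS stack rather than the `verify` command, which is why the error surfaces in the server's certificate-verify step.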


