[openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Jeffrey Walton
noloader at gmail.com
Sun Jan 21 23:04:58 UTC 2018
On Sun, Jan 21, 2018 at 5:59 PM, Viktor Dukhovni
<openssl-users at dukhovni.org> wrote:
>
>
>> On Jan 21, 2018, at 2:40 PM, Jeffrey Walton <noloader at gmail.com> wrote:
>>
>>> OpenSSL interprets the "extendedKeyUsage" extension in CA certificates
>>> as a restriction on the allowed extended key usages of leaf certificates
>>> that can be issued by that CA.
>>>
>>> You should typically not specify extended key usage for CA certificates
>>> at all, unless you mean to restrict them to specific purposes.
>>
>> The behavior is inconsistent with RFC 5280:
>>
>> 4.2.1.12. Extended Key Usage
>>
>> This extension indicates one or more purposes for which the certified
>> public key may be used, in addition to or in place of the basic
>> purposes indicated in the key usage extension. In general, this
>> extension will appear only in end entity certificates. This
>> extension is defined as follows ...
>
> We're well aware of this, but this is the de-facto behaviour of
> multiple implementations. This is an area in which RFC5280 fails
> to match the real world.
Apparently everyone did not get the memo :)
Maybe OpenSSL should allow users to choose between IETF issuing
policies and CA/Browser BR issuing policies.
Jeff
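As an added illustration of the CA-EKU behaviour Viktor describes (example script, not part of the thread): it builds two throwaway CAs, one with no EKU and one with extendedKeyUsage=serverAuth, issues a clientAuth leaf under each, and runs `openssl verify -purpose sslclient` (the purpose an EAP-TLS server applies to the supplicant chain) against both. It assumes only that the openssl command-line tool is installed; every name and file is constructed here.

```shell
#!/bin/sh
# Added example, not from the thread: OpenSSL applies a CA's extendedKeyUsage
# to the leaves it issues, so a clientAuth leaf chained to a CA that carries
# only serverAuth fails "-purpose sslclient" while the same leaf under an
# EKU-free CA passes. Assumes the openssl CLI is in PATH; nothing else.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Minimal req config with two CA extension profiles: no EKU vs. serverAuth only.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_plain]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ca_eku]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
extendedKeyUsage = serverAuth
EOF
# Leaf profile: a supplicant (clientAuth) certificate.
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > leaf.ext
# make_ca NAME PROFILE: self-signed CA using one of the profiles above.
make_ca() {
    openssl req -x509 -config req.cnf -extensions "$2" -newkey rsa:2048 -nodes \
        -sha256 -days 1 -subj "/CN=$1" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}
# issue_leaf CA: sign a clientAuth leaf under the named CA.
issue_leaf() {
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes -subj "/CN=supplicant" \
        -keyout "leaf-$1.key" -out "leaf-$1.csr" 2>/dev/null
    openssl x509 -req -in "leaf-$1.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
        -days 1 -sha256 -extfile leaf.ext -out "leaf-$1.crt" 2>/dev/null
}
# verify_client CA: prints "OK" or "FAIL" for the sslclient purpose against that CA.
verify_client() {
    if openssl verify -purpose sslclient -CAfile "$1.crt" "leaf-$1.crt" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

make_ca plain ca_plain
make_ca restricted ca_eku
issue_leaf plain
issue_leaf restricted
echo "CA without EKU:         $(verify_client plain)"        # OK
echo "CA with EKU=serverAuth: $(verify_client restricted)"   # FAIL
```

Adding clientAuth to the restricted CA's EKU (or dropping the extension, as Viktor suggests) is what makes the second chain verify again.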