[openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

[Viktor Dukhovni]

> On Jan 22, 2018, at 12:07 PM, Gladewitz, Robert via openssl-users <openssl-users at openssl.org> wrote:
> 
> the problem is, that i cant change the cisco implementation :-(.

YOU DO NOT need to change the Cisco implementation.

> Cisco tell me, the capf implemtation is following all rfc documents.

Nothing Cisco is telling you requires your issuing CA to have an
extended key usage listing just "TLS Web Server Authentication".

> If you are right,
> i cant use any freeradius implementation, because there are based on
> openssl. There is no option in freeradius, to ignore some think like this.

Your problem is a misconfigured CA certificate.  Make sure your *CA*
certificate has no extended key usage specified, OR has *all* the key
usages specified that are required by any leaf certificate it will issue.

> For my understanding, CA certificate may have these exteded keys - it's just
> something out of the ordinary.

The extended key usages on the CA are interpreted to LIMIT the key usages
of certificates it can issue.  You can certainly use this extension, but
then expect the CA to be invalid for key usages you did not list.

> So, you mean, there is no chance to get this correct rfc interpretation
> to openssl?

"Correct" is in the eye of the beholder.  The RFC5280 alternative to
using the extended key usage (X.509 policy) is a complex mess.  Many
implementations do the sensible thing and overload the extended key
usage instead.  OpenSSL is among these and this is unlikely to change.

-- 
	Viktor.