[openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

Gladewitz, Robert Robert.Gladewitz at dbfz.de
Mon Jan 22 20:21:55 UTC 2018


Hello Viktor,

Sorry, I did not mean to upset you.

Somehow I seem to have misunderstood something.

The CAPF certificate is the CA certificate he goes for? 
Cisco states that this certificate requires both CA and the extended key "TLS Web Server Authentification"?

Viktor, can you please write me directly??

Robert

-----Ursprüngliche Nachricht-----
Von: openssl-users [mailto:openssl-users-bounces at openssl.org] Im Auftrag von Viktor Dukhovni
Gesendet: Montag, 22. Januar 2018 20:50
An: openssl-users at openssl.org
Betreff: Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed



> On Jan 22, 2018, at 12:07 PM, Gladewitz, Robert via openssl-users <openssl-users at openssl.org> wrote:
> 
> the problem is, that i cant change the cisco implementation :-(.

YOU DO NOT need to change the Cisco implementation.

> Cisco tell me, the capf implemtation is following all rfc documents.

Nothing Cisco is telling you requires your issuing CA to have an extended key usage listing just "TLS Web Server Authentication".

> If you are right,
> i cant use any freeradius implementation, because there are based on 
> openssl. There is no option in freeradius, to ignore some think like this.

Your problem is a misconfigured CA certificate.  Make sure your *CA* certificate has no extended key usage specified, OR has *all* the key usages specified that are required by any leaf certificate it will issue.

> For my understanding, CA certificate may have these exteded keys - 
> it's just something out of the ordinary.

The extended key usages on the CA are interpreted to LIMIT the key usages of certificates it can issue.  You can certainly use this extension, but then expect the CA to be invalid for key usages you did not list.

> So, you mean, there is no chance to get this correct rfc 
> interpretation to openssl?

"Correct" is in the eye of the beholder.  The RFC5280 alternative to using the extended key usage (X.509 policy) is a complex mess.  Many implementations do the sensible thing and overload the extended key usage instead.  OpenSSL is among these and this is unlikely to change.

-- 
	Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


More information about the openssl-users mailing list