[openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

Viktor Dukhovni openssl-users at dukhovni.org
Mon Jan 22 22:11:01 UTC 2018



> On Jan 22, 2018, at 3:21 PM, Gladewitz, Robert via openssl-users <openssl-users at openssl.org> wrote:
> 
> Sorry, I did not mean to upset you.

I am not at all upset, just trying to be clear.

> Somehow I seem to have misunderstood something.

Yes.  Your CA has an EKU extension.  It should either not be present,
or list *all* the purposes for which the CA will issue leaf certificates.

If you're right (I don't think this is actually true) that the CA must
have "TLS Web Server Authentication" in its EKU (why?), then it must
also have at least "TLS Web Client Authentication", to allow the CA to
be used to authenticate TLS clients.

> The CAPF certificate is the CA certificate he goes for?
> Cisco states that this certificate requires both CA and
> the extended key "TLS Web Server Authentification"?

I bet that only the leaf certificate needs "TLS Web Server Authentification",
but if for some reason the CA certificate also needs "TLS Web Server Authentification"
then you'll need to also include "TLS Web Client Authentification" (in the
CA certificate).

-- 
	Viktor.
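The point in the reply above, as an added, runnable demonstration (this is not code from the thread, from OpenSSL or from FreeRADIUS): a throwaway CA is built three ways, with no EKU, with an EKU of serverAuth only, and with serverAuth plus clientAuth, and a clientAuth leaf is issued from each. `openssl verify -purpose sslclient` is the same purpose check a TLS server such as FreeRADIUS applies to an EAP-TLS client chain, so the serverAuth-only CA is the one that surfaces as "certificate verify failed". All names, paths and the `chain_result` helper are constructed for this demo; it only needs the `openssl` command-line tool.

```shell
#!/bin/sh
# Added demo (not from the thread): a CA certificate whose EKU lists only
# serverAuth makes OpenSSL reject the whole chain for client authentication.
# Every name and path here is constructed for the demo.
set -eu

WORK=$(mktemp -d)

# chain_result EKU_LINE LABEL
#   Builds a throwaway CA carrying EKU_LINE (empty string = no EKU at all),
#   issues a clientAuth leaf from it, and prints "ok" if the chain passes
#   `openssl verify -purpose sslclient`, or "rejected" otherwise.
chain_result() {
    eku="$1"
    label="$2"
    d="$WORK/$label"
    mkdir -p "$d"

    # CA config; the last line of [ca_ext] is the EKU under test (or nothing)
    cat > "$d/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Demo Root CA ($label)
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
$eku
EOF
    # Self-signed CA (EC key, quick to generate)
    openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout "$d/ca.key" -out "$d/ca.pem" -days 30 \
        -config "$d/ca.cnf" >/dev/null 2>&1

    # Leaf: an ordinary TLS client certificate (EKU clientAuth only)
    cat > "$d/leaf.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = demo-supplicant
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        -config "$d/leaf.cnf" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/leaf.pem" -days 30 \
        -extfile "$d/leaf.cnf" -extensions leaf_ext >/dev/null 2>&1

    # -purpose sslclient: the check a TLS server applies to a client chain.
    # OpenSSL applies it to every certificate in the chain, the CA included.
    if openssl verify -purpose sslclient -CAfile "$d/ca.pem" "$d/leaf.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo rejected
    fi
}

# The three CA variants discussed in the reply
echo "no EKU on CA:               $(chain_result '' none)"
echo "serverAuth only on CA:      $(chain_result 'extendedKeyUsage = serverAuth' server_only)"
echo "serverAuth+clientAuth on CA: $(chain_result 'extendedKeyUsage = serverAuth,clientAuth' both)"
```

Expected output is `ok`, `rejected`, `ok`. To see the same thing on a real CA certificate without building a chain, `openssl x509 -in ca.pem -noout -purpose` prints a "SSL client CA : No" line for a CA whose EKU omits clientAuth; that is the quickest check to run on the CAPF CA before loading it into FreeRADIUS.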


