[openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

Jeffrey Walton noloader at gmail.com
Tue Jan 23 02:39:15 UTC 2018


On Mon, Jan 22, 2018 at 9:27 PM, Salz, Rich <rsalz at akamai.com> wrote:
> > I don't see CA/Browser Forums listed, but I do see RFC 3280 listed.
>
> The page also says it’s “casually maintained.”  Feel free to create a PR on openssl/web repo. :)
>
> IETF RFCs aren’t perfect; that’s why there are errata.  Dragging this all the way to “we’re ignoring the words” is not accurate.  Someone who wants to argue that OpenSSL is doing the wrong thing here should go to the IETF LAMPS WG and raise the issue.

If OpenSSL wants to change the standard so that it aligns with the
project's implementation then the project should go to LAMPS.
Otherwise, the project is acting without authority. OpenSSL cannot
arbitrarily decide to do something else on a suggestion or a whim.

You know, this issue could have been sidestepped by providing both
behaviors, making one default, and allowing the user to make the
choice. Instead, the project wrapped its arms around the solution that
broke interop.

I can't help but wonder, doesn't anyone think these decisions through?

Thank god Andy has not broken AES interop by whitening AES keys
because some people think it is a good idea.

Jeff
