Why this error (should, from what I understand, be ok)
Karl Denninger
karl at denninger.net
Tue Feb 14 00:56:22 UTC 2023
Environment is a client/server, with both ends checking the certificates.
Compiled under OpenSSL 1.1.1s (yes, I know it needs updating and it will
be, but gotta fix this first.)
Server certificate has the following extensions:
X509v3 extensions:
    Authority Information Access:
        OCSP - URI:http://ocsp.cudasystems.net:8888
    X509v3 Basic Constraints:
        CA:FALSE
    Netscape Cert Type:
        SSL Server
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
    Netscape Comment:
        OpenSSL Generated Server Certificate
    X509v3 Subject Key Identifier:
        53:60:7B:09:2C:DF:4A:E9:F3:1F:1D:66:B9:21:D4:F1:0E:EC:61:68
    X509v3 Authority Key Identifier:
        keyid:5D:C0:5E:C2:A7:8D:D3:CD:0F:9F:9B:C5:51:02:18:AB:5C:D3:8E:CF
        DirName:/C=US/ST=Florida/L=Niceville/O=Cuda Systems LLC/OU=Cuda Systems CA/CN=Cuda Systems LLC 2017 CA
        serial:E4:48:8A:82:10:CE:5E:BB:DF:C5:8C:63:21:35:D8:0D:D8:48
    X509v3 Subject Alternative Name:
        email:karl at denninger.net, DNS:tnhouse.homedaemon.org
The client is able to follow the signature and verifies it. However, the
client certificate with the same extensions:
X509v3 extensions:
    Authority Information Access:
        OCSP - URI:http://ocsp.cudasystems.net:8888
    X509v3 Basic Constraints:
        CA:FALSE
    Netscape Cert Type:
        SSL Server
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
    Netscape Comment:
        OpenSSL Generated Server Certificate
    X509v3 Subject Key Identifier:
        D0:34:4E:C7:2B:A1:52:A3:3A:DF:89:6F:FD:03:1C:E2:C8:2D:B5:45
    X509v3 Authority Key Identifier:
        keyid:5D:C0:5E:C2:A7:8D:D3:CD:0F:9F:9B:C5:51:02:18:AB:5C:D3:8E:CF
        DirName:/C=US/ST=Florida/L=Niceville/O=Cuda Systems LLC/OU=Cuda Systems CA/CN=Cuda Systems LLC 2017 CA
        serial:E4:48:8A:82:10:CE:5E:BB:DF:C5:8C:63:21:35:D8:0D:D8:48
    X509v3 Subject Alternative Name:
        email:karl at denninger.net, DNS:tnhouse-wm.homedaemon.org
Connects, but the server complains on verification that the client cert
supplied has "invalid purpose."
"TLS Web Client Authentication" /should/ be ok as a client certificate
I'd expect -- but it isn't, and the server throws up on it. Or is it
that I must have the *type* defined as "client" in "nsCertType"?
Feb 13 19:00:50 TnHouse HD-MCP[60420]: SSL ACCEPT Error [certificate verify failed] on [::ffff:192.168.10.215] 26
Feb 13 19:00:50 TnHouse HD-MCP[60420]: Slave do_accept SSL failed for handle 13
Return code 26 is "invalid purpose"
# define X509_V_ERR_INVALID_PURPOSE 26
Thanks in advance.
--
Karl Denninger
karl at denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/
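A check that reproduces the "invalid purpose" result offline, as an added example that is not part of the original post and not OpenSSL's own code: OpenSSL's sslclient purpose check rejects a leaf certificate whose Netscape Cert Type extension is present but lacks the client bit, whatever the Extended Key Usage says, and the sslserver check does the mirror image. The script builds a throwaway CA and two leaf certificates that share the key usage and EKU shown in the post (serverAuth plus clientAuth) and differ only in nsCertType, then runs `openssl verify -purpose` against each. It assumes only that the openssl command-line tool is on PATH; every name, key and file is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: reproduce OpenSSL's
# X509_V_ERR_INVALID_PURPOSE (error 26) offline by verifying a leaf
# certificate for the "sslclient" and "sslserver" purposes with
# nsCertType = server versus nsCertType = client. Everything here
# (CA, names, files) is constructed; only the openssl CLI is assumed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed CA (constructed). Its extensions come from an
# extfile so the result does not depend on the local openssl.cnf.
printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' \
  > "$WORK/ca_ext.cnf"
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
  -extfile "$WORK/ca_ext.cnf" -out "$WORK/ca.pem" >/dev/null 2>&1

# One leaf key and CSR, reused for both variants (constructed).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-client" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1

# make_leaf <nsCertType value> <output PEM>
# Same key usage and EKU (serverAuth + clientAuth) as the certificates in
# the post; only the Netscape Cert Type differs between the two variants.
make_leaf() {
  cat > "$WORK/ext_$1.cnf" <<EOF
basicConstraints = CA:FALSE
nsCertType = $1
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/ext_$1.cnf" -out "$2" >/dev/null 2>&1
}

# verify_purpose <cert PEM> <purpose>
# Prints "ok" when the chain verifies for that purpose, otherwise the
# numeric X509_V_ERR code that "openssl verify" reports (26 = invalid purpose).
verify_purpose() {
  if out=$(openssl verify -CAfile "$WORK/ca.pem" -purpose "$2" "$1" 2>&1); then
    echo ok
  else
    echo "$out" \
      | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' \
      | head -n 1
  fi
}

make_leaf server "$WORK/ns_server.pem"
make_leaf client "$WORK/ns_client.pem"

# Cross-check both certificates against both purposes.
for cert in ns_server ns_client; do
  for purpose in sslclient sslserver; do
    printf '%-10s %-10s %s\n' "$cert" "$purpose" \
      "$(verify_purpose "$WORK/$cert.pem" "$purpose")"
  done
done
```

The run prints four lines; `ns_server sslclient 26` and `ns_client sslserver 26` are the two rejections, while each certificate passes the purpose its nsCertType names. The same one-liner, `openssl verify -CAfile <ca> -purpose sslclient <cert>`, can be pointed at a real client certificate to get the same verdict without a live handshake, which is a cheaper way to confirm what a server-side "certificate verify failed" with code 26 is objecting to.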