<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Environment is a client/server, with both ends checking the
certificates.</p>
<p>Compiled under OpenSSL 1.1.1s (yes, I know it needs updating and
it will be, but gotta fix this first).</p>
<p>Server certificate has the following extensions:</p>
<p> X509v3 extensions:<br>
Authority Information Access:<br>
OCSP - URI:<a class="moz-txt-link-freetext" href="http://ocsp.cudasystems.net:8888">http://ocsp.cudasystems.net:8888</a><br>
<br>
X509v3 Basic Constraints:<br>
CA:FALSE<br>
Netscape Cert Type:<br>
SSL Server<br>
X509v3 Key Usage: critical<br>
Digital Signature, Key Encipherment<br>
X509v3 Extended Key Usage:<br>
TLS Web Server Authentication, TLS Web Client
Authentication<br>
Netscape Comment:<br>
OpenSSL Generated Server Certificate<br>
X509v3 Subject Key Identifier:<br>
53:60:7B:09:2C:DF:4A:E9:F3:1F:1D:66:B9:21:D4:F1:0E:EC:61:68<br>
X509v3 Authority Key Identifier:<br>
keyid:5D:C0:5E:C2:A7:8D:D3:CD:0F:9F:9B:C5:51:02:18:AB:5C:D3:8E:CF<br>
DirName:/C=US/ST=Florida/L=Niceville/O=Cuda
Systems LLC/OU=Cuda Systems CA/CN=Cuda Systems LLC 2017 CA<br>
serial:E4:48:8A:82:10:CE:5E:BB:DF:C5:8C:63:21:35:D8:0D:D8:48<br>
<br>
X509v3 Subject Alternative Name:<br>
email:karl@denninger.net,
DNS:tnhouse.homedaemon.org<br>
</p>
<p>The client is able to follow the signature and verifies it.
However, the client certificate with the same extensions:</p>
<p> X509v3 extensions:<br>
Authority Information Access:<br>
OCSP - URI:<a class="moz-txt-link-freetext" href="http://ocsp.cudasystems.net:8888">http://ocsp.cudasystems.net:8888</a><br>
<br>
X509v3 Basic Constraints:<br>
CA:FALSE<br>
Netscape Cert Type:<br>
SSL Server<br>
X509v3 Key Usage: critical<br>
Digital Signature, Key Encipherment<br>
X509v3 Extended Key Usage:<br>
TLS Web Server Authentication, TLS Web Client
Authentication<br>
Netscape Comment:<br>
OpenSSL Generated Server Certificate<br>
X509v3 Subject Key Identifier:<br>
D0:34:4E:C7:2B:A1:52:A3:3A:DF:89:6F:FD:03:1C:E2:C8:2D:B5:45<br>
X509v3 Authority Key Identifier:<br>
keyid:5D:C0:5E:C2:A7:8D:D3:CD:0F:9F:9B:C5:51:02:18:AB:5C:D3:8E:CF<br>
DirName:/C=US/ST=Florida/L=Niceville/O=Cuda
Systems LLC/OU=Cuda Systems CA/CN=Cuda Systems LLC 2017 CA<br>
serial:E4:48:8A:82:10:CE:5E:BB:DF:C5:8C:63:21:35:D8:0D:D8:48<br>
<br>
X509v3 Subject Alternative Name:<br>
email:karl@denninger.net,
DNS:tnhouse-wm.homedaemon.org<br>
</p>
<p>Connects, but the server complains on verification that the
client cert supplied has "invalid purpose."</p>
<p>"TLS Web Client Authentication" <i>should</i> be ok as a client
certificate I'd expect -- but it isn't, and the server throws up
on it. Or is it that I must have the <i>type</i> defined as "client"
in "nsCertType"?<br>
</p>
<p>Feb 13 19:00:50 TnHouse HD-MCP[60420]: SSL ACCEPT Error
[certificate verify failed] on [::ffff:192.168.10.215] 26<br>
Feb 13 19:00:50 TnHouse HD-MCP[60420]: Slave do_accept SSL failed
for handle 13</p>
<p>Return code 26 is "invalid purpose"</p>
<p># define X509_V_ERR_INVALID_PURPOSE
26</p>
<p>Thanks in advance.</p>
<div class="moz-signature">-- <br>
Karl Denninger<br>
<a href="mailto:karl@denninger.net" class="moz-txt-link-freetext">karl@denninger.net</a><br>
<i>The Market Ticker</i><br>
<font size="-2"><i>[S/MIME encrypted email preferred]</i></font></div>
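<p>An added example, not part of the original post, that reproduces the
error with a throwaway CA (the CA name, subject, SAN and file names in it
are made up). OpenSSL's purpose check for a client certificate
(<code>X509_PURPOSE_SSL_CLIENT</code>) first requires the EKU to permit
clientAuth and then, if an nsCertType extension is present at all, requires
its "client" bit as well; a leaf carrying "Netscape Cert Type: SSL Server"
is therefore rejected as a client certificate with
<code>X509_V_ERR_INVALID_PURPOSE</code> (26) no matter what the EKU says.
The script issues three leaf certificates that differ only in nsCertType
and runs <code>openssl verify -purpose</code> against each:</p>

```shell
#!/bin/sh
# Added example (not from the original post): reproduce OpenSSL's
# "unsupported certificate purpose" (X509_V_ERR_INVALID_PURPOSE = 26)
# with a throwaway CA, then show that the "client" bit in nsCertType
# clears it. The CA, subjects, SAN and file names are all made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_CERT="$WORK/ca.crt"
CA_KEY="$WORK/ca.key"

# Minimal req config so the run does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = Example Test CA
[ca_ext]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed test CA, plus one end-entity key/CSR reused for every variant.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -config "$WORK/ca.cnf" -keyout "$CA_KEY" -out "$CA_CERT" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-client" \
    -config "$WORK/ca.cnf" -keyout "$WORK/ee.key" -out "$WORK/ee.csr" 2>/dev/null

# issue <nsCertType value> <output cert>
# Everything except nsCertType mirrors the extensions shown in the post:
# CA:FALSE, KU digitalSignature+keyEncipherment, EKU serverAuth+clientAuth.
issue() {
    cat > "$WORK/ee.cnf" <<EOF
basicConstraints = CA:FALSE
nsCertType       = $1
keyUsage         = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName   = DNS:ee.example.test
EOF
    openssl x509 -req -days 1 -in "$WORK/ee.csr" -CA "$CA_CERT" -CAkey "$CA_KEY" \
        -CAcreateserial -extfile "$WORK/ee.cnf" -out "$2" 2>/dev/null
}

# verify_error_code <cert> <sslclient|sslserver>
# Prints the X509_V_ERR_* number reported by "openssl verify -purpose",
# or 0 when the chain is accepted for that purpose.
verify_error_code() {
    if out=$(openssl verify -CAfile "$CA_CERT" -purpose "$2" "$1" 2>&1); then
        echo 0
    else
        echo "$out" | sed -n 's/^error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' | head -n 1
    fi
}

issue server        "$WORK/ns-server.crt"   # what the post's client cert has
issue client        "$WORK/ns-client.crt"
issue client,server "$WORK/ns-both.crt"

# Expected: ns-server fails only as sslclient, ns-client fails only as
# sslserver, ns-both passes for both (error 26 = invalid purpose).
for cert in ns-server ns-client ns-both; do
    for purpose in sslclient sslserver; do
        printf '%-10s as %-9s -> error %s\n' "$cert" "$purpose" \
            "$(verify_error_code "$WORK/$cert.crt" "$purpose")"
    done
done
```

<p>Run it with OpenSSL 1.1.1 or 3.x on the PATH. The check in
<code>openssl verify -purpose sslclient</code> is the same one the server
side runs on a presented client certificate, so the "server"-only variant
reproduces the return code 26 in the log above. Because the nsCertType test
only fires when the extension is present, omitting the
<code>nsCertType</code> line from the extension file behaves the same as
setting both bits; the EKU alone then decides.</p>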
</body>
</html>