Re: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I got it wrong. The failing cert from your log is actually the intermediate, which has five extensions:

>> Object 00: X509v3 Subject Key Identifier: 58:A4:EB:D9:DD:CE:A2:99:72:3B:E1:20:19:1D:40:C1:F9:D5:C2:28
>> Object 01: X509v3 Authority Key Identifier: keyid:E2:E9:20:42:29:83:C4:77:8C:87:AB:FA:4B:A1:A9:C4:CE:00:BD:39
>> Object 02: X509v3 Basic Constraints: CA:TRUE, pathlen:0
>> Object 03: X509v3 Key Usage: Digital Signature, Certificate Sign, CRL Sign
>> Object 04: X509v3 Extended Key Usage: TLS Web Server Authentication

This is were I would check first.

I am not fully sure, but believe that Extended Key Usage should *not* be there.

Frank

Saturday, January 20, 2018 11:29 AM
Hi Robert,


error 26 : unsupported certificate purpose

It seems the cert gets declined because of a problem with cert
extensions. "keyUsage" or "extendedKeyUsage" are typical candidates. In
your case, the leaf certificate "CAPF-91d43ef6" has two extensions:

Object 00: X509v3 Key Usage
  Digital Signature, Key Encipherment

Object 01: X509v3 Extended Key Usage
  TLS Web Server Authentication, TLS Web Client Authentication, IPSec End System

I would check if an extension is now missing/newly required, or no
longer recognized. Try check for differences in the openssl.cnf and
freeradius config files between the old Debian system and the new one.

Some EAP TLS guides (incl. Cisco) also list extensions "nonRepudiation" and "dataEncipherment", but this is just a guess since you mentioned it works on the old system.


I have some problems with new Cisco CAPF certs

What is the authenticating device? Cisco IP phone?

Cheers,
Frank
Friday, January 19, 2018 11:12 PM

Dear OpenSSL Team,

 

I have some problems with new Cisco CAPF certs and freeradius tls authentification. The point is, that freeradius users see the problem on openssl implemtiation.

 

<SNIP: DEBUG>

(69) eap_tls: Continuing EAP-TLS

(69) eap_tls: Peer indicated complete TLS record size will be 1432 bytes

(69) eap_tls: Got complete TLS record (1432 bytes)

(69) eap_tls: [eaptls verify] = length included

(69) eap_tls: TLS_accept: SSLv3/TLS write server done

(69) eap_tls: <<< recv TLS 1.0 Handshake [length 03c2], Certificate

(69) eap_tls: Creating attributes from certificate OIDs

(69) eap_tls:   TLS-Cert-Serial := "1009"

(69) eap_tls:   TLS-Cert-Expiration := "380111125719Z"

(69) eap_tls:   TLS-Cert-Subject := "/C=DE/ST=Sachsen/L=Leipzig/O=DBFZ Deutsches Biomasseforschungszentrum gGmbH/OU=IT/CN=CAPF-91d43ef6"

(69) eap_tls:   TLS-Cert-Issuer := "/C=DE/ST=Sachsen/L=Leipzig/O=DBFZ Deutsches Biomasseforschungszentrum gemeinnuetzige GmbH/OU=IT/CN=DBFZ CA INTERN ROOT/emailAddress=support@xxxxxxx"

(69) eap_tls:   TLS-Cert-Common-Name := "CAPF-91d43ef6"

(69) eap_tls:   ERROR: SSL says error 26 : unsupported certificate purpose

(69) eap_tls: >>> send TLS 1.0 Alert [length 0002], fatal unsupported_certificate

(69) eap_tls: ERROR: TLS Alert write:fatal:unsupported certificate

tls: TLS_accept: Error in error

(69) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

(69) eap_tls: ERROR: System call (I/O) error (-1)

(69) eap_tls: ERROR: TLS receive handshake failed during operation

(69) eap_tls: ERROR: [eaptls process] = fail </DEBUG>

</SNIP>

 

This means, that the check of ca certificate is failed. So, bu I do not see, why. If i check the certificate by command openssl –verify, all sems to be right.

# openssl verify -verbose -CAfile /etc/freeradius/3.0/certs.8021x.ciscophone/cacert.capf.pem SEP64A0E714844E-L1.pem

# SEP64A0E714844E-L1.pem: OK

 

 

The openssl version is Debian based 1.1.0g-2. But the same error is happening on 1.1.0f also.

 

Older freeradius version 2 on Debian 8/openssl 1.0.1t-1+deb8u7 working fine without this problem (by using the same certificates)

 

The ca certificate are signed by an intern ca. Can anyone see the error??

 

Robert

 

 

 


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux