Re: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed


 



Hello Frank.

Thank you for helping.

The CAPF certificates in Cisco CUCM systems have several functions, for example phone proxy services. Usually you create a certificate request on CUCM (CallManager) and have it signed by your internal CA. It is also possible for the CUCM CallManager to sign it itself. (The problem occurs with both.)

I use a CA certificate for CAPF which is signed by my internal root CA, which is based on OpenSSL.

So for a new phone, the CUCM CallManager generates and signs the phone client certificate, which is downloaded by the phone and used to check configuration signing and, in our problem case, as a client certificate for 802.1X TLS authentication.

In FreeRADIUS, the CAPF CA certificate is installed as a CA certificate for checking the client certs in the TLS authentication process. In FreeRADIUS 2 everything works fine and the phone client certificates are verified without any error.

The interesting thing is that the error is displayed for the CA (CAPF) certificate, not for the client certificates.

So I checked the attributes and extensions:

        X509v3 extensions:
            X509v3 Subject Key Identifier:
                58:A4:EB:D9:DD:CE:A2:99:72:3B:E1:20:19:1D:40:C1:F9:D5:C2:28
            X509v3 Authority Key Identifier:
                keyid:E2:E9:20:42:29:83:C4:77:8C:87:AB:FA:4B:A1:A9:C4:CE:00:BD:39
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication

In my interpretation everything is OK. Maybe the TLS Web Server Authentication is not usual, but it is mandatory according to Cisco. By the way, we use the minimal mandatory requirements from Cisco.

Best regards

Robert


From: Frank Migge [mailto:fm@xxxxxxxxxxxx]
Sent: Saturday, 20 January 2018 03:30
To: Gladewitz, Robert <Robert.Gladewitz@xxxxxxx>; openssl-users@xxxxxxxxxxx
Subject: Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

 

Hi Robert,
 
error 26 : unsupported certificate purpose
 
It seems the cert gets declined because of a problem with cert
extensions. "keyUsage" or "extendedKeyUsage" are typical candidates. In
your case, the leaf certificate "CAPF-91d43ef6" has two extensions:
 
Object 00: X509v3 Key Usage
  Digital Signature, Key Encipherment
 
Object 01: X509v3 Extended Key Usage
  TLS Web Server Authentication, TLS Web Client Authentication, IPSec End System
 
I would check whether an extension is now missing/newly required, or no
longer recognized. Try checking for differences in the openssl.cnf and
freeradius config files between the old Debian system and the new one.
 
Some EAP TLS guides (incl. Cisco) also list extensions "nonRepudiation" and "dataEncipherment", but this is just a guess since you mentioned it works on the old system.
 
I have some problems with new Cisco CAPF certs
 
What is the authenticating device? Cisco IP phone?
 
Cheers,
Frank

Attachment: cacert.capf.pem
Description: cacert.capf.pem

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
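A way to see for yourself what OpenSSL's verifier does with a CA whose critical Extended Key Usage lists only TLS Web Server Authentication, as an added example that is not code from this thread, from FreeRADIUS or from Cisco: the script below builds a throwaway CA with the same Basic Constraints, Key Usage and EKU as the CAPF CA Robert dumped, issues a phone-style client certificate under it (the Key Usage and EKU Frank listed for the CAPF leaf), and runs "openssl verify -purpose sslclient", the purpose a TLS server such as FreeRADIUS EAP-TLS applies to the whole chain a client presents. For comparison it repeats the build with a CA that also lists TLS Web Client Authentication and with a CA that carries no EKU at all. The names (Test-CAPF-..., SEP001122334455) are made up for the example; it assumes an openssl binary on PATH and writes only into a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce OpenSSL's
# "unsupported certificate purpose" (X509_V_ERR_INVALID_PURPOSE, error 26)
# by issuing a phone client certificate under a test CA whose critical
# extendedKeyUsage lists only serverAuth, as the CAPF CA in the thread does,
# then verifying it for the purpose a TLS server applies to a client chain.
# Subject names below are invented for this example.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# $1 = scenario label, $2 = CA extendedKeyUsage value ("" = no EKU extension).
# Builds the CA and a client cert under it, prints the output of
# "openssl verify -purpose sslclient" and returns its exit status.
verify_with_ca_eku() {
    label=$1
    eku=$2
    d="$WORK/$label"
    mkdir -p "$d"

    # CA profile: same Basic Constraints / Key Usage shape as the CAPF CA dump
    {
        echo "[req]"
        echo "distinguished_name = dn"
        echo "x509_extensions = v3_ca"
        echo "prompt = no"
        echo "[dn]"
        echo "CN = Test-CAPF-$label"
        echo "[v3_ca]"
        echo "subjectKeyIdentifier = hash"
        echo "basicConstraints = critical, CA:TRUE, pathlen:0"
        echo "keyUsage = critical, digitalSignature, keyCertSign, cRLSign"
        if [ -n "$eku" ]; then
            echo "extendedKeyUsage = critical, $eku"
        fi
    } > "$d/ca.cnf"
    openssl req -new -x509 -days 1 -nodes -newkey rsa:2048 \
        -config "$d/ca.cnf" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null

    # Phone client cert: Key Usage / EKU as Frank listed for the CAPF leaf
    {
        echo "[req]"
        echo "distinguished_name = dn"
        echo "prompt = no"
        echo "[dn]"
        echo "CN = SEP001122334455"
        echo "[v3_phone]"
        echo "keyUsage = critical, digitalSignature, keyEncipherment"
        echo "extendedKeyUsage = serverAuth, clientAuth"
    } > "$d/phone.cnf"
    openssl req -new -nodes -newkey rsa:2048 -config "$d/phone.cnf" \
        -keyout "$d/phone.key" -out "$d/phone.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/phone.csr" \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -extfile "$d/phone.cnf" -extensions v3_phone \
        -out "$d/phone.pem" 2>/dev/null

    # -purpose sslclient is what a TLS server applies to a presented client
    # chain; every certificate in the chain, CA included, must pass it.
    openssl verify -purpose sslclient -CAfile "$d/ca.pem" "$d/phone.pem" 2>&1
}

# Three CA variants: EKU serverAuth only (the CAPF case), EKU with clientAuth, no EKU
for scenario in "serveronly:serverAuth" "both:serverAuth,clientAuth" "noeku:"; do
    label=${scenario%%:*}
    eku=${scenario#*:}
    printf '%-10s CA EKU=%-24s ' "$label" "${eku:-(none)}"
    if out=$(verify_with_ca_eku "$label" "$eku"); then
        echo "verify OK"
    else
        echo "verify FAILED:"
        echo "$out" | sed 's/^/    /'
    fi
done
```

The first scenario is the one that fails, and it fails with "error 26 at 1 depth lookup: unsupported certificate purpose", i.e. the error is attributed to the CA certificate at depth 1, not to the phone certificate at depth 0, which matches what Robert observes. The purpose check is applied to each certificate in the chain: a certificate that carries an EKU extension is rejected for the sslclient purpose when that EKU omits TLS Web Client Authentication, regardless of whether it is a CA or a leaf. A CA with both usages, or with no EKU extension, passes the same check with the same phone certificate. To confirm what a real CA file carries, "openssl x509 -in cacert.capf.pem -noout -ext extendedKeyUsage" prints just that extension (the -ext option exists from OpenSSL 1.1.1 on).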
