Re: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

["Gladewitz, Robert via openssl-users" <openssl-users@xxxxxxxxxxx>]

Hello Frank.

 

Thank your for helping J.

 

The CAPF certificates in cisco CUCM Systems have some functions, for example phone proxy services. Usually, you create a certificate reqest on CUCM (Callmanager) and you will signed by you internal ca. Also it is possible, that the CUCM callmanager signed by self. (On both, the problem are happening)

 

I use a signed ca certificate for CAPF, with is signed by my internal root ca, wich is bases on openssl.

 

So, for new phone, the CUCM callmanager generate and sign the phone client certificate, wich is downloaded from the phone and used for check configuration signing und in our problem case use as a client certificate for 802.1x tls authentification.

 

In freeradius, the CAPF CA certificate is installed as a CA certificatge for check the clients certs in tls authentification processes. In freeradius2 anything is working fine and the phone client certificates is verify without any error.

 

The interesst think is, that the error is display for  the ca (CAPF) certificate, not for the client certificates.

 

So, i check the attributes and extensions:

 

        X509v3 extensions:

            X509v3 Subject Key Identifier:

                58:A4:EB:D9:DD:CE:A2:99:72:3B:E1:20:19:1D:40:C1:F9:D5:C2:28

            X509v3 Authority Key Identifier:

                keyid:E2:E9:20:42:29:83:C4:77:8C:87:AB:FA:4B:A1:A9:C4:CE:00:BD:39

 

            X509v3 Basic Constraints: critical

                CA:TRUE, pathlen:0

            X509v3 Key Usage: critical

                Digital Signature, Certificate Sign, CRL Sign

            X509v3 Extended Key Usage: critical

                TLS Web Server Authentication

 

 

For my interpretation, anything ist ok. May the TLS Web Server Authentication is not usual, but it is mandodary by cisco. On the way, we use the minimal mandodary requirements from cisco.

 

Vg

Robert

 

 

 

Von: Frank Migge [mailto:fm@xxxxxxxxxxxx]
Gesendet: Samstag, 20. Januar 2018 03:30
An: Gladewitz, Robert <Robert.Gladewitz@xxxxxxx>; openssl-users@xxxxxxxxxxx
Betreff: Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

 

Hi Robert,

error 26 : unsupported certificate purpose

It seems the cert gets declined because of a problem with cert

extensions. "keyUsage" or "extendedKeyUsage" are typical candidates. In

your case, the leaf certificate "CAPF-91d43ef6" has two extensions:

Object 00: X509v3 Key Usage

  Digital Signature, Key Encipherment

Object 01: X509v3 Extended Key Usage

  TLS Web Server Authentication, TLS Web Client Authentication, IPSec End System

I would check if an extension is now missing/newly required, or no

longer recognized. Try check for differences in the openssl.cnf and

freeradius config files between the old Debian system and the new one.

Some EAP TLS guides (incl. Cisco) also list extensions "nonRepudiation" and "dataEncipherment", but this is just a guess since you mentioned it works on the old system.

I have some problems with new Cisco CAPF certs

What is the authenticating device? Cisco IP phone?

Cheers,

Frank

Attachment: cacert.capf.pem
Description: cacert.capf.pem

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users