Re: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed


Hello Viktor,

Hmm, we have only a self-signed root CA and the CAPF is directly below it. And the extended key usage is mandatory by Cisco.

You mean the only solution is that the root CA also has the same extendedKeyUsage?

Robert



 

-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of Viktor Dukhovni
Sent: Saturday, 20 January 2018 05:34
To: openssl-users@xxxxxxxxxxx
Subject: Re:  TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed



> On Jan 19, 2018, at 10:09 PM, Frank Migge <fm@xxxxxxxxxxxx> wrote:
> 
> >> Object 04: X509v3 Extended Key Usage: TLS Web Server Authentication
> 
> This is where I would check first. 
> 
> I am not fully sure, but believe that Extended Key Usage should *not* be there.

Indeed the intermediate CA should either not have an extendedKeyUsage, or that keyUsage should include the desired "purpose".  The handling of the purpose of intermediate certificates was made more uniform in OpenSSL 1.1.0 (whether the certificate is from the cert store or the remote peer is no longer material).
This and related changes can affect whether a chain is still valid with 1.1.0 and beyond.

-- 
	Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
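
The extendedKeyUsage rule for intermediate CAs discussed in this thread can be reproduced with the `openssl` CLI (1.1.0 or later). This is an added example, not part of the original messages: the subject names, file names and the helper functions `issue`, `build` and `check_chain` are constructed for the demonstration, and the root is deliberately issued without any extendedKeyUsage.

```shell
#!/bin/sh
# Added example; every subject name and file name below is constructed for the demo.

# issue NAME SUBJECT EXTFILE [ISSUER]: new key and CSR, signed by ISSUER (self-signed if none).
issue() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "$2" 2>/dev/null || return 1
    if [ -n "${4:-}" ]; then
        openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
            -extfile "$3" -days 2 -out "$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -signkey "$1.key" \
            -extfile "$3" -days 2 -out "$1.pem" 2>/dev/null
    fi
}

# build EKU: root (no EKU) -> intermediate (EKU as given, "" omits it) -> client leaf.
build() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
    cp root.ext ica.ext
    if [ -n "$1" ]; then printf 'extendedKeyUsage=%s\n' "$1" >> ica.ext; fi
    printf 'extendedKeyUsage=clientAuth\n' > leaf.ext
    issue root '/CN=Demo Root' root.ext &&
    issue ica '/CN=Demo Intermediate' ica.ext root &&
    issue leaf '/CN=Demo Client' leaf.ext ica
}

# check_chain EKU: prints "accepted" or "rejected" for a TLS client-auth verification.
check_chain() {
    d=$(mktemp -d) || return 1
    if ! ( cd "$d" && build "$1" ); then rm -rf "$d"; echo setup-error; return 1; fi
    if out=$(openssl verify -purpose sslclient -CAfile "$d/root.pem" \
                 -untrusted "$d/ica.pem" "$d/leaf.pem" 2>&1); then
        r=accepted
    else
        r=rejected; echo "$out" >&2   # OpenSSL's own reason for the rejection
    fi
    rm -rf "$d"; echo "$r"
}

# Three intermediates: serverAuth only, no EKU at all, serverAuth plus clientAuth.
for eku in serverAuth '' serverAuth,clientAuth; do
    printf 'intermediate EKU=%-24s -> %s\n' "'$eku'" "$(check_chain "$eku")"
done
```

Only the first chain is rejected; the client certificate and the root are identical in all three runs, so the intermediate's extendedKeyUsage is the only variable.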



