Hello Michael,

So, I think there will be a lot of problems for many infrastructures in the future, if all software uses functions based on OpenSSL >1.1.0. But I am using my own root CA, created at the time of OpenSSL 1.0.0. What can I do when Cisco needs the Extended Key Usage?

Robert

-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of Michael Ströder
Sent: Saturday, 20 January 2018 11:59
To: openssl-users@xxxxxxxxxxx; Viktor Dukhovni <openssl-users@xxxxxxxxxxxx>
Subject: Re: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

Viktor Dukhovni wrote:
>> On Jan 19, 2018, at 10:09 PM, Frank Migge <fm@xxxxxxxxxxxx> wrote:
>>
>>>> Object 04: X509v3 Extended Key Usage: TLS Web Server Authentication
>>
>> This is where I would check first.
>>
>> I am not fully sure, but believe that Extended Key Usage should *not* be there.
>
> Indeed the intermediate CA should either not have an extendedKeyUsage,
> or that keyUsage should include the desired "purpose".

Full ack. But unfortunately M$ implemented this requirement to add such a value to the Extended Key Usage of intermediate CA certs, violating X.509 and RFC 5280. And now all PKI lemmings are following this crap.

=> use your own CA

Ciao, Michael.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
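The failure discussed in this thread, reproduced with the openssl CLI as an added example (this script is not from the thread, from FreeRADIUS or from OpenSSL; the CA names, subjects and file names are invented for the demo). It builds a root CA, signs the same intermediate key three times (extendedKeyUsage = serverAuth only, no extendedKeyUsage at all, and serverAuth plus clientAuth), issues one EAP-TLS client certificate under it, and checks the client certificate against each intermediate with `openssl verify -purpose sslclient`, which is the purpose OpenSSL applies to every certificate in the chain when a TLS server verifies a client certificate. Only the serverAuth-only intermediate is rejected ("unsupported certificate purpose"); both of the fixes Viktor names, dropping the EKU or adding clientAuth to it, make the chain verify.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.  Requires the openssl
# CLI (1.1.x or 3.x).  Everything below (CA names, subjects, file names) is
# invented for the demonstration.
set -e

# Extension profiles for the demo PKI.  Only the [inter_*] sections differ,
# and only in the intermediate CA's extendedKeyUsage.
write_ext_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]

[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

# Intermediate as the thread's problem PKI issued it: EKU = serverAuth only.
[inter_serverauth]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
extendedKeyUsage = serverAuth

# Fix 1: no extendedKeyUsage on the intermediate at all.
[inter_noeku]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign

# Fix 2: EKU present, but it lists every purpose the issued certs need.
[inter_both]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
extendedKeyUsage = serverAuth, clientAuth

# End-entity certificate presented by the EAP-TLS supplicant.
[client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# build_pki DIR: root CA, one intermediate key signed under three profiles,
# and one client certificate issued by that intermediate key.
build_pki() {
    dir="$1"; cnf="$dir/ext.cnf"
    write_ext_cnf "$cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
        -out "$dir/root.crt" -days 30 -subj "/CN=Demo Root CA" \
        -config "$cnf" -extensions v3_root >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/inter.key" \
        -out "$dir/inter.csr" -subj "/CN=Demo Intermediate CA" \
        -config "$cnf" >/dev/null 2>&1
    for profile in inter_serverauth inter_noeku inter_both; do
        openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.crt" \
            -CAkey "$dir/root.key" -CAcreateserial -days 30 \
            -extfile "$cnf" -extensions "$profile" \
            -out "$dir/$profile.crt" >/dev/null 2>&1
    done
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/client.key" \
        -out "$dir/client.csr" -subj "/CN=supplicant@example.test" \
        -config "$cnf" >/dev/null 2>&1
    # Signed with inter.key, so it chains to any of the three intermediate
    # certificates (same subject, same key, different extensions).
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/inter_noeku.crt" \
        -CAkey "$dir/inter.key" -CAcreateserial -days 30 \
        -extfile "$cnf" -extensions client \
        -out "$dir/client.crt" >/dev/null 2>&1
}

# verify_client DIR INTER_CRT: the check a TLS server (FreeRADIUS through
# OpenSSL) applies to a peer certificate: chain to the root and require the
# "sslclient" purpose on every certificate in the chain, CAs included.
# Prints "accepted" or "rejected".
verify_client() {
    if openssl verify -purpose sslclient -CAfile "$1/root.crt" \
            -untrusted "$1/$2" "$1/client.crt" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

WORK="$(mktemp -d)"
build_pki "$WORK"
for profile in inter_serverauth inter_noeku inter_both; do
    printf '%-18s %s\n' "$profile" "$(verify_client "$WORK" "$profile.crt")"
done
# OpenSSL's own wording for the rejected case (error 26 at depth 1,
# "unsupported certificate purpose"):
openssl verify -purpose sslclient -CAfile "$WORK/root.crt" \
    -untrusted "$WORK/inter_serverauth.crt" "$WORK/client.crt" || :
```

Because the three intermediates share one key and one subject, the only variable between the runs is the EKU on the CA certificate, which is exactly what the error depends on. To check a real deployment, run the same `openssl verify -purpose sslclient` against the actual root, intermediate and supplicant certificate; if it fails at depth 1 with "unsupported certificate purpose", the intermediate's EKU is the cause.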