Re: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

> On Jan 21, 2018, at 7:34 AM, Gladewitz, Robert via openssl-users <openssl-users@xxxxxxxxxxx> wrote:
> 
> If I understand you right, then I need to add "TLS Web Client Authentication"
> to the CAPF certificate.

Or better still, remove the "ExtendedKeyUsage" extension from the CA
certificate and thus specify neither "TLS Web Client Authentication",
nor "TLS Web Server Authentication".  When you "tag" a CA certificate
with a given list of "purpose" OIDs, it is then not considered valid
for the purposes that are not listed.

> But I have a question. In FreeRADIUS I use the CAPF cert only as a CA
> cert, not as a server or client cert. Its only function is to check
> that the client cert is signed by CAPF. Just for this check, does the CA
> need "TLS Web Client Authentication"?

OpenSSL interprets the "extendedKeyUsage" extension in CA certificates
as a restriction on the allowed extended key usages of leaf certificates
that can be issued by that CA.

You should typically not specify extended key usage for CA certificates
at all, unless you mean to restrict them to specific purposes.

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
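The behaviour Viktor describes can be reproduced with the openssl command-line tool. The script below is an added example and is not part of the list message: it builds a throwaway CA plus a leaf certificate carrying "TLS Web Client Authentication" (clientAuth), and then asks `openssl verify -purpose sslclient` whether the leaf is acceptable. The CA is built three times: once tagged with serverAuth only, once with no extendedKeyUsage at all, and once with both purposes. All names, subjects and file locations are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the openssl-users message): show how an
# extendedKeyUsage extension on a CA certificate restricts the purposes
# OpenSSL will accept for leaf certificates issued under it.
set -eu

# $1: extra extension line(s) for the constructed CA, e.g.
#     "extendedKeyUsage = serverAuth"; pass "" for no EKU at all.
# Prints "OK" when openssl accepts the leaf as a TLS client certificate,
# "FAIL" when the chain is rejected. Returns the verify exit status.
verify_client_cert_with_ca_eku() {
    ca_eku="$1"
    d=$(mktemp -d)

    # CA extensions: a plain CA with certificate-signing key usage, plus
    # whatever EKU line the caller supplied (possibly none).
    printf 'basicConstraints = critical, CA:TRUE\n' > "$d/ca.ext"
    printf 'keyUsage = critical, keyCertSign, cRLSign\n' >> "$d/ca.ext"
    printf '%s\n' "$ca_eku" >> "$d/ca.ext"

    # Self-signed CA certificate (constructed subject).
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
        -out "$d/ca.csr" -subj "/CN=Constructed Test CA" >/dev/null 2>&1
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/ca.pem" >/dev/null 2>&1

    # Leaf certificate tagged for TLS client authentication only.
    printf 'basicConstraints = CA:FALSE\n' > "$d/leaf.ext"
    printf 'keyUsage = critical, digitalSignature\n' >> "$d/leaf.ext"
    printf 'extendedKeyUsage = clientAuth\n' >> "$d/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/leaf.key" \
        -out "$d/leaf.csr" -subj "/CN=constructed-client" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -extfile "$d/leaf.ext" \
        -out "$d/leaf.pem" >/dev/null 2>&1

    # This is the check a TLS server (FreeRADIUS via OpenSSL) performs on a
    # client certificate: the whole chain must be valid for "sslclient".
    if openssl verify -purpose sslclient -CAfile "$d/ca.pem" "$d/leaf.pem" \
            >"$d/verify.out" 2>&1; then
        rc=0
        echo OK
    else
        rc=$?
        echo FAIL
    fi
    # Keep the verifier's own words available for the reader.
    cat "$d/verify.out" >&2
    rm -rf "$d"
    return $rc
}

# Stand-alone demonstration: the three CA variants discussed in the thread.
if [ "${DEMO:-1}" = 1 ]; then
    echo "CA with extendedKeyUsage = serverAuth only:" >&2
    verify_client_cert_with_ca_eku "extendedKeyUsage = serverAuth" || true
    echo "CA with no extendedKeyUsage extension:" >&2
    verify_client_cert_with_ca_eku "" || true
    echo "CA with extendedKeyUsage = serverAuth, clientAuth:" >&2
    verify_client_cert_with_ca_eku "extendedKeyUsage = serverAuth, clientAuth" || true
fi
```

Only the first variant is rejected: a CA tagged with serverAuth alone is not considered valid for the sslclient purpose, so the client certificate it issued is refused even though that leaf itself carries clientAuth. Dropping the extension from the CA, or listing clientAuth among its purposes, makes the same chain verify cleanly.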