Hello Viktor,

the problem is that I can't change the Cisco implementation :-(. Cisco tells me the CAPF implementation is following all RFC documents.

If you are right, I can't use any FreeRADIUS implementation, because they are based on OpenSSL. There is no option in FreeRADIUS to ignore something like this.

To my understanding, a CA certificate may have these extended keys - it's just something out of the ordinary.

So you mean there is no chance to get this correct RFC interpretation into OpenSSL??

Cisco:
https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/212214-Tech-Note-on-CAPF-Certificate-Signed-by.pdf
https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/212214-Tech-Note-on-CAPF-Certificate-Signed-by.html

Regards
Robert

-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On behalf of Viktor Dukhovni
Sent: Monday, 22 January 2018 17:01
To: openssl-users@xxxxxxxxxxx
Subject: Re: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

> On Jan 22, 2018, at 1:57 AM, Gladewitz, Robert via openssl-users <openssl-users@xxxxxxxxxxx> wrote:
>
> Do you already know when a version of OpenSSL will be released that follows this RFC?

The RFC is out of touch with real-world practice by multiple implementations. There are no plans to "follow the RFC".

--
Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users