Re: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

> On Jan 22, 2018, at 3:42 PM, Jeffrey Walton <noloader@xxxxxxxxx> wrote:
> 
>> Your problem is a misconfigured CA certificate.  Make sure your *CA*
>> certificate has no extended key usage specified, OR has *all* the key
>> usages specified that are required by any leaf certificate it will issue.
> 
> This is wrong. The CA is not misconfigured.

You might say so, and yet, with more than just OpenSSL, the CA is not
suitable for issuing leaf certificates that are not included in its
extended key usage.  This is a de facto standard.

>>> For my understanding, CA certificate may have these extended keys - it's just
>>> something out of the ordinary.
>> 
>> The extended key usages on the CA are interpreted to LIMIT the key usages
>> of certificates it can issue.  You can certainly use this extension, but
>> then expect the CA to be invalid for key usages you did not list.
> 
> This is wrong. The KU and EKU bits are not interpreted that way.

They plainly *are* interpreted in that way, just not by RFC5280, but
that's not the point.

> Here's the standards OpenSSL claims to implement:
> https://www.openssl.org/docs/standards.html.

So do many others, and yet when the RFC is impractical, a more practical
alternative is implemented.

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
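The behaviour Viktor describes can be reproduced with the openssl CLI alone. The script below is an added demonstration, not code from this thread or from OpenSSL, and it assumes an openssl binary of version 1.1.1 or later on the PATH; it goes slightly beyond the thread by building three CAs (no EKU, serverAuth only, serverAuth plus clientAuth) and checking a clientAuth leaf issued by each for the sslclient purpose, which is the check a TLS server such as FreeRADIUS applies to a client certificate.

```shell
#!/bin/sh
# Added demo (not code from the thread): OpenSSL treats an extendedKeyUsage on a
# CA certificate as a limit on the purposes it may issue for, so a CA whose EKU
# omits clientAuth fails a "-purpose sslclient" check even though RFC 5280 does
# not define EKU that way. Needs the openssl CLI, 1.1.1 or newer.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# build_chain NAME EKU_LIST: self-signed CA carrying the given EKU list (none
# when the list is empty) plus a clientAuth leaf certificate issued by it.
build_chain() {
    d="$WORK/$1"; mkdir -p "$d"
    {
        printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$1"
        printf '[ca_ext]\nbasicConstraints = critical,CA:TRUE\n'
        printf 'keyUsage = critical,keyCertSign,cRLSign\n'
        if [ -n "$2" ]; then printf 'extendedKeyUsage = %s\n' "$2"; fi
        printf '[leaf_ext]\nbasicConstraints = CA:FALSE\n'
        printf 'keyUsage = critical,digitalSignature\nextendedKeyUsage = clientAuth\n'
    } > "$d/cfg"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config "$d/cfg" \
        -extensions ca_ext -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=client -config "$d/cfg" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/cfg" -extensions leaf_ext \
        -out "$d/leaf.pem" >/dev/null 2>&1
}

# client_purpose_check NAME: "accepted" if the leaf validates as a TLS client
# certificate under its CA, "rejected" otherwise. In the rejected case OpenSSL
# reports "unsupported certificate purpose" at depth 1, i.e. on the CA itself.
client_purpose_check() {
    if openssl verify -CAfile "$WORK/$1/ca.pem" -purpose sslclient \
            "$WORK/$1/leaf.pem" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

build_chain no_eku ""                    # the usual CA: no EKU at all
build_chain server_only serverAuth       # EKU present but clientAuth missing
build_chain both serverAuth,clientAuth   # EKU lists every leaf usage needed
for name in no_eku server_only both; do
    printf '%-12s %s\n' "$name" "$(client_purpose_check "$name")"
done
# prints: no_eku accepted / server_only rejected / both accepted
```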
