Re: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

> On Jan 22, 2018, at 3:21 PM, Gladewitz, Robert via openssl-users <openssl-users@xxxxxxxxxxx> wrote:
> 
> Sorry, I did not mean to upset you.

I am not at all upset, just trying to be clear.

> Somehow I seem to have misunderstood something.

Yes.  Your CA has an EKU extension.  It should either not be present,
or list *all* the purposes for which the CA will issue leaf certificates.

If you're right (I don't think this is actually true) that the CA must
have "TLS Web Server Authentication" in its EKU (why?), then it must
also have at least "TLS Web Client Authentication", to allow the CA to
be used to authenticate TLS clients.

> The CAPF certificate is the CA certificate he goes for?
> Cisco states that this certificate requires both CA and
> the extended key "TLS Web Server Authentication"?

I bet that only the leaf certificate needs "TLS Web Server Authentication",
but if for some reason the CA certificate also needs "TLS Web Server Authentication"
then you'll need to also include "TLS Web Client Authentication" (in the
CA certificate).

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
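
The effect described in the reply above can be reproduced on a test bench with the script below. It is an added example, not part of the original message. It assumes the `openssl` command-line tool is installed; the function name `client_verifies` and the certificate subjects are constructed for illustration.

```shell
#!/bin/sh
# Added example with constructed throwaway certificates (nothing here comes
# from the thread). client_verifies "<CA EKU list, or empty for no EKU>"
# returns 0 when a clientAuth leaf issued by that CA passes
# `openssl verify -purpose sslclient`, 1 when it is rejected, 2 on setup error.
client_verifies() {
    ca_eku=$1
    dir=$(mktemp -d) || return 2
    {   # One config file: req boilerplate plus CA and leaf extension sections.
        printf '[req]\ndistinguished_name = dn\n[dn]\nCN = unused\n'
        printf '[ca_ext]\nbasicConstraints = critical, CA:TRUE\n'
        printf 'keyUsage = critical, keyCertSign, cRLSign\n'
        if [ -n "$ca_eku" ]; then printf 'extendedKeyUsage = %s\n' "$ca_eku"; fi
        printf '[leaf_ext]\nbasicConstraints = CA:FALSE\n'
        printf 'extendedKeyUsage = clientAuth\n'
    } > "$dir/x.cnf"
    # Self-signed CA whose EKU (if any) is the value under test.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/x.cnf" \
        -extensions ca_ext -subj '/CN=Constructed Test CA' \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 &&
    # Client key and CSR, then a leaf signed by that CA with EKU clientAuth.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/x.cnf" \
        -subj '/CN=constructed-client' \
        -keyout "$dir/c.key" -out "$dir/c.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$dir/c.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/x.cnf" -extensions leaf_ext \
        -out "$dir/c.pem" >/dev/null 2>&1 || { rm -rf "$dir"; return 2; }
    # The same purpose check a TLS server applies to a client certificate;
    # it is evaluated for every certificate in the chain, CA included.
    out=$(openssl verify -purpose sslclient -CAfile "$dir/ca.pem" \
        "$dir/c.pem" 2>&1)
    rm -rf "$dir"
    case $out in
        *': OK'*) return 0 ;;
        *) printf '%s\n' "$out" >&2; return 1 ;;
    esac
}

for eku in 'serverAuth' 'serverAuth, clientAuth' ''; do
    if client_verifies "$eku"; then r=accepted; else r=rejected; fi
    printf 'CA EKU [%s]: client certificate %s\n' "${eku:-absent}" "$r"
done
```

Running `openssl x509 -noout -text` on the real CA certificate and reading its "X509v3 Extended Key Usage" section shows which of the three cases applies.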


