Re: WG: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




> On Jan 24, 2018, at 1:33 AM, Gladewitz, Robert via openssl-users <openssl-users@xxxxxxxxxxx> wrote:
> 
> Nevertheless, a problem remains open for the Cisco CUCM users. If these use
> the certificate internally signed by Cisco, the attributes are set as in the
> discussion and can not be subsequently adapted in our case. This means that
> for these users only the change to a non openssl based application remains -
> really sad.

Can you be a bit more explicit as to why these users cannot deploy a
certificate chain via an alternate CA that does not have a problem EKU
(just as you did)?  Is it not possible to replace the intermediate CA
certificate with one that either has no EKU or has a more complete
EKU that lists both "serverAuth" and "clientAuth" (shorter OpenSSL
names for the EKUs under discussion).

There are surely some Cisco Engineers reading this list.  Ideally
someone from Cisco will reach out to the OpenSSL team (say myself)
and we can help them update the product to avoid compatibility issues.
I've posted a feedback comment at:

  https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/212214-Tech-Note-on-CAPF-Certificate-Signed-by.html#anc7

Perhaps they'll reach out.

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux