Environment is a client/server, with both ends checking the certificates.
Compiled under OpenSSL 1.1.1s (yes, I know it needs updating and it will be, but gotta fix this first.)
Server certificate has the following extensions:
    X509v3 extensions:
        Authority Information Access:
            OCSP - URI:http://ocsp.cudasystems.net:8888
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Cert Type:
            SSL Server
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
        X509v3 Extended Key Usage:
            TLS Web Server Authentication, TLS Web Client Authentication
        Netscape Comment:
            OpenSSL Generated Server Certificate
        X509v3 Subject Key Identifier:
            53:60:7B:09:2C:DF:4A:E9:F3:1F:1D:66:B9:21:D4:F1:0E:EC:61:68
        X509v3 Authority Key Identifier:
            keyid:5D:C0:5E:C2:A7:8D:D3:CD:0F:9F:9B:C5:51:02:18:AB:5C:D3:8E:CF
            DirName:/C=US/ST=Florida/L=Niceville/O=Cuda Systems LLC/OU=Cuda Systems CA/CN=Cuda Systems LLC 2017 CA
            serial:E4:48:8A:82:10:CE:5E:BB:DF:C5:8C:63:21:35:D8:0D:D8:48
        X509v3 Subject Alternative Name:
            email:karl@xxxxxxxxxxxxx, DNS:tnhouse.homedaemon.org
The client is able to follow the signature and verifies it. However, the client certificate with the same extensions:
    X509v3 extensions:
        Authority Information Access:
            OCSP - URI:http://ocsp.cudasystems.net:8888
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Cert Type:
            SSL Server
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
        X509v3 Extended Key Usage:
            TLS Web Server Authentication, TLS Web Client Authentication
        Netscape Comment:
            OpenSSL Generated Server Certificate
        X509v3 Subject Key Identifier:
            D0:34:4E:C7:2B:A1:52:A3:3A:DF:89:6F:FD:03:1C:E2:C8:2D:B5:45
        X509v3 Authority Key Identifier:
            keyid:5D:C0:5E:C2:A7:8D:D3:CD:0F:9F:9B:C5:51:02:18:AB:5C:D3:8E:CF
            DirName:/C=US/ST=Florida/L=Niceville/O=Cuda Systems LLC/OU=Cuda Systems CA/CN=Cuda Systems LLC 2017 CA
            serial:E4:48:8A:82:10:CE:5E:BB:DF:C5:8C:63:21:35:D8:0D:D8:48
        X509v3 Subject Alternative Name:
            email:karl@xxxxxxxxxxxxx, DNS:tnhouse-wm.homedaemon.org
Connects, but the server complains on verification that the client cert supplied has "invalid purpose."
"TLS Web Client Authentication" should be ok as a client certificate I'd expect -- but it isn't, and the server throws up on it. Or is it that I must have the *type* defined as "client" in "nsCertType"?
    Feb 13 19:00:50 TnHouse HD-MCP[60420]: SSL ACCEPT Error [certificate verify failed] on [::ffff:192.168.10.215] 26
    Feb 13 19:00:50 TnHouse HD-MCP[60420]: Slave do_accept SSL failed for handle 13

Return code 26 is "invalid purpose":

    # define X509_V_ERR_INVALID_PURPOSE 26
Thanks in advance.
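The following is an added reproduction, not part of the original message and not the poster's code. It issues two client certificates from a throwaway CA (all names constructed for this example) with the same keyUsage and extendedKeyUsage as the certificates above, differing only in nsCertType, and runs each through `openssl verify -purpose sslclient`, which is the same X509_PURPOSE_SSL_CLIENT check a verifying server applies. OpenSSL's client-purpose check rejects a certificate whose nsCertType extension is present but lacks the SSL Client bit even when extendedKeyUsage contains clientAuth, so the "server only" certificate is reported as error 26 (printed by `openssl verify` as "unsupported certificate purpose") while the one whose nsCertType also lists client verifies cleanly. Omitting nsCertType altogether has the same effect as listing client, since the check is skipped when the extension is absent.

```shell
#!/bin/sh
# Added example (not from the original post): show how nsCertType alone
# decides OpenSSL's "sslclient" purpose check when EKU already allows clientAuth.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway CA, constructed only for this demonstration.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Example Test CA" -days 1 >/dev/null 2>&1

# Profile mirroring the post: EKU includes clientAuth, nsCertType says "server" only.
cat > ext_server_only.cnf <<'EOF'
basicConstraints=CA:FALSE
nsCertType=server
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
EOF

# Corrected profile: nsCertType also carries the client bit.
cat > ext_client.cnf <<'EOF'
basicConstraints=CA:FALSE
nsCertType=server,client
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
EOF

# issue <name> <extfile>: key + CSR + CA-signed end-entity certificate "<name>.crt"
issue() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -extfile "$2" -out "$1.crt" -days 1 >/dev/null 2>&1
}
issue server_only ext_server_only.cnf
issue client_ok ext_client.cnf

# verify_as_client <cert>: print what OpenSSL says when the cert is checked
# for the sslclient purpose (always returns 0 so callers can inspect the text).
verify_as_client() {
  openssl verify -purpose sslclient -CAfile ca.crt "$1" 2>&1 || true
}

echo "--- nsCertType=server, verified as client:"
verify_as_client server_only.crt      # expect: error 26 ... unsupported certificate purpose
echo "--- nsCertType=server,client, verified as client:"
verify_as_client client_ok.crt        # expect: client_ok.crt: OK
```

Run it as-is with any OpenSSL 1.1.1 or 3.x binary on PATH; the same comparison can be made on an existing certificate with `openssl verify -purpose sslclient -CAfile <ca> <cert>` before it is deployed, which is a cheap pre-flight check to put next to the CA's signing step.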