AW: After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate
Boris Lytochkin
lytboris at yandex-team.ru
Wed Dec 20 07:51:18 CET 2017
Hi.
It's much better to fix your "CA" cert (which is not).
================
X509v3 Basic Constraints: critical
CA:TRUE
================
is missing.
See http://www.alvestrand.no/objectid/2.5.29.19.html
On 20.12.2017 1:09, Gladewitz, Robert via Freeradius-Users wrote:
> Hello Alan,
>
> So, I found out that you are right. I found out that the certificate check ends with a warning, because of the following OpenSSL function in v3_purp.c?
>
> /*-
>  * CA checks common to all purposes
>  * return codes:
>  * 0 not a CA
>  * 1 is a CA
>  * 2 basicConstraints absent so "maybe" a CA
>  * 3 basicConstraints absent but self signed V1.
>  * 4 basicConstraints absent but keyUsage present and keyCertSign asserted.
>  */
>
> static int check_ca(const X509 *x)
> {
>     /* keyUsage if present should allow cert signing */
>     if (ku_reject(x, KU_KEY_CERT_SIGN))
>         return 0;
>     if (x->ex_flags & EXFLAG_BCONS) {
>         if (x->ex_flags & EXFLAG_CA)
>             return 1;
>         /* If basicConstraints says not a CA then say so */
>         else
>             return 0;
>     } else {
>         /* we support V1 roots for... uh, I don't really know why. */
>         if ((x->ex_flags & V1_ROOT) == V1_ROOT)
>             return 3;
>         /*
>          * If key usage present it must have certSign so tolerate it
>          */
>         else if (x->ex_flags & EXFLAG_KUSAGE)
>             return 4;
>         /* Older certificates could have Netscape-specific CA types */
>         else if (x->ex_flags & EXFLAG_NSCERT && x->ex_nscert & NS_ANY_CA)
>             return 5;
>         /* can this still be regarded a CA certificate? I doubt it */
>         return 0;
>     }
> }
>
> But it is documented as a warning, not an error!?
>
> It is possible to add a workaround for the mistake in conf / tls.c
>
> <DIFF tls.c>
> if (!my_ok &&
> (conf->allow_expired_crl) &&
> (err == X509_V_ERR_CRL_HAS_EXPIRED)) {
> my_ok = 1;
> X509_STORE_CTX_set_error( ctx, 0 );
> }
>
> + if (!my_ok &&
> + (conf->allow_wrong_purposed) &&
> + (err == X509_V_ERR_INVALID_PURPOSE)) {
> + my_ok = 1;
> + X509_STORE_CTX_set_error( ctx, 0 );
> + }
>
> if (!my_ok) {
>
> </DIFF>
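Review bot: Clearing X509_V_ERR_INVALID_PURPOSE in the verify callback whenever conf->allow_wrong_purposed is set disables the purpose check for every certificate in the chain, so a certificate lacking basicConstraints CA:TRUE (exactly what check_ca() above rejects) would be accepted as the issuer of client certificates; the fix belongs in the CA certificate (reissue it with the critical basicConstraints CA:TRUE extension), not in a flag that suppresses the error. The hunk also reads conf->allow_wrong_purposed without showing the matching field in the configuration struct or the parser entry that sets it, so as posted the branch cannot compile, and a new option of this kind would need documentation next to allow_expired_crl.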
>
> I hope my mail does not sound arrogant :-(
>
> Robert
>
>
> -----Original Message-----
> From: Freeradius-Users [mailto:freeradius-users-bounces+robert.gladewitz=dbfz.de at lists.freeradius.org] On Behalf Of Alan DeKok
> Sent: Tuesday, 19 December 2017 18:49
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Subject: Re: After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate
>
>
>> On Dec 19, 2017, at 12:18 PM, Boris Lytochkin <lytboris at yandex-team.ru> wrote:
>> Alan, you are absolutely correct about OIDs. But one thing drives me crazy. Robert sent me a full capture (attached) and it is really weird if you compare it to FreeRADIUS logs.
>> ...
>> I have no idea why FreeRADIUS peeks issuer's cert instead of real client's one. I guess something is broken in server's configuration...
> EAP-TLS sends over the entire certificate chain. OpenSSL walks down the certificate chain, verifying each cert in sequence.
>
> If it can't verify the CA or server cert, OpenSSL fails, and we never get to check the client cert.
>
> When the client cert gets printed, the fields get printed as "TLS-Client-Cert-Serial", not as "TLS-Cert-Serial".
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
Boris Lytochkin
Yandex NOC
+7 (495) 739 70 00 ext. 7671
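As an added example (not code from the thread or from FreeRADIUS), the script below mints self-signed test certificates with and without the basicConstraints extension and classifies each one the way the check_ca() function quoted above does; it assumes only that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not code from the thread: mint self-signed test certificates with
# chosen extensions and classify each the way OpenSSL's check_ca() does. Assumes the
# openssl CLI is on PATH; every key and certificate below is generated locally.
set -e
WORK=$(mktemp -d)
# ca_ext is a proper CA (the extension the thread says is missing), leaf_ext an
# end-entity cert, ku_only has keyCertSign but no basicConstraints at all.
cat >"$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
[ku_only]
keyUsage = critical, keyCertSign
EOF
# One EC key and CSR, reused for every variant.
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -subj "/CN=demo CA" \
    -keyout "$WORK/demo.key" -out "$WORK/demo.csr" -config "$WORK/ext.cnf" 2>/dev/null

# make_cert SECTION: self-sign the CSR with only that section's extensions (plus any
# key identifiers the installed openssl adds by default); prints the certificate path.
make_cert() {
    openssl x509 -req -in "$WORK/demo.csr" -signkey "$WORK/demo.key" -days 1 \
        -extfile "$WORK/ext.cnf" -extensions "$1" -out "$WORK/$1.pem" 2>/dev/null
    echo "$WORK/$1.pem"
}

# check_ca CERT: prints the code OpenSSL's check_ca() would return: 0 not a CA, 1 CA,
# 2 basicConstraints absent ("maybe"), 4 absent but keyUsage asserts keyCertSign
# (the self-signed V1 root and Netscape cases are left out).
check_ca() {
    txt=$(openssl x509 -in "$1" -noout -text)
    has() { printf '%s\n' "$txt" | grep -q "$1"; }
    # keyUsage, if present, must allow certificate signing
    if has 'X509v3 Key Usage' && ! has 'Certificate Sign'; then echo 0; return; fi
    if has 'X509v3 Basic Constraints'; then
        # the line after the extension header reads CA:TRUE or CA:FALSE
        if printf '%s\n' "$txt" | sed -n '/X509v3 Basic Constraints/{n;p;}' | grep -q 'CA:TRUE'
        then echo 1; else echo 0; fi
    elif has 'X509v3 Key Usage'; then echo 4
    else echo 2
    fi
}

for sect in ca_ext leaf_ext ku_only; do
    echo "$sect: check_ca=$(check_ca "$(make_cert "$sect")")"
done
```

Only the ca_ext certificate comes back as 1, which is the shape the CA certificate in the thread needs to have before OpenSSL will accept it as an issuer.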