Server certificate confusion

Nick Howitt nick at howitts.co.uk
Wed Apr 18 16:39:08 CEST 2018



On 18/04/2018 15:03, Stefan Winter wrote:
> Hi,
>
> well, I wouldn't have needed the private key, but ok :-)
>
> I have an openssl 1.0.2 on my box, which validates this server and CA
> against the purpose of TLS Server just fine (and as a counter-test, does
> not validate it as TLS Client):
>
> swinter at aragorn:~/scratch/FR-debug> openssl verify -CApath ./CA/
> -purpose sslserver server.pem
> server.pem: OK
> swinter at aragorn:~/scratch/FR-debug> openssl verify -CApath ./CA/
> -purpose sslclient server.pem
> server.pem: C = FR, ST = Radius, O = Example Inc., CN = Example Server
> Certificate, emailAddress = admin at example.org
> error 26 at 0 depth lookup:unsupported certificate purpose
> OK
>
> Compiling 1.1.0h, this still works:
>
> swinter at aragorn:~/scratch/FR-debug> LD_LIBRARY_PATH=/usr/local/lib64
> /usr/local/bin/openssl verify -CApath ./CA/ -purpose sslserver server.pem
> server.pem: OK
> swinter at aragorn:~/scratch/FR-debug> LD_LIBRARY_PATH=/usr/local/lib64
> /usr/local/bin/openssl verify -CApath ./CA/ -purpose sslclient server.pem
> C = FR, ST = Radius, O = Example Inc., CN = Example Server Certificate,
> emailAddress = admin at example.org
> error 26 at 0 depth lookup: unsupported certificate purpose
> error server.pem: verification failed
> swinter at aragorn:~/scratch/FR-debug> LD_LIBRARY_PATH=/usr/local/lib64
> /usr/local/bin/openssl version
> OpenSSL 1.1.0h  27 Mar 2018
>
> (but one can see that the failure test in 1.0.x was somewhat graceful
> ("OK") while 1.1.0 throws an actual error at the end)
>
> Which still leaves us at the question why things don't work for you with
> eapol_test.
>
> The first, obvious question: is eapol_test compiled to use openssl at
> all? Or is it using a different engine?
>
> If it's using openssl, what version of openssl is on the system?
>
> Is there anything ... peculiar in the wpa_supplicant.conf file regarding
> server cert validation? You could paste the file here, but without your
> password. I want it as little as I wanted the PEM key file, you know ;-)
>
> Greetings,
>
> Stefan Winter
>
>
> Am 18.04.2018 um 13:36 schrieb Nick Howitt:
>>
>> On 18/04/2018 12:23, Stefan Winter wrote:
>>> Hi,
>>>
>>>> I've reverted the set up to use the standard Freeradius certs and I've
>>>> been through the certs README, deleting all certificates  and recreating
>>>> the ca.pem and server certs (btw I think the order in the README is
>>>> wrong as you need to create the server.csr before the server.pem) and
>>>> I've hit the same "(6) eap_tls:   ERROR: SSL says error 26 : unsupported
>>>> certificate purpose" issue when running eapol_test with the new certs.
>>> Can you paste both the CA's and the server's PEM representation into a
>>> mail on the list?
>>>
>>> Stefan
>>>
>>>
>>>
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
>> I've just recreated them as I had to remove the extension for testing.
>> Note I have increased the validity of both in the cnf files to 3650d;
>> everything else is at default.
>> From "history":
>>    994  cd /etc/raddb/certs
>>    995  rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*
>>    996  make ca.pem
>>    997  server.csr
>>    998  make server.csr
>>    999  make server.pem
>>   1000  openssl x509 -text -noout -in server.pem
>>   1001  history
>>
>> ca.pem:
>>
>> server.pem:
>> Bag Attributes
>>      localKeyID: AD A7 E8 29 BB 2F C9 69 4F 75 2E F4 EF 80 70 99 B1 75 04 37
>> subject=/C=FR/ST=Radius/O=Example Inc./CN=Example Server
>> Certificate/emailAddress=admin at example.org
>> issuer=/C=FR/ST=Radius/L=Somewhere/O=Example
>> Inc./emailAddress=admin at example.org/CN=Example Certificate Authority
>>
>
[root at 7 certs]# rpm -q openssl
openssl-1.0.2k-8.el7.x86_64

I don't have wpa_supplicant installed on the system so no 
wpa_supplicant.conf. In order to get eapol_test I pulled down the latest 
2.6 sources and ran make following the instructions at 
http://blog.rchapman.org/posts/Troubleshooting_EAP-TLS_with_freeradius/. 
I was under the impression that eapol_test was not compiled in the 
distro, but I've just been checking and I think I have been incorrectly 
informed. I'll install wpa_supplicant and test again.

FWIW it is not eapol_test which is giving the certificate error but 
"radiusd -X".

BTW you only got the key because it is in the pem file so I was not sure 
if you wanted the whole file or just the certificate part.

Nick
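The `-purpose sslserver` / `-purpose sslclient` results quoted above come down to the certificate's extendedKeyUsage extension: the server.pem in this thread carries only id-kp-serverAuth, so it passes as a TLS server and fails with "unsupported certificate purpose" (error 26) as a TLS client. The following is an added example, not code from the thread or from FreeRADIUS or OpenSSL: a minimal DER decoder for the EKU value plus the EKU part of OpenSSL's purpose rule (no EKU means any purpose; otherwise the purpose's OID must be listed). The sample bytes are constructed from the serverAuth-only EKU decoded out of the server.pem above; OpenSSL's full check also looks at keyUsage and the CA chain, which this example does not cover.

```python
# Added example (not from the thread): decode an X.509 extendedKeyUsage
# extension value and apply the EKU part of the purpose rule behind
# "openssl verify -purpose sslserver" / "-purpose sslclient".

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Turn DER OBJECT IDENTIFIER content bytes into dotted-decimal text."""
    arcs, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:  # base-128 arcs, high bit set on continuation bytes
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)

def parse_eku(der):
    """Parse an EKU extnValue (SEQUENCE OF OBJECT IDENTIFIER) into OID strings."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("extendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, value, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU")
        oids.append(decode_oid(value))
    return oids

def eku_allows(eku_oids, purpose):
    """EKU rule: no EKU extension (None) permits any purpose; otherwise the
    purpose's OID must be listed, else 'unsupported certificate purpose'."""
    if eku_oids is None:
        return True
    wanted = {"sslserver": SERVER_AUTH, "sslclient": CLIENT_AUTH}[purpose]
    return wanted in eku_oids

# Constructed sample: the serverAuth-only EKU value decoded from the thread's server.pem.
SERVER_EKU = bytes.fromhex("300a06082b06010505070301")
```

Calling `eku_allows(parse_eku(SERVER_EKU), "sslclient")` returns False, which is the condition behind the error 26 seen in the thread.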

