Server certificate confusion

Nick Howitt nick at howitts.co.uk
Wed Apr 18 17:03:46 CEST 2018



On 18/04/2018 15:39, Nick Howitt wrote:
>
>
> On 18/04/2018 15:03, Stefan Winter wrote:
>> Hi,
>>
>> well, I wouldn't have needed the private key, but ok :-)
>>
>> I have an openssl 1.0.2 on my box, which validates this server and CA
>> against the purpose of TLS Server just fine (and as a counter-test, does
>> not validate it as TLS Client):
>>
>> swinter at aragorn:~/scratch/FR-debug> openssl verify -CApath ./CA/
>> -purpose sslserver server.pem
>> server.pem: OK
>> swinter at aragorn:~/scratch/FR-debug> openssl verify -CApath ./CA/
>> -purpose sslclient server.pem
>> server.pem: C = FR, ST = Radius, O = Example Inc., CN = Example Server
>> Certificate, emailAddress = admin at example.org
>> error 26 at 0 depth lookup:unsupported certificate purpose
>> OK
>>
>> Compiling 1.1.0h, this still works:
>>
>> swinter at aragorn:~/scratch/FR-debug> LD_LIBRARY_PATH=/usr/local/lib64
>> /usr/local/bin/openssl verify -CApath ./CA/ -purpose sslserver 
>> server.pem
>> server.pem: OK
>> swinter at aragorn:~/scratch/FR-debug> LD_LIBRARY_PATH=/usr/local/lib64
>> /usr/local/bin/openssl verify -CApath ./CA/ -purpose sslclient 
>> server.pem
>> C = FR, ST = Radius, O = Example Inc., CN = Example Server Certificate,
>> emailAddress = admin at example.org
>> error 26 at 0 depth lookup: unsupported certificate purpose
>> error server.pem: verification failed
>> swinter at aragorn:~/scratch/FR-debug> LD_LIBRARY_PATH=/usr/local/lib64
>> /usr/local/bin/openssl version
>> OpenSSL 1.1.0h  27 Mar 2018
>>
>> (but one can see that the failure test in 1.0.x was somewhat graceful
>> ("OK") while 1.1.0 throws an actual error at the end)
>>
>> Which still leaves us at the question why things don't work for you with
>> eapol_test.
>>
>> The first, obvious question: is eapol_test compiled to use openssl at
>> all? Or is it using a different engine?
>>
>> If it's using openssl, what version of openssl is on the system?
>>
>> Is there anything ... peculiar in the wpa_supplicant.conf file regarding
>> server cert validation? You could paste the file here, but without your
>> password. I want it as little as I wanted the PEM key file, you know ;-)
>>
>> Greetings,
>>
>> Stefan Winter
>>
>>
>> On 18.04.2018 at 13:36, Nick Howitt wrote:
>>>
>>> On 18/04/2018 12:23, Stefan Winter wrote:
>>>> Hi,
>>>>
>>>>> I've reverted the setup to use the standard FreeRADIUS certs and I've
>>>>> been through the certs README, deleting all certificates and recreating
>>>>> the ca.pem and server certs (btw I think the order in the README is
>>>>> wrong as you need to create the server.csr before the server.pem) and
>>>>> I've hit the same "(6) eap_tls:   ERROR: SSL says error 26 : unsupported
>>>>> certificate purpose" issue when running eapol_test with the new certs.
>>>> Can you paste both the CA's and the server's PEM representation into a
>>>> mail on the list?
>>>>
>>>> Stefan
>>>>
>>>>
>>>>
>>>> -
>>>> List info/subscribe/unsubscribe? See
>>>> http://www.freeradius.org/list/users.html
>>> I've just recreated them as I had to remove the extension for testing.
>>> Note I have increased the validity of both in the cnf files to 3650d;
>>> everything else is at default.
>>> From "history":
>>>    994  cd /etc/raddb/certs
>>>    995  rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*
>>>    996  make ca.pem
>>>    997  server.csr
>>>    998  make server.csr
>>>    999  make server.pem
>>>   1000  openssl x509 -text -noout -in server.pem
>>>   1001  history
>>>
>>> ca.pem:
>>>
>>> server.pem:
>>> Bag Attributes
>>>     localKeyID: AD A7 E8 29 BB 2F C9 69 4F 75 2E F4 EF 80 70 99 B1 75 04 37
>>> subject=/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin at example.org
>>> issuer=/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin at example.org/CN=Example Certificate Authority
>>>
>>
>>
>>
> [root at 7 certs]# rpm -q openssl
> openssl-1.0.2k-8.el7.x86_64
>
> I don't have wpa_supplicant installed on the system so no 
> wpa_supplicant.conf. In order to get eapol_test I pulled down the 
> latest 2.6 sources and ran make following the instructions at 
> http://blog.rchapman.org/posts/Troubleshooting_EAP-TLS_with_freeradius/. 
> I was under the impression that eapol_test was not compiled in the 
> distro, but I've just been checking and I think I have been 
> incorrectly informed. I'll install wpa_supplicant and test again.
>
> FWIW it is not eapol_test which is giving the certificate error but 
> "radiusd -X".
>
> BTW you only got the key because it is in the pem file, so I was not 
> sure if you wanted the whole file or just the certificate part.
>
> Nick
"radiusd -X" still errors with the CentOS wpa_supplicant-2.6-5.el7_4.1.x86_64
installed with a default wpa_supplicant.conf:
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
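As an added illustration (not code from this thread, FreeRADIUS or OpenSSL), a dependency-free Python walker that pulls the extendedKeyUsage OIDs out of a DER certificate and applies the EKU rule behind Stefan's two "openssl verify -purpose" runs: a certificate whose EKU lists only serverAuth passes sslserver and gets error 26 for sslclient, while one with no EKU passes both. The two sample certificates are constructed byte strings in which only the extensions block is laid out faithfully; keyUsage and basicConstraints, which openssl also checks, are not modelled.

```python
from typing import Dict, List, Optional
ID_CE_EXT_KEY_USAGE = "2.5.29.37"
PURPOSE_OIDS = {"sslserver": "1.3.6.1.5.5.7.3.1",   # id-kp-serverAuth
                "sslclient": "1.3.6.1.5.5.7.3.2"}   # id-kp-clientAuth

def children(buf: bytes):
    """Yield (tag, value) for each DER element in buf (short- and long-form lengths)."""
    pos = 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:                               # long form: low 7 bits = number of length bytes
            n = ln & 0x7F
            ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + ln]
        pos += ln

def decode_oid(b: bytes) -> str:
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:                              # base-128 arcs, high bit means "continues"
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def find_eku(buf: bytes) -> Optional[List[str]]:
    """Return the EKU OID list, or None when the certificate carries no EKU extension."""
    for tag, val in children(buf):
        if not tag & 0x20:                          # primitive element: nothing to descend into
            continue
        if tag == 0x30 and val[:1] == b"\x06":      # Extension ::= SEQUENCE {OID, [BOOL,] OCTET STRING}
            parts = list(children(val))
            if decode_oid(parts[0][1]) == ID_CE_EXT_KEY_USAGE:
                seq = next(children(parts[-1][1]))[1]   # extnValue OCTET STRING wraps SEQUENCE OF OID
                return [decode_oid(v) for _, v in children(seq)]
        found = find_eku(val)
        if found is not None:
            return found
    return None

def verify_purposes(cert_der: bytes) -> Dict[str, str]:
    """openssl's EKU rule per purpose: no EKU passes anything; with an EKU the purpose OID must be listed."""
    eku = find_eku(cert_der)
    return {p: "OK" if eku is None or oid in eku else "error 26: unsupported certificate purpose"
            for p, oid in PURPOSE_OIDS.items()}

# Constructed samples, not real certificates: Certificate{ TBS{ serial 1, [3] Extensions{ ... } } }
SERVER_ONLY_CERT = bytes.fromhex(
    "301e" "301c" "020101" "a317" "3015" "3013" "0603551d25"    # extnID 2.5.29.37 (extendedKeyUsage)
    "040c" "300a" "06082b06010505070301")                      # OCTET STRING{ SEQUENCE{ serverAuth } }
NO_EKU_CERT = bytes.fromhex("3005" "3003" "020101")            # same shape, no extensions at all
```

A real certificate must be base64-decoded from PEM to DER before it is handed to verify_purposes().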