Re: Solved: After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate

Gladewitz, Robert Robert.Gladewitz at dbfz.de
Wed Jan 24 11:15:53 CET 2018


Hello Alan, it seems to me, you have not read the openssl thread completely.
The openssl interpretation is not rfc compliant.

We have already switched to the latest callmanager version! Originally since
you here in the forum assumed that the ku "CA" is missing. This error is
actually fixed.

Nevertheless, the CAPF CA certificates are still issued with the eku "TLS
WEB SERVER Authentication", or predefined in the csr. Cisco apparently
also needs this option, for whatever reason.

That's why I've documented the whole thing for this forum - because I've
also gotten two direct requests with the same problem. I also think that
this problem is coming to bear more and more because many customers are only
now gradually switching to systems based on openssl1.1.0 or higher.

To be honest, I can not understand why you are allowed to criticize yourself
a lot, but you do not concede any criticisms or mistakes yourself. Really
sad, because freeradius in itself is a very good product. When annotations and
suggestions for improvement are always treated in this way, at some point
nobody dares to make any suggestions. That's a pity.


-----Original Message-----
From: Alan DeKok [mailto:aland at deployingradius.com]
Sent: Wednesday, 24 January 2018 09:13
To: Gladewitz, Robert <Robert.Gladewitz at dbfz.de>; FreeRadius users mailing
list <freeradius-users at lists.freeradius.org>
Subject: Re: Solved: After Upgrade from freeradius 2 to 3 (Debian 8 - 9):
TLS Alert write:fatal:unsupported certificate

On Jan 24, 2018, at 2:16 AM, Gladewitz, Robert via Freeradius-Users
<freeradius-users at lists.freeradius.org> wrote:
> 
> 
> I would like to summarize the topic for FreeRadius.
> 
> The error discussed is actually due to a change in OpenSSL1.1. My request
> in the OpenSSL user group on this topic has led to a controversial
> discussion.
> 
> Of course the certificates are RFC compliant. Unfortunately, OpenSSL does
> not evaluate the ExtendedKeyUsage (eku) as defined in the RFC in question.

  The OpenSSL team gave you very clear reasons why on their mailing list.
One of which is that the RFCs are probably being updated to match current
implementations.

  As someone who's written many RFCs, they're not perfect.  See RFC 5080,
for example, which points out errors in earlier RFCs, and describes the
correct behaviour.

  The "correct" behaviour in many cases is "what the implementations have
been doing for a decade".

  There are cases where FreeRADIUS does not follow the RFCs.  These are
cases where the RFCs are broken or wrong.

> In the case discussed here, ExtendedKeyUsage (eku) is set to TLS "Web
> Server Authentication" for the CA (CAPF) certificate.
> 
> This would be allowable under RFC, but is not allowed by the openssl
> client certificate validation functions.

  Or by most implementations, as you were told on the OpenSSL list.  And
that they believe the RFCs are wrong.

> Unfortunately, this is not a solution for customers who use the
> certificate signed by Cisco CallManagers themselves, as the eku for the
> freeradius can not simply be deleted here. This means, that there is no
> chance to authenticate the phones with a freeradius version based on openssl
> libraries >= 1.1.0 - at least not with tls.

  How about complaining to Cisco, and getting their implementation fixed?
Oh wait, Stefan already told you how to fix it.  You can:

>> upgrade his system to release 11.5 and re-generate the CAPF CA, then he
>> should get a real CA.


> Remedy would only create a correctly patched openssl version or the
> correct implementation of an openssl_verify function (as discussed in
> openssl thread).

  Stop trolling.  It's rude, and will result in you getting kicked off of
the list.  I've already warned you once off-list.  This is your last, and
final warning.

  You're claiming here that the "correct" implementation of OpenSSL is
whatever you think it is, and that the OpenSSL developers are wrong.  You're
making that same claim about FreeRADIUS.

  You *could* choose to upgrade the Cisco software to a version which is
fixed.  Instead, you insist on claiming that you know better than everyone
else, and that everyone's software is wrong.

  There is no language problem here.  You're choosing to be obnoxious.  Stop
it.

  Alan DeKok.
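
The chain check argued about in this thread, as an added example that is not part of either message: a Python sketch that reads the extension section of `openssl x509 -noout -text` output and reports which certificates in a chain carry an Extended Key Usage that omits client authentication. The certificate dumps are constructed samples, the name "phone" is hypothetical, and the rule applied (an EKU on any chain certificate, CA included, restricts what the chain may be used for) is the interpretation described in the thread, modelled here as an assumption.

```python
import re

CLIENT_AUTH = "TLS Web Client Authentication"

# Constructed excerpts in the layout printed by `openssl x509 -noout -text`.
CAPF_CA = """\
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""
PLAIN_CA = """\
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
"""
PHONE_LEAF = """\
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
"""

def parse_extensions(text):
    """Map each 'X509v3 <name>' header to the values listed on the lines below it."""
    exts, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*X509v3 (.+?):\s*(critical)?\s*$", line)
        if m and m.group(1) != "extensions":
            current = exts.setdefault(m.group(1), [])
        elif current is not None and line.strip():
            current.extend(v.strip() for v in line.split(",") if v.strip())
    return exts

def permits(text, purpose=CLIENT_AUTH):
    """Assumed rule: EKU absent means unrestricted; EKU present must list the purpose."""
    eku = parse_extensions(text).get("Extended Key Usage")
    return eku is None or purpose in eku

def blocking_certs(chain, purpose=CLIENT_AUTH):
    """Names of chain certificates (leaf and CAs) whose EKU excludes the purpose."""
    return [name for name, text in chain if not permits(text, purpose)]
```

Run over a phone certificate and its issuing CA before a RADIUS server moves to a newer OpenSSL, `blocking_certs` names the certificate that would have to be re-issued.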
