Solved: After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate

[Alan DeKok]

  To anyone else reading this thread, the explanation from the OpenSSL people is here:

https://mta.openssl.org/pipermail/openssl-users/2018-January/007357.html

* the intermediate CA has "TLS Web Server Authentication" extended key usage OID

* the intermediate CA does NOT have "TLS Web Client Authentication" EKU OID

* this intermediate CA signed another, final CA

* the final CA which signs the client certificate has BOTH "TLS Web Server Authentication" and  "TLS Web Client Authentication".

   When you have an intermediate CA with usage restrictions, those restrictions apply to *all* certificates derived from that CA.  So you can't have a parent CA which says "no EAP-TLS", and then a child CA saying "Yeah, we'll do EAP-TLS anyways".

  Older versions of OpenSSL didn't enforce these permissions.  Version from 1.1.0 onwards do enforce these permissions.  And that's the right thing to do.

  Unfortunately, some commercial vendors produce CAs which are broken and insecure.  We *will not* be putting patches into FreeRADIUS to "work around" this issue.  The simple reason is that the CAs are wrong, and the commercial vendors are wrong.

  Anyone who wants to skip these checks is free to edit either the OpenSSL or FreeRADIUS source code, and to build local versions.

  As for the OP, he's taken to emailing me off-list expressing surprise that he's gone, and claiming that it's not clear what the problem is, and that FreeRADIUS is still wrong.

  Alan DeKok.