Hi. Alan, you are absolutely correct about OIDs. But one thing drives me crazy. Robert sent me a full capture (attached) and it is really weird if you compare it to FreeRADIUS logs. Here's client cert from capture (RADIUS protocol dump, frame #10): Certificate: 30820345308202aea003020102020200f1300d06092a8648... (id-at-commonName=SEP64A0E7147412,id-at-organizationalUnitName=IT,id-at-organizationName=Deutsches BiomasseForschungsZentrum geme,id-at-countryName=DE) signedCertificate version: v3 (2) serialNumber: 241 And this is how it is presented in logs: ... Tue Dec 19 17:03:01 2017 : Debug: (21) Received Access-Request Id 32 from 172.24.3.197:1645 to 172.28.0.65:1912 length 1619 Tue Dec 19 17:03:01 2017 : Debug: (21) User-Name = "CP-7965G-SEP0008308BD7A4" Tue Dec 19 17:03:01 2017 : Debug: (21) Service-Type = Framed-User ... Tue Dec 19 17:03:02 2017 : Debug: (22) eap_tls: TLS-Cert-Serial := "5871a15a20dc203cceb13b568ad905f9" Tue Dec 19 17:03:02 2017 : Debug: (22) eap_tls: TLS-Cert-Expiration := "220309050842Z" Tue Dec 19 17:03:02 2017 : Debug: (22) eap_tls: TLS-Cert-Subject := "/C=DE/O=Deutsches BiomasseForschungsZentrum gemeinnuetzige GmbH/OU=IT/CN=CAPF-1b0db5b4/ST=Sachsen/L=Leipzig" Tue Dec 19 17:03:02 2017 : Debug: (22) eap_tls: TLS-Cert-Issuer := "/C=DE/O=Deutsches BiomasseForschungsZentrum gemeinnuetzige GmbH/OU=IT/CN=CAPF-1b0db5b4/ST=Sachsen/L=Leipzig" Tue Dec 19 17:03:02 2017 : Debug: (22) eap_tls: TLS-Cert-Common-Name := "CAPF-1b0db5b4" ... I have no idea why FreeRADIUS peeks issuer's cert instead of real client's one. I guess something is broken in server's configuration... On 19.12.2017 19:15, Alan DeKok wrote:
On Dec 19, 2017, at 5:22 AM, Gladewitz, Robert via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
If I understand this logs rights, the error happening on ca certificate? No.
They're about the server certificate.
Mon Dec 18 14:41:44 2017 : ERROR: (2) eap_tls: SSL says error 26 : unsupported certificate purpose As I said before, OpenSSL doesn't like the X509 OIDs in the certificate.
The "openssl verify" returns OK, because it verifies the cert for a different purpose.
No amount of poking FreeRADIUS will fix the OpenSSL code which sanity checks the certificate.
Your choices are:
a) fix the Cisco equipment to produce certs that OpenSSL likes
b) fix the new version OpenSSL to remove this extra sanity checking
c) downgrade the whole OS + OpenSSL to a version of OpenSSL which doesn't have this extra check.
You can post messages to this list all you want, but nothing we can do to help. We CANNOT work around this in FreeRADIUS, because it's an OpenSSL limitation.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Boris Lytochkin Yandex NOC +7 (495) 739 70 00 ext. 7671