Hello Alen, it seems to me, you have not read the openssl thread completely. The openssl interpretation is not rfc compliant. We have already switched to the latest callmanager version! Originally since you here in the forum assumed that the ku "CA" is missing. This error is actually fixed. Nevertheless, the CAPF CA certificates are still issued with the eku "TLS WEB SERVER Authentification", or predefined in the csr. Cisco apparently also needs this option, for whatever reason. That's why I've documented the whole thing for this forum - because I've also gotten two direct requests with the same problem. I also think that this problem is coming to bear more and more because many customers are only now gradually switching to systems based on openssl1.1.0 or higher. To be honest, I can not understand why you are allowed to criticize yourself a lot, but you do not concede any criticisms or mistakes yourself. Really sad, because freeradius ansich is a very good pruduct. When annotations and suggestions for improvement are always treated in this way, at some point nobody dares to make any suggestions. That's a pity. -----Ursprüngliche Nachricht----- Von: Alan DeKok [mailto:aland@deployingradius.com] Gesendet: Mittwoch, 24. Januar 2018 09:13 An: Gladewitz, Robert <Robert.Gladewitz@dbfz.de>; FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Betreff: Re: Solved: After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate On Jan 24, 2018, at 2:16 AM, Gladewitz, Robert via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I would like to summarize the topic for FreeRadius.
The error discussed is actually due to a change in OpenSSL1.1. My request
in the OpenSSL user group on this topic has led to a controversial discussion.
Of course the certificates are RFC compliant. Unfortunately, OpenSSL does
not evaluate the ExtendedKeyUsage (eku) as defined in the RFC in question.\ The OpenSSL team gave you very clear reasons why on their mailing list. One of which is that the RFCs are probably being updated to match current implementations. As someone who's written many RFCs, they're not perfect. See RFC 5080, for example, which points out errors in earlier RFCs, and describes the correct behaviour. The "correct" behaviour in many cases is "what the implementations have been doing for a decade". There are cases where FreeRADIUS does not follow the RFCs. These are cases where the RFCs are broken or wrong.
In the case discussed here, ExtednedKeyUsage (eku) is set to TLS "Web Server Authentication" for the CA (CAPF) certificate.
This would be allowable under RFC, but is not allowed by the openssl client certificate validation functions.
Or by most implementations, as you were told on the OpenSSL list. And that they believe the RFCs are wrong.
Unfortunately, this is not a solution for customers who use the certificate signed by Cisco CallManagers themselves, as the eku for the freeradius can not simply be deleted here. This means, that there is no chance to authenticate the phones with a freeradius version based on openssl libraries> = 1.1.0 - at least not with tls.
How about complaining to Cisco, and getting their implementation fixed? Oh wait, Stefan already told you how to fix it. You can:
upgrade his system to release 11.5 and re-generate the CAPF CA, then he should get a real CA.
Remedy would only create a correctly patched openssl version or the correct implementation of an openssl_verify function (as discussed in openssl thread).
Stop trolling. It's rude, and will result in you getting kicked off of the list. I've already warned you once off-list. This is your last, and final warning. You're claiming here that the "correct" implementation of OpenSSL is whatever you think it is, and that the OpenSSL developers are wrong. You're making that same claim about FreeRADIUS. You *could* choose to upgrade the Cisco software to a version which is fixed. Instead, you insist on claiming that you know better than everyone else, and that everyone's software is wrong. There is no language problem here. You're choosing to be obnoxious. Stop it. Alan DeKok.