Hi, well, I wouldn't have needed the private key, but ok :-) I have an openssl 1.0.2 on my box, which validates this server and CA against the purpose of TLS Server just fine (and as a counter-test, does not validate it as TLS Client): swinter@aragorn:~/scratch/FR-debug> openssl verify -CApath ./CA/ -purpose sslserver server.pem server.pem: OK swinter@aragorn:~/scratch/FR-debug> openssl verify -CApath ./CA/ -purpose sslclient server.pem server.pem: C = FR, ST = Radius, O = Example Inc., CN = Example Server Certificate, emailAddress = admin@example.org error 26 at 0 depth lookup:unsupported certificate purpose OK Compiling 1.1.0h, this still works: swinter@aragorn:~/scratch/FR-debug> LD_LIBRARY_PATH=/usr/local/lib64 /usr/local/bin/openssl verify -CApath ./CA/ -purpose sslserver server.pem server.pem: OK swinter@aragorn:~/scratch/FR-debug> LD_LIBRARY_PATH=/usr/local/lib64 /usr/local/bin/openssl verify -CApath ./CA/ -purpose sslclient server.pem C = FR, ST = Radius, O = Example Inc., CN = Example Server Certificate, emailAddress = admin@example.org error 26 at 0 depth lookup: unsupported certificate purpose error server.pem: verification failed swinter@aragorn:~/scratch/FR-debug> LD_LIBRARY_PATH=/usr/local/lib64 /usr/local/bin/openssl version OpenSSL 1.1.0h 27 Mar 2018 (but one can see that the failure test in 1.0.x was somewhat graceful ("OK") while 1.1.0 throws an actual error at the end) Which still leaves us at the question why things don't work for you with eapol_test. The first, obvious question: is eapol_test compiled to use openssl at all? Or is it using a different engine? If it's using openssl, what version of openssl is on the system? Is there anything ... peculiar in the wpa_supplicant.conf file regarding server cert validation? You could paste the file here, but without your password. I want it as little as I wanted the PEM key file, you know ;-) Greetings, Stefan Winter Am 18.04.2018 um 13:36 schrieb Nick Howitt:
On 18/04/2018 12:23, Stefan Winter wrote:
Hi,
I've reverted the set up to use the standard Freeradius certs and I've been through the certs README, deleting all certificates and recreating the ca.pem and server certs (btw I think the order in the README is wrong as you need to create the server.csr before the server.pem) and I've hit the same "(6) eap_tls: ERROR: SSL says error 26 : unsupported certificate purpose" issue when running eapol_test with the new certs. Can you paste both the CA's and the server's PEM representation into a mail on the list?
Stefan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html I've just recreated them as I had to remove the extension for testing. Note I have increased the validity of both in the cnf files to 3650d; everything else is at default. From "history": 994 cd /etc/raddb/certs 995 rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt* 996 make ca.pem 997 server.csr 998 make server.csr 999 make server.pem 1000 openssl x509 -text -noout -in server.pem 1001 history
ca.pem: -----BEGIN CERTIFICATE----- MIIE5DCCA8ygAwIBAgIJANMWAroiOxufMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYD VQQGEwJGUjEPMA0GA1UECAwGUmFkaXVzMRIwEAYDVQQHDAlTb21ld2hlcmUxFTAT BgNVBAoMDEV4YW1wbGUgSW5jLjEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBs ZS5vcmcxJjAkBgNVBAMMHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4X DTE4MDQxODExMjczM1oXDTI4MDQxNTExMjczM1owgZMxCzAJBgNVBAYTAkZSMQ8w DQYDVQQIDAZSYWRpdXMxEjAQBgNVBAcMCVNvbWV3aGVyZTEVMBMGA1UECgwMRXhh bXBsZSBJbmMuMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGFtcGxlLm9yZzEmMCQG A1UEAwwdRXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3 DQEBAQUAA4IBDwAwggEKAoIBAQC5jRl/IZsBPOvH1Vdua8yCt1NchL8j9aWAth7v z+mw7gG+pZegojz97M1+wQZiTeZwuR5XclAc/zpsv3u9stU+fR2hfMOBse9/bzaz wRUrhtN6kKPNGA0lMmbbNwus6AQnrgRXQOyvgmET0B+OHsVBqtWTGzq7IA7X0c5Y jcHj6zN4PwTg/2PfM59Ir2vcVO5hpLVYda0qK3GDoh8WfwpCvWgjt5YsFd7ARSUY Nf2hmHETzXSxx0tAFF+Hk/iFwXGeQFSXbrvh18Trgs3lmX4d0ehKXwgPjF4kY5IG 2yAjcTQWWGnoRE8fl9/yG6hBIOd6xNrabSIh2eiKreui1oZdAgMBAAGjggE3MIIB MzAdBgNVHQ4EFgQUOYtRuUCNkemvqYjtAokDb0sAHEYwgcgGA1UdIwSBwDCBvYAU OYtRuUCNkemvqYjtAokDb0sAHEahgZmkgZYwgZMxCzAJBgNVBAYTAkZSMQ8wDQYD VQQIDAZSYWRpdXMxEjAQBgNVBAcMCVNvbWV3aGVyZTEVMBMGA1UECgwMRXhhbXBs ZSBJbmMuMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGFtcGxlLm9yZzEmMCQGA1UE AwwdRXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHmCCQDTFgK6IjsbnzAPBgNV HRMBAf8EBTADAQH/MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly93d3cuZXhhbXBs ZS5vcmcvZXhhbXBsZV9jYS5jcmwwDQYJKoZIhvcNAQELBQADggEBACfUwu20Djg4 Vz80P3Q5LtzLLQ+M8ndEn8QaWDEbQKP60Wlj3nD3FT+jCNovov2xgH18z2d6q2bE vqCN8884Sy0xIjuROwPhG1CFJ4oJ9rJmcjKqBcpr81UiM0hCf2OqLFPCHZRfAjMb RMmF0Vf3Cb/44Xqf10zYLe1fT++3Kj3QYGgn2YKVkmB++XH4FRux2pNoeImlKaP3 78KZB4GobraydEpxGJbvoD58TJ7/b1NGlPFgaC07aDZLhSfiSsRoN0Dt95VOZpWO vSxh8Yv6h9g9kxU6Nx0Up0LS23qvWcIhkbQkF0H7gQ2ECH6UN4CNdNvpLPPX5kjZ 0eCj1CL9j4g= -----END CERTIFICATE-----
server.pem: Bag Attributes localKeyID: AD A7 E8 29 BB 2F C9 69 4F 75 2E F4 EF 80 70 99 B1 75 04 37 subject=/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin@example.org issuer=/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.org/CN=Example Certificate Authority -----BEGIN CERTIFICATE----- MIID2jCCAsKgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBkzELMAkGA1UEBhMCRlIx DzANBgNVBAgMBlJhZGl1czESMBAGA1UEBwwJU29tZXdoZXJlMRUwEwYDVQQKDAxF eGFtcGxlIEluYy4xIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1wbGUub3JnMSYw JAYDVQQDDB1FeGFtcGxlIENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xODA0MTgx MTI4MDhaFw0yODA0MTUxMTI4MDhaMHwxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIDAZS YWRpdXMxFTATBgNVBAoMDEV4YW1wbGUgSW5jLjEjMCEGA1UEAwwaRXhhbXBsZSBT ZXJ2ZXIgQ2VydGlmaWNhdGUxIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1wbGUu b3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApAY39TBW76KKMYQ3 CSeXT7PtoRB1FtWKE1qVKRQOP2y/I9hSBJxbknKdhcpE3diORoWKh0qwjFKY+7as Ehq9zVELbcO7fvTT663Cn9uBIwQ517RMJZjf6ks7N3LB9nmwi2iC0lmq/OS8mMNF hZdK2QfWoDxRwBcT0z/WIrNJyYluJAtKISzejqP27rjh1ZI/WnxY/S+8VXdCwcR4 PtuyqSdOhC7q8EF8vIjG6H13G2V2/vmVrXQ7VokxWQ8F83vmRZVC2vcgYd5Qp813 /7YVL6C5g6CJgbz7AcJVwmT5P1W7xY9lOCz7bavdbPGewV7kONxQQrub+ZdKrJKX uP13GwIDAQABo08wTTATBgNVHSUEDDAKBggrBgEFBQcDATA2BgNVHR8ELzAtMCug KaAnhiVodHRwOi8vd3d3LmV4YW1wbGUuY29tL2V4YW1wbGVfY2EuY3JsMA0GCSqG SIb3DQEBCwUAA4IBAQBBTf/njNLVZdM4ZoLQnO+GLLTN335PXGL4ufYtA38kncQJ doSGaJTKllJdqCs+CRwNGVd2LE7Ahx0Rfj3m0J9YRmGzd5fdHRoWyqbED4nIrswd ErhTbM7e34GnyhXeFcFYdEH8kczysOsKzRFSBQQKkKg7dIxE9AUyB13wsMeWWEcQ DmINh6oan458/eXInqIvv7mc0JTJh+TuYFXYk738rSj6Tj4KloasG0rvCcTNmHWd ojouFuypcJQASPUvIfM6zkkdKtnTI4OJYbidy/rI6LcPj2m1MV7poGwibVhuxmcK jYb8EaNYormuKJ19HEXoKxLp5AM2wgDwCGae762k -----END CERTIFICATE----- Bag Attributes localKeyID: AD A7 E8 29 BB 2F C9 69 4F 75 2E F4 EF 80 70 99 B1 75 04 37 Key Attributes: <No Attributes> -----BEGIN ENCRYPTED PRIVATE KEY----- MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIDXoPxieDQy0CAggA MBQGCCqGSIb3DQMHBAhvyXKp13L/JASCBMiuLfezZw39A9Z9YppLHYfxh9rhBHm/ vgUUzsiybokGnXJOCa/W8noUOTL3xF0rdsZmjo+B/eoOAdMUyYBLAxZYbZOutlBH XFZhVxWdkT2H0+SWn2opT7sRIxWfjsSfZQDHYJ3YLng3kNkDjUaiet+3SVs/30j1 sobLZviGLftWqo5vnlWP6BpzvWruge0qFaSy3BMO5dF0G7J6ZHs1vnxseT9NUvHo p+z8di3P3fpv8cBnA4lA/4PPEeKw7A6vcklvilKlFzYoNbwQaoPRxyT7yRODbINs 44Ypd+agDRpxWjZoNKFLlEViCOkt2d6twU5ngi8u2Cy67NhhbuuXbPDUO25sAzAl myRwnEJkc77801fus8PncyAQlD1gyEiFaaMo4xSbJpa8de31Z6FLzpReLetRE+In 7gtXdHvSArkYP6KkveuywBZ3w73tmpQ8hFaP8fpf0/DbqQpMI2AWd1mYvmOMl4oW 6skl/Pw6HOrrpQEnFY22uvyhac6dlOghlbKRpXfM/IXqmkxBiM7oaOcCwk3D14++ 2rfQB7O9fbD/BceSbFgC9Q8yHEWTEh5q6075I27nYjvR3XOxgkMGty/X7nQ/pNLz YDw7zwW+RAQ5u23NNikrwXFBx9T8DjizpcMIR+3HK78XaVyyHBaek5OWXQpm/q3Z 89odhJVRhAE/zc+lW+r3HmT99TY7o2pPPboU/yJJSpNimYiBJdAYgHOS58Cs5WW0 6dKvZl9LLfWJ6xgvxcf6wXsSLQyErkorAwuI2gL8jx5CKAmGKWICmhggzOhNNTEX RUzXMaqjwEH3pvr9/431U5xscuFf6JKveqUVEDDkRAV7IEaCxr1uCBlpTGjx/ltQ 0WRyTos1Zmfxru3qSUm4Xltwl9ZMJs5VInw6wl1hOK4ktIVPuZ2/okkbiF6bsYyt fvCaBZyOn9rBnPcMD7gx8Q5wPqMXipDKhgciN90b5kG3OI26pFz4u7YsTKclXrFC pDn86/t8twBtP2ML4yl9XMfPcoIfWhDFmKZRHhSlfFM9d55PABD1Tg0CPE+/RdSq Ayh0xB/Iw9AVxJFK9LM8IJGCAgm+0Zw8nnIfJ6HJLCno8yIySpR7HfvxZpEAhdUv EUSkuMukkJUR0vNMmuNoJWXWaV4o+yZXIvB7wtwlFBbTjLddZtVZ45IRly8rmP7F V/8gz2QLTRVz9GJM46nPS9U+zTbTPPi/76r/sfrtW6Rwlt2cw0V29JrUNW0GNXig eZS0iS1P69VBOGLXRA95heteDoDcCnspuEQedD8nPdogOFRbBSR8REFFpxuZU7vf m9FdluJ+U5SwZUBu+QEIMZmOBtqxQAa7HThSVjMujUmdejl2irhVoL1V4X9rKbML 8VvOdkuhaNSp8v1PehYM2+P4GdDw8wSgOldpu1FcPXbA7q1ZVhXVOfLlPi/GCxcF jBGKCn7hcsp/55dNo68dLTaqB3KY5d64rn9gjEuBOHpGj2gn6RdrESaGGQnuGI0S 20cSEiAf3JqcBcPektjYNbiTpwsE0StiQQEdrT7Oo/lrZqPmu7yD32W/QKwSr/a6 IXOfcCSdMo9V7Iyti9LV/rfTkmXuUHetAtVQGJqdZjevSz5ct5UeLeGIuDGXDCsk cn4= -----END ENCRYPTED PRIVATE KEY-----
It is a temporary cert so I don't mind publishing the key which is in the server.pem. Regards, Nick - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66