Hello, after update to version 3 we get the followong error on module eap-tls: <SNIP> (59) eap_tls: Continuing EAP-TLS (59) eap_tls: Peer indicated complete TLS record size will be 1321 bytes (59) eap_tls: Got complete TLS record (1321 bytes) (59) eap_tls: [eaptls verify] = length included (59) eap_tls: TLS_accept: SSLv3/TLS write server done (59) eap_tls: <<< recv TLS 1.0 Handshake [length 0353], Certificate (59) eap_tls: Creating attributes from certificate OIDs (59) eap_tls: TLS-Cert-Serial := "5871a15a20dc203cceb13b568ad905f9" (59) eap_tls: TLS-Cert-Expiration := "220309050842Z" (59) eap_tls: TLS-Cert-Subject := "/C=DE/O=Deutsches BiomasseForschungsZentrum gemeinnuetzige GmbH/OU=IT/CN=CAPF-1b0db5b4/ST=Sachsen/L=Leipzig" (59) eap_tls: TLS-Cert-Issuer := "/C=DE/O=Deutsches BiomasseForschungsZentrum gemeinnuetzige GmbH/OU=IT/CN=CAPF-1b0db5b4/ST=Sachsen/L=Leipzig" (59) eap_tls: TLS-Cert-Common-Name := "CAPF-1b0db5b4" (59) eap_tls: ERROR: SSL says error 26 : unsupported certificate purpose (59) eap_tls: >>> send TLS 1.0 Alert [length 0002], fatal unsupported_certificate (59) eap_tls: ERROR: TLS Alert write:fatal:unsupported certificate tls: TLS_accept: Error in error (59) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed (59) eap_tls: ERROR: System call (I/O) error (-1) (59) eap_tls: ERROR: TLS receive handshake failed during operation (59) eap_tls: ERROR: [eaptls process] = fail </SNIP> In do not understand, why i get this error. If i use manually openssl verify all seems ok. Also, freeraduus do not use the comment define in tls -> verify -> client. My relatet tls config <SNIP> tls-config tls-common { require_client_cert = no certdir = ${confdir}/certs.8021x cadir = ${confdir}/certs.ciscophone private_key_password = myspecpass private_key_file = ${certdir}/cert-srv-dbfz-radius01.pem certificate_file = ${certdir}/cert-srv-dbfz-radius01.pem ca_file = ${cadir}/CAPF.pem dh_file = ${certdir}/dh random_file = /dev/urandom check_crl = no check_all_crl = no ca_path = ${cadir} check_cert_issuer = "/C=DE/O=Deutsches BiomasseForschungsZentrum gemeinnuetzige GmbH/OU=IT/CN=CAPF-1b0db5b4/ST=Sachsen/L=Leipzig" cipher_list = "DEFAULT" ecdh_curve = "prime256v1" make_cert_command = "${certdir}/bootstrap" cache { enable = no lifetime = 24 # hours max_entries = 255 #name = "EAP module" #persist_dir = "${logdir}/tlscache" } verify { skip_if_ocsp_ok = no tmpdir = /var/lib/freeradius/temp client = "/usr/bin/openssl verify -CAfile ${confdir}/certs.8021x/CAPF.pem %{TLS-Client-Cert-Filename}" # client = "/usr/local/bin/checkcert.sh verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" } tls { require_client_cert = no tls = tls-common # virtual_server = check-eap-tls } </SNIP> In some discusion i find out, that some think is wron with the extendet attributes. But in this case, why it is working fine in freeradius 2 and 1 implemtations. Regards Robert