Thanks Alan B and Alan K. I generated key and certificate using the openssl.cnf and below steps: openssl genrsa -aes256 -out key.pem openssl req -config openssl.cnf -key key.pem new -sha256 -out csr.pem openssl ca -config openssl.cnf -extensions usr_cert -days 375 -notext -md sha256 -in csr.pem -out cert.pem This generation is done in a linux box with openssl 1.0.2. While verifying with openssl 1.1.0 (also using 1.0.2) using below steps - in the ubuntu where freeradius is running - it shows OK. openssl verify -CAfile cacert.pem cert.pem cert.pem: OK But only freeradius is throwing the error on purpose. Still i generated a new client certificate without the 'digital signature' key usage. X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: DD:4A:55:26:9E:7F:27:E9:F6:14:63:CE:95:A3:AD:78:68:7F:56:A6 X509v3 Authority Key Identifier: keyid:44:C9:8D:CB:50:17:D2:33:60:4F:96:1A:76:34:99:A4:0D:FA:A1:8D X509v3 Extended Key Usage: TLS Web Client Authentication But result is same. 0) TLS_accept: SSLv3/TLS write server done (0) <<< recv TLS 1.2 [length 07ac] (0) Creating attributes from certificate OIDs (0) ERROR: SSL says error 26 : unsupported certificate purpose (0) >>> send TLS 1.2 [length 0002] (0) ERROR: TLS Alert write:fatal:unsupported certificate tls: TLS_accept: Error in error (0) ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed (0) ERROR: System call (I/O) error (-1) (0) FAILED in TLS handshake receive Closing TLS socket from client port 57851 Should I generate again with openssl 1.1.0 ? But I wonder how the "openssl verify" works good with openssl 1.1.0; but not freeradius's SSL Read. Thanks in advance. Thanks murugesh On 10/30/20, Alan DeKok <aland@deployingradius.com> wrote:
On Oct 30, 2020, at 8:21 AM, murugesh pitchaiah <murugesh.pitchaiah@gmail.com> wrote:
while trying for radsec I see freeradius throwing below error on TLS handshake:
(0) TLS_accept: SSLv3/TLS write server done (0) <<< recv TLS 1.2 [length 07b9] (0) Creating attributes from certificate OIDs (0) ERROR: SSL says error 26 : unsupported certificate purpose
That seems relatively clear.
(0) >>> send TLS 1.2 [length 0002] (0) ERROR: TLS Alert write:fatal:unsupported certificate tls: TLS_accept: Error in error (0) ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
So it's the client certificate which is failing here. That's at least better than some of the other OpenSSL error messages. :(
Here is the client certificate's purpose details:
X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature
Is the client certificate signing other certificates? I suspect not...
Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: AE:C8:80:61:1C:AB:99:03:8F:13:4F:14:95:EA:61:52:4D:8C:37:E8 X509v3 Authority Key Identifier:
keyid:44:C9:8D:CB:50:17:D2:33:60:4F:96:1A:76:34:99:A4:0D:FA:A1:8D
X509v3 Extended Key Usage: TLS Web Client Authentication
That should work.
I see the key usage and Extended usage look good; still unable to find whats reason for freeradius rejecting the client certificate
It's not. :( OpenSSL is rejecting the client certificate.
client openssl ; 1.0.2 freeradius: 3.0.16 and i see this has openssl 1.1.0
How did you generate the certificates?
If you copy the client certificate to the OpenSSL machine, you can verify it there using the "openssl" command-line too.
What's likely happening is that OpenSSL 1.1.0 is doing more stringent checks than OpenSSL 1.0.2. So you'll need to regenerate the certificate, without the offending OIDs.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html