On 18/04/2018 15:03, Stefan Winter wrote:
Hi,
well, I wouldn't have needed the private key, but ok :-)
I have an openssl 1.0.2 on my box, which validates this server and CA against the purpose of TLS Server just fine (and as a counter-test, does not validate it as TLS Client):
swinter@aragorn:~/scratch/FR-debug> openssl verify -CApath ./CA/ -purpose sslserver server.pem server.pem: OK swinter@aragorn:~/scratch/FR-debug> openssl verify -CApath ./CA/ -purpose sslclient server.pem server.pem: C = FR, ST = Radius, O = Example Inc., CN = Example Server Certificate, emailAddress = admin@example.org error 26 at 0 depth lookup:unsupported certificate purpose OK
Compiling 1.1.0h, this still works:
swinter@aragorn:~/scratch/FR-debug> LD_LIBRARY_PATH=/usr/local/lib64 /usr/local/bin/openssl verify -CApath ./CA/ -purpose sslserver server.pem server.pem: OK swinter@aragorn:~/scratch/FR-debug> LD_LIBRARY_PATH=/usr/local/lib64 /usr/local/bin/openssl verify -CApath ./CA/ -purpose sslclient server.pem C = FR, ST = Radius, O = Example Inc., CN = Example Server Certificate, emailAddress = admin@example.org error 26 at 0 depth lookup: unsupported certificate purpose error server.pem: verification failed swinter@aragorn:~/scratch/FR-debug> LD_LIBRARY_PATH=/usr/local/lib64 /usr/local/bin/openssl version OpenSSL 1.1.0h 27 Mar 2018
(but one can see that the failure test in 1.0.x was somewhat graceful ("OK") while 1.1.0 throws an actual error at the end)
Which still leaves us at the question why things don't work for you with eapol_test.
The first, obvious question: is eapol_test compiled to use openssl at all? Or is it using a different engine?
If it's using openssl, what version of openssl is on the system?
Is there anything ... peculiar in the wpa_supplicant.conf file regarding server cert validation? You could paste the file here, but without your password. I want it as little as I wanted the PEM key file, you know ;-)
Greetings,
Stefan Winter
Am 18.04.2018 um 13:36 schrieb Nick Howitt:
On 18/04/2018 12:23, Stefan Winter wrote:
Hi,
I've reverted the set up to use the standard Freeradius certs and I've been through the certs README, deleting all certificates and recreating the ca.pem and server certs (btw I think the order in the README is wrong as you need to create the server.csr before the server.pem) and I've hit the same "(6) eap_tls: ERROR: SSL says error 26 : unsupported certificate purpose" issue when running eapol_test with the new certs. Can you paste both the CA's and the server's PEM representation into a mail on the list?
Stefan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html I've just recreated them as I had to remove the extension for testing. Note I have increased the validity of both in the cnf files to 3650d; everything else is at default. From "history": 994 cd /etc/raddb/certs 995 rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt* 996 make ca.pem 997 server.csr 998 make server.csr 999 make server.pem 1000 openssl x509 -text -noout -in server.pem 1001 history
ca.pem: -----BEGIN CERTIFICATE----- MIIE5DCCA8ygAwIBAgIJANMWAroiOxufMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYD VQQGEwJGUjEPMA0GA1UECAwGUmFkaXVzMRIwEAYDVQQHDAlTb21ld2hlcmUxFTAT BgNVBAoMDEV4YW1wbGUgSW5jLjEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBs ZS5vcmcxJjAkBgNVBAMMHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4X DTE4MDQxODExMjczM1oXDTI4MDQxNTExMjczM1owgZMxCzAJBgNVBAYTAkZSMQ8w DQYDVQQIDAZSYWRpdXMxEjAQBgNVBAcMCVNvbWV3aGVyZTEVMBMGA1UECgwMRXhh bXBsZSBJbmMuMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGFtcGxlLm9yZzEmMCQG A1UEAwwdRXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3 DQEBAQUAA4IBDwAwggEKAoIBAQC5jRl/IZsBPOvH1Vdua8yCt1NchL8j9aWAth7v z+mw7gG+pZegojz97M1+wQZiTeZwuR5XclAc/zpsv3u9stU+fR2hfMOBse9/bzaz wRUrhtN6kKPNGA0lMmbbNwus6AQnrgRXQOyvgmET0B+OHsVBqtWTGzq7IA7X0c5Y jcHj6zN4PwTg/2PfM59Ir2vcVO5hpLVYda0qK3GDoh8WfwpCvWgjt5YsFd7ARSUY Nf2hmHETzXSxx0tAFF+Hk/iFwXGeQFSXbrvh18Trgs3lmX4d0ehKXwgPjF4kY5IG 2yAjcTQWWGnoRE8fl9/yG6hBIOd6xNrabSIh2eiKreui1oZdAgMBAAGjggE3MIIB MzAdBgNVHQ4EFgQUOYtRuUCNkemvqYjtAokDb0sAHEYwgcgGA1UdIwSBwDCBvYAU OYtRuUCNkemvqYjtAokDb0sAHEahgZmkgZYwgZMxCzAJBgNVBAYTAkZSMQ8wDQYD VQQIDAZSYWRpdXMxEjAQBgNVBAcMCVNvbWV3aGVyZTEVMBMGA1UECgwMRXhhbXBs ZSBJbmMuMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGFtcGxlLm9yZzEmMCQGA1UE AwwdRXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHmCCQDTFgK6IjsbnzAPBgNV HRMBAf8EBTADAQH/MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly93d3cuZXhhbXBs ZS5vcmcvZXhhbXBsZV9jYS5jcmwwDQYJKoZIhvcNAQELBQADggEBACfUwu20Djg4 Vz80P3Q5LtzLLQ+M8ndEn8QaWDEbQKP60Wlj3nD3FT+jCNovov2xgH18z2d6q2bE vqCN8884Sy0xIjuROwPhG1CFJ4oJ9rJmcjKqBcpr81UiM0hCf2OqLFPCHZRfAjMb RMmF0Vf3Cb/44Xqf10zYLe1fT++3Kj3QYGgn2YKVkmB++XH4FRux2pNoeImlKaP3 78KZB4GobraydEpxGJbvoD58TJ7/b1NGlPFgaC07aDZLhSfiSsRoN0Dt95VOZpWO vSxh8Yv6h9g9kxU6Nx0Up0LS23qvWcIhkbQkF0H7gQ2ECH6UN4CNdNvpLPPX5kjZ 0eCj1CL9j4g= -----END CERTIFICATE-----
server.pem: Bag Attributes localKeyID: AD A7 E8 29 BB 2F C9 69 4F 75 2E F4 EF 80 70 99 B1 75 04 37 subject=/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin@example.org issuer=/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.org/CN=Example Certificate Authority -----BEGIN CERTIFICATE----- MIID2jCCAsKgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBkzELMAkGA1UEBhMCRlIx DzANBgNVBAgMBlJhZGl1czESMBAGA1UEBwwJU29tZXdoZXJlMRUwEwYDVQQKDAxF eGFtcGxlIEluYy4xIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1wbGUub3JnMSYw JAYDVQQDDB1FeGFtcGxlIENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xODA0MTgx MTI4MDhaFw0yODA0MTUxMTI4MDhaMHwxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIDAZS YWRpdXMxFTATBgNVBAoMDEV4YW1wbGUgSW5jLjEjMCEGA1UEAwwaRXhhbXBsZSBT ZXJ2ZXIgQ2VydGlmaWNhdGUxIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1wbGUu b3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApAY39TBW76KKMYQ3 CSeXT7PtoRB1FtWKE1qVKRQOP2y/I9hSBJxbknKdhcpE3diORoWKh0qwjFKY+7as Ehq9zVELbcO7fvTT663Cn9uBIwQ517RMJZjf6ks7N3LB9nmwi2iC0lmq/OS8mMNF hZdK2QfWoDxRwBcT0z/WIrNJyYluJAtKISzejqP27rjh1ZI/WnxY/S+8VXdCwcR4 PtuyqSdOhC7q8EF8vIjG6H13G2V2/vmVrXQ7VokxWQ8F83vmRZVC2vcgYd5Qp813 /7YVL6C5g6CJgbz7AcJVwmT5P1W7xY9lOCz7bavdbPGewV7kONxQQrub+ZdKrJKX uP13GwIDAQABo08wTTATBgNVHSUEDDAKBggrBgEFBQcDATA2BgNVHR8ELzAtMCug KaAnhiVodHRwOi8vd3d3LmV4YW1wbGUuY29tL2V4YW1wbGVfY2EuY3JsMA0GCSqG SIb3DQEBCwUAA4IBAQBBTf/njNLVZdM4ZoLQnO+GLLTN335PXGL4ufYtA38kncQJ doSGaJTKllJdqCs+CRwNGVd2LE7Ahx0Rfj3m0J9YRmGzd5fdHRoWyqbED4nIrswd ErhTbM7e34GnyhXeFcFYdEH8kczysOsKzRFSBQQKkKg7dIxE9AUyB13wsMeWWEcQ DmINh6oan458/eXInqIvv7mc0JTJh+TuYFXYk738rSj6Tj4KloasG0rvCcTNmHWd ojouFuypcJQASPUvIfM6zkkdKtnTI4OJYbidy/rI6LcPj2m1MV7poGwibVhuxmcK jYb8EaNYormuKJ19HEXoKxLp5AM2wgDwCGae762k -----END CERTIFICATE-----
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html [root@7 certs]# rpm -q openssl openssl-1.0.2k-8.el7.x86_64
I don't have wpa_supplicant installed on the system so no wpa_supplicant.conf. In order to get eapol_test I pulled down the latest 2.6 sources and ran make following the instructions at http://blog.rchapman.org/posts/Troubleshooting_EAP-TLS_with_freeradius/. I was under the impression that eapol_test was not compiled in the distro, but I've just been checking and I think I have been incorrectly informed. I'll install wpa_supplicant and test again. FWIW it is not eapol_test which is giving the certificate error but "radiusd -X". BTW you only got the key because it is in the pem file so I was not sure if you wanted the whole file or just the certificate part Nick