Hello, in first discusion, the errors seems tob e on a wrong ca certificate. Now, all certifices a changed an the errror still happening: <SNIP: DEBUG> (69) eap_tls: Continuing EAP-TLS (69) eap_tls: Peer indicated complete TLS record size will be 1432 bytes (69) eap_tls: Got complete TLS record (1432 bytes) (69) eap_tls: [eaptls verify] = length included (69) eap_tls: TLS_accept: SSLv3/TLS write server done (69) eap_tls: <<< recv TLS 1.0 Handshake [length 03c2], Certificate (69) eap_tls: Creating attributes from certificate OIDs (69) eap_tls: TLS-Cert-Serial := "1009" (69) eap_tls: TLS-Cert-Expiration := "380111125719Z" (69) eap_tls: TLS-Cert-Subject := "/C=DE/ST=Sachsen/L=Leipzig/O=DBFZ Deutsches Biomasseforschungszentrum gGmbH/OU=IT/CN=CAPF-91d43ef6" (69) eap_tls: TLS-Cert-Issuer := "/C=DE/ST=Sachsen/L=Leipzig/O=DBFZ Deutsches Biomasseforschungszentrum gemeinnuetzige GmbH/OU=IT/CN=DBFZ CA INTERN ROOT/emailAddress=support@dbfz.de" (69) eap_tls: TLS-Cert-Common-Name := "CAPF-91d43ef6" (69) eap_tls: ERROR: SSL says error 26 : unsupported certificate purpose (69) eap_tls: >>> send TLS 1.0 Alert [length 0002], fatal unsupported_certificate (69) eap_tls: ERROR: TLS Alert write:fatal:unsupported certificate tls: TLS_accept: Error in error (69) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed (69) eap_tls: ERROR: System call (I/O) error (-1) (69) eap_tls: ERROR: TLS receive handshake failed during operation (69) eap_tls: ERROR: [eaptls process] = fail </DEBUG> openssl -verify have no warning, if I do cert check manually. Fo testing, I append the certs. # openssl verify -verbose -CAfile /etc/freeradius/3.0/certs.8021x.ciscophone/cacert.capf.pem SEP64A0E714844E-L1.pem # SEP64A0E714844E-L1.pem: OK Regards Robert -----Ursprüngliche Nachricht----- Von: Stefan Winter [mailto:stefan.winter@restena.lu] Gesendet: Donnerstag, 21. Dezember 2017 14:52 An: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>; Boris Lytochkin <lytboris@yandex-team.ru>; Gladewitz, Robert <Robert.Gladewitz@dbfz.de> Betreff: Re: After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate Hi,
It's much better to fix your "CA" cert (which is not). ================ X509v3 Basic Constraints: critical CA:TRUE ================ is missing.
Out of curiosity (I didn't think Cisco can be so stupid to make CAs which aren't actually CAs...) I searched, and my search engine of choice gave me this link: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCut82798/?referring_site=bug... (needs free registration to view) So, indeed, Cisco WAS that stupid. For an extended amount of time and multiple major version releases. FWIW, if the OP can upgrade his system to release 11.5 and re-generate the CAPF CA, then he should get a real CA. Which then makes tinkering with source code obsolete. (If the answer is that you need to edit the source code, then you are asking the wrong question :-) ) Greetings, Stefan Winter Am 20.12.2017 um 07:51 schrieb Boris Lytochkin:
Hi.
See http://www.alvestrand.no/objectid/2.5.29.19.html
On 20.12.2017 1:09, Gladewitz, Robert via Freeradius-Users wrote:
Hello Alan,
so, i find out that you are right. I find out, that the certificate check ends with an warning, because of following openssl function in v3_purp.c?
495 /*- 496 * CA checks common to all purposes 497 * return codes: 498 * 0 not a CA 499 * 1 is a CA 500 * 2 basicConstraints absent so "maybe" a CA 501 * 3 basicConstraints absent but self signed V1. 502 * 4 basicConstraints absent but keyUsage present and keyCertSign asserted. 503 */ 504 505 static int check_ca(const X509 *x) 506 { 507 /* keyUsage if present should allow cert signing */ 508 if (ku_reject(x, KU_KEY_CERT_SIGN)) 509 return 0; 510 if (x->ex_flags & EXFLAG_BCONS) { 511 if (x->ex_flags & EXFLAG_CA) 512 return 1; 513 /* If basicConstraints says not a CA then say so */ 514 else 515 return 0; 516 } else { 517 /* we support V1 roots for... uh, I don't really know why. */ 518 if ((x->ex_flags & V1_ROOT) == V1_ROOT) 519 return 3; 520 /* 521 * If key usage present it must have certSign so tolerate it 522 */ 523 else if (x->ex_flags & EXFLAG_KUSAGE) 524 return 4; 525 /* Older certificates could have Netscape-specific CA types */ 526 else if (x->ex_flags & EXFLAG_NSCERT && x->ex_nscert & NS_ANY_CA) 527 return 5; 528 /* can this still be regarded a CA certificate? I doubt it */ 529 return 0; 530 } 531 }
But it is documented as a warning, not an error!?
It is possible, to add an workarround for mistake in conf / tls.c
<DIFF tls.c> if (!my_ok && (conf->allow_expired_crl) && (err == X509_V_ERR_CRL_HAS_EXPIRED)) { my_ok = 1; X509_STORE_CTX_set_error( ctx, 0 ); }
+ if (!my_ok && + (conf->allow_wrong_purposed) && + (err == X509_V_ERR_INVALID_PURPOSE)) { + my_ok = 1; + X509_STORE_CTX_set_error( ctx, 0 ); + }
if (!my_ok) {
</DIFF>
I hope, my mail not sounds arogant :-(
Robert
-----Ursprüngliche Nachricht----- Von: Freeradius-Users [mailto:freeradius-users-bounces+robert.gladewitz=dbfz.de@lists.freer adius.org] Im Auftrag von Alan DeKok Gesendet: Dienstag, 19. Dezember 2017 18:49 An: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Betreff: Re: After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate
On Dec 19, 2017, at 12:18 PM, Boris Lytochkin <lytboris@yandex-team.ru> wrote: Alan, you are absolutely correct about OIDs. But one thing drives me crazy. Robert sent me a full capture (attached) and it is really weird if you compare it to FreeRADIUS logs. ... I have no idea why FreeRADIUS peeks issuer's cert instead of real client's one. I guess something is broken in server's configuration... EAP-TLS sends over the entire certificate chain. OpenSSL walks down the certificate chain, verifying each cert in sequence.
If it can't verify the CA or server cert, OpenSSL fails, and we never get to check the client cert.
When the client cert gets printed, the fields get printed as "TLS-Client-Cert-Serial", not as "TLS-Cert-Serial"
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66