Hi all- trying to understand a particular failure/error. I've been using dd-wrt, freeradius and strongswan together for almost a year (mostly) without issue. Freeradius provides my eap-tls functionality passed either through the wifi router (dd-wrt) or VPN (strongswan). Recently my macbook was upgraded to MacOS Mojave and I appear to no longer auth to wireless with the same cert. The cert still works for strongswan auth. Below are my logs for either scenario: [dd-wrt client auth failure] (993) eap: Expiring EAP session with state 0xaa3880f3ad308d40 (993) eap: Finished EAP session with state 0xaa3880f3ad308d40 (993) eap: Previous EAP request found for state 0xaa3880f3ad308d40, released from the list (993) eap: Peer sent packet with method EAP TLS (13) (993) eap: Calling submodule eap_tls to process data (993) eap_tls: Continuing EAP-TLS (993) eap_tls: Peer indicated complete TLS record size will be 7 bytes (993) eap_tls: Got complete TLS record (7 bytes) (993) eap_tls: [eaptls verify] = length included (993) eap_tls: <<< recv TLS 1.2 [length 0002] (993) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A (993) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:140350E5:SSL routines:ACCEPT_SR_CERT:ssl handshake failure (993) eap_tls: ERROR: System call (I/O) error (-1) (993) eap_tls: ERROR: TLS receive handshake failed during operation (993) eap_tls: ERROR: [eaptls process] = fail (993) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed (993) eap: Sending EAP Failure (code 4) ID 8 length 4 (993) eap: Failed in EAP select --- [strongswan client auth success] (2171) eap: Expiring EAP session with state 0x92fe72999ff07f67 (2171) eap: Finished EAP session with state 0x92fe72999ff07f67 (2171) eap: Previous EAP request found for state 0x92fe72999ff07f67, released from the list (2171) eap: Peer sent packet with method EAP TLS (13) (2171) eap: Calling submodule eap_tls to process data (2171) eap_tls: Continuing EAP-TLS (2171) eap_tls: Got final TLS record fragment (272 bytes) (2171) eap_tls: [eaptls verify] = ok (2171) eap_tls: Done initial handshake (2171) eap_tls: <<< recv TLS 1.2 [length 1458] (2171) eap_tls: TLS - Creating attributes from certificate OIDs (2171) eap_tls: TLS-Cert-Serial := "<omitted>" (2171) eap_tls: TLS-Cert-Expiration := "<omitted>" (2171) eap_tls: TLS-Cert-Subject := "/C=ZL/ST=Null/L=Nowhere/O=Nulllabs/OU=Root CA/CN=server.mgmt/emailAddress=poseidon@services.mgmt" (2171) eap_tls: TLS-Cert-Issuer := "/C=ZL/ST=Null/L=Nowhere/O=Nulllabs/OU=Root CA/CN=server.mgmt/emailAddress=poseidon@services.mgmt" (2171) eap_tls: TLS-Cert-Common-Name := "server.mgmt" (2171) eap_tls: TLS - Creating attributes from certificate OIDs (2171) eap_tls: TLS-Client-Cert-Serial := "<omitted>" (2171) eap_tls: TLS-Client-Cert-Expiration := "<omitted>" (2171) eap_tls: TLS-Client-Cert-Subject := "/C=ZL/ST=Zero/L=Nowhere/O=Nulllabs/O=Endpoint/OU=Nulllabs-Endpoints/CN=mbp.home/emailAddress=poseidon@services.mgmt" (2171) eap_tls: TLS-Client-Cert-Issuer := "/C=ZL/ST=Null/L=Nowhere/O=Nulllabs/OU=Root CA/CN=server.mgmt/emailAddress=poseidon@services.mgmt" (2171) eap_tls: TLS-Client-Cert-Common-Name := "mbp.home" (2171) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier += "<omitted>" (2171) eap_tls: TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE" (2171) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, IPSec User, IPSec End System, E-mail Protection, Code Signing" (2171) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" (2171) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.7" (2171) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.5" (2171) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.4" (2171) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.3" (2171) eap_tls: TLS_accept: SSLv3 read client certificate A What I should be seeing is the following: [dd-wrt client success] (1015) eap: Expiring EAP session with state 0xbd2980f9b0278d8b (1015) eap: Finished EAP session with state 0xbd2980f9b0278d8b (1015) eap: Previous EAP request found for state 0xbd2980f9b0278d8b, released from the list (1015) eap: Peer sent packet with method EAP TLS (13) (1015) eap: Calling submodule eap_tls to process data (1015) eap_tls: Continuing EAP-TLS (1015) eap_tls: Peer ACKed our handshake fragment. handshake is finished (1015) eap_tls: [eaptls verify] = success (1015) eap_tls: [eaptls process] = success (1015) eap: Sending EAP Success (code 3) ID 14 length 4 (1015) eap: Freeing handler This was shown by another dd-wrt client on the same setup (High Sierra). Anyone else seeing similar issues with MacOS Mojave? Am I missing an extended key usage parameter or am I doing something else wrong? Thanks in advance.