On Oct 30, 2020, at 8:21 AM, murugesh pitchaiah <murugesh.pitchaiah@gmail.com> wrote:
while trying for radsec I see freeradius throwing below error on TLS handshake:
(0) TLS_accept: SSLv3/TLS write server done (0) <<< recv TLS 1.2 [length 07b9] (0) Creating attributes from certificate OIDs (0) ERROR: SSL says error 26 : unsupported certificate purpose
That seems relatively clear.
(0) >>> send TLS 1.2 [length 0002] (0) ERROR: TLS Alert write:fatal:unsupported certificate tls: TLS_accept: Error in error (0) ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
So it's the client certificate which is failing here. That's at least better than some of the other OpenSSL error messages. :(
Here is the client certificate's purpose details:
X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature
Is the client certificate signing other certificates? I suspect not...
Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: AE:C8:80:61:1C:AB:99:03:8F:13:4F:14:95:EA:61:52:4D:8C:37:E8 X509v3 Authority Key Identifier:
keyid:44:C9:8D:CB:50:17:D2:33:60:4F:96:1A:76:34:99:A4:0D:FA:A1:8D
X509v3 Extended Key Usage: TLS Web Client Authentication
That should work.
I see the key usage and Extended usage look good; still unable to find whats reason for freeradius rejecting the client certificate
It's not. :( OpenSSL is rejecting the client certificate.
client openssl ; 1.0.2 freeradius: 3.0.16 and i see this has openssl 1.1.0
How did you generate the certificates? If you copy the client certificate to the OpenSSL machine, you can verify it there using the "openssl" command-line too. What's likely happening is that OpenSSL 1.1.0 is doing more stringent checks than OpenSSL 1.0.2. So you'll need to regenerate the certificate, without the offending OIDs. Alan DeKok.