After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate
Hello, after update to version 3 we get the followong error on module eap-tls: <SNIP> (59) eap_tls: Continuing EAP-TLS (59) eap_tls: Peer indicated complete TLS record size will be 1321 bytes (59) eap_tls: Got complete TLS record (1321 bytes) (59) eap_tls: [eaptls verify] = length included (59) eap_tls: TLS_accept: SSLv3/TLS write server done (59) eap_tls: <<< recv TLS 1.0 Handshake [length 0353], Certificate (59) eap_tls: Creating attributes from certificate OIDs (59) eap_tls: TLS-Cert-Serial := "5871a15a20dc203cceb13b568ad905f9" (59) eap_tls: TLS-Cert-Expiration := "220309050842Z" (59) eap_tls: TLS-Cert-Subject := "/C=DE/O=Deutsches BiomasseForschungsZentrum gemeinnuetzige GmbH/OU=IT/CN=CAPF-1b0db5b4/ST=Sachsen/L=Leipzig" (59) eap_tls: TLS-Cert-Issuer := "/C=DE/O=Deutsches BiomasseForschungsZentrum gemeinnuetzige GmbH/OU=IT/CN=CAPF-1b0db5b4/ST=Sachsen/L=Leipzig" (59) eap_tls: TLS-Cert-Common-Name := "CAPF-1b0db5b4" (59) eap_tls: ERROR: SSL says error 26 : unsupported certificate purpose (59) eap_tls: >>> send TLS 1.0 Alert [length 0002], fatal unsupported_certificate (59) eap_tls: ERROR: TLS Alert write:fatal:unsupported certificate tls: TLS_accept: Error in error (59) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed (59) eap_tls: ERROR: System call (I/O) error (-1) (59) eap_tls: ERROR: TLS receive handshake failed during operation (59) eap_tls: ERROR: [eaptls process] = fail </SNIP> In do not understand, why i get this error. If i use manually openssl verify all seems ok. Also, freeraduus do not use the comment define in tls -> verify -> client. My relatet tls config <SNIP> tls-config tls-common { require_client_cert = no certdir = ${confdir}/certs.8021x cadir = ${confdir}/certs.ciscophone private_key_password = myspecpass private_key_file = ${certdir}/cert-srv-dbfz-radius01.pem certificate_file = ${certdir}/cert-srv-dbfz-radius01.pem ca_file = ${cadir}/CAPF.pem dh_file = ${certdir}/dh random_file = /dev/urandom check_crl = no check_all_crl = no ca_path = ${cadir} check_cert_issuer = "/C=DE/O=Deutsches BiomasseForschungsZentrum gemeinnuetzige GmbH/OU=IT/CN=CAPF-1b0db5b4/ST=Sachsen/L=Leipzig" cipher_list = "DEFAULT" ecdh_curve = "prime256v1" make_cert_command = "${certdir}/bootstrap" cache { enable = no lifetime = 24 # hours max_entries = 255 #name = "EAP module" #persist_dir = "${logdir}/tlscache" } verify { skip_if_ocsp_ok = no tmpdir = /var/lib/freeradius/temp client = "/usr/bin/openssl verify -CAfile ${confdir}/certs.8021x/CAPF.pem %{TLS-Client-Cert-Filename}" # client = "/usr/local/bin/checkcert.sh verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" } tls { require_client_cert = no tls = tls-common # virtual_server = check-eap-tls } </SNIP> In some discusion i find out, that some think is wron with the extendet attributes. But in this case, why it is working fine in freeradius 2 and 1 implemtations. Regards Robert
On Dec 15, 2017, at 1:28 PM, Gladewitz, Robert via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
after update to version 3 we get the followong error on module eap-tls:
It's not just FreeRADIUS that's been updated. But also OpenSSL. Which implements the TLS portion of EAP-TLS.
(59) eap_tls: ERROR: SSL says error 26 : unsupported certificate purpose
The certificates don't have the extended key usage OIDs. Windows needs them. The certs created by the scripts included with FreeRADIUS work.
In do not understand, why i get this error. If i use manually openssl verify all seems ok.
OpenSSL doesn't verify the extended key usage fields.
In some discusion i find out, that some think is wron with the extendet attributes. But in this case, why it is working fine in freeradius 2 and 1 implemtations.
No idea. But you didn't create the certificates correctly. You'll need to regenerate the certs with the correct information. Use the scripts in the raddb/certs/ directory. Alan DeKok.
Hallo Alan, thank you for your answere. The problem only happening on Cisco CAPF Certificates, which will be created by cisco callmanager self for all ip phones. All other authentification (Windows client, WPA etc.) in our enviroment working fine. But on cisco call manager/CUCM, there is no option that can change the certificate attributes. Also interess is, that the openssl verify is working fine! Ist there may a possebility to skip the internal certificate check and use only an external cammand (like verify -> client)? For me it will be ok without any certificate check also. But i need eap-tls for set the voice vlan. Regards Robert -----Ursprüngliche Nachricht----- Von: Alan DeKok [mailto:aland@deployingradius.com] Gesendet: Samstag, 16. Dezember 2017 20:37 An: Gladewitz, Robert <Robert.Gladewitz@dbfz.de>; FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Betreff: Re: After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate On Dec 15, 2017, at 1:28 PM, Gladewitz, Robert via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
after update to version 3 we get the followong error on module eap-tls:
It's not just FreeRADIUS that's been updated. But also OpenSSL. Which implements the TLS portion of EAP-TLS.
(59) eap_tls: ERROR: SSL says error 26 : unsupported certificate purpose
The certificates don't have the extended key usage OIDs. Windows needs them. The certs created by the scripts included with FreeRADIUS work.
In do not understand, why i get this error. If i use manually openssl verify all seems ok.
OpenSSL doesn't verify the extended key usage fields.
In some discusion i find out, that some think is wron with the extendet attributes. But in this case, why it is working fine in freeradius 2 and 1 implemtations.
No idea. But you didn't create the certificates correctly. You'll need to regenerate the certs with the correct information. Use the scripts in the raddb/certs/ directory. Alan DeKok.
On Dec 17, 2017, at 4:44 AM, Gladewitz, Robert via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
thank you for your answere. The problem only happening on Cisco CAPF Certificates, which will be created by cisco callmanager self for all ip phones. All other authentification (Windows client, WPA etc.) in our enviroment working fine.
That is unusual. I've never seen that before.
But on cisco call manager/CUCM, there is no option that can change the certificate attributes.
Also interess is, that the openssl verify is working fine!
As I said already... OpenSSL doesn't check the extended attributes. It verifies that the certificates are properly formatted, and contain the right signatures. It *doesn't* check (for example) that the "commonName" field is a properly formatted email address. There are many, many, things that "openssl verify" doesn't check.
Ist there may a possebility to skip the internal certificate check and use only an external cammand (like verify -> client)? For me it will be ok without any certificate check also. But i need eap-tls for set the voice vlan.
There's nothing in FreeRADIUS which checks for certificate extensions. So this error is either coming from the client, or from OpenSSL. Alan DeKok.
Hi. Can you take a SPAN capture on phone port and attach it into this thread so whole EAP-TLS session can be read (ether-type 0x888e for tcpdump filter will do)? This capture will help a lot to give you a hint how to proceed with this issue. On 17.12.2017 12:44, Gladewitz, Robert via Freeradius-Users wrote:
Hallo Alan,
thank you for your answere. The problem only happening on Cisco CAPF Certificates, which will be created by cisco callmanager self for all ip phones. All other authentification (Windows client, WPA etc.) in our enviroment working fine.
But on cisco call manager/CUCM, there is no option that can change the certificate attributes.
Also interess is, that the openssl verify is working fine!
Ist there may a possebility to skip the internal certificate check and use only an external cammand (like verify -> client)? For me it will be ok without any certificate check also. But i need eap-tls for set the voice vlan.
Regards
Robert
-----Ursprüngliche Nachricht----- Von: Alan DeKok [mailto:aland@deployingradius.com] Gesendet: Samstag, 16. Dezember 2017 20:37 An: Gladewitz, Robert <Robert.Gladewitz@dbfz.de>; FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Betreff: Re: After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate
On Dec 15, 2017, at 1:28 PM, Gladewitz, Robert via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
after update to version 3 we get the followong error on module eap-tls: It's not just FreeRADIUS that's been updated. But also OpenSSL. Which implements the TLS portion of EAP-TLS.
(59) eap_tls: ERROR: SSL says error 26 : unsupported certificate purpose The certificates don't have the extended key usage OIDs. Windows needs them.
The certs created by the scripts included with FreeRADIUS work.
In do not understand, why i get this error. If i use manually openssl verify all seems ok. OpenSSL doesn't verify the extended key usage fields.
In some discusion i find out, that some think is wron with the extendet attributes. But in this case, why it is working fine in freeradius 2 and 1 implemtations. No idea.
But you didn't create the certificates correctly.
You'll need to regenerate the certs with the correct information. Use the scripts in the raddb/certs/ directory.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Boris Lytochkin Yandex NOC +7 (495) 739 70 00 ext. 7671
participants (3)
-
Alan DeKok -
Boris Lytochkin -
Gladewitz, Robert