unsupported certificate purpose
Hi while trying for radsec I see freeradius throwing below error on TLS handshake: (0) TLS_accept: SSLv3/TLS write server done (0) <<< recv TLS 1.2 [length 07b9] (0) Creating attributes from certificate OIDs (0) ERROR: SSL says error 26 : unsupported certificate purpose (0) >>> send TLS 1.2 [length 0002] (0) ERROR: TLS Alert write:fatal:unsupported certificate tls: TLS_accept: Error in error (0) ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed (0) ERROR: System call (I/O) error (-1) (0) FAILED in TLS handshake receive Here is the client certificate's purpose details: X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: AE:C8:80:61:1C:AB:99:03:8F:13:4F:14:95:EA:61:52:4D:8C:37:E8 X509v3 Authority Key Identifier: keyid:44:C9:8D:CB:50:17:D2:33:60:4F:96:1A:76:34:99:A4:0D:FA:A1:8D X509v3 Extended Key Usage: TLS Web Client Authentication I see the key usage and Extended usage look good; still unable to find whats reason for freeradius rejecting the client certificate client openssl ; 1.0.2 freeradius: 3.0.16 and i see this has openssl 1.1.0 any help please ? Thanks murugesh
hi, "TLS Web Client Authentication" - okay, its a client X509v3 Key Usage: Digital Signature not okay - this cert isnt being used for just a signature - I expect OpenSSL > 1.0.2 is now doing the right thing and not being happy with the presented cert being used for more than its assigned task. alan
On Oct 30, 2020, at 8:21 AM, murugesh pitchaiah <murugesh.pitchaiah@gmail.com> wrote:
while trying for radsec I see freeradius throwing below error on TLS handshake:
(0) TLS_accept: SSLv3/TLS write server done (0) <<< recv TLS 1.2 [length 07b9] (0) Creating attributes from certificate OIDs (0) ERROR: SSL says error 26 : unsupported certificate purpose
That seems relatively clear.
(0) >>> send TLS 1.2 [length 0002] (0) ERROR: TLS Alert write:fatal:unsupported certificate tls: TLS_accept: Error in error (0) ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
So it's the client certificate which is failing here. That's at least better than some of the other OpenSSL error messages. :(
Here is the client certificate's purpose details:
X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature
Is the client certificate signing other certificates? I suspect not...
Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: AE:C8:80:61:1C:AB:99:03:8F:13:4F:14:95:EA:61:52:4D:8C:37:E8 X509v3 Authority Key Identifier:
keyid:44:C9:8D:CB:50:17:D2:33:60:4F:96:1A:76:34:99:A4:0D:FA:A1:8D
X509v3 Extended Key Usage: TLS Web Client Authentication
That should work.
I see the key usage and Extended usage look good; still unable to find whats reason for freeradius rejecting the client certificate
It's not. :( OpenSSL is rejecting the client certificate.
client openssl ; 1.0.2 freeradius: 3.0.16 and i see this has openssl 1.1.0
How did you generate the certificates? If you copy the client certificate to the OpenSSL machine, you can verify it there using the "openssl" command-line too. What's likely happening is that OpenSSL 1.1.0 is doing more stringent checks than OpenSSL 1.0.2. So you'll need to regenerate the certificate, without the offending OIDs. Alan DeKok.
Thanks Alan B and Alan K. I generated key and certificate using the openssl.cnf and below steps: openssl genrsa -aes256 -out key.pem openssl req -config openssl.cnf -key key.pem new -sha256 -out csr.pem openssl ca -config openssl.cnf -extensions usr_cert -days 375 -notext -md sha256 -in csr.pem -out cert.pem This generation is done in a linux box with openssl 1.0.2. While verifying with openssl 1.1.0 (also using 1.0.2) using below steps - in the ubuntu where freeradius is running - it shows OK. openssl verify -CAfile cacert.pem cert.pem cert.pem: OK But only freeradius is throwing the error on purpose. Still i generated a new client certificate without the 'digital signature' key usage. X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: DD:4A:55:26:9E:7F:27:E9:F6:14:63:CE:95:A3:AD:78:68:7F:56:A6 X509v3 Authority Key Identifier: keyid:44:C9:8D:CB:50:17:D2:33:60:4F:96:1A:76:34:99:A4:0D:FA:A1:8D X509v3 Extended Key Usage: TLS Web Client Authentication But result is same. 0) TLS_accept: SSLv3/TLS write server done (0) <<< recv TLS 1.2 [length 07ac] (0) Creating attributes from certificate OIDs (0) ERROR: SSL says error 26 : unsupported certificate purpose (0) >>> send TLS 1.2 [length 0002] (0) ERROR: TLS Alert write:fatal:unsupported certificate tls: TLS_accept: Error in error (0) ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed (0) ERROR: System call (I/O) error (-1) (0) FAILED in TLS handshake receive Closing TLS socket from client port 57851 Should I generate again with openssl 1.1.0 ? But I wonder how the "openssl verify" works good with openssl 1.1.0; but not freeradius's SSL Read. Thanks in advance. Thanks murugesh On 10/30/20, Alan DeKok <aland@deployingradius.com> wrote:
On Oct 30, 2020, at 8:21 AM, murugesh pitchaiah <murugesh.pitchaiah@gmail.com> wrote:
while trying for radsec I see freeradius throwing below error on TLS handshake:
(0) TLS_accept: SSLv3/TLS write server done (0) <<< recv TLS 1.2 [length 07b9] (0) Creating attributes from certificate OIDs (0) ERROR: SSL says error 26 : unsupported certificate purpose
That seems relatively clear.
(0) >>> send TLS 1.2 [length 0002] (0) ERROR: TLS Alert write:fatal:unsupported certificate tls: TLS_accept: Error in error (0) ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
So it's the client certificate which is failing here. That's at least better than some of the other OpenSSL error messages. :(
Here is the client certificate's purpose details:
X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature
Is the client certificate signing other certificates? I suspect not...
Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: AE:C8:80:61:1C:AB:99:03:8F:13:4F:14:95:EA:61:52:4D:8C:37:E8 X509v3 Authority Key Identifier:
keyid:44:C9:8D:CB:50:17:D2:33:60:4F:96:1A:76:34:99:A4:0D:FA:A1:8D
X509v3 Extended Key Usage: TLS Web Client Authentication
That should work.
I see the key usage and Extended usage look good; still unable to find whats reason for freeradius rejecting the client certificate
It's not. :( OpenSSL is rejecting the client certificate.
client openssl ; 1.0.2 freeradius: 3.0.16 and i see this has openssl 1.1.0
How did you generate the certificates?
If you copy the client certificate to the OpenSSL machine, you can verify it there using the "openssl" command-line too.
What's likely happening is that OpenSSL 1.1.0 is doing more stringent checks than OpenSSL 1.0.2. So you'll need to regenerate the certificate, without the offending OIDs.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Oct 30, 2020, at 1:47 PM, murugesh pitchaiah <murugesh.pitchaiah@gmail.com> wrote:
I generated key and certificate using the openssl.cnf and below steps:
FreeRADIUS comes with certificate creation scripts in raddb/certs. The certificates created with those scripts *work*.
openssl genrsa -aes256 -out key.pem openssl req -config openssl.cnf -key key.pem new -sha256 -out csr.pem openssl ca -config openssl.cnf -extensions usr_cert -days 375 -notext -md sha256 -in csr.pem -out cert.pem
We don't know what's in the "openssl.cnf" file you're using. We suggest just using the scripts that are included with FreeRADIUS.
This generation is done in a linux box with openssl 1.0.2.
While verifying with openssl 1.1.0 (also using 1.0.2) using below steps - in the ubuntu where freeradius is running - it shows OK.
openssl verify -CAfile cacert.pem cert.pem cert.pem: OK
That's good.
But only freeradius is throwing the error on purpose.
Again... it's *openssl* which is giving the error to FreeRADIUS. The server is just reporting it.
Still i generated a new client certificate without the 'digital signature' key usage.
OpenSSL doesn't like one of the other extensions. Which one? I don't know... OpenSSL won't tell us. Use the scripts included with FreeRADIUS. If you need extra OIDs, create certs *without* them, and test. If that works (and it will), then add OIDs one by one, until it doesn't work. That's the OID which is failing. Why? OpenSSL won't tell us. Alan DeKok.
participants (3)
-
Alan Buxey -
Alan DeKok -
murugesh pitchaiah