Failed in SSLv3 read client certificate A
aland at deployingradius.com
Wed Jun 22 19:44:04 CEST 2016
On Jun 22, 2016, at 1:16 PM, Michael Martinez <mwtzzz at gmail.com> wrote:
> Ok I may have spoken too soon. I just found this online:
> "Apparently starting with iOS 9.1, if the RADIUS cert does not contain
> the "Key Encipherment" flag, iOS will reject authentication with:
> Oct 1 11:27:29.752545 TiPadAir2 eapolclient:
> [eaptls_plugin.c:292] eaptls_verify_server(): server certificate not
> trusted status 1001 -9807"
That's not *quite* what it says:
... It turns out that if you use a ClearPass-signed RADIUS certificate and you do not specify https as the certificate type when you sign the CSR, ...
I haven't seen any problems with iOS.
> I'm guessing this is probably what I need to do to get this to work.
> Anyone know what this "Key Encipherment" flag is, and how to include
> it in the Radius cert?
My guess is that you created a server certificate without the xpextensions file. i.e. printing a *good* certificate gets me:
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 CRL Distribution Points:
Your server certificate is probably missing those extensions.
Fix that, and you won't need the key usage flag.
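
Added example, not part of the original message or of FreeRADIUS: a shell check for the two extensions named in the reply above, run against two throwaway certificates built with and without an extensions section. The host name, file names and section names (`server_ext`, `no_ext`) are constructed for the demonstration; `server_ext` stands in for the extensions file the reply refers to.

```shell
#!/bin/sh
# Added example: look for the extensions a RADIUS server certificate should carry.
# All names here (radius.example.org, demo.cnf, server_ext, no_ext) are constructed.

# Succeeds when Extended Key Usage lists TLS Web Server Authentication.
has_server_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Extended Key Usage' |
        grep -q 'TLS Web Server Authentication'
}

# Succeeds when the certificate carries a CRL Distribution Points extension.
has_crl_dp() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'X509v3 CRL Distribution Points'
}

# Build a throwaway self-signed cert from one section of the extensions file.
# usage: make_demo_cert DIR SECTION OUT.pem
make_demo_cert() {
    openssl req -x509 -new -key "$1/demo.key" -days 1 -config "$1/demo.cnf" \
        -extensions "$2" -out "$3" 2>/dev/null
}

DEMO_DIR=$(mktemp -d) || exit 1
trap 'rm -rf "$DEMO_DIR"' EXIT

cat > "$DEMO_DIR/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = radius.example.org
[server_ext]
extendedKeyUsage = serverAuth
crlDistributionPoints = URI:http://www.example.org/example_ca.crl
[no_ext]
basicConstraints = CA:FALSE
EOF

openssl genrsa -out "$DEMO_DIR/demo.key" 2048 2>/dev/null || exit 1
make_demo_cert "$DEMO_DIR" server_ext "$DEMO_DIR/good.pem" || exit 1
make_demo_cert "$DEMO_DIR" no_ext "$DEMO_DIR/bad.pem" || exit 1

for cert in good.pem bad.pem; do
    has_server_eku "$DEMO_DIR/$cert" && eku=present || eku=MISSING
    has_crl_dp "$DEMO_DIR/$cert" && crl=present || crl=MISSING
    echo "$cert: serverAuth EKU $eku, CRL distribution point $crl"
done
```

To check a deployed certificate, call `has_server_eku` and `has_crl_dp` with the path to the server's PEM file instead of the demo files.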