Failed in SSLv3 read client certificate A

Alan DeKok aland at deployingradius.com
Wed Jun 22 19:44:04 CEST 2016


On Jun 22, 2016, at 1:16 PM, Michael Martinez <mwtzzz at gmail.com> wrote:
> 
> Ok I may have spoken too soon. I just found this online:
> "Apparently starting with iOS 9.1, if the RADIUS cert does not contain
> the "Key Encipherment" flag, iOS will reject authentication with:
> Oct  1 11:27:29.752545 TiPadAir2 eapolclient[455]:
> [eaptls_plugin.c:292] eaptls_verify_server(): server certificate not
> trusted status 1001 -9807"

  That's not *quite* what it says:

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/iOS-OSX-Security-Changes-and-ClearPass/td-p/247291

 ... It turns out that if you use a ClearPass-signed RADIUS certificate and you do not specify https as the certificate type when you sign the CSR, ...

  I haven't seen any problems with iOS.

> I'm guessing this is probably what I need to do to get this to work.
> Anyone know what this "Key Encipherment" flag is, and how to include
> it in the Radius cert?

  My guess is that you created a server certificate without the xpextensions file.  i.e. printing a *good* certificate gets me:

...
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 CRL Distribution Points:
                URI:http://www.example.com/example_ca.crl
...

  Your server certificate is probably missing those extensions.

  Fix that, and you won't need the key usage flag.

  Alan DeKok.
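
An added example, not part of the original message: a shell check for the "TLS Web Server Authentication" Extended Key Usage shown in the certificate output above, using the openssl command line. The function names, the sample.cnf file, its section names and the radius.example.org subject are constructed for illustration; 1.3.6.1.5.5.7.3.1 is the standard OID for TLS server authentication.

```shell
#!/bin/sh
# Added example: check a PEM certificate for the serverAuth EKU.

# Returns 0 if the certificate in $1 lists "TLS Web Server Authentication"
# in its printed extensions, non-zero otherwise (also for unreadable files).
has_server_auth_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'TLS Web Server Authentication'
}

# Constructed test data: write a throwaway self-signed certificate into
# directory $1. With $2 = "with" the EKU extension is included; any other
# value produces a certificate without it.
make_sample_cert() {
    dir=$1
    mode=$2
    cat > "$dir/sample.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = radius.example.org
[ server_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
[ no_ext ]
subjectKeyIdentifier = hash
EOF
    if [ "$mode" = with ]; then ext=server_ext; else ext=no_ext; fi
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/sample.cnf" -extensions "$ext" \
        -keyout "$dir/$mode.key" -out "$dir/$mode.pem" 2>/dev/null
}

# Usage: sh check_eku.sh server.pem
if [ "$#" -ge 1 ]; then
    if has_server_auth_eku "$1"; then
        echo "$1: serverAuth EKU present"
    else
        echo "$1: serverAuth EKU missing"
    fi
fi
```
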



