Failed in SSLv3 read client certificate A

Alan DeKok aland at
Wed Jun 22 19:44:04 CEST 2016

On Jun 22, 2016, at 1:16 PM, Michael Martinez <mwtzzz at> wrote:
> Ok I may have spoken too soon. I just found this online:
> "Apparently starting with iOS 9.1, if the RADIUS cert does not contain
> the "Key Encipherment" flag, iOS will reject authentication with:
> Oct  1 11:27:29.752545 TiPadAir2 eapolclient[455]:
> [eaptls_plugin.c:292] eaptls_verify_server(): server certificate not
> trusted status 1001 -9807"

  That's not *quite* what it says:

 ... It turns out that if you use a ClearPass-signed RADIUS certificate and you do not specify https as the certificate type when you sign the CSR, ...

  I haven't seen any problems with iOS.

> I'm guessing this is probably what I need to do to get this to work.
> Anyone know what this "Key Encipherment" flag is, and how to include
> it in the Radius cert?

  My guess is that you created a server certificate without the xpextensions file.  i.e. printing a *good* certificate gets me:

        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 CRL Distribution Points:

  Your server certificate is probably missing those extensions.

  Fix that, and you won't need the key usage flag.

  Alan DeKok.
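
A check for the two extensions shown in the message above, as an added example that is not part of the original post or of FreeRADIUS: it parses the text printed by `openssl x509 -noout -text` and names the expected extensions a certificate lacks. The sample excerpts are constructed, and the function names are hypothetical.

```python
import re

# Extensions printed for the "good" certificate; None means presence only.
EXPECTED = {"X509v3 Extended Key Usage": "TLS Web Server Authentication",
            "X509v3 CRL Distribution Points": None}
# Constructed excerpts of `openssl x509 -noout -text` output.
GOOD = """\
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://ca.example.invalid/ca.crl
    Signature Algorithm: sha256WithRSAEncryption
"""
BAD = """\
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
"""

def parse_extensions(text):
    """Map each extension name to its value lines, using indentation."""
    exts, base, head, current = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        indent = len(raw) - len(raw.lstrip())
        if base is None:                 # still looking for the block
            if line == "X509v3 extensions:":
                base = indent
            continue
        if indent <= base:               # left the extensions block
            break
        head = head or indent            # indent of extension names
        if indent == head:
            current = re.sub(r":\s*(critical)?$", "", line)
            exts[current] = []
        else:
            exts[current].append(line)
    return exts

def missing_extensions(text):
    """Names of EXPECTED extensions that are absent or lack the wanted value."""
    exts = parse_extensions(text)
    return [name for name, want in EXPECTED.items() if name not in exts
            or (want and not any(want in v for v in exts[name]))]
```

An empty list from `missing_extensions` means both extensions from the good certificate are present.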
