After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate
Gladewitz, Robert
Robert.Gladewitz at dbfz.de
Fri Dec 15 19:28:22 CET 2017
Hello,
After updating to version 3 we get the following error in module eap-tls:
<SNIP>
(59) eap_tls: Continuing EAP-TLS
(59) eap_tls: Peer indicated complete TLS record size will be 1321 bytes
(59) eap_tls: Got complete TLS record (1321 bytes)
(59) eap_tls: [eaptls verify] = length included
(59) eap_tls: TLS_accept: SSLv3/TLS write server done
(59) eap_tls: <<< recv TLS 1.0 Handshake [length 0353], Certificate
(59) eap_tls: Creating attributes from certificate OIDs
(59) eap_tls: TLS-Cert-Serial := "5871a15a20dc203cceb13b568ad905f9"
(59) eap_tls: TLS-Cert-Expiration := "220309050842Z"
(59) eap_tls: TLS-Cert-Subject := "/C=DE/O=Deutsches BiomasseForschungsZentrum gemeinnuetzige GmbH/OU=IT/CN=CAPF-1b0db5b4/ST=Sachsen/L=Leipzig"
(59) eap_tls: TLS-Cert-Issuer := "/C=DE/O=Deutsches BiomasseForschungsZentrum gemeinnuetzige GmbH/OU=IT/CN=CAPF-1b0db5b4/ST=Sachsen/L=Leipzig"
(59) eap_tls: TLS-Cert-Common-Name := "CAPF-1b0db5b4"
(59) eap_tls: ERROR: SSL says error 26 : unsupported certificate purpose
(59) eap_tls: >>> send TLS 1.0 Alert [length 0002], fatal unsupported_certificate
(59) eap_tls: ERROR: TLS Alert write:fatal:unsupported certificate
tls: TLS_accept: Error in error
(59) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
(59) eap_tls: ERROR: System call (I/O) error (-1)
(59) eap_tls: ERROR: TLS receive handshake failed during operation
(59) eap_tls: ERROR: [eaptls process] = fail
</SNIP>
I do not understand why I get this error. If I use openssl verify manually, all seems OK. Also, freeradius does not use the command defined in tls -> verify -> client.
My related tls config:
<SNIP>
tls-config tls-common {
    require_client_cert = no
    certdir = ${confdir}/certs.8021x
    cadir = ${confdir}/certs.ciscophone
    private_key_password = myspecpass
    private_key_file = ${certdir}/cert-srv-dbfz-radius01.pem
    certificate_file = ${certdir}/cert-srv-dbfz-radius01.pem
    ca_file = ${cadir}/CAPF.pem
    dh_file = ${certdir}/dh
    random_file = /dev/urandom
    check_crl = no
    check_all_crl = no
    ca_path = ${cadir}
    check_cert_issuer = "/C=DE/O=Deutsches BiomasseForschungsZentrum gemeinnuetzige GmbH/OU=IT/CN=CAPF-1b0db5b4/ST=Sachsen/L=Leipzig"
    cipher_list = "DEFAULT"
    ecdh_curve = "prime256v1"
    make_cert_command = "${certdir}/bootstrap"
    cache {
        enable = no
        lifetime = 24 # hours
        max_entries = 255
        #name = "EAP module"
        #persist_dir = "${logdir}/tlscache"
    }
    verify {
        skip_if_ocsp_ok = no
        tmpdir = /var/lib/freeradius/temp
        client = "/usr/bin/openssl verify -CAfile ${confdir}/certs.8021x/CAPF.pem %{TLS-Client-Cert-Filename}"
        # client = "/usr/local/bin/checkcert.sh verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
    }
}
tls {
    require_client_cert = no
    tls = tls-common
    # virtual_server = check-eap-tls
}
</SNIP>
In some discussion I found out that something is wrong with the extended attributes. But in this case, why is it working fine in the freeradius 2 and 1 implementations?
Regards
Robert
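An added example, not from the post above and not FreeRADIUS code, that reproduces on constructed certificates why a plain "openssl verify" like the one in the verify { client = ... } setting reports OK while the TLS handshake's own purpose check fails with X509 error 26 (unsupported certificate purpose); it assumes "openssl" is on PATH and writes only to a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeRADIUS: shows that a
# plain "openssl verify" accepts a client certificate that a TLS server's purpose
# check (X509 error 26, unsupported certificate purpose) rejects. All
# certificates are constructed here; assumes "openssl" on PATH.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed test CA (openssl req -x509 marks it CA:TRUE by default).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj "/CN=Constructed Test CA" -days 30 >/dev/null 2>&1

# One CSR, signed twice: once with an EKU that allows only serverAuth,
# once with an EKU that also allows clientAuth.
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=constructed-phone" >/dev/null 2>&1
printf 'extendedKeyUsage=serverAuth\n' > server_only.ext
printf 'extendedKeyUsage=serverAuth,clientAuth\n' > client_ok.ext
for name in server_only client_ok; do
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -out "$name.pem" -days 30 -extfile "$name.ext" >/dev/null 2>&1
done

# verify_cert CERT [PURPOSE]: prints "ok" or "fail" from openssl verify, with an
# optional -purpose; "sslclient" is the purpose a TLS server applies to a client cert.
verify_cert() {
    if [ -n "$2" ]; then
        openssl verify -CAfile ca.pem -purpose "$2" "$1" >/dev/null 2>&1 && echo ok || echo fail
    else
        openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1 && echo ok || echo fail
    fi
}

# show_eku CERT: print the Extended Key Usage so a purpose failure is explainable.
show_eku() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | tail -n 1
}

for name in server_only client_ok; do
    echo "$name: EKU =$(show_eku "$name.pem")"
    echo "$name: plain verify -> $(verify_cert "$name.pem")"
    echo "$name: verify -purpose sslclient -> $(verify_cert "$name.pem" sslclient)"
done
```

The serverAuth-only certificate passes the plain verify but fails with -purpose sslclient, which is the check the handshake log reports as error 26.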