After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate

Alan DeKok aland at
Sat Dec 16 20:37:25 CET 2017

On Dec 15, 2017, at 1:28 PM, Gladewitz, Robert via Freeradius-Users <freeradius-users at> wrote:
> after update to version 3 we get the followong error on module eap-tls:

  It's not just FreeRADIUS that's been updated.  But also OpenSSL.  Which implements the TLS portion of EAP-TLS.

> (59) eap_tls:   ERROR: SSL says error 26 : unsupported certificate purpose

  The certificates don't have the extended key usage OIDs.  Windows needs them.

  The certs created by the scripts included with FreeRADIUS work.

> In do not understand, why i get this error. If i use manually openssl verify
> all seems ok.

  OpenSSL doesn't verify the extended key usage fields.

> In some discusion i find out, that some think is wron with the extendet
> attributes. But in this case, why it is working fine in freeradius 2 and 1
> implemtations. 

  No idea.

  But you didn't create the certificates correctly.

  You'll need to regenerate the certs with the correct information.  Use the scripts in the raddb/certs/ directory.

  Alan DeKok.

More information about the Freeradius-Users mailing list