After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate
Alan DeKok
aland at deployingradius.com
Sat Dec 16 20:37:25 CET 2017
On Dec 15, 2017, at 1:28 PM, Gladewitz, Robert via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> After the update to version 3 we get the following error on module eap-tls:
It's not just FreeRADIUS that's been updated, but also OpenSSL, which implements the TLS portion of EAP-TLS.
> (59) eap_tls: ERROR: SSL says error 26 : unsupported certificate purpose
The certificates don't have the extended key usage OIDs. Windows needs them.
The certs created by the scripts included with FreeRADIUS work.
> I do not understand why I get this error. If I manually use openssl verify,
> all seems ok.
OpenSSL doesn't verify the extended key usage fields.
> In some discussion I found out that something is wrong with the extended
> attributes. But in this case, why is it working fine in the freeradius 2 and 1
> implementations?
No idea.
But you didn't create the certificates correctly.
You'll need to regenerate the certs with the correct information. Use the scripts in the raddb/certs/ directory.
Alan DeKok.
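
A check for the extended key usage purposes the reply refers to, as an added example that is not part of the original message or of the FreeRADIUS scripts. It reads the text dump from `openssl x509 -in cert.pem -noout -text` and distinguishes a missing purpose from a missing extension; the function names `eku_purposes` and `eku_check` are hypothetical and the sample excerpts are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Input is the text dump produced by:
#   openssl x509 -in cert.pem -noout -text

# Print the Extended Key Usage purposes one per line (nothing if no EKU).
# OpenSSL prints them comma-separated on the line after the header.
eku_purposes() {
    awk '
        grab { gsub(/^[ \t]+/, ""); n = split($0, p, /, */)
               for (i = 1; i <= n; i++) print p[i]
               exit }
        /X509v3 Extended Key Usage:/ { grab = 1 }
    '
}

# eku_check server|client  (dump on stdin)
# Returns 0: purpose present, 1: EKU present without it, 2: no EKU extension.
eku_check() {
    case "$1" in
        server) want="TLS Web Server Authentication" ;;
        client) want="TLS Web Client Authentication" ;;
        *) echo "usage: eku_check server|client" >&2; return 64 ;;
    esac
    found=$(eku_purposes)
    [ -n "$found" ] || return 2
    printf '%s\n' "$found" | grep -Fqx "$want" && return 0
    return 1
}

# Constructed excerpts of the text dump (not real certificates).
SERVER_TEXT='            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication'
CLIENT_TEXT='            X509v3 Extended Key Usage: critical
                TLS Web Client Authentication'
NO_EKU_TEXT='            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment'

report() {  # report LABEL ROLE TEXT
    rc=0
    printf '%s\n' "$3" | eku_check "$2" || rc=$?
    echo "$1 checked as $2: status $rc"
}
report "server cert" server "$SERVER_TEXT"
report "client cert" server "$CLIENT_TEXT"
report "cert without EKU" server "$NO_EKU_TEXT"
```

On a real certificate, pipe the dump in directly: `openssl x509 -in server.pem -noout -text | eku_check server`.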