AW: AW: AW: After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate

Gladewitz, Robert Robert.Gladewitz at dbfz.de
Tue Dec 19 11:14:54 CET 2017


Hello Boris,

so I created a pcap and also a log. I hope you will find something :-(

Robert


-----Original Message-----
From: Boris Lytochkin [mailto:lytboris at yandex-team.ru] 
Sent: Sunday, 17 December 2017 20:44
To: Gladewitz, Robert <Robert.Gladewitz at dbfz.de>
Subject: Re: AW: AW: After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate

Hi.

Should be.

On 17.12.2017 22:30, Gladewitz, Robert wrote:
> Hello Boris,
>
> are the dumps from radius service interface also ok??
>
> Regards
> Robert
>
> -----Original Message-----
> From: Boris Lytochkin [mailto:lytboris at yandex-team.ru]
> Sent: Sunday, 17 December 2017 16:44
> To: Gladewitz, Robert <Robert.Gladewitz at dbfz.de>; FreeRadius users 
> mailing list <freeradius-users at lists.freeradius.org>
> Subject: Re: AW: After Upgrade from freeradius 2 to 3 (Debian 8 - 9): 
> TLS Alert write:fatal:unsupported certificate
>
> Hi.
>
> Can you take a SPAN capture on the phone port and attach it to this thread so the whole EAP-TLS session can be read (ether-type 0x888e for tcpdump filter will do)? This capture will help a lot to give you a hint on how to proceed with this issue.
>
> On 17.12.2017 12:44, Gladewitz, Robert via Freeradius-Users wrote:
>> Hello Alan,
>>
>> Thank you for your answer. The problem only happens with Cisco CAPF certificates, which are created by the Cisco CallManager itself for all IP phones. All other authentication (Windows client, WPA etc.) in our environment is working fine.
>>
>> But on Cisco CallManager/CUCM, there is no option that can change the certificate attributes.
>>
>> Also interesting is that openssl verify works fine!
>>
>> Is there maybe a possibility to skip the internal certificate check and use only an external command (like verify -> client)? For me it would also be OK without any certificate check. But I need EAP-TLS to set the voice VLAN.
>>
>> Regards
>>
>> Robert
>>    
>>
>>
>> -----Original Message-----
>> From: Alan DeKok [mailto:aland at deployingradius.com]
>> Sent: Saturday, 16 December 2017 20:37
>> To: Gladewitz, Robert <Robert.Gladewitz at dbfz.de>; FreeRadius users 
>> mailing list <freeradius-users at lists.freeradius.org>
>> Subject: Re: After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS 
>> Alert write:fatal:unsupported certificate
>>
>> On Dec 15, 2017, at 1:28 PM, Gladewitz, Robert via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>>> after the update to version 3 we get the following error in module eap-tls:
>>     It's not just FreeRADIUS that's been updated.  But also OpenSSL.  Which implements the TLS portion of EAP-TLS.
>>
>>> (59) eap_tls:   ERROR: SSL says error 26 : unsupported certificate purpose
>>     The certificates don't have the extended key usage OIDs.  Windows needs them.
>>
>>     The certs created by the scripts included with FreeRADIUS work.
>>
>>> I do not understand why I get this error. If I use openssl verify 
>>> manually, all seems OK.
>>     OpenSSL doesn't verify the extended key usage fields.
>>
>>> In some discussions I found out that something is wrong with the 
>>> extended attributes. But in that case, why is it working fine in 
>>> FreeRADIUS 2 and 1 implementations?
>>     No idea.
>>
>>     But you didn't create the certificates correctly.
>>
>>     You'll need to regenerate the certs with the correct information.  Use the scripts in the raddb/certs/ directory.
>>
>>     Alan DeKok.
>>
>>
> --
> Boris Lytochkin
> Yandex NOC
> +7 (495) 739 70 00 ext. 7671
>

--
Boris Lytochkin
Yandex NOC
+7 (495) 739 70 00 ext. 7671

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: FreeradiusDebuxXxxx.txt
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20171219/004fd71f/attachment-0001.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: radius.1912.pcap
Type: application/octet-stream
Size: 5846 bytes
Desc: radius.1912.pcap
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20171219/004fd71f/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6245 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20171219/004fd71f/attachment-0001.bin>
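
The gap discussed in this thread between a plain `openssl verify` (reported as passing) and the purpose check behind `error 26` can be reproduced offline. The script below is an added example, not part of the original messages or of FreeRADIUS; it assumes the `openssl` command-line tool is installed, and the CA, subjects and file names are constructed for the demonstration.

```sh
#!/bin/sh
# Added example. CA, subjects and file names are constructed for this demo.
set -e
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

cat > "$work/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[eku_server_only]
extendedKeyUsage = serverAuth
[eku_client]
extendedKeyUsage = clientAuth
EOF

# Throwaway root CA (valid 2 days).
openssl req -x509 -config "$work/demo.cnf" -extensions v3_ca -newkey rsa:2048 \
  -nodes -keyout "$work/ca.key" -out "$work/ca.pem" \
  -subj "/CN=Constructed Demo CA" -days 2 2>/dev/null

# issue_leaf NAME SECTION: issue a leaf carrying the EKU from config SECTION.
issue_leaf() {
  openssl req -new -config "$work/demo.cnf" -newkey rsa:2048 -nodes \
    -keyout "$work/$1.key" -out "$work/$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -in "$work/$1.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
    -CAcreateserial -extfile "$work/demo.cnf" -extensions "$2" -days 2 \
    -out "$work/$1.pem" 2>/dev/null
}

# verify_result NAME [openssl verify options]: prints "OK" or "error <code>".
verify_result() {
  name=$1; shift
  out=$(openssl verify "$@" -CAfile "$work/ca.pem" "$work/$name.pem" 2>&1) || true
  code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  case $out in *": OK") echo OK ;; *) echo "error ${code:-unknown}" ;; esac
}

issue_leaf phone-server-eku eku_server_only
issue_leaf phone-client-eku eku_client

echo "plain verify, serverAuth-only leaf:       $(verify_result phone-server-eku)"
echo "-purpose sslclient, serverAuth-only leaf: $(verify_result phone-server-eku -purpose sslclient)"
echo "-purpose sslclient, clientAuth leaf:      $(verify_result phone-client-eku -purpose sslclient)"
```

Running the same `openssl verify -purpose sslclient -CAfile <ca> <cert>` against a real client certificate and its issuing chain shows whether it would pass a client-purpose check before it is deployed to a supplicant.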

