After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate

Alan DeKok aland at
Tue Dec 19 17:15:51 CET 2017

> On Dec 19, 2017, at 5:22 AM, Gladewitz, Robert via Freeradius-Users <freeradius-users at> wrote:
> If I understand this logs rights, the error happening on ca certificate?


  They're about the server certificate.

> Mon Dec 18 14:41:44 2017 : ERROR: (2) eap_tls:   SSL says error 26 : 
> unsupported certificate purpose

  As I said before, OpenSSL doesn't like the X509 OIDs in the certificate.

  The "openssl verify" returns OK, because it verifies the cert for a different purpose.

  No amount of poking FreeRADIUS will fix the OpenSSL code which sanity checks the certificate.

  Your choices are:

a) fix the Cisco equipment to produce certs that OpenSSL likes

b) fix the new version OpenSSL to remove this extra sanity checking

c) downgrade the whole OS + OpenSSL to a version of OpenSSL which doesn't have this extra check.

  You can post messages to this list all you want, but nothing we can do to help.  We CANNOT work around this in FreeRADIUS, because it's an OpenSSL limitation.

  Alan DeKok.

More information about the Freeradius-Users mailing list