After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate

Alan DeKok aland at
Tue Dec 19 18:48:51 CET 2017

> On Dec 19, 2017, at 12:18 PM, Boris Lytochkin <lytboris at> wrote:
> Alan, you are absolutely correct about OIDs. But one thing drives me crazy. Robert sent me a full capture (attached) and it is really weird if you compare it to FreeRADIUS logs.
> ...
> I have no idea why FreeRADIUS peeks issuer's cert instead of real client's one. I guess something is broken in server's configuration...

  EAP-TLS sends over the entire certificate chain.  OpenSSL walks down the certificate chain, verifying each cert in sequence.

  If it can't verify the CA or server cert, OpenSSL fails, and we never get to check the client cert.

  When the client cert gets printed, the fields get printed as "TLS-Client-Cert-Serial", not as "TLS-Cert-Serial"

  Alan DeKok.

More information about the Freeradius-Users mailing list