After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate

Alan DeKok aland at
Tue Dec 19 23:39:41 CET 2017

On Dec 19, 2017, at 5:09 PM, Gladewitz, Robert via Freeradius-Users <freeradius-users at> wrote:
> so, i find out that you are right. I find out, that the certificate check ends with an warning, because of following openssl function in v3_purp.c?


> But it is documented as a warning, not an error!? 

  The return codes tell the application about the certificate.  They're not errors or warnings.

> It is possible, to add an workarround for mistake in conf / tls.c

  It's possible to change FreeRADIUS to do anything.

  The question is whether it's a good idea.  In this case, I don't think so.

  For one, "invalid purpose" is an error which I've never seen before, in 20 years of working with FreeRADIUS.  It strongly indicates that there's something unusual about the certificates.

  For another, working around "invalid purpose" is a bad idea.  Those checks are there for a reason.  Avoiding them means you're essentially ignoring the certificate contents.

  You're free to put the patch into your local version of FreeRADIUS.  But until it's clear that the patch won't cause problems... it can't go into the main distribution.

> I hope, my mail not sounds arogant :-( 


  Alan DeKok.

More information about the Freeradius-Users mailing list