After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate

Boris Lytochkin lytboris at
Wed Dec 20 07:41:50 CET 2017


On 19.12.2017 20:48, Alan DeKok wrote:
>    If it can't verify the CA or server cert, OpenSSL fails, and we never get to check the client cert.
>    When the client cert gets printed, the fields get printed as "TLS-Client-Cert-Serial", not as "TLS-Cert-Serial"
Hmm. There is no TLS-Client-Cert-Serial in the debug log indeed. So you're saying that
1) FR gets client cert from the client (not a full chain in our case, see capture)
2) FR tries to check full cert chain and OpenSSL finds the issuer of that client cert has wrong OIDs and raises an error flag.

Boris Lytochkin
Yandex NOC
+7 (495) 739 70 00 ext. 7671
