After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate
Boris Lytochkin
lytboris at yandex-team.ru
Wed Dec 20 07:41:50 CET 2017
Hi.
On 19.12.2017 20:48, Alan DeKok wrote:
> If it can't verify the CA or server cert, OpenSSL fails, and we never get to check the client cert.
>
> When the client cert gets printed, the fields get printed as "TLS-Client-Cert-Serial", not as "TLS-Cert-Serial"
Hmm. There is no TLS-Client-Cert-Serial in the debug log indeed. So
you're saying that
1) FR gets client cert from the client (not a full chain in our case,
see capture)
2) FR tries to check full cert chain and OpenSSL finds the issuer of
that client cert has wrong OIDs and raises an error flag.
Right?
--
Boris Lytochkin
Yandex NOC
+7 (495) 739 70 00 ext. 7671