After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate

Thu Dec 21 14:52:16 CET 2017

Hi,

> It's much better to fix your "CA" cert (which is not).
> ================
>             X509v3 Basic Constraints: critical
>                 CA:TRUE
> ================
> is missing.

Out of curiosity (I didn't think Cisco can be so stupid to make CAs
which aren't actually CAs...) I searched, and my search engine of choice
gave me this link:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCut82798/?referring_site=bugquickviewredir

(needs free registration to view)

So, indeed, Cisco WAS that stupid. For an extended amount of time and
multiple major version releases.

FWIW, if the OP can upgrade his system to release 11.5 and re-generate
the CAPF CA, then he should get a real CA.

Which then makes tinkering with source code obsolete.

(If the answer is that you need to edit the source code, then you are
asking the wrong question :-) )

Greetings,

Stefan Winter

Am 20.12.2017 um 07:51 schrieb Boris Lytochkin:
> Hi.
>

> See http://www.alvestrand.no/objectid/2.5.29.19.html
> 
> On 20.12.2017 1:09, Gladewitz, Robert via Freeradius-Users wrote:
>> Hello Alan,
>>
>> so, i find out that you are right. I find out, that the certificate
>> check ends with an warning, because of following openssl function in
>> v3_purp.c?
>>
>> 495 /*-
>>   496  * CA checks common to all purposes
>>   497  * return codes:
>>   498  * 0 not a CA
>>   499  * 1 is a CA
>>   500  * 2 basicConstraints absent so "maybe" a CA
>>   501  * 3 basicConstraints absent but self signed V1.
>>   502  * 4 basicConstraints absent but keyUsage present and
>> keyCertSign asserted.
>>   503  */
>>   504
>>   505 static int check_ca(const X509 *x)
>>   506 {
>>   507     /* keyUsage if present should allow cert signing */
>>   508     if (ku_reject(x, KU_KEY_CERT_SIGN))
>>   509         return 0;
>>   510     if (x->ex_flags & EXFLAG_BCONS) {
>>   511         if (x->ex_flags & EXFLAG_CA)
>>   512             return 1;
>>   513         /* If basicConstraints says not a CA then say so */
>>   514         else
>>   515             return 0;
>>   516     } else {
>>   517         /* we support V1 roots for...  uh, I don't really know
>> why. */
>>   518         if ((x->ex_flags & V1_ROOT) == V1_ROOT)
>>   519             return 3;
>>   520         /*
>>   521          * If key usage present it must have certSign so
>> tolerate it
>>   522          */
>>   523         else if (x->ex_flags & EXFLAG_KUSAGE)
>>   524             return 4;
>>   525         /* Older certificates could have Netscape-specific CA
>> types */
>>   526         else if (x->ex_flags & EXFLAG_NSCERT && x->ex_nscert &
>> NS_ANY_CA)
>>   527             return 5;
>>   528         /* can this still be regarded a CA certificate?  I doubt
>> it */
>>   529         return 0;
>>   530     }
>>   531 }
>>
>> But it is documented as a warning, not an error!?
>>
>> It is possible, to add an workarround for mistake in conf / tls.c
>>
>> <DIFF tls.c>
>>     if (!my_ok &&
>>         (conf->allow_expired_crl) &&
>>         (err == X509_V_ERR_CRL_HAS_EXPIRED)) {
>>         my_ok = 1;
>>         X509_STORE_CTX_set_error( ctx, 0 );
>>     }
>>
>>     + if (!my_ok &&
>>     +    (conf->allow_wrong_purposed) &&
>>     +    (err == X509_V_ERR_INVALID_PURPOSE)) {
>>     +    my_ok = 1;
>>     +    X509_STORE_CTX_set_error( ctx, 0 );
>>     + }
>>     
>>                 if (!my_ok) {
>>
>> </DIFF>
>>
>> I hope, my mail not sounds arogant :-(
>>
>> Robert
>>
>>
>> -----Ursprüngliche Nachricht-----
>> Von: Freeradius-Users
>> [mailto:freeradius-users-bounces+robert.gladewitz=dbfz.de at lists.freeradius.org]
>> Im Auftrag von Alan DeKok
>> Gesendet: Dienstag, 19. Dezember 2017 18:49
>> An: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
>> Betreff: Re: After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS
>> Alert write:fatal:unsupported certificate
>>
>>
>>> On Dec 19, 2017, at 12:18 PM, Boris Lytochkin
>>> <lytboris at yandex-team.ru> wrote:
>>> Alan, you are absolutely correct about OIDs. But one thing drives me
>>> crazy. Robert sent me a full capture (attached) and it is really
>>> weird if you compare it to FreeRADIUS logs.
>>> ...
>>> I have no idea why FreeRADIUS peeks issuer's cert instead of real
>>> client's one. I guess something is broken in server's configuration...
>>    EAP-TLS sends over the entire certificate chain.  OpenSSL walks
>> down the certificate chain, verifying each cert in sequence.
>>
>>    If it can't verify the CA or server cert, OpenSSL fails, and we
>> never get to check the client cert.
>>
>>    When the client cert gets printed, the fields get printed as
>> "TLS-Client-Cert-Serial", not as "TLS-Cert-Serial"
>>
>>    Alan DeKok.
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
> 

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20171221/c9b20843/attachment.sig>