Server certificate confusion

Stefan Winter stefan.winter at restena.lu
Wed Apr 18 16:03:21 CEST 2018


Hi,

well, I wouldn't have needed the private key, but ok :-)

I have an openssl 1.0.2 on my box, which validates this server and CA
against the purpose of TLS Server just fine (and as a counter-test, does
not validate it as TLS Client):

swinter at aragorn:~/scratch/FR-debug> openssl verify -CApath ./CA/
-purpose sslserver server.pem
server.pem: OK
swinter at aragorn:~/scratch/FR-debug> openssl verify -CApath ./CA/
-purpose sslclient server.pem
server.pem: C = FR, ST = Radius, O = Example Inc., CN = Example Server
Certificate, emailAddress = admin at example.org
error 26 at 0 depth lookup:unsupported certificate purpose
OK

Compiling 1.1.0h, this still works:

swinter at aragorn:~/scratch/FR-debug> LD_LIBRARY_PATH=/usr/local/lib64
/usr/local/bin/openssl verify -CApath ./CA/ -purpose sslserver server.pem
server.pem: OK
swinter at aragorn:~/scratch/FR-debug> LD_LIBRARY_PATH=/usr/local/lib64
/usr/local/bin/openssl verify -CApath ./CA/ -purpose sslclient server.pem
C = FR, ST = Radius, O = Example Inc., CN = Example Server Certificate,
emailAddress = admin at example.org
error 26 at 0 depth lookup: unsupported certificate purpose
error server.pem: verification failed
swinter at aragorn:~/scratch/FR-debug> LD_LIBRARY_PATH=/usr/local/lib64
/usr/local/bin/openssl version
OpenSSL 1.1.0h  27 Mar 2018

(but one can see that the failure test in 1.0.x was somewhat graceful
("OK") while 1.1.0 throws an actual error at the end)

Which still leaves us at the question why things don't work for you with
eapol_test.

The first, obvious question: is eapol_test compiled to use openssl at
all? Or is it using a different engine?

If it's using openssl, what version of openssl is on the system?

Is there anything ... peculiar in the wpa_supplicant.conf file regarding
server cert validation? You could paste the file here, but without your
password. I want it as little as I wanted the PEM key file, you know ;-)

Greetings,

Stefan Winter

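As an added example (not part of this thread, and not FreeRADIUS or OpenSSL code), here is a small Python script that performs the extendedKeyUsage part of the "-purpose sslserver" / "-purpose sslclient" check that the openssl verify runs above exercise, against the server.pem certificate Nick posted. It uses only the standard library and a minimal DER walk, and it models only the EKU rule: a certificate without an EKU extension passes any purpose, otherwise the purpose's OID must be listed (OpenSSL additionally evaluates keyUsage and nsCertType, which are left out here). The names pem_to_der, extended_key_usage and check_purpose are this example's own.

```python
import base64

# Certificate part of the server.pem from the mail below (the encrypted private
# key that followed it is not needed for a purpose check).
SERVER_PEM = """-----BEGIN CERTIFICATE-----
MIID2jCCAsKgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBkzELMAkGA1UEBhMCRlIx
DzANBgNVBAgMBlJhZGl1czESMBAGA1UEBwwJU29tZXdoZXJlMRUwEwYDVQQKDAxF
eGFtcGxlIEluYy4xIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1wbGUub3JnMSYw
JAYDVQQDDB1FeGFtcGxlIENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xODA0MTgx
MTI4MDhaFw0yODA0MTUxMTI4MDhaMHwxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIDAZS
YWRpdXMxFTATBgNVBAoMDEV4YW1wbGUgSW5jLjEjMCEGA1UEAwwaRXhhbXBsZSBT
ZXJ2ZXIgQ2VydGlmaWNhdGUxIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1wbGUu
b3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApAY39TBW76KKMYQ3
CSeXT7PtoRB1FtWKE1qVKRQOP2y/I9hSBJxbknKdhcpE3diORoWKh0qwjFKY+7as
Ehq9zVELbcO7fvTT663Cn9uBIwQ517RMJZjf6ks7N3LB9nmwi2iC0lmq/OS8mMNF
hZdK2QfWoDxRwBcT0z/WIrNJyYluJAtKISzejqP27rjh1ZI/WnxY/S+8VXdCwcR4
PtuyqSdOhC7q8EF8vIjG6H13G2V2/vmVrXQ7VokxWQ8F83vmRZVC2vcgYd5Qp813
/7YVL6C5g6CJgbz7AcJVwmT5P1W7xY9lOCz7bavdbPGewV7kONxQQrub+ZdKrJKX
uP13GwIDAQABo08wTTATBgNVHSUEDDAKBggrBgEFBQcDATA2BgNVHR8ELzAtMCug
KaAnhiVodHRwOi8vd3d3LmV4YW1wbGUuY29tL2V4YW1wbGVfY2EuY3JsMA0GCSqG
SIb3DQEBCwUAA4IBAQBBTf/njNLVZdM4ZoLQnO+GLLTN335PXGL4ufYtA38kncQJ
doSGaJTKllJdqCs+CRwNGVd2LE7Ahx0Rfj3m0J9YRmGzd5fdHRoWyqbED4nIrswd
ErhTbM7e34GnyhXeFcFYdEH8kczysOsKzRFSBQQKkKg7dIxE9AUyB13wsMeWWEcQ
DmINh6oan458/eXInqIvv7mc0JTJh+TuYFXYk738rSj6Tj4KloasG0rvCcTNmHWd
ojouFuypcJQASPUvIfM6zkkdKtnTI4OJYbidy/rI6LcPj2m1MV7poGwibVhuxmcK
jYb8EaNYormuKJ19HEXoKxLp5AM2wgDwCGae762k
-----END CERTIFICATE-----"""

EKU_OID = "2.5.29.37"              # id-ce-extKeyUsage
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth


def pem_to_der(pem):
    """Strip the PEM armour lines and base64-decode the body."""
    body = [line for line in pem.splitlines() if line and not line.startswith("-----")]
    return base64.b64decode("".join(body))


def read_tlv(buf, pos):
    """Read one DER element at buf[pos]; returns (tag, value, next_pos).
    Single-byte tags only, which is all X.509 uses."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def iter_children(seq):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(seq):
        tag, value, pos = read_tlv(seq, pos)
        yield tag, value


def decode_oid(raw):
    """Dotted-decimal form of a DER-encoded OBJECT IDENTIFIER value."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def extended_key_usage(cert_der):
    """Return the EKU OIDs as a list, or None if the certificate has no EKU extension."""
    _, certificate = next(iter_children(cert_der))   # Certificate SEQUENCE
    _, tbs = next(iter_children(certificate))        # tbsCertificate
    for tag, value in iter_children(tbs):
        if tag != 0xA3:                              # [3] EXPLICIT Extensions
            continue
        _, extensions = next(iter_children(value))   # SEQUENCE OF Extension
        for _, ext in iter_children(extensions):
            fields = list(iter_children(ext))        # extnID, [critical], extnValue
            if decode_oid(fields[0][1]) != EKU_OID:
                continue
            _, oid_seq = next(iter_children(fields[-1][1]))   # OCTET STRING holds SEQUENCE OF OID
            return [decode_oid(v) for _, v in iter_children(oid_seq)]
    return None


def check_purpose(cert_der, purpose):
    """EKU part of the openssl verify -purpose sslserver / sslclient decision."""
    required = {"sslserver": SERVER_AUTH, "sslclient": CLIENT_AUTH}[purpose]
    eku = extended_key_usage(cert_der)
    if eku is None:  # no EKU extension: usable for any purpose
        return True
    return required in eku


if __name__ == "__main__":
    der = pem_to_der(SERVER_PEM)
    print("extendedKeyUsage:", extended_key_usage(der))
    for purpose in ("sslserver", "sslclient"):
        verdict = "OK" if check_purpose(der, purpose) else "unsupported certificate purpose"
        print(f"-purpose {purpose}: {verdict}")
```

Run as a script it reports the single serverAuth OID in the posted certificate, OK for sslserver and "unsupported certificate purpose" for sslclient, matching the two openssl verify runs above; that is the expected shape for an EAP server certificate, so a supplicant that rejects it with error 26 is applying a purpose other than sslserver or is not using this OpenSSL at all.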

On 18.04.2018 at 13:36, Nick Howitt wrote:
> 
> 
> On 18/04/2018 12:23, Stefan Winter wrote:
>> Hi,
>>
>>> I've reverted the set up to use the standard Freeradius certs and I've
>>> been through the certs README, deleting all certificates and recreating
>>> the ca.pem and server certs (btw I think the order in the README is
>>> wrong as you need to create the server.csr before the server.pem) and
>>> I've hit the same "(6) eap_tls:   ERROR: SSL says error 26 : unsupported
>>> certificate purpose" issue when running eapol_test with the new certs.
>> Can you paste both the CA's and the server's PEM representation into a
>> mail on the list?
>>
>> Stefan
>>
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
> I've just recreated them as I had to remove the extension for testing.
> Note I have increased the validity of both in the cnf files to 3650d;
> everything else is at default.
> From "history":
>   994  cd /etc/raddb/certs
>   995  rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*
>   996  make ca.pem
>   997  server.csr
>   998  make server.csr
>   999  make server.pem
>  1000  openssl x509 -text -noout -in server.pem
>  1001  history
> 
> ca.pem:
> -----BEGIN CERTIFICATE-----
> MIIE5DCCA8ygAwIBAgIJANMWAroiOxufMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYD
> VQQGEwJGUjEPMA0GA1UECAwGUmFkaXVzMRIwEAYDVQQHDAlTb21ld2hlcmUxFTAT
> BgNVBAoMDEV4YW1wbGUgSW5jLjEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBs
> ZS5vcmcxJjAkBgNVBAMMHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4X
> DTE4MDQxODExMjczM1oXDTI4MDQxNTExMjczM1owgZMxCzAJBgNVBAYTAkZSMQ8w
> DQYDVQQIDAZSYWRpdXMxEjAQBgNVBAcMCVNvbWV3aGVyZTEVMBMGA1UECgwMRXhh
> bXBsZSBJbmMuMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGFtcGxlLm9yZzEmMCQG
> A1UEAwwdRXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3
> DQEBAQUAA4IBDwAwggEKAoIBAQC5jRl/IZsBPOvH1Vdua8yCt1NchL8j9aWAth7v
> z+mw7gG+pZegojz97M1+wQZiTeZwuR5XclAc/zpsv3u9stU+fR2hfMOBse9/bzaz
> wRUrhtN6kKPNGA0lMmbbNwus6AQnrgRXQOyvgmET0B+OHsVBqtWTGzq7IA7X0c5Y
> jcHj6zN4PwTg/2PfM59Ir2vcVO5hpLVYda0qK3GDoh8WfwpCvWgjt5YsFd7ARSUY
> Nf2hmHETzXSxx0tAFF+Hk/iFwXGeQFSXbrvh18Trgs3lmX4d0ehKXwgPjF4kY5IG
> 2yAjcTQWWGnoRE8fl9/yG6hBIOd6xNrabSIh2eiKreui1oZdAgMBAAGjggE3MIIB
> MzAdBgNVHQ4EFgQUOYtRuUCNkemvqYjtAokDb0sAHEYwgcgGA1UdIwSBwDCBvYAU
> OYtRuUCNkemvqYjtAokDb0sAHEahgZmkgZYwgZMxCzAJBgNVBAYTAkZSMQ8wDQYD
> VQQIDAZSYWRpdXMxEjAQBgNVBAcMCVNvbWV3aGVyZTEVMBMGA1UECgwMRXhhbXBs
> ZSBJbmMuMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGFtcGxlLm9yZzEmMCQGA1UE
> AwwdRXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHmCCQDTFgK6IjsbnzAPBgNV
> HRMBAf8EBTADAQH/MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly93d3cuZXhhbXBs
> ZS5vcmcvZXhhbXBsZV9jYS5jcmwwDQYJKoZIhvcNAQELBQADggEBACfUwu20Djg4
> Vz80P3Q5LtzLLQ+M8ndEn8QaWDEbQKP60Wlj3nD3FT+jCNovov2xgH18z2d6q2bE
> vqCN8884Sy0xIjuROwPhG1CFJ4oJ9rJmcjKqBcpr81UiM0hCf2OqLFPCHZRfAjMb
> RMmF0Vf3Cb/44Xqf10zYLe1fT++3Kj3QYGgn2YKVkmB++XH4FRux2pNoeImlKaP3
> 78KZB4GobraydEpxGJbvoD58TJ7/b1NGlPFgaC07aDZLhSfiSsRoN0Dt95VOZpWO
> vSxh8Yv6h9g9kxU6Nx0Up0LS23qvWcIhkbQkF0H7gQ2ECH6UN4CNdNvpLPPX5kjZ
> 0eCj1CL9j4g=
> -----END CERTIFICATE-----
> 
> server.pem:
> Bag Attributes
>     localKeyID: AD A7 E8 29 BB 2F C9 69 4F 75 2E F4 EF 80 70 99 B1 75 04 37
> subject=/C=FR/ST=Radius/O=Example Inc./CN=Example Server
> Certificate/emailAddress=admin at example.org
> issuer=/C=FR/ST=Radius/L=Somewhere/O=Example
> Inc./emailAddress=admin at example.org/CN=Example Certificate Authority
> -----BEGIN CERTIFICATE-----
> MIID2jCCAsKgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBkzELMAkGA1UEBhMCRlIx
> DzANBgNVBAgMBlJhZGl1czESMBAGA1UEBwwJU29tZXdoZXJlMRUwEwYDVQQKDAxF
> eGFtcGxlIEluYy4xIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1wbGUub3JnMSYw
> JAYDVQQDDB1FeGFtcGxlIENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xODA0MTgx
> MTI4MDhaFw0yODA0MTUxMTI4MDhaMHwxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIDAZS
> YWRpdXMxFTATBgNVBAoMDEV4YW1wbGUgSW5jLjEjMCEGA1UEAwwaRXhhbXBsZSBT
> ZXJ2ZXIgQ2VydGlmaWNhdGUxIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1wbGUu
> b3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApAY39TBW76KKMYQ3
> CSeXT7PtoRB1FtWKE1qVKRQOP2y/I9hSBJxbknKdhcpE3diORoWKh0qwjFKY+7as
> Ehq9zVELbcO7fvTT663Cn9uBIwQ517RMJZjf6ks7N3LB9nmwi2iC0lmq/OS8mMNF
> hZdK2QfWoDxRwBcT0z/WIrNJyYluJAtKISzejqP27rjh1ZI/WnxY/S+8VXdCwcR4
> PtuyqSdOhC7q8EF8vIjG6H13G2V2/vmVrXQ7VokxWQ8F83vmRZVC2vcgYd5Qp813
> /7YVL6C5g6CJgbz7AcJVwmT5P1W7xY9lOCz7bavdbPGewV7kONxQQrub+ZdKrJKX
> uP13GwIDAQABo08wTTATBgNVHSUEDDAKBggrBgEFBQcDATA2BgNVHR8ELzAtMCug
> KaAnhiVodHRwOi8vd3d3LmV4YW1wbGUuY29tL2V4YW1wbGVfY2EuY3JsMA0GCSqG
> SIb3DQEBCwUAA4IBAQBBTf/njNLVZdM4ZoLQnO+GLLTN335PXGL4ufYtA38kncQJ
> doSGaJTKllJdqCs+CRwNGVd2LE7Ahx0Rfj3m0J9YRmGzd5fdHRoWyqbED4nIrswd
> ErhTbM7e34GnyhXeFcFYdEH8kczysOsKzRFSBQQKkKg7dIxE9AUyB13wsMeWWEcQ
> DmINh6oan458/eXInqIvv7mc0JTJh+TuYFXYk738rSj6Tj4KloasG0rvCcTNmHWd
> ojouFuypcJQASPUvIfM6zkkdKtnTI4OJYbidy/rI6LcPj2m1MV7poGwibVhuxmcK
> jYb8EaNYormuKJ19HEXoKxLp5AM2wgDwCGae762k
> -----END CERTIFICATE-----
> Bag Attributes
>     localKeyID: AD A7 E8 29 BB 2F C9 69 4F 75 2E F4 EF 80 70 99 B1 75 04 37
> Key Attributes: <No Attributes>
> -----BEGIN ENCRYPTED PRIVATE KEY-----
> MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIDXoPxieDQy0CAggA
> MBQGCCqGSIb3DQMHBAhvyXKp13L/JASCBMiuLfezZw39A9Z9YppLHYfxh9rhBHm/
> vgUUzsiybokGnXJOCa/W8noUOTL3xF0rdsZmjo+B/eoOAdMUyYBLAxZYbZOutlBH
> XFZhVxWdkT2H0+SWn2opT7sRIxWfjsSfZQDHYJ3YLng3kNkDjUaiet+3SVs/30j1
> sobLZviGLftWqo5vnlWP6BpzvWruge0qFaSy3BMO5dF0G7J6ZHs1vnxseT9NUvHo
> p+z8di3P3fpv8cBnA4lA/4PPEeKw7A6vcklvilKlFzYoNbwQaoPRxyT7yRODbINs
> 44Ypd+agDRpxWjZoNKFLlEViCOkt2d6twU5ngi8u2Cy67NhhbuuXbPDUO25sAzAl
> myRwnEJkc77801fus8PncyAQlD1gyEiFaaMo4xSbJpa8de31Z6FLzpReLetRE+In
> 7gtXdHvSArkYP6KkveuywBZ3w73tmpQ8hFaP8fpf0/DbqQpMI2AWd1mYvmOMl4oW
> 6skl/Pw6HOrrpQEnFY22uvyhac6dlOghlbKRpXfM/IXqmkxBiM7oaOcCwk3D14++
> 2rfQB7O9fbD/BceSbFgC9Q8yHEWTEh5q6075I27nYjvR3XOxgkMGty/X7nQ/pNLz
> YDw7zwW+RAQ5u23NNikrwXFBx9T8DjizpcMIR+3HK78XaVyyHBaek5OWXQpm/q3Z
> 89odhJVRhAE/zc+lW+r3HmT99TY7o2pPPboU/yJJSpNimYiBJdAYgHOS58Cs5WW0
> 6dKvZl9LLfWJ6xgvxcf6wXsSLQyErkorAwuI2gL8jx5CKAmGKWICmhggzOhNNTEX
> RUzXMaqjwEH3pvr9/431U5xscuFf6JKveqUVEDDkRAV7IEaCxr1uCBlpTGjx/ltQ
> 0WRyTos1Zmfxru3qSUm4Xltwl9ZMJs5VInw6wl1hOK4ktIVPuZ2/okkbiF6bsYyt
> fvCaBZyOn9rBnPcMD7gx8Q5wPqMXipDKhgciN90b5kG3OI26pFz4u7YsTKclXrFC
> pDn86/t8twBtP2ML4yl9XMfPcoIfWhDFmKZRHhSlfFM9d55PABD1Tg0CPE+/RdSq
> Ayh0xB/Iw9AVxJFK9LM8IJGCAgm+0Zw8nnIfJ6HJLCno8yIySpR7HfvxZpEAhdUv
> EUSkuMukkJUR0vNMmuNoJWXWaV4o+yZXIvB7wtwlFBbTjLddZtVZ45IRly8rmP7F
> V/8gz2QLTRVz9GJM46nPS9U+zTbTPPi/76r/sfrtW6Rwlt2cw0V29JrUNW0GNXig
> eZS0iS1P69VBOGLXRA95heteDoDcCnspuEQedD8nPdogOFRbBSR8REFFpxuZU7vf
> m9FdluJ+U5SwZUBu+QEIMZmOBtqxQAa7HThSVjMujUmdejl2irhVoL1V4X9rKbML
> 8VvOdkuhaNSp8v1PehYM2+P4GdDw8wSgOldpu1FcPXbA7q1ZVhXVOfLlPi/GCxcF
> jBGKCn7hcsp/55dNo68dLTaqB3KY5d64rn9gjEuBOHpGj2gn6RdrESaGGQnuGI0S
> 20cSEiAf3JqcBcPektjYNbiTpwsE0StiQQEdrT7Oo/lrZqPmu7yD32W/QKwSr/a6
> IXOfcCSdMo9V7Iyti9LV/rfTkmXuUHetAtVQGJqdZjevSz5ct5UeLeGIuDGXDCsk
> cn4=
> -----END ENCRYPTED PRIVATE KEY-----
> 
> It is a temporary cert so I don't mind publishing the key which is in
> the server.pem.
> Regards,
> Nick


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66