Solved: After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate

Alan DeKok aland at
Wed Jan 24 09:12:47 CET 2018

On Jan 24, 2018, at 2:16 AM, Gladewitz, Robert via Freeradius-Users <freeradius-users at> wrote:
> I would like to summarize the topic for FreeRadius.
> The error discussed is actually due to a change in OpenSSL1.1. My request in the OpenSSL user group on this topic has led to a controversial discussion.
> Of course the certificates are RFC compliant. Unfortunately, OpenSSL does not evaluate the ExtendedKeyUsage (eku) as defined in the RFC in question.

  The OpenSSL team gave you very clear reasons why on their mailing list.  One of which is that the RFCs are probably being updated to match current implementations.

  As someone who's written many RFCs, they're not perfect.  See RFC 5080, for example, which points out errors in earlier RFCs, and describes the correct behaviour.

  The "correct" behaviour in many cases is "what the implementations have been doing for a decade".

  There are cases where FreeRADIUS does not follow the RFCs.  These are cases where the RFCs are broken or wrong.

> In the case discussed here, ExtendedKeyUsage (eku) is set to TLS "Web Server Authentication" for the CA (CAPF) certificate.
> This would be allowable under RFC, but is not allowed by the openssl client certificate validation functions.

  Or by most implementations, as you were told on the OpenSSL list.  And that they believe the RFCs are wrong.

> Unfortunately, this is not a solution for customers who use the certificate signed by Cisco CallManagers themselves, as the eku for the freeradius cannot simply be deleted here. This means that there is no chance to authenticate the phones with a freeradius version based on openssl libraries >= 1.1.0 - at least not with tls.

  How about complaining to Cisco, and getting their implementation fixed?  Oh wait, Stefan already told you how to fix it.  You can:

>> upgrade his system to release 11.5 and re-generate the CAPF CA, then he should get a real CA.

> Remedy would only create a correctly patched openssl version or the correct implementation of an openssl_verify function (as discussed in openssl thread).

  Stop trolling.  It's rude, and will result in you getting kicked off of the list.  I've already warned you once off-list.  This is your last, and final warning.

  You're claiming here that the "correct" implementation of OpenSSL is whatever you think it is, and that the OpenSSL developers are wrong.  You're making that same claim about FreeRADIUS.

  You *could* choose to upgrade the Cisco software to a version which is fixed.  Instead, you insist on claiming that you know better than everyone else, and that everyone's software is wrong.

  There is no language problem here.  You're choosing to be obnoxious.  Stop it.

  Alan DeKok.
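The disagreement in this thread comes down to one check: when a client certificate is validated, every certificate in its chain that carries an ExtendedKeyUsage extension must list clientAuth, so a CAPF CA certificate restricted to serverAuth causes the chain to be rejected. The following example, added here and not part of the thread or of FreeRADIUS or OpenSSL, decodes the DER-encoded EKU value of each certificate in a chain (using only the Python standard library) and reports which certificate would trip that check. The chain entries and their EKU values are constructed for illustration; `check_chain_for_client_auth` and the other helper names are assumptions for this example.

```python
"""Decode X.509 ExtendedKeyUsage (EKU) values and flag chain members that
would block TLS client authentication.  Added example, not project code."""
from typing import List, Optional, Tuple

# Well-known EKU purpose OIDs (RFC 5280, section 4.2.1.12)
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_EXT_EKU = "2.5.29.37"  # the extension's own OID, used here for a round-trip check


def _encode_base128(n: int) -> bytes:
    """Encode one OID arc in base-128 with continuation bits (X.690 8.19)."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID string as an OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        body += _encode_base128(arc)
    return bytes([0x06, len(body)]) + body  # short-form length (< 128 bytes)


def encode_eku(oids: List[str]) -> bytes:
    """DER-encode an ExtKeyUsageSyntax: SEQUENCE OF KeyPurposeId (constructed sample data)."""
    inner = b"".join(encode_oid(o) for o in oids)
    return bytes([0x30, len(inner)]) + inner


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    """Decode the value bytes of an OBJECT IDENTIFIER into dotted form."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_eku(der: bytes) -> List[str]:
    """Parse a DER ExtendedKeyUsage value into its list of purpose OIDs."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("EKU members must be OBJECT IDENTIFIERs")
        oids.append(decode_oid(body))
    return oids


def check_chain_for_client_auth(chain: List[Tuple[str, Optional[bytes]]]) -> List[str]:
    """Return one finding per chain member whose EKU is present but lacks clientAuth.
    A certificate with no EKU extension is unrestricted and produces no finding."""
    findings = []
    for name, eku_der in chain:
        if eku_der is None:
            continue
        oids = decode_eku(eku_der)
        if EKU_CLIENT_AUTH not in oids:
            findings.append(f"{name}: EKU {oids} does not include clientAuth")
    return findings


if __name__ == "__main__":
    # Constructed chain mirroring the thread: a CA limited to serverAuth, a phone cert with clientAuth.
    sample_chain = [
        ("CAPF CA (constructed)", encode_eku([EKU_SERVER_AUTH])),
        ("phone client cert (constructed)", encode_eku([EKU_CLIENT_AUTH])),
    ]
    for finding in check_chain_for_client_auth(sample_chain):
        print(finding)
```

Run it to see the CA flagged; re-issuing the CA either without an EKU extension or with clientAuth included clears the finding, which is the practical effect of regenerating the CAPF CA as suggested in the thread.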
