unsupported certificate purpose

murugesh pitchaiah
Fri Oct 30 13:21:01 CET 2020


While trying RadSec, I see FreeRADIUS throwing the error below on the TLS handshake:

(0) TLS_accept: SSLv3/TLS write server done
(0) <<< recv TLS 1.2  [length 07b9]
(0) Creating attributes from certificate OIDs
(0)   ERROR: SSL says error 26 : unsupported certificate purpose
(0) >>> send TLS 1.2  [length 0002]
(0) ERROR: TLS Alert write:fatal:unsupported certificate
tls: TLS_accept: Error in error
(0) ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL
routines:tls_process_client_certificate:certificate verify failed
(0) ERROR: System call (I/O) error (-1)
(0) FAILED in TLS handshake receive

Here is the client certificate's purpose details:

        X509v3 extensions:
            X509v3 Basic Constraints:
            X509v3 Key Usage:
                Digital Signature
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:


            X509v3 Extended Key Usage:
                TLS Web Client Authentication

I see the key usage and extended key usage look good; I am still unable to find
the reason FreeRADIUS is rejecting the client certificate.

Client OpenSSL: 1.0.2
FreeRADIUS: 3.0.16, and I see this has OpenSSL 1.1.0

Any help please?
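Verify error 26 is OpenSSL's X509_V_ERR_INVALID_PURPOSE, and when FreeRADIUS verifies a client with the "sslclient" purpose, OpenSSL applies that purpose check to every certificate in the chain, the issuing CA certificates included, not only to the end-entity certificate whose extensions are shown above. The script below is an added example (not from the original post, FreeRADIUS or OpenSSL): it parses the "X509v3 extensions:" block of `openssl x509 -text -noout` output, the format quoted in the post, and applies the rules of OpenSSL's check_purpose_ssl_client() to each certificate of a chain so the one that trips the check can be named. The function names and the sample certificate texts are constructed for this example; the OpenSSL-specific flag and extension names are the ones the `openssl` tool prints.

```python
"""Apply OpenSSL's 'sslclient' purpose rules (crypto/x509v3/v3_purp.c, check_purpose_ssl_client)
to `openssl x509 -text -noout` output, certificate by certificate along a chain, to locate the
certificate behind X509_V_ERR_INVALID_PURPOSE ("unsupported certificate purpose", error 26)."""


def parse_extensions(x509_text):
    """Return {extension name: [value flags]} from the 'X509v3 extensions:' block.

    Extension names sit one indent level below the block header, their values one level deeper.
    The block ends at the first line back at the header's indent or shallower ('Signature Algorithm:').
    """
    exts, header_indent, name_indent, current = {}, None, None, None
    for line in x509_text.splitlines():
        if not line.strip():
            continue
        indent, text = len(line) - len(line.lstrip()), line.strip()
        if header_indent is None:
            if text == "X509v3 extensions:":
                header_indent = indent
            continue
        if indent <= header_indent:
            break
        name_indent = indent if name_indent is None else name_indent
        if indent == name_indent:
            # "X509v3 Key Usage: critical" -> name "X509v3 Key Usage" (criticality is irrelevant here)
            current = text.split(":", 1)[0].strip()
            exts[current] = []
        elif current is not None:
            # value lines carry comma-separated flags, e.g. "Digital Signature, Key Agreement"
            exts[current].extend(v.strip() for v in text.split(",") if v.strip())
    return exts


def is_ca(exts):
    """OpenSSL check_ca(): Basic Constraints decides when present; otherwise keyCertSign in Key Usage
    marks a CA. (The v1 self-signed special case is not visible in the extension block and is omitted.)"""
    bc = exts.get("X509v3 Basic Constraints")
    if bc is not None:
        return "CA:TRUE" in bc
    return "Certificate Sign" in exts.get("X509v3 Key Usage", [])


def check_ssl_client_purpose(exts, as_issuer):
    """Mirror check_purpose_ssl_client(): as_issuer=False for the end-entity certificate,
    as_issuer=True for every CA certificate above it. Returns (True, "ok") or (False, reason)."""
    eku = exts.get("X509v3 Extended Key Usage")
    # xku_reject(): an EKU that is present but lacks clientAuth rejects the certificate, CAs included
    if eku is not None and "TLS Web Client Authentication" not in eku:
        return False, "Extended Key Usage present but lacks TLS Web Client Authentication"
    ns = exts.get("Netscape Cert Type")
    if as_issuer:
        # check_ssl_ca(): must be a CA, and nsCertType, if present, must allow 'SSL CA'
        if not is_ca(exts):
            return False, "issuer is not a CA (no Basic Constraints CA:TRUE or keyCertSign)"
        if ns is not None and "SSL CA" not in ns:
            return False, "Netscape Cert Type present but lacks SSL CA"
        return True, "ok"
    # end entity: ku_reject(KU_DIGITAL_SIGNATURE | KU_KEY_AGREEMENT), then nsCertType 'SSL Client'
    ku = exts.get("X509v3 Key Usage")
    if ku is not None and not ({"Digital Signature", "Key Agreement"} & set(ku)):
        return False, "Key Usage present but has neither Digital Signature nor Key Agreement"
    if ns is not None and "SSL Client" not in ns:
        return False, "Netscape Cert Type present but lacks SSL Client"
    return True, "ok"


def diagnose_chain(x509_texts):
    """x509_texts[0] is the end-entity certificate, the rest its issuers up to the root.
    Returns [(position, ok, reason)] so the failing certificate can be named."""
    return [(i,) + check_ssl_client_purpose(parse_extensions(t), as_issuer=i > 0)
            for i, t in enumerate(x509_texts)]


# Constructed samples in `openssl x509 -text` layout. CLIENT_TEXT carries the extensions from the post.
CLIENT_TEXT = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
"""
# A CA whose own EKU is restricted to server authentication: the leaf passes, the chain does not.
SERVER_ONLY_CA_TEXT = """\
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: sha256WithRSAEncryption
"""
GOOD_CA_TEXT = """\
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
"""

if __name__ == "__main__":
    for label, chain in (("server-only CA", [CLIENT_TEXT, SERVER_ONLY_CA_TEXT]),
                         ("plain CA", [CLIENT_TEXT, GOOD_CA_TEXT])):
        for pos, ok, reason in diagnose_chain(chain):
            print(f"{label}: cert {pos} ({'issuer' if pos else 'client'}): {'ok' if ok else 'FAIL'} - {reason}")
```

Feed it the `-text` output of the client certificate followed by each CA certificate FreeRADIUS has in its `ca_file` or `ca_path`; `openssl verify -purpose sslclient -CAfile <ca bundle> <client cert>` performs the same check with the real OpenSSL code and is the quickest cross-check on the server.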


