unsupported certificate purpose

Alan DeKok aland at deployingradius.com
Fri Oct 30 13:44:40 CET 2020 

On Oct 30, 2020, at 8:21 AM, murugesh pitchaiah <murugesh.pitchaiah at gmail.com> wrote:
> while trying for radsec I see freeradius throwing below error on TLS handshake:
> 
> (0) TLS_accept: SSLv3/TLS write server done
> (0) <<< recv TLS 1.2  [length 07b9]
> (0) Creating attributes from certificate OIDs
> (0)   ERROR: SSL says error 26 : unsupported certificate purpose

  That seems relatively clear.

> (0) >>> send TLS 1.2  [length 0002]
> (0) ERROR: TLS Alert write:fatal:unsupported certificate
> tls: TLS_accept: Error in error
> (0) ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL
> routines:tls_process_client_certificate:certificate verify failed

  So it's the client certificate which is failing here.  That's at least better than some of the other OpenSSL error messages.  :(

> Here is the client certificate's purpose details:
> 
>        X509v3 extensions:
>            X509v3 Basic Constraints:
>                CA:FALSE
>            X509v3 Key Usage:
>                Digital Signature

  Is the client certificate signing other certificates?  I suspect not...

>            Netscape Comment:
>                OpenSSL Generated Certificate
>            X509v3 Subject Key Identifier:
>                AE:C8:80:61:1C:AB:99:03:8F:13:4F:14:95:EA:61:52:4D:8C:37:E8
>            X509v3 Authority Key Identifier:
> 
> keyid:44:C9:8D:CB:50:17:D2:33:60:4F:96:1A:76:34:99:A4:0D:FA:A1:8D
> 
>            X509v3 Extended Key Usage:
>                TLS Web Client Authentication

  That should work.

> I see the key usage and Extended usage look good; still unable to find
> whats reason for freeradius rejecting the client certificate

  It's not.  :(  OpenSSL is rejecting the client certificate.

> client openssl ; 1.0.2
> freeradius: 3.0.16 and i see this has openssl 1.1.0

  How did you generate the certificates?

  If you copy the client certificate to the OpenSSL machine, you can verify it there using the "openssl" command-line too.

  What's likely happening is that OpenSSL 1.1.0 is doing more stringent checks than OpenSSL 1.0.2.  So you'll need to regenerate the certificate, without the offending OIDs.

  Alan DeKok.

More information about the Freeradius-Users mailing list