Issues extending EAP-TLS to use OCSP
Przemysław Basa
pmb at langbit.pl
Sat Mar 8 19:15:42 UTC 2025
On 08.03.2025 00:31, Craig Huckabee wrote:
> If your OCSP certificate lacks the OCSP specific OID it will fail that basic verification process.
That was indeed the case - thank you! It was driving me nuts.
My current working solution is to use an intermediate CA to sign server.pem and the client certificates. It also signs the OCSP responder certificate, which has the EKU set to OCSPSigning.
For anyone wondering why an intermediate CA is necessary, the reason is that OpenSSL complains about a self-signed certificate in the chain when the OCSP responder certificate is signed directly by the root CA.
For completeness, I'll also mention that trying to add the OCSPSigning flag directly to the root CA results in the following errors:
(5) eap_tls: ERROR: (TLS) OpenSSL says error 26 : unsuitable certificate purpose
(5) eap_tls: (TLS) TLS - send TLS 1.2 Alert, fatal unsupported_certificate
(5) eap_tls: ERROR: (TLS) TLS - Alert write:fatal:unsupported certificate
(5) eap_tls: ERROR: (TLS) TLS - Server : Error in error
(5) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000086:SSL routines::certificate verify failed
(5) eap_tls: ERROR: (TLS) System call (I/O) error (-1)
(5) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation
(5) eap_tls: ERROR: [eaptls process] = fail
Regards,
Przemyslaw Basa