I got it wrong. The failing cert from your log is actually the
intermediate, which has five extensions:

>> Object 00: X509v3 Subject Key Identifier:
58:A4:EB:D9:DD:CE:A2:99:72:3B:E1:20:19:1D:40:C1:F9:D5:C2:28
>> Object 01: X509v3 Authority Key Identifier:
keyid:E2:E9:20:42:29:83:C4:77:8C:87:AB:FA:4B:A1:A9:C4:CE:00:BD:39
>> Object 02: X509v3 Basic Constraints: CA:TRUE, pathlen:0
>> Object 03: X509v3 Key Usage: Digital Signature, Certificate Sign, CRL
Sign
>> Object 04: X509v3 Extended Key Usage: TLS Web Server Authentication

This is were I would check first.

I am not fully sure, but believe that Extended Key Usage should *not* be
there.

Frank

> Frank Migge <mailto:f...@frank4dd.com>
> Saturday, January 20, 2018 11:29 AM
> Hi Robert,
>
>>> error 26 : unsupported certificate purpose
>
> It seems the cert gets declined because of a problem with cert
> extensions. "keyUsage" or "extendedKeyUsage" are typical candidates. In
> your case, the leaf certificate "CAPF-91d43ef6" has two extensions:
>
> Object 00: X509v3 Key Usage
>   Digital Signature, Key Encipherment
>
> Object 01: X509v3 Extended Key Usage
>   TLS Web Server Authentication, TLS Web Client Authentication, IPSec End 
> System
>
> I would check if an extension is now missing/newly required, or no
> longer recognized. Try check for differences in the openssl.cnf and
> freeradius config files between the old Debian system and the new one.
>
> Some EAP TLS guides (incl. Cisco) also list extensions "nonRepudiation" and 
> "dataEncipherment", but this is just a guess since you mentioned it works on 
> the old system.
>
>>> I have some problems with new Cisco CAPF certs
>
> What is the authenticating device? Cisco IP phone?
>
> Cheers,
> Frank
> Gladewitz, Robert via openssl-users <mailto:openssl-users@openssl.org>
> Friday, January 19, 2018 11:12 PM
>
> Dear OpenSSL Team,
>
>  
>
> I have some problems with new Cisco CAPF certs and freeradius tls
> authentification. The point is, that freeradius users see the problem
> on openssl implemtiation.
>
>  
>
> <SNIP: DEBUG>
>
> (69) eap_tls: Continuing EAP-TLS
>
> (69) eap_tls: Peer indicated complete TLS record size will be 1432 bytes
>
> (69) eap_tls: Got complete TLS record (1432 bytes)
>
> (69) eap_tls: [eaptls verify] = length included
>
> (69) eap_tls: TLS_accept: SSLv3/TLS write server done
>
> (69) eap_tls: <<< recv TLS 1.0 Handshake [length 03c2], Certificate
>
> (69) eap_tls: Creating attributes from certificate OIDs
>
> (69) eap_tls:   TLS-Cert-Serial := "1009"
>
> (69) eap_tls:   TLS-Cert-Expiration := "380111125719Z"
>
> (69) eap_tls:   TLS-Cert-Subject := "/C=DE/ST=Sachsen/L=Leipzig/O=DBFZ
> Deutsches Biomasseforschungszentrum gGmbH/OU=IT/CN=CAPF-91d43ef6"
>
> (69) eap_tls:   TLS-Cert-Issuer := "/C=DE/ST=Sachsen/L=Leipzig/O=DBFZ
> Deutsches Biomasseforschungszentrum gemeinnuetzige GmbH/OU=IT/CN=DBFZ
> CA INTERN ROOT/emailAddress=supp...@dbfz.de
> <mailto:ROOT/emailAddress=supp...@dbfz.de>"
>
> (69) eap_tls:   TLS-Cert-Common-Name := "CAPF-91d43ef6"
>
> (69) eap_tls:   ERROR: SSL says error 26 : unsupported certificate purpose
>
> (69) eap_tls: >>> send TLS 1.0 Alert [length 0002], fatal
> unsupported_certificate
>
> (69) eap_tls: ERROR: TLS Alert write:fatal:unsupported certificate
>
> tls: TLS_accept: Error in error
>
> (69) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read):
> error:1417C086:SSL routines:tls_process_client_certificate:certificate
> verify failed
>
> (69) eap_tls: ERROR: System call (I/O) error (-1)
>
> (69) eap_tls: ERROR: TLS receive handshake failed during operation
>
> (69) eap_tls: ERROR: [eaptls process] = fail </DEBUG>
>
> </SNIP>
>
>  
>
> This means, that the check of ca certificate is failed. So, bu I do
> not see, why. If i check the certificate by command openssl –verify,
> all sems to be right.
>
> # openssl verify -verbose -CAfile
> /etc/freeradius/3.0/certs.8021x.ciscophone/cacert.capf.pem
> SEP64A0E714844E-L1.pem
>
> # SEP64A0E714844E-L1.pem: OK
>
>  
>
>  
>
> The openssl version is Debian based 1.1.0g-2. But the same error is
> happening on 1.1.0f also.
>
>  
>
> Older freeradius version 2 on Debian 8/openssl 1.0.1t-1+deb8u7 working
> fine without this problem (by using the same certificates)
>
>  
>
> The ca certificate are signed by an intern ca. Can anyone see the error??
>
>  
>
> Robert
>
>  
>
>  
>
>  
>

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Reply via email to