Hello Frank. Thank your for helping ☺.
The CAPF certificates in cisco CUCM Systems have some functions, for example
phone proxy services. Usually, you create a certificate reqest on CUCM
(Callmanager) and you will signed by you internal ca. Also it is possible, that
the CUCM callmanager signed by self. (On both, the problem are happening)
I use a signed ca certificate for CAPF, with is signed by my internal root ca,
wich is bases on openssl.
So, for new phone, the CUCM callmanager generate and sign the phone client
certificate, wich is downloaded from the phone and used for check configuration
signing und in our problem case use as a client certificate for 802.1x tls
authentification.
In freeradius, the CAPF CA certificate is installed as a CA certificatge for
check the clients certs in tls authentification processes. In freeradius2
anything is working fine and the phone client certificates is verify without
any error.
The interesst think is, that the error is display for the ca (CAPF)
certificate, not for the client certificates.
So, i check the attributes and extensions:
X509v3 extensions:
X509v3 Subject Key Identifier:
58:A4:EB:D9:DD:CE:A2:99:72:3B:E1:20:19:1D:40:C1:F9:D5:C2:28
X509v3 Authority Key Identifier:
keyid:E2:E9:20:42:29:83:C4:77:8C:87:AB:FA:4B:A1:A9:C4:CE:00:BD:39
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Extended Key Usage: critical
TLS Web Server Authentication
For my interpretation, anything ist ok. May the TLS Web Server Authentication
is not usual, but it is mandodary by cisco. On the way, we use the minimal
mandodary requirements from cisco.
Vg
Robert
Von: Frank Migge [mailto:[email protected]]
Gesendet: Samstag, 20. Januar 2018 03:30
An: Gladewitz, Robert <[email protected]>; [email protected]
Betreff: Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed
in __FUNCTION__ (SSL_read): error:1417C086:SSL
routines:tls_process_client_certificate:certificate verify failed
Hi Robert,
error 26 : unsupported certificate purpose
It seems the cert gets declined because of a problem with cert
extensions. "keyUsage" or "extendedKeyUsage" are typical candidates. In
your case, the leaf certificate "CAPF-91d43ef6" has two extensions:
Object 00: X509v3 Key Usage
Digital Signature, Key Encipherment
Object 01: X509v3 Extended Key Usage
TLS Web Server Authentication, TLS Web Client Authentication, IPSec End System
I would check if an extension is now missing/newly required, or no
longer recognized. Try check for differences in the openssl.cnf and
freeradius config files between the old Debian system and the new one.
Some EAP TLS guides (incl. Cisco) also list extensions "nonRepudiation" and
"dataEncipherment", but this is just a guess since you mentioned it works on
the old system.
I have some problems with new Cisco CAPF certs
What is the authenticating device? Cisco IP phone?
Cheers,
Frank
cacert.capf.pem
Description: cacert.capf.pem
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
