Re: extendedKeyUsage = 1.3.6.1.5.5.7.3.1

2004-11-22 Thread Rok Papez
Hello Bilal.

On Friday 19 November 2004 09:02, Bilal Shahid wrote:

 I am using FreeRADIUS to authenticate the XSupplicant using EAP-TLS. The 
 certificates are being generated using the script CA.all. For the Server 
 certificate, the TLS Web Server OID used is 1.3.6.1.5.5.7.3.1.
 
 Now what the FreeRADIUS Server is actually sending out to the Client 
 (XSupplicant) (as seen from the Access Challenge packet dump while running 
 the FreeRADIUS Server in the debug mode) is the following byte sequence:
 
 0x08 2b 06 01 05 05 07 03 01
 
 as opposed to
 
 0x01 03 06 01 05 05 07 03 01
 

Have you checked the certificate for errors? I've been using this EKU
without problems with freeradius. AFAIK freeradius is not processing
the certificates, but the openssl code is.

In openssl.cnf you need:
[ eku ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

And when you sign a certificate request (I use openssl directly):
openssl ca -extensions eku ...

Check the certificate with:
# openssl x509 -in krkotnik.arnes.si_cert.pem -noout -text
[...]
X509v3 extensions:
X509v3 Extended Key Usage: 
TLS Web Server Authentication
[...]

-- 
Kind regards,
Rok Pape.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: extendedKeyUsage = 1.3.6.1.5.5.7.3.1

2004-11-19 Thread Alan DeKok
Bilal Shahid [EMAIL PROTECTED] wrote:
 Now I might be totally off the track here in this analysis but I just wanted 
 to make sure that the Server is indeed sending out what it is supposed to 
 send out to the Client. Is it alright that the OID being sent to the Client 
 has its first 2 bytes (0x01, 0x03) replaced by something else (0x08, 0x2b)?

  Please read the appropriate specifications to see what the format
should be.

  Whatever's going on, FreeRADIUS is just using the OpenSSL code.  I
suggest asking SSL questions on their list.

  Alan DeKok.

