TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

OpenSSL - User mailing list

Dear OpenSSL Team,

I have some problems with new Cisco CAPF certs and FreeRADIUS TLS authentication. The point is that the FreeRADIUS users see the problem in the OpenSSL implementation.

<SNIP: DEBUG>
(69) eap_tls: Continuing EAP-TLS
(69) eap_tls: Peer indicated complete TLS record size will be 1432 bytes
(69) eap_tls: Got complete TLS record (1432 bytes)
(69) eap_tls: [eaptls verify] = length included
(69) eap_tls: TLS_accept: SSLv3/TLS write server done
(69) eap_tls: <<< recv TLS 1.0 Handshake [length 03c2], Certificate
(69) eap_tls: Creating attributes from certificate OIDs
(69) eap_tls:   TLS-Cert-Serial := "1009"
(69) eap_tls:   TLS-Cert-Expiration := "380111125719Z"
(69) eap_tls:   TLS-Cert-Subject := "/C=DE/ST=Sachsen/L=Leipzig/O=DBFZ Deutsches Biomasseforschungszentrum gGmbH/OU=IT/CN=CAPF-91d43ef6"
(69) eap_tls:   TLS-Cert-Issuer := "/C=DE/ST=Sachsen/L=Leipzig/O=DBFZ Deutsches Biomasseforschungszentrum gemeinnuetzige GmbH/OU=IT/CN=DBFZ CA INTERN [hidden email]"
(69) eap_tls:   TLS-Cert-Common-Name := "CAPF-91d43ef6"
(69) eap_tls:   ERROR: SSL says error 26 : unsupported certificate purpose
(69) eap_tls: >>> send TLS 1.0 Alert [length 0002], fatal unsupported_certificate
(69) eap_tls: ERROR: TLS Alert write:fatal:unsupported certificate
tls: TLS_accept: Error in error
(69) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
(69) eap_tls: ERROR: System call (I/O) error (-1)
(69) eap_tls: ERROR: TLS receive handshake failed during operation
(69) eap_tls: ERROR: [eaptls process] = fail </DEBUG>
</SNIP>

This means that the check of the CA certificate failed, but I do not see why. If I check the certificate with the command openssl verify, all seems to be right.

# openssl verify -verbose -CAfile /etc/freeradius/3.0/certs.8021x.ciscophone/cacert.capf.pem SEP64A0E714844E-L1.pem
# SEP64A0E714844E-L1.pem: OK

The OpenSSL version is the Debian-based 1.1.0g-2. But the same error is also happening on 1.1.0f.

The older FreeRADIUS version 2 on Debian 8/OpenSSL 1.0.1t-1+deb8u7 works fine without this problem (using the same certificates).

The CA certificate is signed by an internal CA. Can anyone see the error??

Robert


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

Frank Migge-2
Hi Robert,

> error 26 : unsupported certificate purpose

It seems the cert gets declined because of a problem with cert
extensions. "keyUsage" or "extendedKeyUsage" are typical candidates. In
your case, the leaf certificate "CAPF-91d43ef6" has two extensions:

Object 00: X509v3 Key Usage
  Digital Signature, Key Encipherment

Object 01: X509v3 Extended Key Usage
  TLS Web Server Authentication, TLS Web Client Authentication, IPSec End System

I would check if an extension is now missing/newly required, or no
longer recognized. Try checking for differences in the openssl.cnf and
freeradius config files between the old Debian system and the new one.

Some EAP TLS guides (incl. Cisco) also list extensions "nonRepudiation" and "dataEncipherment", but this is just a guess since you mentioned it works on the old system.

> I have some problems with new Cisco CAPF certs

What is the authenticating device? Cisco IP phone?

Cheers,
Frank


Re: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

Frank Migge-2
I got it wrong. The failing cert from your log is actually the intermediate, which has five extensions:

>> Object 00: X509v3 Subject Key Identifier: 58:A4:EB:D9:DD:CE:A2:99:72:3B:E1:20:19:1D:40:C1:F9:D5:C2:28
>> Object 01: X509v3 Authority Key Identifier: keyid:E2:E9:20:42:29:83:C4:77:8C:87:AB:FA:4B:A1:A9:C4:CE:00:BD:39
>> Object 02: X509v3 Basic Constraints: CA:TRUE, pathlen:0
>> Object 03: X509v3 Key Usage: Digital Signature, Certificate Sign, CRL Sign
>> Object 04: X509v3 Extended Key Usage: TLS Web Server Authentication

This is where I would check first.

I am not fully sure, but believe that Extended Key Usage should *not* be there.

Frank

Re: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

Viktor Dukhovni


> On Jan 19, 2018, at 10:09 PM, Frank Migge <[hidden email]> wrote:
>
> >> Object 04: X509v3 Extended Key Usage: TLS Web Server Authentication
>
> This is where I would check first.
>
> I am not fully sure, but believe that Extended Key Usage should *not* be there.

Indeed the intermediate CA should either not have an extendedKeyUsage, or that
keyUsage should include the desired "purpose".  The handling of the purpose of
intermediate certificates was made more uniform in OpenSSL 1.1.0 (whether the
certificate is from the cert store or the remote peer is no longer material).
This and related changes can affect whether a chain is still valid with 1.1.0
and beyond.

--
        Viktor.


Re: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

OpenSSL - User mailing list
In reply to this post by Frank Migge-2

Hello Frank.

Thank you for helping :).

The CAPF certificates in Cisco CUCM systems have some functions, for example phone proxy services. Usually, you create a certificate request on CUCM (CallManager) and it will be signed by your internal CA. It is also possible that the CUCM CallManager signs it itself. (On both, the problem is happening.)

I use a signed CA certificate for CAPF, which is signed by my internal root CA, which is based on OpenSSL.

So, for a new phone, the CUCM CallManager generates and signs the phone client certificate, which is downloaded from the phone and used for checking configuration signing and, in our problem case, used as a client certificate for 802.1X TLS authentication.

In FreeRADIUS, the CAPF CA certificate is installed as a CA certificate to check the clients' certs in TLS authentication processes. In FreeRADIUS 2 everything is working fine and the phone client certificates verify without any error.

The interesting thing is that the error is displayed for the CA (CAPF) certificate, not for the client certificates.

So, I checked the attributes and extensions:

        X509v3 extensions:
            X509v3 Subject Key Identifier:
                58:A4:EB:D9:DD:CE:A2:99:72:3B:E1:20:19:1D:40:C1:F9:D5:C2:28
            X509v3 Authority Key Identifier:
                keyid:E2:E9:20:42:29:83:C4:77:8C:87:AB:FA:4B:A1:A9:C4:CE:00:BD:39

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication

In my interpretation, everything is OK. Maybe the TLS Web Server Authentication is not usual, but it is mandatory by Cisco. By the way, we use the minimal mandatory requirements from Cisco.

Best regards

Robert


Re: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

Michael Ströder
In reply to this post by Viktor Dukhovni
Viktor Dukhovni wrote:

>> On Jan 19, 2018, at 10:09 PM, Frank Migge <[hidden email]> wrote:
>>
>>>> Object 04: X509v3 Extended Key Usage: TLS Web Server Authentication
>>
>> This is where I would check first.
>>
>> I am not fully sure, but believe that Extended Key Usage should *not* be there.
>
> Indeed the intermediate CA should either not have an extendedKeyUsage, or that
> keyUsage should include the desired "purpose".
Full ack.

But unfortunately M$ implemented this requirement to add such a value to
Extended Key Usage of intermediate CA certs violating X.509 and RFC
5280. And now all PKI lemmings are following this crap.

=> use your own CA

Ciao, Michael.



Re: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

OpenSSL - User mailing list
In reply to this post by Viktor Dukhovni
Hello Viktor,

hmm, we have only a self-signed root CA and the CAPF is directly subordinate to it. And the extended key usage is mandatory by Cisco.

You mean the only solution is that the root CA also has the same extendedKeyUsage?

Robert


Re: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

OpenSSL - User mailing list
In reply to this post by Michael Ströder
Hello Michael,

So, I think there will be a lot of problems for many infrastructures in the future, if all software uses functions based on OpenSSL >1.1.0.

But I am using my own root CA, created at the time with OpenSSL 1.0.0. What can I do when Cisco needs the Extended Key Usage?

Robert


Re: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

OpenSSL - User mailing list
In reply to this post by Frank Migge-2

Hello Frank,

this is bad news. The Cisco CAPF CA certificate needs TLS Web Server Authentication.

https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/212214-Tech-Note-on-CAPF-Certificate-Signed-by.html

You mean, if I sign the cert request again adding anyExtendedKeyUsage, it will work? Or can the root CA add the same extendedKeyUsage and re-sign itself?

Robert

From: Frank Migge [mailto:[hidden email]]
Sent: Saturday, 20 January 2018 13:54
To: Gladewitz, Robert <[hidden email]>
Subject: Re: AW: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

 

Hi Robert,

Lets see if I get it right. Please correct me if I am misinterpreting.

If an extended key usage extension such as "TLS Web Server Authentication" is set in the intermediate, its purpose conflicts with the signing purpose of an (intermediate) CA cert.

RFC8250 mentions that the extended key usage extension (EKU) is only meant for end entity certificates (e.g. client or server certs). If both key usage (KU) and EKU extensions exist, both need to be checked for a consistent purpose. The EKU above could create a conflict of purpose with the KU before. In that case, the RFC requires the cert not to be used at all.

In simpler words: CA certificates can't/shouldn't be also used as client or server certs, and vice versa. However, it seems that Cisco is doing exactly that, trying to achieve both functions in a single cert.

This RFC violation(?) may work in a closed Cisco-world, but could fail against other products, such as FreeRadius/OpenSSL.

That it used to work with an older Debian under OpenSSL 1.0.1 may have been luck. Viktor mentioned that some changes to chain verification happened in versions 1.1.0 and beyond.

What could be done?

RFC 5280 mentions a "work-around". If the CAPF cert could be created outside of Cisco, replacing existing or adding the specific EKU called "anyExtendedKeyUsage", so it could act as a "wildcard"? Not sure if it would fix it (or breaks the Cisco side instead), and if indeed above problem is your issue, but it may be worth a try.

Frank

Saturday, January 20, 2018 8:29 PM

Hello Frank,

why is it wrong for a CA cert?

Robert

From: Frank Migge [[hidden email]]
Sent: Saturday, 20 January 2018 04:10
To: [hidden email]
Cc: Gladewitz, Robert [hidden email]
Subject: Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

 


Re: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

Viktor Dukhovni
In reply to this post by OpenSSL - User mailing list


> On Jan 20, 2018, at 6:42 AM, Gladewitz, Robert via openssl-users <[hidden email]> wrote:
>
> Hello Viktor,
>
> hmm, we have only a self-signed root CA and the CAPF is directly subordinate to it. And the extended key usage is mandatory by Cisco.
>
> You mean the only solution is that the root CA also has the same extendedKeyUsage?

The intermediate CA you posted:

   Subject: C = DE, ST = Sachsen, L = Leipzig, O = DBFZ Deutsches Biomasseforschungszentrum gGmbH, OU = IT, CN = CAPF-91d43ef6

has extensions:

        X509v3 extensions:
            X509v3 Subject Key Identifier: ...
            X509v3 Authority Key Identifier: ...
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication

The last of these limits the CA to just "TLS Web Server Authentication".
The leaf certificate has:

            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, IPSec End System

which works if you're authenticating it as a "TLS server" (the "Web" part
is irrelevant), but fails when used for a "TLS client" or "IPSec End System",
because those purposes are not included in the issuing CA certificate.

Presumably the problem in this case is that this CA is being used to
validate a "TLS client" certificate.  You'll need an intermediate CA
that either has no "X509v3 Extended Key Usage" or has one that includes
both "TLS Web Server Authentication" and "TLS Web Client Authentication".

--
        Viktor.


Re: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

OpenSSL - User mailing list
Hello Viktor,

thanks for all this help.

If I understand you right, then I need to add "TLS Web Client Authentication" to the CAPF certificate.

But I have a question. In FreeRADIUS I use the CAPF cert only as a CA cert, not as a server or client cert. The only function is to check that the client cert is signed by CAPF. For only checking this, does the CA need "TLS Web Client Authentication"??

Regards

Robert


Re: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

Viktor Dukhovni


> On Jan 21, 2018, at 7:34 AM, Gladewitz, Robert via openssl-users <[hidden email]> wrote:
>
> If I understand your right, then I need to add "TLS Web Client Authentication"
> to the CAPF certificate.

Or better still, remove the "ExtendedKeyUsage" extension from the CA
certificate and thus specify neither "TLS Web Client Authentication",
nor "TLS Web Server Authentication".  When you "tag" a CA certificate
with a given list of "purpose" OIDs, it is then not considered valid
for the purposes that are not listed.

> But I have a question. In Freeradius I use the CAPF cert only as a CA
> cert, not as a server or client cert. The only function is to check
> the client cert is signed from CAPF. For only check this, the CA need
> "TLS Web Client Authentication"??

OpenSSL interprets the "extendedKeyUsage" extension in CA certificates
as a restriction on the allowed extended key usages of leaf certificates
that can be issued by that CA.

You should typically not specify extended key usage for CA certificates
at all, unless you mean to restrict them to specific purposes.

--
        Viktor.


Re: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

Jeffrey Walton-3
On Sun, Jan 21, 2018 at 1:31 PM, Viktor Dukhovni
<[hidden email]> wrote:
>
> ...
> OpenSSL interprets the "extendedKeyUsage" extension in CA certificates
> as a restriction on the allowed extended key usages of leaf certificates
> that can be issued by that CA.
>
> You should typically not specify extended key usage for CA certificates
> at all, unless you mean to restrict them to specific purposes.

The behavior is inconsistent with RFC 5280:

4.2.1.12.  Extended Key Usage

   This extension indicates one or more purposes for which the certified
   public key may be used, in addition to or in place of the basic
   purposes indicated in the key usage extension.  In general, this
   extension will appear only in end entity certificates.  This
   extension is defined as follows ...

Jeff

Re: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

Viktor Dukhovni


> On Jan 21, 2018, at 2:40 PM, Jeffrey Walton <[hidden email]> wrote:
>
>> OpenSSL interprets the "extendedKeyUsage" extension in CA certificates
>> as a restriction on the allowed extended key usages of leaf certificates
>> that can be issued by that CA.
>>
>> You should typically not specify extended key usage for CA certificates
>> at all, unless you mean to restrict them to specific purposes.
>
> The behavior is inconsistent with RFC 5280:
>
> 4.2.1.12.  Extended Key Usage
>
>   This extension indicates one or more purposes for which the certified
>   public key may be used, in addition to or in place of the basic
>   purposes indicated in the key usage extension.  In general, this
>   extension will appear only in end entity certificates.  This
>   extension is defined as follows ...

We're well aware of this, but this is the de-facto behaviour of
multiple implementations.  This is an area in which RFC5280 fails
to match the real world.

--
        Viktor.


Re: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

Jeffrey Walton-3
On Sun, Jan 21, 2018 at 5:59 PM, Viktor Dukhovni
<[hidden email]> wrote:

>
>
>> On Jan 21, 2018, at 2:40 PM, Jeffrey Walton <[hidden email]> wrote:
>>
>>> OpenSSL interprets the "extendedKeyUsage" extension in CA certificates
>>> as a restriction on the allowed extended key usages of leaf certificates
>>> that can be issued by that CA.
>>>
>>> You should typically not specify extended key usage for CA certificates
>>> at all, unless you mean to restrict them to specific purposes.
>>
>> The behavior is inconsistent with RFC 5280:
>>
>> 4.2.1.12.  Extended Key Usage
>>
>>   This extension indicates one or more purposes for which the certified
>>   public key may be used, in addition to or in place of the basic
>>   purposes indicated in the key usage extension.  In general, this
>>   extension will appear only in end entity certificates.  This
>>   extension is defined as follows ...
>
> We're well aware of this, but this is the de-facto behaviour of
> multiple implementations.  This is an area in which RFC5280 fails
> to match the real world.

Apparently everyone did not get the memo :)

Maybe OpenSSL should allow users to choose between IETF issuing
policies and CA/Browser BR issuing policies.

Jeff

Re: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

Viktor Dukhovni


> On Jan 21, 2018, at 6:04 PM, Jeffrey Walton <[hidden email]> wrote:
>
> Maybe OpenSSL should allow users to choose between IETF issuing
> policies and CA/Browser BR issuing policies.

The sensible thing at this point is to publish an update to RFC5280
that accepts reality.

--
        Viktor.


Re: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

Jeffrey Walton-3
On Sun, Jan 21, 2018 at 6:23 PM, Viktor Dukhovni
<[hidden email]> wrote:
>
>
>> On Jan 21, 2018, at 6:04 PM, Jeffrey Walton <[hidden email]> wrote:
>>
>> Maybe OpenSSL should allow users to choose between IETF issuing
>> policies and CA/Browser BR issuing policies.
>
> The sensible thing at this point is to publish an update to RFC5280
> that accepts reality.

+1.

Add a Key-Interception usage while you're at it. It's a widespread practice too.

Jeff

Re: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

OpenSSL - User mailing list
In reply to this post by Viktor Dukhovni
➢ The sensible thing at this point is to publish an update to RFC5280
    that accepts reality.
   
Yes, and there’s an IETF place to do that if anyone is interested; see the LAMPS working group.


Re: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

OpenSSL - User mailing list

Thank you all for all the answers.
The problem is that Cisco prescribes the attributes.

https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/212214-Tech-Note-on-CAPF-Certificate-Signed-by.html

CAPF CSR:

        Attributes:
        Requested Extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, IPSec End System
            X509v3 Key Usage:
                Digital Signature, Certificate Sign




-----Original Message-----
From: openssl-users [mailto:[hidden email]] On behalf of Salz, Rich via openssl-users
Sent: Monday, 22 January 2018 00:39
To: [hidden email]
Subject: Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

➢ The sensible thing at this point is to publish an update to RFC5280
    that accepts reality.
   
Yes, and there’s an IETF place to do that if anyone is interested; see the LAMPS working group.


Re: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

OpenSSL - User mailing list
In reply to this post by OpenSSL - User mailing list

Thank you all for all the answers.
The problem is that Cisco prescribes the attributes.

https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/212214-Tech-Note-on-CAPF-Certificate-Signed-by.html

CAPF CSR:

        Attributes:
        Requested Extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, IPSec End System
            X509v3 Key Usage:
                Digital Signature, Certificate Sign

Unfortunately, the Cisco CUCM telephone systems do not seem to accept certificates without these attributes :-(.

If I understand everything correctly, would the only (and unclean) workaround be adding "TLS Web Client Authentication" to solve my problem?

Robert

-----Original Message-----
From: openssl-users [mailto:[hidden email]] On behalf of Salz, Rich via openssl-users
Sent: Monday, 22 January 2018 00:39
To: [hidden email]
Subject: Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

➢ The sensible thing at this point is to publish an update to RFC5280
    that accepts reality.
   
Yes, and there’s an IETF place to do that if anyone is interested; see the LAMPS working group.
