unsupported certificate purpose


unsupported certificate purpose

murugesh pitchaiah
Hi

While trying RadSec, I see FreeRADIUS throwing the error below on the TLS handshake:

(0) TLS_accept: SSLv3/TLS write server done
(0) <<< recv TLS 1.2  [length 07b9]
(0) Creating attributes from certificate OIDs
(0)   ERROR: SSL says error 26 : unsupported certificate purpose
(0) >>> send TLS 1.2  [length 0002]
(0) ERROR: TLS Alert write:fatal:unsupported certificate
tls: TLS_accept: Error in error
(0) ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL
routines:tls_process_client_certificate:certificate verify failed
(0) ERROR: System call (I/O) error (-1)
(0) FAILED in TLS handshake receive


Here is the client certificate's purpose details:

        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                AE:C8:80:61:1C:AB:99:03:8F:13:4F:14:95:EA:61:52:4D:8C:37:E8
            X509v3 Authority Key Identifier:

keyid:44:C9:8D:CB:50:17:D2:33:60:4F:96:1A:76:34:99:A4:0D:FA:A1:8D

            X509v3 Extended Key Usage:
                TLS Web Client Authentication

I see the key usage and extended key usage look good; I am still unable to find
the reason for FreeRADIUS rejecting the client certificate.

client openssl: 1.0.2
freeradius: 3.0.16, and I see this has openssl 1.1.0

Any help, please?

Thanks
murugesh
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: unsupported certificate purpose

Alan Buxey
hi,

"TLS Web Client Authentication" - okay, it's a client

X509v3 Key Usage:
                Digital Signature

not okay - this cert isn't being used for just a signature - I expect
OpenSSL > 1.0.2 is now doing the right thing and not being happy with
the presented cert being used for more than its assigned task.

alan

Re: unsupported certificate purpose

Alan DeKok
In reply to this post by murugesh pitchaiah
On Oct 30, 2020, at 8:21 AM, murugesh pitchaiah <[hidden email]> wrote:
> While trying RadSec, I see FreeRADIUS throwing the error below on the TLS handshake:
>
> (0) TLS_accept: SSLv3/TLS write server done
> (0) <<< recv TLS 1.2  [length 07b9]
> (0) Creating attributes from certificate OIDs
> (0)   ERROR: SSL says error 26 : unsupported certificate purpose

  That seems relatively clear.

> (0) >>> send TLS 1.2  [length 0002]
> (0) ERROR: TLS Alert write:fatal:unsupported certificate
> tls: TLS_accept: Error in error
> (0) ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL
> routines:tls_process_client_certificate:certificate verify failed

  So it's the client certificate which is failing here.  That's at least better than some of the other OpenSSL error messages.  :(

> Here is the client certificate's purpose details:
>
>        X509v3 extensions:
>            X509v3 Basic Constraints:
>                CA:FALSE
>            X509v3 Key Usage:
>                Digital Signature

  Is the client certificate signing other certificates?  I suspect not...

>            Netscape Comment:
>                OpenSSL Generated Certificate
>            X509v3 Subject Key Identifier:
>                AE:C8:80:61:1C:AB:99:03:8F:13:4F:14:95:EA:61:52:4D:8C:37:E8
>            X509v3 Authority Key Identifier:
>
> keyid:44:C9:8D:CB:50:17:D2:33:60:4F:96:1A:76:34:99:A4:0D:FA:A1:8D
>
>            X509v3 Extended Key Usage:
>                TLS Web Client Authentication

  That should work.

> I see the key usage and extended key usage look good; I am still unable to find
> the reason for FreeRADIUS rejecting the client certificate.

  It's not.  :(  OpenSSL is rejecting the client certificate.

> client openssl: 1.0.2
> freeradius: 3.0.16, and I see this has openssl 1.1.0

  How did you generate the certificates?

  If you copy the client certificate to the OpenSSL machine, you can verify it there using the "openssl" command-line too.

  What's likely happening is that OpenSSL 1.1.0 is doing more stringent checks than OpenSSL 1.0.2.  So you'll need to regenerate the certificate, without the offending OIDs.

  Alan DeKok.



Re: unsupported certificate purpose

murugesh pitchaiah
Thanks Alan B and Alan K.

I generated the key and certificate using the openssl.cnf and the steps below:

openssl genrsa -aes256 -out key.pem
openssl req -config openssl.cnf -key key.pem -new -sha256 -out csr.pem
openssl ca -config openssl.cnf -extensions usr_cert -days 375 -notext \
    -md sha256 -in csr.pem -out cert.pem

This generation is done on a Linux box with openssl 1.0.2.

While verifying with openssl 1.1.0 (also with 1.0.2) using the steps
below, on the Ubuntu box where FreeRADIUS is running, it shows OK.

openssl verify -CAfile cacert.pem  cert.pem
cert.pem: OK

But only FreeRADIUS is throwing the error about the purpose.

Still, I generated a new client certificate without the 'digital
signature' key usage.

        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                DD:4A:55:26:9E:7F:27:E9:F6:14:63:CE:95:A3:AD:78:68:7F:56:A6
            X509v3 Authority Key Identifier:

keyid:44:C9:8D:CB:50:17:D2:33:60:4F:96:1A:76:34:99:A4:0D:FA:A1:8D

            X509v3 Extended Key Usage:
                TLS Web Client Authentication



But result is same.

(0) TLS_accept: SSLv3/TLS write server done
(0) <<< recv TLS 1.2  [length 07ac]
(0) Creating attributes from certificate OIDs
(0)   ERROR: SSL says error 26 : unsupported certificate purpose
(0) >>> send TLS 1.2  [length 0002]
(0) ERROR: TLS Alert write:fatal:unsupported certificate
tls: TLS_accept: Error in error
(0) ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL
routines:tls_process_client_certificate:certificate verify failed
(0) ERROR: System call (I/O) error (-1)
(0) FAILED in TLS handshake receive
Closing TLS socket from client port 57851

Should I generate again with openssl 1.1.0? But I wonder how
"openssl verify" works fine with openssl 1.1.0, but not FreeRADIUS's
SSL read.

Thanks in advance.

Thanks
murugesh




Re: unsupported certificate purpose

Alan DeKok
On Oct 30, 2020, at 1:47 PM, murugesh pitchaiah <[hidden email]> wrote:
> I generated key and certificate using the openssl.cnf and below steps:

  FreeRADIUS comes with certificate creation scripts in raddb/certs.  The certificates created with those scripts *work*.

> openssl genrsa -aes256 -out key.pem
> openssl req -config openssl.cnf -key key.pem -new -sha256 -out csr.pem
> openssl ca -config openssl.cnf -extensions usr_cert -days 375 -notext \
>     -md sha256 -in csr.pem -out cert.pem

  We don't know what's in the "openssl.cnf" file you're using.  We suggest just using the scripts that are included with FreeRADIUS.

> This generation is done on a Linux box with openssl 1.0.2.
>
> While verifying with openssl 1.1.0 (also with 1.0.2) using the steps
> below, on the Ubuntu box where FreeRADIUS is running, it shows OK.
>
> openssl verify -CAfile cacert.pem  cert.pem
> cert.pem: OK

  That's good.

> But only FreeRADIUS is throwing the error about the purpose.

  Again... it's *openssl* which is giving the error to FreeRADIUS.  The server is just reporting it.

> Still, I generated a new client certificate without the 'digital
> signature' key usage.

  OpenSSL doesn't like one of the other extensions.  Which one?  I don't know... OpenSSL won't tell us.

  Use the scripts included with FreeRADIUS.  If you need extra OIDs, create certs *without* them, and test.  If that works (and it will), then add OIDs one by one, until it doesn't work.

  That's the OID which is failing.  Why?  OpenSSL won't tell us.

  Alan DeKok.


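The gap between "openssl verify ... OK" and "error 26: unsupported certificate purpose" that runs through this thread comes from a check that plain `openssl verify -CAfile` does not perform: a TLS server validates the client's chain with the "ssl client" purpose set, and that purpose check is applied to every certificate in the chain, the CA included. The script below is an added example and is not from the thread or from the FreeRADIUS project. It constructs its own CAs and client certificates in a temporary directory (all names, extension profiles and serials are made up here), then runs `openssl verify` with and without `-purpose sslclient` over three cases: a client certificate like the one posted (digitalSignature + clientAuth), a client certificate whose keyUsage permits neither signing nor key agreement, and a correct client certificate issued by a CA that carries an extendedKeyUsage without clientAuth. The last two pass the plain chain check and fail the purpose check with error 26, which is the pattern the thread describes; they are illustrations of where the purpose check looks, not a claim about which extension was at fault in the original certificates.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the purpose check that
# OpenSSL applies to a peer certificate inside the TLS handshake, next to the
# plain chain check that "openssl verify -CAfile" performs by default.
# Everything below is constructed in a temporary directory; only the openssl
# command-line tool is required.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal request config so "openssl req" works without a system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf

# Extension profiles for the constructed certificates (all made up here).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
# Same CA profile, but with an EKU that does not include clientAuth.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nextendedKeyUsage=serverAuth\n' > ca_srv.ext
# End-entity profile like the one posted in the thread (DS + clientAuth).
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > client.ext
# End-entity profile whose keyUsage allows neither signing nor key agreement.
printf 'basicConstraints=CA:FALSE\nkeyUsage=keyEncipherment\nextendedKeyUsage=clientAuth\n' > enc_only.ext

# Self-signed CA built from a CSR plus an extension file.
make_ca() {  # $1 = name, $2 = extension file
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -config req.cnf -key "$1.key" -subj "/CN=$1" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -extfile "$2" -out "$1.pem" 2>/dev/null
}
# Leaf certificate signed by the named CA with the given extension profile.
make_leaf() {  # $1 = name, $2 = CA name, $3 = extension file, $4 = serial
  openssl x509 -req -in leaf.csr -CA "$2.pem" -CAkey "$2.key" -set_serial "$4" \
    -days 30 -extfile "$3" -out "$1.pem" 2>/dev/null
}

make_ca ca ca.ext
make_ca ca_srv ca_srv.ext
openssl genrsa -out leaf.key 2048 2>/dev/null
openssl req -new -config req.cnf -key leaf.key -subj "/CN=radsec-client" -out leaf.csr 2>/dev/null
make_leaf client     ca     client.ext   1001
make_leaf enc_only   ca     enc_only.ext 1002
make_leaf client_srv ca_srv client.ext   1003

# Run "openssl verify" and reduce the result to OK or "FAIL <X509 error code>"
# (26 is X509_V_ERR_INVALID_PURPOSE, "unsupported certificate purpose").
# Matching the printed text avoids depending on the exit status, which has
# differed between OpenSSL releases.
run_verify() {  # $1 = CA file, $2 = certificate, remaining = extra verify options
  ca=$1; cert=$2; shift 2
  out=$(openssl verify "$@" -CAfile "$ca" "$cert" 2>&1) || true
  if printf '%s\n' "$out" | grep -q ': OK$'; then
    echo OK
  else
    printf '%s\n' "$out" | grep -o 'error [0-9][0-9]*' | head -n 1 | sed 's/^error/FAIL/'
  fi
}
verify_plain()     { run_verify "$1" "$2"; }                    # chain only
verify_sslclient() { run_verify "$1" "$2" -purpose sslclient; } # what a TLS server applies

for pair in "ca client" "ca enc_only" "ca_srv client_srv"; do
  set -- $pair
  printf '%-12s signed by %-7s plain=%-8s sslclient=%s\n' \
    "$2" "$1" "$(verify_plain "$1.pem" "$2.pem")" "$(verify_sslclient "$1.pem" "$2.pem")"
done
```

To apply the same check to the files from the thread, run `openssl verify -purpose sslclient -CAfile cacert.pem cert.pem` on the FreeRADIUS host; `openssl x509 -noout -purpose -in cacert.pem` (and the same for cert.pem) prints a per-purpose "Yes/No" table, including the "SSL client CA" and "SSL client" rows that this check depends on. Both flags are standard `openssl` options.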