Re: extendedKeyUsage = 1.3.6.1.5.5.7.3.1
Hello Bilal.

On Friday 19 November 2004 09:02, Bilal Shahid wrote:
> I am using FreeRADIUS to authenticate the XSupplicant using EAP-TLS. The
> certificates are being generated using the script CA.all. For the Server
> certificate, the TLS Web Server OID used is 1.3.6.1.5.5.7.3.1.
>
> Now what the FreeRADIUS Server is actually sending out to the Client
> (XSupplicant) (as seen from the Access Challenge packet dump while running
> the FreeRADIUS Server in the debug mode) is the following byte sequence:
>
> 0x08 2b 06 01 05 05 07 03 01
>
> as opposed to
>
> 0x01 03 06 01 05 05 07 03 01
>

Have you checked the certificate for errors? I've been using this EKU without problems with freeradius. AFAIK freeradius is not processing the certificates, but the openssl code is.

In openssl.cnf you need:

    #
    [ eku ]
    extendedKeyUsage = 1.3.6.1.5.5.7.3.1

And when you sign a certificate request (I use openssl directly):

    openssl ca -extensions eku ...

Check the certificate with:

    # openssl x509 -in krkotnik.arnes.si_cert.pem -noout -text
    [...]
    X509v3 extensions:
        X509v3 Extended Key Usage:
            TLS Web Server Authentication
    [...]

--
Best regards,
Rok Papež.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: extendedKeyUsage = 1.3.6.1.5.5.7.3.1
"Bilal Shahid" <[EMAIL PROTECTED]> wrote:
> Now I might be totally off the track here in this analysis but I just wanted
> to make sure that the Server is indeed sending out what it is supposed to
> send out to the Client. Is it alright that the OID being sent to the Client
> has its first 2 bytes (0x01, 0x03) replaced by something else (0x08, 0x2b)?

Please read the appropriate specifications to see what the format should be.

Whatever's going on, FreeRADIUS is just using the OpenSSL code. I suggest asking SSL questions on their list.

Alan DeKok.
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
Hi,

I am using FreeRADIUS to authenticate the XSupplicant using EAP-TLS. The certificates are being generated using the script CA.all. For the Server certificate, the TLS Web Server OID used is 1.3.6.1.5.5.7.3.1.

Now what the FreeRADIUS Server is actually sending out to the Client (XSupplicant) (as seen from the Access Challenge packet dump while running the FreeRADIUS Server in the debug mode) is the following byte sequence:

    0x08 2b 06 01 05 05 07 03 01

as opposed to

    0x01 03 06 01 05 05 07 03 01

Now I might be totally off the track here in this analysis but I just wanted to make sure that the Server is indeed sending out what it is supposed to send out to the Client. Is it alright that the OID being sent to the Client has its first 2 bytes (0x01, 0x03) replaced by something else (0x08, 0x2b)?

Problem is, upon receiving the Server certificate my Client recognizes correctly that an EKU is included in the certificate but fails to recognize that it is to be used for TLS Web Server Authentication.

Thanks,
Bilal
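
The byte sequence from the packet dump in this thread, worked through as an added example (not part of any post above, and not FreeRADIUS or OpenSSL code). In DER an OBJECT IDENTIFIER is the tag 0x06, a length octet, then content in which the first two arcs are packed as 40*first + second, so `08 2b ...` is the length 8 followed by 0x2b = 40*1 + 3. The function names are chosen for this example.

```python
# Added example: DER encoding of an OBJECT IDENTIFIER (ITU-T X.690, 8.19).
# Function names are chosen for this example, not taken from OpenSSL.

def encode_oid(dotted: str) -> bytes:
    """Return the DER TLV (tag 0x06, length, content) for a dotted OID."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: " + dotted)
    # The first two arcs share one subidentifier: 40 * first + second.
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]
    content = bytearray()
    for value in subids:
        # Base 128, most significant group first; bit 8 set on all but the last.
        groups = [value & 0x7F]
        value >>= 7
        while value:
            groups.append((value & 0x7F) | 0x80)
            value >>= 7
        content.extend(reversed(groups))
    if len(content) > 127:
        raise ValueError("long-form length not handled in this example")
    return bytes([0x06, len(content)]) + bytes(content)


def decode_oid_content(content: bytes) -> str:
    """Decode the content octets of a DER OID into dotted form."""
    if not content or content[-1] & 0x80:
        raise ValueError("truncated OID content")
    subids, value = [], 0
    for byte in content:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subids.append(value)
            value = 0
    first = min(subids[0] // 40, 2)
    return ".".join(str(a) for a in [first, subids[0] - 40 * first] + subids[1:])


def decode_length_prefixed(data: bytes) -> str:
    """Decode a length octet followed by OID content (tag already stripped)."""
    if not data or data[0] != len(data) - 1:
        raise ValueError("length octet does not match content size")
    return decode_oid_content(data[1:])


# Bytes as quoted from the packet dump in the thread: length, then content.
CAPTURED = bytes.fromhex("082b06010505070301")

if __name__ == "__main__":
    print(encode_oid("1.3.6.1.5.5.7.3.1").hex(" "))
    print(decode_length_prefixed(CAPTURED))
```
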