Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

2018-01-21 Thread Gladewitz, Robert via openssl-users
Hello Jeff, That will be difficult. By compliance policy, our servers are on Debian / Cent of the current stable version. Even patched code should not be used :-) Do you already know when a version of OpenSSL will be released that follows this RFC? Robert -Original Message-

Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

2018-01-21 Thread Jeffrey Walton
On Mon, Jan 22, 2018 at 1:44 AM, Gladewitz, Robert via openssl-users wrote: > > Thank you all for all the answers. > The problem is that Cisco prescribes the attributes. > ... > > Unfortunately, the Cisco CUCM telephone systems do not seem to accept > certificates without these attributes :-(. >

Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

2018-01-21 Thread Gladewitz, Robert via openssl-users
Thank you all for all the answers. The problem is that Cisco prescribes the attributes. https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/212214-Tech-Note-on-CAPF-Certificate-Signed-by.html CAPF CSR: Attributes: Requeste

[openssl-users] Recall: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

2018-01-21 Thread Gladewitz, Robert via openssl-users
Gladewitz, Robert would like to recall the message "[openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed". -- openssl-users mailing list To unsubscribe: https://mta.openss

Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

2018-01-21 Thread Gladewitz, Robert via openssl-users
Thank you all for all the answers. The problem is that Cisco prescribes the attributes. https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/212214-Tech-Note-on-CAPF-Certificate-Signed-by.html CAPF CSR: Attributes: Requeste

Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

2018-01-21 Thread Salz, Rich via openssl-users
➢ The sensible thing at this point is to publish an update to RFC5280 that accepts reality. Yes, and there’s an IETF place to do that if anyone is interested; see the LAMPS working group.

Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

2018-01-21 Thread Jeffrey Walton
On Sun, Jan 21, 2018 at 6:23 PM, Viktor Dukhovni wrote: > > >> On Jan 21, 2018, at 6:04 PM, Jeffrey Walton wrote: >> >> Maybe OpenSSL should allow users to choose between IETF issuing >> policies and CA/Browser BR issuing policies. > > The sensible thing at this point is to publish an update to R

Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

2018-01-21 Thread Viktor Dukhovni
> On Jan 21, 2018, at 6:04 PM, Jeffrey Walton wrote: > > Maybe OpenSSL should allow users to choose between IETF issuing > policies and CA/Browser BR issuing policies. The sensible thing at this point is to publish an update to RFC5280 that accepts reality. -- Viktor.

Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

2018-01-21 Thread Jeffrey Walton
On Sun, Jan 21, 2018 at 5:59 PM, Viktor Dukhovni wrote: > > >> On Jan 21, 2018, at 2:40 PM, Jeffrey Walton wrote: >> >>> OpenSSL interprets the "extendedKeyUsage" extension in CA certificates >>> as a restriction on the allowed extended key usages of leaf certificates >>> that can be issued by th

Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

2018-01-21 Thread Viktor Dukhovni
> On Jan 21, 2018, at 2:40 PM, Jeffrey Walton wrote: > >> OpenSSL interprets the "extendedKeyUsage" extension in CA certificates >> as a restriction on the allowed extended key usages of leaf certificates >> that can be issued by that CA. >> >> You should typically not specify extended key usa

Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

2018-01-21 Thread Jeffrey Walton
On Sun, Jan 21, 2018 at 1:31 PM, Viktor Dukhovni wrote: > > ... > OpenSSL interprets the "extendedKeyUsage" extension in CA certificates > as a restriction on the allowed extended key usages of leaf certificates > that can be issued by that CA. > > You should typically not specify extended key usa

Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

2018-01-21 Thread Viktor Dukhovni
> On Jan 21, 2018, at 7:34 AM, Gladewitz, Robert via openssl-users > wrote: > > If I understand you right, then I need to add "TLS Web Client Authentication" > to the CAPF certificate. Or better still, remove the "ExtendedKeyUsage" extension from the CA certificate and thus specify neither "

Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

2018-01-21 Thread Gladewitz, Robert via openssl-users
Hello Viktor, thanks for all this help. If I understand you right, then I need to add "TLS Web Client Authentication" to the CAPF certificate. But I have a question. In Freeradius I use the CAPF cert only as a CA cert, not as a server or client cert. The only function is to check the client