Open ghost opened 10 years ago
Strange... Are you sure you use the latest release (on master)?
Bug confirmed. Fixing in progress.
Bug fixed. Anyway, not closing the ticket because I want to make sure of coherency between x509v3 extensions (extendedKeyUsages) and nsCertType used as :
Bug still there:
Example of the error with OpenVPN:
Re-using SSL/TLS context
LZO compression initialised
TCP connection established with [AF_INET]<IP>:<PORT>
TCPv4_SERVER link local: [undef]
TCPv4_SERVER link remote: [AF_INET]<IP>:<PORT>
VERIFY ERROR: depth=0, error=unsupported certificate purpose: /C=FR/O=COY/OU=Operational_Unit/CN=test-client/emailAddress=support@domain.com
TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
Fatal TLS error (check_tls_errors_co), restarting
It could be an incoherency between nsCertType and extendedKeyUsage, or perhaps with keyUsage.
Needs to be fixed.
It seems OpenVPN wants specific associations:
Reminder of possible values (taxonomy):
Issuing keyUsage in coherency with nsCertType seems to be working with nginx; let's test now with OpenVPN.
The field must be set to 'client' or 'server' depending on the certificate type.
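Added example, not code from this issue or from the project: the "unsupported certificate purpose" in the OpenVPN log is OpenSSL's X509_V_ERR_INVALID_PURPOSE (error 26), raised by OpenSSL's own purpose check before OpenVPN's verify callback ever sees the certificate. When the server verifies a client certificate that purpose is "sslclient", which rejects a leaf whose keyUsage is present without digitalSignature, whose extendedKeyUsage is present without clientAuth, or whose nsCertType is present without the client bit. The script below builds a throw-away CA, issues one client CSR under three extension profiles (one coherent, two incoherent in the ways discussed above) and reproduces the check with `openssl verify -purpose sslclient`, so the coherency of a PKI tool's output can be tested without standing up a VPN. The CA name, subject and section names are made up for the demo; newer OpenSSL releases word the reason as "unsuitable certificate purpose", so the function reports the stable error number alongside the text.

```shell
#!/bin/sh
# Added example (not from the issue or the project): reproduce OpenSSL's
# "sslclient" purpose check, which is what OpenVPN reports as
# "VERIFY ERROR: depth=0, error=unsupported certificate purpose".
# Names, subjects and section names below are made up for the demo.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# openssl req insists on a distinguished_name section even when -subj is given.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Three extension profiles for the same client CSR.
cat > "$WORK/ext.cnf" <<'EOF'
# coherent: keyUsage, extendedKeyUsage and nsCertType all describe a TLS client
[ client_ok ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
nsCertType = client

# incoherent: extendedKeyUsage says clientAuth but nsCertType says server
[ client_ns_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
nsCertType = server

# incoherent: nsCertType says client but keyUsage lacks digitalSignature
[ client_ku_bad ]
basicConstraints = CA:FALSE
keyUsage = critical, keyEncipherment
extendedKeyUsage = clientAuth
nsCertType = client
EOF

# Throw-away CA plus one client key/CSR shared by all three profiles.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -config "$WORK/req.cnf" -extensions v3_ca \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=test-client" \
    -config "$WORK/req.cnf" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null

# issue_and_verify SECTION: sign the CSR with that extension section, then run
# the same purpose check an OpenVPN server's OpenSSL applies to a client cert.
# Prints "ok" on success, otherwise "error N: reason" taken from the verify
# output line "error 26 at 0 depth lookup: unsupported certificate purpose".
issue_and_verify() {
    section=$1
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -extfile "$WORK/ext.cnf" -extensions "$section" \
        -out "$WORK/$section.crt" 2>/dev/null
    if out=$(openssl verify -purpose sslclient -CAfile "$WORK/ca.crt" "$WORK/$section.crt" 2>&1); then
        echo ok
    else
        printf '%s\n' "$out" \
            | sed -n 's/^error \([0-9]*\) at [0-9]* depth lookup:[[:space:]]*\(.*\)$/error \1: \2/p' \
            | head -n 1
    fi
}

# ssl_client_purpose SECTION: the offline check to run before shipping a cert;
# prints the "SSL client" line of `openssl x509 -purpose` ("Yes" or "No").
ssl_client_purpose() {
    openssl x509 -in "$WORK/$1.crt" -noout -purpose | sed -n 's/^SSL client : //p'
}

for s in client_ok client_ns_server client_ku_bad; do
    printf '%-17s verify: %-45s x509 -purpose SSL client: %s\n' \
        "$s" "$(issue_and_verify "$s")" "$(ssl_client_purpose "$s")"
done
```

Only `client_ok` passes; the two incoherent profiles fail with error 26 even though each of them carries `extendedKeyUsage = clientAuth`, which is why fixing extendedKeyUsage alone does not make the OpenVPN error go away: keyUsage and nsCertType have to agree with it as well.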