
[reSIProcate] some TLS certs not suitable/unsupported certificate purpose error

I've observed that some CAs don't put `TLS client' in their SSL Server
certs, while others do include this in their extended key usage.

For federated VoIP - where a server can also use its certificate in a
client mode - reSIProcate and repro appear to be pedantic about this:
the extended key usage must indicate `TLS client', or repro will drop
the connection.

In particular, the free startcom SSL certs are in this category.  They
tell me that they only include `TLS client' in the extended key usage if
you pay for the class 2 verification.  Here is the openssl x509 output
for a startcom cert:

$  openssl x509 -text -noout -in domain_cert_sip5060.net.pem-startcom |
egrep 'Extend|TLS'
            X509v3 Extended Key Usage:
                TLS Web Server Authentication

CAcert.org doesn't have this problem:

$ openssl x509 -text -noout -in domain_cert_sip5060.net.pem-cacert |
egrep 'Extend|TLS'
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server
Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto

Below is a sample of the error that people will see in this scenario.  I
suspect most users won't know exactly what is wrong, and repro may need
to check the quality of the certificates at startup time, maybe even
refuse to run, so that people start out with the right certs.

ERR | 20120801-235617.565 | repro | RESIP | 140417212532480 |
ssl/Security.cxx:167 | Error when verifying server's chain of
certificates: unsupported certificate purpose, depth=0

ERR | 20120801-235617.565 | repro | RESIP:TRANSPORT | 140417212532480 |
ssl/TlsConnection.cxx:219 | TLS handshake failed
ERR | 20120801-235617.565 | repro | RESIP:TRANSPORT | 140417212532480 |
ssl/TlsConnection.cxx:233 | error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
ERR | 20120801-235617.566 | repro | RESIP:TRANSPORT | 140417212532480 |
ssl/TlsConnection.cxx:235 | Error code = 336105650 file=s3_srvr.c line=3276
DEBUG | 20120801-235617.566 | repro | RESIP:TRANSPORT | 140417212532480
| Connection.cxx:303 | Closing connection bytesRead=-1
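A startup check of the kind proposed above, written here as an added example in Python rather than taken from repro or reSIProcate: it decodes the DER value of an X509v3 Extended Key Usage extension (the SEQUENCE OF OID that openssl prints as the lines shown earlier) and reports which of the server/client purposes a federated SIP server's certificate lacks. The two inputs are constructed to mirror the startcom-style and CAcert-style outputs above; extracting the extension bytes from a full certificate is assumed to happen elsewhere.

```python
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # TLS Web Server Authentication
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # TLS Web Client Authentication
EKU_NAMES = {                        # OID -> the name openssl prints
    SERVER_AUTH: "TLS Web Server Authentication",
    CLIENT_AUTH: "TLS Web Client Authentication",
    "2.16.840.1.113730.4.1": "Netscape Server Gated Crypto",
    "1.3.6.1.4.1.311.10.3.3": "Microsoft Server Gated Crypto",
}

def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: N length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Turn the contents of a DER OBJECT IDENTIFIER into dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def parse_eku(der):
    """ExtendedKeyUsage ::= SEQUENCE OF OBJECT IDENTIFIER -> list of dotted OIDs."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.append(_decode_oid(v))
    return oids

def missing_purposes(eku_der):
    """Names of the purposes a federated SIP server needs but the cert lacks."""
    present = set(parse_eku(eku_der))
    return [EKU_NAMES[o] for o in (SERVER_AUTH, CLIENT_AUTH) if o not in present]

# Constructed (assumed) EKU values: serverAuth only, as in the startcom output,
# and clientAuth + serverAuth + nsSGC + msSGC, as in the CAcert output.
STARTCOM_LIKE = bytes.fromhex("300a06082b06010505070301")
CACERT_LIKE = bytes.fromhex("302b06082b0601050507030206082b06010505070301"
                            "06096086480186f8420401060a2b0601040182370a0303")
```

A non-empty result from `missing_purposes()` is the condition under which a server could refuse to start, or at least log which purpose the certificate is missing instead of the bare "unsupported certificate purpose" seen above.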