OpenSSL - Unhandled critical extension

1

We are trying to create a node.js application which should interact with a server over HTTPS (>TLS v1.2). We are given a list of key and cert files to establish a connection with the server. Node HTTPS requires CA, cert, and key files, which are the CA file, server certificate, and key file. When we provide these, we get the following error:

Error: unhandled critical extension.

After spending some time on the internet, we found that the CA cert has some custom extensions. Later, when we ran openssl verify -CAfile ca_file.pem server_cert.pem, we could reproduce it:

error 34 at 0 depth lookup:unhandled critical extension
OK

So, this seems to be something to do with OpenSSL. How do we make OpenSSL understand our custom extensions? Those custom extensions are critical as well, so we cannot just ignore the error by setting -ignore_critical.

RaR

Posted 2016-12-21T15:03:01.860

Reputation: 113

Answers

0

I got an SSL error in OpenVPN.

VERIFY ERROR: depth=1, error=unhandled critical extension: CN=xxxx
OpenSSL: error:xxx:SSL routines:tls_process_server_certificate:certificate verify failed

I understand it as the CA insists that some values are critical, and they are not present or wrong in the Certificate.

What fixed it for me with OpenVPN was turning the 'subjectKeyIdentifier' that was set to critical=True, to False in the CA.

Pieter

Posted 2016-12-21T15:03:01.860

Reputation: 138
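As an added example (not part of the question or of Pieter's answer), the script below reproduces the failure the question and answer describe: it builds a throwaway CA whose subjectKeyIdentifier is marked critical, issues a leaf certificate from it, runs the same openssl verify command as the question, and then repeats the whole thing with the critical flag dropped. It assumes the openssl command-line tool (1.1.1 or later) is on PATH; every name, key and certificate here is constructed on the fly.

```shell
#!/bin/sh
# Reproduce the "unhandled critical extension" verify failure with a
# constructed CA whose subjectKeyIdentifier is marked critical, then
# verify again with the critical flag dropped. All keys and certs are
# generated on the fly into a temp dir; nothing here is real material.
verify_with_ski() {
    crit="$1"   # "critical," to mark the SKI critical, "" to leave it plain
    dir=$(mktemp -d) || return 2

    cat > "$dir/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = ${crit}hash
EOF

    # Self-signed CA carrying the v3_ca extension set above.
    openssl req -x509 -new -config "$dir/ca.cnf" -days 1 -nodes \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 2

    # Plain leaf certificate issued by that CA, with no extensions of its own.
    openssl req -new -config "$dir/ca.cnf" -subj /CN=leaf -nodes \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 2
    openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/leaf.pem" 2>/dev/null || return 2

    # Same check as in the question; OpenSSL walks the whole chain, root
    # included, and rejects any critical extension it does not handle.
    openssl verify -CAfile "$dir/ca.pem" "$dir/leaf.pem"
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Stand-alone run: the first call reports error 34 (unhandled critical
# extension); the second prints "leaf.pem: OK" once the SKI is non-critical.
verify_with_ski "critical," || :   # non-zero exit is the expected outcome here
verify_with_ski ""
```

The same technique, swapping the extension line in the v3_ca section, lets you check which of a CA's critical extensions OpenSSL actually handles before deploying it.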