OS X Mavericks not connecting to Debian FreeRADIUS
Nick Lowe
nick.lowe at gmail.com
Wed Aug 12 11:47:04 CEST 2015
>
> Look at the date of said online sources, and when they were last updated.
> If it's anything before last year, you can be guaranteed that they are out
> of date. FreeRADIUS makes *huge* strides in a year (and I know this because
> I first had exposure to FR 2.1.12 in 2013 and have found that the product
> has vastly improved since). Everyone I know uses the 'make' or 'bootstrap'
> commands in the /etc/raddb/certs directory... The makefile and the
> certificate configs (ca.cnf, server.cnf and client.cnf) have been regularly
> updated to the latest recommended configurations (amongst them using SHA1
> as the hashing algorithm and 2048 bits as key length).
Actually...
We all should be using SHA-256 and not SHA-1 for new installations.
Microsoft, Google and Mozilla are now deprecating the use of SHA-1 based
certificates:
http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx
http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html
https://wiki.mozilla.org/CA:Problematic_Practices#SHA-1_Certificates
Also see:
https://wiki.terena.org/display/H2eduroam/EAP+Server+Certificate+considerations
The SHA-1 hash algorithm is now on the verge of practically being broken
(76/80 round collision already generated). See:
https://marc-stevens.nl/research/
It is likely that the same approach that was taken for MD5 will soon be
taken with SHA-1. We shouldn't be building up a technical debt by deploying
new certificates with this algorithm.
It will just cause pain down the line.
Regards,
Nick Lowe
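An added example, not from the thread and not FreeRADIUS's own tooling: a POSIX shell check that flags certificates signed with SHA-1 (or MD5) or carrying RSA keys shorter than 2048 bits, the two parameters the reply above argues about. It assumes the openssl CLI is on PATH and RSA keys as in the thread; the default directory is the /etc/raddb/certs path mentioned in the quoted text.

```shell
#!/bin/sh
# Added example, not from the thread: audit FreeRADIUS certificates for SHA-1
# signatures and sub-2048-bit keys. Assumes the openssl CLI is installed and
# that keys are RSA (an EC key's smaller bit count would be flagged as weak).
set -u

# Read `openssl x509 -text` output on stdin; return 0 when the signature hash
# is SHA-256 or stronger and the key is at least 2048 bits, else return 1.
classify_cert_text() {
    text=$(cat)
    alg=$(printf '%s\n' "$text" \
          | sed -n 's/.*Signature Algorithm: *\([A-Za-z0-9-]*\).*/\1/p' | head -n 1)
    bits=$(printf '%s\n' "$text" \
          | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    case "$alg" in
        sha256*|sha384*|sha512*) hash_ok=1 ;;
        *)                       hash_ok=0 ;;   # sha1, md5 or unrecognised
    esac
    if [ "$hash_ok" -eq 1 ] && [ "${bits:-0}" -ge 2048 ]; then
        printf 'OK   %s, %s-bit key\n' "$alg" "$bits"
        return 0
    fi
    printf 'WEAK %s, %s-bit key (reissue with SHA-256 and a >= 2048-bit key)\n' \
        "${alg:-unknown}" "${bits:-?}"
    return 1
}

# Check one PEM certificate file (openssl skips a leading private key block).
check_cert() {
    openssl x509 -in "$1" -noout -text | classify_cert_text
}

# Check every .pem in a directory; default is the FreeRADIUS certs directory
# from the thread. Returns 1 if any certificate is weak.
check_raddb_certs() {
    dir=${1:-/etc/raddb/certs}
    rc=0
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        printf '%s: ' "$f"
        check_cert "$f" || rc=1
    done
    return $rc
}
```

Run `check_raddb_certs` on a server to list ca.pem, server.pem and client.pem with their verdicts; a non-zero exit means at least one certificate should be reissued after setting the digest to sha256 in ca.cnf, server.cnf and client.cnf.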
More information about the Freeradius-Users mailing list