Ubuntu patch FYI
Alan DeKok
aland at deployingradius.com
Tue Feb 25 23:41:55 CET 2020
On Feb 25, 2020, at 12:43 PM, Danner, Mearl <jmdanner at samford.edu> wrote:
> Just got this from a wireless lan list:
>
> "We have been struggling with a recent patch from Ubuntu that broke encrypted connections
> between some of our internal servers.
>
> Long story short: Ubuntu now uses GNU-TLS and the latest security patch has removed support for SHA-1.
> Error messages in Ubuntu or in LDAP were not explicit enough to make it obvious.

SHA-1 has been deprecated for years.

> Some of you may face this issue between RADIUS and LDAP (still used quite a bit for 802.1X).
> This issue will most likely affect internally issued infrastructure certificates!
>
> Fix: Do not patch GNU-TLS (is this a good idea?) or recreate your ROOT CA to support SHA-2 family"

You should use SHA-2 for all of your certs. Everyone should have switched to that years ago. :(

Alan DeKok.