Hi,

While I was building a version of FreeRADIUS 2.1.6 from source I was testing the certificates that are created using the certs makefile. I noticed that the CA certs (as well as server and client certs) use the default OpenSSL md5rsa signature algorithm. From the recently announced vulnerabilities against certs using this signature algorithm (http://www.kb.cert.org/vuls/id/836068), it would be better if these certificates used the sha1rsa signature algorithm instead. Note that while the README explicitly states that the default test certificates shouldn't be used, it does tell users to generate their own certificates using the same certificate configuration files. The result is that users following these defaults will end up using md5rsa certificates.

The following patches to the ca.cnf, server.cnf, and client.cnf files update them to use sha1rsa.

Thanks,
Walter

--- ca.cnf.orig 2009-08-08 22:48:01.000000000 -0500<br>+++ ca.cnf 2009-08-08 22:49:44.000000000 -0500<br>
@@ -16,7 +16,7 @@<br> cert_opt = ca_default<br> default_days = 365<br> default_crl_days = 30<br>-default_md = md5<br>+default_md = sha1<br> preserve = no<br> policy = policy_match<br>
<br>--- client.cnf.orig 2009-08-08 22:48:08.000000000 -0500<br>+++ client.cnf 2009-08-08 22:49:33.000000000 -0500<br>@@ -16,7 +16,7 @@<br> cert_opt = ca_default<br> default_days = 365<br> default_crl_days = 30<br>
-default_md = md5<br>+default_md = sha1<br> preserve = no<br> policy = policy_match<br> <br>--- server.cnf.orig 2009-08-08 22:48:16.000000000 -0500<br>+++ server.cnf 2009-08-08 22:49:56.000000000 -0500<br>
@@ -16,7 +16,7 @@<br> cert_opt = ca_default<br> default_days = 365<br> default_crl_days = 30<br>-default_md = md5<br>+default_md = sha1<br> preserve = no<br> policy = policy_match<br>
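Review bot: in the ca.cnf hunk, default_md is changed only in the section that also carries cert_opt = ca_default, which is the section openssl ca reads when signing; if the CA certificate itself is produced with openssl req -x509, that command takes its digest from default_md in the [ req ] section (or OpenSSL's compiled-in default when the key is absent there), so the self-signed CA cert can still come out md5WithRSAEncryption after this patch. Check the [ req ] section of ca.cnf as well, and confirm the result on the regenerated CA certificate with `openssl x509 -in <ca cert> -noout -text | grep 'Signature Algorithm'`.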
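Review bot: the client.cnf hunk stops at sha1, which is only one step up; SHA-1 has its own published collision weaknesses and the same `default_md` line accepts sha256 on OpenSSL 0.9.8 and later, which would avoid repeating this patch later. If sha1 is chosen deliberately for compatibility with older EAP supplicants, the cover note should say so.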
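Review bot: the server.cnf hunk, like the other two, touches only the .cnf file, so certificates that were already generated keep their md5 signatures; the submission should state that existing certs must be regenerated from the certs directory and that a regenerated CA cert has to be redistributed to any supplicant that trusts the old one. The README passage the cover note cites, which points users at these config files, is the place to document the digest as well.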