17 Oct
2011
17 Oct
'11
2:05 p.m.
Hi,
the bootstrap script uses ca.cnf, server.cnf and client.cnf for the generated certificates. All of these set the default_md = md5.
iOS 5 is the first OS to condemn certificates which are signed by MD5. So, the default certificates generated by this script will not be compatible with recent iOS.
Does anything speak against up'ing the default_md to sha1? Otherwise I can see questions on -user coming up saying EAP doesn't work - and this time with a particularly difficult to diagnose issue.
is it worth just going straight to eg default_md = sha256 ? NIST have already rail-roaded SHA1 out of use..... though I note that openssl < 0.9.8 seem to not like any real crypto for Message Digest :-( alan