hannu.lammi@wipsl.com wrote:
I need to set up a RADIUS server that accepts certificates which use SHA-256 as signature algorithm (OID sha256WithRSAEncryption). I have set up a FreeRADIUS 2.0.0-pre2 server to see if this would work out of the box.
If OpenSSL supports it, AND the client supplicant supports it, it should work.
Here's a snippet of the log I got from my SHA-256 test:
===== --> verify error:num=7:certificate signature failure rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal decrypt_error TLS Alert write:fatal:decrypt error TLS_accept:error in SSLv3 read client certificate B rlm_eap: SSL error error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
That would seem to be an SSL issue.
So, I'd like to know if FreeRADIUS supports SHA-256 certificates? If it doesn't, is the support for them planned?
FreeRADIUS doesn't support SSL. It uses OpenSSL, which *does* support SSL. So if there are SSL issues, find out why OpenSSL doesn't like the TLS session. Alan DeKok.