Are SHA-256 certificates supported?
Hi, I need to set up a RADIUS server that accepts certificates which use SHA-256 as signature algorithm (OID sha256WithRSAEncryption). I have set up a FreeRADIUS 2.0.0-pre2 server to see if this would work out of the box. After verifying that EAP-TLS authentication works with SHA-1 certificates I switched to SHA-256 certificate that was created with OpenSSL 0.9.8b, the same that FreeRADIUS was compiled against. Here's a snippet of the log I got from my SHA-256 test: ===== --> verify error:num=7:certificate signature failure rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal decrypt_error TLS Alert write:fatal:decrypt error TLS_accept:error in SSLv3 read client certificate B rlm_eap: SSL error error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm ===== It would seem there's a problem somewhere. It may very well be in the client I'm using. So, I'd like to know if FreeRADIUS supports SHA-256 certificates? If it doesn't, is the support for them planned? thanks in advance, - Hannu
hannu.lammi@wipsl.com wrote:
I need to set up a RADIUS server that accepts certificates which use SHA-256 as signature algorithm (OID sha256WithRSAEncryption). I have set up a FreeRADIUS 2.0.0-pre2 server to see if this would work out of the box.
If OpenSSL supports it, AND the client supplicant supports it, it should work.
Here's a snippet of the log I got from my SHA-256 test:
===== --> verify error:num=7:certificate signature failure rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal decrypt_error TLS Alert write:fatal:decrypt error TLS_accept:error in SSLv3 read client certificate B rlm_eap: SSL error error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
That would seem to be an SSL issue.
So, I'd like to know if FreeRADIUS supports SHA-256 certificates? If it doesn't, is the support for them planned?
FreeRADIUS doesn't support SSL. It uses OpenSSL, which *does* support SSL. So if there are SSL issues, find out why OpenSSL doesn't like the TLS session. Alan DeKok.
Hi,
So, I'd like to know if FreeRADIUS supports SHA-256 certificates? If it doesn't, is the support for them planned?
FreeRADIUS doesn't support SSL. It uses OpenSSL, which *does* support SSL. So if there are SSL issues, find out why OpenSSL doesn't like the TLS session.
I debugged this and it seems that FreeRADIUS doesn't initialize SHA-256 digest. OpenSSL_add_all_digests() isn't used and I found only calls to EVP_md5() and EVP_sha1() in the sources. I did a test by adding the line EVP_add_digest(EVP_sha256()); in the cbtls_verify() function in the rlm_eap_tls.c file. After recompiling the module and replacing the original rlm_eap_tls module with this hacked one, my SHA-256 certificates are accepted. At least it *seems* to work with this little modification. I can live with this hack in my test server, but would appreciate it if FreeRADIUS added official support for SHA-256 digests. regards, - hannu
hannu.lammi@wipsl.com wrote:
I debugged this and it seems that FreeRADIUS doesn't initialize SHA-256 digest. OpenSSL_add_all_digests() isn't used and I found only calls to EVP_md5() and EVP_sha1() in the sources.
OK.
I can live with this hack in my test server, but would appreciate it if FreeRADIUS added official support for SHA-256 digests.
I've added the appropriate OpenSSL initialization call to the source. Alan DeKok.
Hi,
I can live with this hack in my test server, but would appreciate it if FreeRADIUS added official support for SHA-256 digests.
I've added the appropriate OpenSSL initialization call to the source.
Alan DeKok.
thank you. The CVS version seems to work with my certificates, and also when using SHA-256 certificate on the server side. regards, - hannu
participants (2)
-
Alan DeKok -
hannu.lammi@wipsl.com