cert bootstrap script change: no more MD5?

John Dennis jdennis at redhat.com
Mon Oct 17 20:00:02 CEST 2011


On 10/17/2011 01:53 PM, Stefan Winter wrote:
> Hi,
>
> the bootstrap script uses ca.cnf, server.cnf and client.cnf for the
> generated certificates. All of these set the default_md = md5.
>
> iOS 5 is the first OS to condemn certificates which are signed by MD5.
> So, the default certificates generated by this script will not be
> compatible with recent iOS.
>
> Does anything speak against up'ing the default_md to sha1? Otherwise I
> can see questions on -user coming up saying EAP doesn't work - and this
> time with a particularly difficult to diagnose issue.

FWIW, we've been patching the config files to use sha1 instead of md5 in 
our Fedora and RHEL RPMs for the last couple of years.


-- 
John Dennis <jdennis at redhat.com>
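
Added example (not part of the original messages or of the FreeRADIUS scripts): a shell function that reports the `default_md` value set in the three config files named in the thread and flags `md5`. It assumes the three files sit together in one directory passed as the argument; the function name `audit_default_md` is hypothetical.

```shell
#!/bin/sh
# Report default_md per section in ca.cnf, server.cnf and client.cnf.
# Returns 1 if any file still sets md5, 2 if no file was found, else 0.
# Assumption: all three files live in the directory given as $1.
audit_default_md() {
    dir=${1:-.}
    set --
    for f in ca.cnf server.cnf client.cnf; do
        if [ -r "$dir/$f" ]; then
            set -- "$@" "$dir/$f"
        fi
    done
    if [ $# -eq 0 ]; then
        echo "no config files found in $dir" >&2
        return 2
    fi
    awk '
        BEGIN    { weak = 0 }
        FNR == 1 { section = "(global)" }      # new file: reset section
        { sub(/[ \t]*#.*/, "") }               # drop comments
        /^[ \t]*\[/ {                          # section header: [ name ]
            gsub(/[ \t]/, "")
            section = substr($0, 2, length($0) - 2)
            next
        }
        /^[ \t]*default_md[ \t]*=/ {
            split($0, kv, "=")
            md = tolower(kv[2])
            gsub(/[ \t\r]/, "", md)
            n = split(FILENAME, p, "/")
            status = "ok"
            if (md == "md5") { status = "WEAK"; weak = 1 }
            printf "%s [%s] default_md=%s %s\n", p[n], section, md, status
        }
        END { exit weak }
    ' "$@"
}
```

Call it with the directory that holds the three files; commented-out `default_md` lines are ignored, so only the active setting is reported.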
