cert bootstrap script change: no more MD5?

John Dennis jdennis at redhat.com
Mon Oct 17 20:00:02 CEST 2011

On 10/17/2011 01:53 PM, Stefan Winter wrote:
> Hi,
> the bootstrap script uses ca.cnf, server.cnf and client.cnf for the
> generated certificates. All of these set the default_md = md5.
> iOS 5 is the first OS to condemn certificates which are signed by MD5.
> So, the default certificates generated by this script will not be
> compatible with recent iOS.
> Does anything speak against up'ing the default_md to sha1? Otherwise I
> can see questions on -user coming up saying EAP doesn't work - and this
> time with a particularly difficult to diagnose issue.

FWIW, we've been patching the config files to use sha1 instead of md5 in 
our Fedora and RHEL RPMs for the last couple of years.

John Dennis <jdennis at redhat.com>
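
A check for the setting discussed in this thread, as an added example that is not part of either message or of the FreeRADIUS bootstrap script: it reports every `default_md` line in a set of OpenSSL config files and flags weak digests. The function names, the `WEAK_DIGESTS` variable and the sample file contents are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit OpenSSL config files for the default_md setting.
# WEAK_DIGESTS is an assumption of this example; the thread only names md5.
WEAK_DIGESTS="${WEAK_DIGESTS:-md5}"

# audit_default_md FILE...
# Prints "file:section:digest:STATUS" per default_md line.
# Returns 1 if any weak digest is configured, 0 otherwise.
audit_default_md() {
    awk -v weak="$WEAK_DIGESTS" '
        BEGIN { n = split(weak, w, " "); for (i = 1; i <= n; i++) bad[tolower(w[i])] = 1 }
        FNR == 1 { section = "default" }          # OpenSSL implicit section
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
        /^\[.*\]$/ {
            section = $0
            sub(/^\[[ \t]*/, "", section); sub(/[ \t]*\]$/, "", section)
            next
        }
        /^default_md[ \t]*=/ {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); val = tolower(val)
            status = (val in bad) ? "WEAK" : "ok"
            if (status == "WEAK") rc = 1
            printf "%s:%s:%s:%s\n", FILENAME, section, val, status
        }
        END { exit rc + 0 }
    ' "$@"
}

# write_sample_cnf DIR: constructed sample files, not the real FreeRADIUS ones.
write_sample_cnf() {
    cat > "$1/ca.cnf" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
default_md = md5   # weak setting discussed in the thread
[ req ]
# default_md = md5  (commented out, must be ignored)
default_md   = SHA1
EOF
    cat > "$1/server.cnf" <<'EOF'
[ CA_default ]
default_md = sha1
EOF
}
```

Run it as `audit_default_md ca.cnf server.cnf client.cnf` from the directory holding the config files; a non-zero return means at least one file would still produce MD5-signed certificates.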
