cert bootstrap script change: no more MD5?

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Mon Oct 17 20:05:42 CEST 2011


> the bootstrap script uses ca.cnf, server.cnf and client.cnf for the
> generated certificates. All of these set the default_md = md5.
> iOS 5 is the first OS to condemn certificates which are signed by MD5.
> So, the default certificates generated by this script will not be
> compatible with recent iOS.
> Does anything speak against up'ing the default_md to sha1? Otherwise I
> can see questions on -user coming up saying EAP doesn't work - and this
> time with a particularly difficult to diagnose issue.

is it worth just going straight to eg default_md = sha256 ?

NIST have already rail-roaded SHA1 out of use..... though I note
that openssl < 0.9.8 seem to not like any real crypto for Message Digest :-(


More information about the Freeradius-Devel mailing list