cert bootstrap script change: no more MD5?

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Mon Oct 17 20:05:42 CEST 2011


Hi,

> the bootstrap script uses ca.cnf, server.cnf and client.cnf for the
> generated certificates. All of these set the default_md = md5.
> 
> iOS 5 is the first OS to condemn certificates which are signed by MD5.
> So, the default certificates generated by this script will not be
> compatible with recent iOS.
> 
> Does anything speak against up'ing the default_md to sha1? Otherwise I
> can see questions on -user coming up saying EAP doesn't work - and this
> time with a particularly difficult to diagnose issue.


is it worth just going straight to e.g. default_md = sha256 ?


NIST have already rail-roaded SHA1 out of use..... though I note
that openssl < 0.9.8 seems to not like any real crypto for Message Digest :-(

alan
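The setting under discussion, shown end to end as an added example (this is not the FreeRADIUS bootstrap script nor any of its ca.cnf/server.cnf/client.cnf files). The config written by write_ca_cnf below is a hypothetical, cut-down self-signed-CA config whose only varying field is default_md; the script generates a CA certificate from the weak setting and from the corrected one, reads back the signature algorithm the way a practitioner would check a deployed cert, and flags MD5/SHA-1 signatures. It assumes `openssl` is on PATH; any OpenSSL build that refuses to sign with MD5 is reported rather than treated as an error.

```shell
#!/bin/sh
# Added example, not part of the FreeRADIUS bootstrap script. Assumes `openssl` on PATH.
set -e

WORK=$(mktemp -d)

# Hypothetical minimal CA config in the style of the bootstrap .cnf files.
# $1 = output path, $2 = digest for default_md (md5 is the old value, sha256 the proposal).
write_ca_cnf() {
    cat > "$1" <<EOF
[ req ]
default_bits       = 2048
default_md         = $2
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca

[ dn ]
CN = Example Test CA (constructed, $2)

[ v3_ca ]
basicConstraints = CA:TRUE
keyUsage         = keyCertSign, cRLSign
EOF
}

# Print the signature algorithm name recorded in a PEM certificate, e.g. sha256WithRSAEncryption.
cert_sigalg() {
    openssl x509 -in "$1" -noout -text | grep 'Signature Algorithm' | head -n 1 | awk '{print $NF}'
}

# Exit 0 if the certificate signature does not use MD5 or SHA-1, 1 otherwise.
cert_digest_ok() {
    case "$(cert_sigalg "$1")" in
        md5*|sha1*) return 1 ;;
        *)          return 0 ;;
    esac
}

# Generate a self-signed CA cert with the given digest and print its signature algorithm.
# Prints "rejected-by-openssl" if this OpenSSL build refuses to sign with that digest.
make_ca_cert() {
    digest=$1
    cnf="$WORK/ca-$digest.cnf"
    write_ca_cnf "$cnf" "$digest"
    if ! openssl req -new -x509 -days 30 -nodes -config "$cnf" \
            -keyout "$WORK/ca-$digest.key" -out "$WORK/ca-$digest.pem" 2>/dev/null; then
        echo "rejected-by-openssl"
        return 0
    fi
    cert_sigalg "$WORK/ca-$digest.pem"
}

# Weak setting beside the corrected one.
printf 'default_md = md5    -> %s\n' "$(make_ca_cert md5)"
printf 'default_md = sha256 -> %s\n' "$(make_ca_cert sha256)"
if cert_digest_ok "$WORK/ca-sha256.pem"; then
    echo "sha256 cert: acceptable signature digest"
fi
```

To audit certificates already produced by the bootstrap script, run cert_sigalg against ca.pem, server.pem and client.pem; anything reporting md5WithRSAEncryption is what a client that rejects MD5 signatures would refuse, and regenerating after changing default_md in all three .cnf files is the fix.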


