cert bootstrap script change: no more MD5?

Stefan Winter stefan.winter at restena.lu
Tue Oct 18 07:37:30 CEST 2011


>> the bootstrap script uses ca.cnf, server.cnf and client.cnf for the
>> generated certificates. All of these set the default_md = md5.
>> iOS 5 is the first OS to condemn certificates which are signed by MD5.
>> So, the default certificates generated by this script will not be
>> compatible with recent iOS.
>> Does anything speak against up'ing the default_md to sha1? Otherwise I
>> can see questions on -user coming up saying EAP doesn't work - and this
>> time with a particularly difficult to diagnose issue.
> is it worth just going straight to e.g. default_md = sha256 ?
> NIST have already rail-roaded SHA1 out of use..... though I note
> that openssl < 0.9.8 seems to not like any real crypto for Message Digest :-(

I'm aware of NIST's specs. What I'm not aware of is the corresponding
client device support. Is SHA-256 really out on all kinds of EAP-capable
devices? It would be not so nice to have a sizable fraction of (oldish) user
devices failing authentication because they can't validate the chain due
to an unknown algorithm.

I really have no idea here - anyone aware of studies, or people already
running with SHA-256 signatures?



> alan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html

Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

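An added check, not from this thread or the FreeRADIUS bootstrap script: a standard-library-only Python routine that reads the outer signatureAlgorithm OID of each certificate in a PEM file, so a chain produced with the old default_md = md5 can be found on a server before clients such as iOS 5 reject it. The sample input is a constructed, structurally minimal DER blob rather than a real certificate, and the "verdict" labels are my own classification, not OpenSSL's.

```python
import base64, re

# RSA signature OIDs produced by OpenSSL's default_md = md5 / sha1 / sha256.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "reject"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "deprecated"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "ok"),
}

def tlv(data, pos):
    """Decode one DER tag/length at pos -> (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def oid_to_str(raw):
    """Convert OBJECT IDENTIFIER content bytes to dotted notation."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the base-128 arc
            parts.append(str(value))
            value = 0
    return ".".join(parts)

def signature_oid(der):
    """Return the OID of Certificate.signatureAlgorithm (the outer field)."""
    tag, pos, _ = tlv(der, 0)             # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, tbs_end = tlv(der, pos)         # skip tbsCertificate entirely
    tag, alg_pos, _ = tlv(der, tbs_end)   # signatureAlgorithm ::= SEQUENCE
    tag2, start, end = tlv(der, alg_pos)  # algorithm OBJECT IDENTIFIER
    assert tag == 0x30 and tag2 == 0x06, "malformed signatureAlgorithm"
    return oid_to_str(der[start:end])

def check_pem(pem_text):
    """Return [(oid, name, verdict)] for every certificate in a PEM file."""
    blobs = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    oids = [signature_oid(base64.b64decode("".join(b.split()))) for b in blobs]
    return [(o,) + SIG_OIDS.get(o, ("unknown", "unknown")) for o in oids]

def der_tlv(tag, content):  # minimal DER encoder (short lengths only) for the sample
    return bytes([tag, len(content)]) + content

# Constructed sample, not a real certificate: dummy tbsCertificate, md5WithRSAEncryption OID, dummy signature.
SAMPLE_MD5_DER = der_tlv(0x30, der_tlv(0x30, b"\x02\x01\x01")
    + der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010104")) + b"\x05\x00")
    + der_tlv(0x03, b"\x00"))
SAMPLE_MD5_PEM = ("-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_MD5_DER).decode() + "\n-----END CERTIFICATE-----\n")
```

Run check_pem over the contents of the generated ca.pem and server.pem; any "reject" or "deprecated" verdict means the default_md in the matching .cnf still needs raising.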