Are SHA-256 certificates supported?

hannu.lammi at hannu.lammi at
Tue Oct 23 09:10:05 CEST 2007


I need to set up a RADIUS server that accepts certificates which use
SHA-256 as signature algorithm (OID sha256WithRSAEncryption). I have set
up a FreeRADIUS 2.0.0-pre2 server to see if this would work out of the

After verifying that EAP-TLS authentication works with SHA-1 certificates
I switched to SHA-256 certificate that was created with OpenSSL 0.9.8b,
the same that FreeRADIUS was compiled against.

Here's a snippet of the log I got from my SHA-256 test:

--> verify error:num=7:certificate signature failure
  rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
TLS Alert write:fatal:decrypt error
    TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:0D0C50A1:asn1 encoding
routines:ASN1_item_verify:unknown message digest algorithm

It would seem there's a problem somewhere. It may very well be in the
client I'm using.

So, I'd like to know if FreeRADIUS supports SHA-256 certificates?
If it doesn't, is the support for them planned?

thanks in advance,
 - Hannu

More information about the Freeradius-Users mailing list