Are SHA-256 certificates supported?

Alan DeKok aland at
Tue Oct 23 09:25:33 CEST 2007

hannu.lammi at wrote:
> I need to set up a RADIUS server that accepts certificates which use
> SHA-256 as signature algorithm (OID sha256WithRSAEncryption). I have set
> up a FreeRADIUS 2.0.0-pre2 server to see if this would work out of the
> box.

  If OpenSSL supports it, AND the client supplicant supports it, it
should work.

> Here's a snippet of the log I got from my SHA-256 test:
> =====
> --> verify error:num=7:certificate signature failure
>   rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
> TLS Alert write:fatal:decrypt error
>     TLS_accept:error in SSLv3 read client certificate B
> rlm_eap: SSL error error:0D0C50A1:asn1 encoding
> routines:ASN1_item_verify:unknown message digest algorithm

 That would seem to be an SSL issue.

> So, I'd like to know if FreeRADIUS supports SHA-256 certificates?
> If it doesn't, is the support for them planned?

  FreeRADIUS doesn't support SSL.  It uses OpenSSL, which *does* support
SSL.  So if there are SSL issues, find out why OpenSSL doesn't like the
TLS session.

  Alan DeKok.

More information about the Freeradius-Users mailing list