Are SHA-256 certificates supported?
Alan DeKok
aland at deployingradius.com
Tue Oct 23 09:25:33 CEST 2007
hannu.lammi at wipsl.com wrote:
> I need to set up a RADIUS server that accepts certificates which use
> SHA-256 as signature algorithm (OID sha256WithRSAEncryption). I have set
> up a FreeRADIUS 2.0.0-pre2 server to see if this would work out of the
> box.
If OpenSSL supports it, AND the client supplicant supports it, it
should work.
> Here's a snippet of the log I got from my SHA-256 test:
>
> =====
> --> verify error:num=7:certificate signature failure
> rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
> TLS Alert write:fatal:decrypt error
> TLS_accept:error in SSLv3 read client certificate B
> rlm_eap: SSL error error:0D0C50A1:asn1 encoding
> routines:ASN1_item_verify:unknown message digest algorithm
That would seem to be an SSL issue.
> So, I'd like to know if FreeRADIUS supports SHA-256 certificates?
> If it doesn't, is the support for them planned?
FreeRADIUS doesn't support SSL. It uses OpenSSL, which *does* support
SSL. So if there are SSL issues, find out why OpenSSL doesn't like the
TLS session.
Alan DeKok.
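
An added example, not part of the original post and not FreeRADIUS or OpenSSL code: a small Python triage of the debug lines quoted above, showing that the failure is reported by OpenSSL's certificate verification rather than by the RADIUS layer. It assumes the packed error-code layout OpenSSL used before 3.0 (8-bit library, 12-bit function, 12-bit reason); `triage` and `unpack_error_code` are hypothetical names.

```python
import re

# Constructed sample: the debug lines quoted in the post, with the wrapped
# OpenSSL error string joined back onto one line.
SAMPLE_LOG = """\
--> verify error:num=7:certificate signature failure
rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
TLS Alert write:fatal:decrypt error
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
"""

VERIFY_RE = re.compile(r"verify error:num=(\d+):(.+)")
# OpenSSL error string: error:<8 hex digits>:<library>:<function>:<reason>
SSL_ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]*):(.+)")


def unpack_error_code(code):
    """Split a packed pre-3.0 OpenSSL error code (assumed layout) into parts."""
    return {"lib": (code >> 24) & 0xFF,
            "func": (code >> 12) & 0xFFF,
            "reason": code & 0xFFF}


def triage(log_text):
    """Collect the X.509 verify error and the OpenSSL error, then diagnose."""
    result = {"verify": None, "openssl": None, "diagnosis": "no TLS error found"}
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            result["verify"] = (int(m.group(1)), m.group(2).strip())
            continue
        m = SSL_ERR_RE.search(line)
        if m:
            fields = unpack_error_code(int(m.group(1), 16))
            fields.update(lib_name=m.group(2), func_name=m.group(3),
                          reason_text=m.group(4).strip())
            result["openssl"] = fields
    err = result["openssl"]
    if err and "unknown message digest algorithm" in err["reason_text"]:
        # The verifier could not look up the digest named in the certificate's
        # signature algorithm, so the signature check never ran.
        result["diagnosis"] = ("OpenSSL in use cannot find the certificate's "
                               "signature digest; check the OpenSSL build")
    elif result["verify"]:
        result["diagnosis"] = "OpenSSL rejected the certificate: " + result["verify"][1]
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```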
More information about the Freeradius-Users
mailing list