Are SHA-256 certificates supported?

hannu.lammi at hannu.lammi at
Wed Oct 24 12:32:20 CEST 2007


>> So, I'd like to know if FreeRADIUS supports SHA-256 certificates? If it
>> doesn't, is the support for them planned?
>   FreeRADIUS doesn't support SSL.  It uses OpenSSL, which *does* support
> SSL.  So if there are SSL issues, find out why OpenSSL doesn't like the
> TLS session.

I debugged this and it seems that FreeRADIUS doesn't initialize the SHA-256
digest. OpenSSL_add_all_digests() isn't used and I found only calls to
EVP_md5() and EVP_sha1() in the sources.

I did a test by adding the line


in the cbtls_verify() function in the rlm_eap_tls.c file. After
recompiling the module and replacing the original rlm_eap_tls module with
this hacked one, my SHA-256 certificates are accepted. At least it *seems*
to work with this little modification.

I can live with this hack in my test server, but would appreciate it if
FreeRADIUS added official support for SHA-256 digests.

 - hannu
