Are SHA-256 certificates supported?
hannu.lammi at wipsl.com
Wed Oct 24 12:32:20 CEST 2007
Hi,
>> So, I'd like to know if FreeRADIUS supports SHA-256 certificates? If it
>> doesn't, is the support for them planned?
>
> FreeRADIUS doesn't support SSL. It uses OpenSSL, which *does* support
> SSL. So if there are SSL issues, find out why OpenSSL doesn't like the
> TLS session.
I debugged this and it seems that FreeRADIUS doesn't initialize the SHA-256
digest. OpenSSL_add_all_digests() isn't used and I found only calls to
EVP_md5() and EVP_sha1() in the sources.
I did a test by adding the line
    EVP_add_digest(EVP_sha256());
in the cbtls_verify() function in the rlm_eap_tls.c file. After
recompiling the module and replacing the original rlm_eap_tls module with
this hacked one, my SHA-256 certificates are accepted. At least it *seems*
to work with this little modification.
I can live with this hack in my test server, but would appreciate it if
FreeRADIUS added official support for SHA-256 digests.
regards,
- hannu
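
A diagnostic sketch for the symptom described in this message, added here and not part of the original post or of FreeRADIUS: it reads the signatureAlgorithm OID from a DER certificate and reports the digest the verifier must have registered. The function names, the AVAILABLE set (taken from the post's observation about EVP_md5() and EVP_sha1()) and the sample structures are assumptions constructed for illustration.

```python
# Added example; the sample structures are constructed, not real certificates.
RSA_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5", "1.2.840.113549.1.1.5": "sha1",
                "1.2.840.113549.1.1.11": "sha256"}  # signature OID -> digest
# Assumption taken from the post: only EVP_md5() and EVP_sha1() are referenced.
AVAILABLE = {"md5", "sha1"}

def read_tlv(buf, pos):  # -> (tag, body_start, body_end) of the element at pos
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    n = first & 0x7F if first & 0x80 else 0  # long form: n length bytes follow
    if first == 0x80 or n > 4:
        raise ValueError("unsupported DER length")
    length = int.from_bytes(buf[pos:pos + n], "big") if n else first
    pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_digest(cert):  # digest named by signatureAlgorithm, else raw OID
    tag, start, _ = read_tlv(cert, 0)                # Certificate
    _, _, tbs_end = read_tlv(cert, start)            # skip tbsCertificate
    alg_tag, alg_start, _ = read_tlv(cert, tbs_end)  # AlgorithmIdentifier
    oid_tag, oid_start, oid_end = read_tlv(cert, alg_start)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not a DER certificate")
    oid = decode_oid(cert[oid_start:oid_end])
    return RSA_SIG_OIDS.get(oid, oid)

def missing_digest(cert):  # None if verifiable with AVAILABLE, else the digest
    digest = signature_digest(cert)
    return None if digest in AVAILABLE else digest

def der(tag, body):  # tiny encoder for the constructed samples (len < 256)
    n = len(body)
    return bytes([tag] + ([n] if n < 0x80 else [0x81, n])) + body

def sample_cert(oid_last):  # constructed skeleton, not a real certificate
    oid = der(0x06, bytes.fromhex("2a864886f70d0101") + oid_last)
    tbs = der(0x30, der(0x04, bytes(200)))  # placeholder tbsCertificate
    return der(0x30, tbs + der(0x30, oid + der(0x05, b"")) + der(0x03, bytes(9)))
SHA1_CERT, SHA256_CERT = sample_cert(b"\x05"), sample_cert(b"\x0b")
```

For a real certificate, convert PEM to DER first and pass the bytes to missing_digest(); a non-None result names the digest that has to be available to the verifier before the chain can be checked.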