Patch to update the default CA certificates to use SHA1 instead of MD5
Walter Goulet
wgoulet at gmail.com
Sun Aug 9 06:00:40 CEST 2009
Hi,
While I was building a version of FreeRADIUS 2.1.6 from source I was testing
the certificates that are created using the certs makefile. I noticed that
the CA certs (as well as server and client certs) use the default OpenSSL
md5rsa signature algorithm. From the recently announced vulnerabilities
against certs using this signature algorithm (
http://www.kb.cert.org/vuls/id/836068), it would be better if these
certificates used the sha1rsa signature algorithm instead. Note that while
the README explicitly states that the default test certificates shouldn't be
used, it does tell users to generate their own certificates using the same
certificate configuration files. The result is that users following these
defaults will end up using md5rsa certificates.
The following patches to the ca.cnf, server.cnf, and client.cnf files update
them to use sha1rsa.
Thanks,
Walter
--- ca.cnf.orig 2009-08-08 22:48:01.000000000 -0500
+++ ca.cnf 2009-08-08 22:49:44.000000000 -0500
@@ -16,7 +16,7 @@
cert_opt = ca_default
default_days = 365
default_crl_days = 30
-default_md = md5
+default_md = sha1
preserve = no
policy = policy_match
--- client.cnf.orig 2009-08-08 22:48:08.000000000 -0500
+++ client.cnf 2009-08-08 22:49:33.000000000 -0500
@@ -16,7 +16,7 @@
cert_opt = ca_default
default_days = 365
default_crl_days = 30
-default_md = md5
+default_md = sha1
preserve = no
policy = policy_match
--- server.cnf.orig 2009-08-08 22:48:16.000000000 -0500
+++ server.cnf 2009-08-08 22:49:56.000000000 -0500
@@ -16,7 +16,7 @@
cert_opt = ca_default
default_days = 365
default_crl_days = 30
-default_md = md5
+default_md = sha1
preserve = no
policy = policy_match
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20090808/9dc1b989/attachment.html>
More information about the Freeradius-Users
mailing list