Patch to update the default CA certificates to use SHA1 instead of MD5

Walter Goulet wgoulet at gmail.com
Sun Aug 9 06:00:40 CEST 2009


Hi,

While I was building a version of FreeRADIUS 2.1.6 from source I was testing
the certificates that are created using the certs makefile. I noticed that
the CA certs (as well as server and client certs) use the default OpenSSL
md5rsa signature algorithm. From the recently announced vulnerabilities
against certs using this signature algorithm (
http://www.kb.cert.org/vuls/id/836068), it would be better if these
certificates used the sha1rsa signature algorithm instead. Note that while
the README explicitly states that the default test certificates shouldn't be
used, it does tell users to generate their own certificates using the same
certificate configuration files. The result is that users following these
defaults will end up using md5rsa certificates.

The following patches to the ca.cnf, server.cnf, and client.cnf files update
them to use sha1rsa.

Thanks,
Walter

--- ca.cnf.orig    2009-08-08 22:48:01.000000000 -0500
+++ ca.cnf    2009-08-08 22:49:44.000000000 -0500
@@ -16,7 +16,7 @@
 cert_opt        = ca_default
 default_days        = 365
 default_crl_days    = 30
-default_md        = md5
+default_md        = sha1
 preserve        = no
 policy            = policy_match
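Review bot: the `default_md` changed here sits among `openssl ca` settings (`cert_opt`, `default_days`, `default_crl_days`, `policy`), so it governs certificates signed with `openssl ca -config ca.cnf`. If the CA certificate itself is produced with `openssl req -x509`, that command takes its digest from `default_md` in the `[ req ]` section (or from an explicit `-sha1`/`-md5` option), not from this line, so the CA's own self-signature may still be MD5 after this patch. Please verify after regenerating, e.g. `openssl x509 -in ca.pem -noout -text | grep 'Signature Algorithm'`, and add a matching `default_md = sha1` under `[ req ]` if it still reports md5WithRSAEncryption.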

--- client.cnf.orig    2009-08-08 22:48:08.000000000 -0500
+++ client.cnf    2009-08-08 22:49:33.000000000 -0500
@@ -16,7 +16,7 @@
 cert_opt        = ca_default
 default_days        = 365
 default_crl_days    = 30
-default_md        = md5
+default_md        = sha1
 preserve        = no
 policy            = policy_match
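Review bot: the hunk is identical to the ca.cnf one, which is fine, but the commit message should say which file's `default_md` is actually consulted when client.csr is signed: if the Makefile runs `openssl ca -config ./client.cnf` this line is what takes effect; if it signs with `-config ./ca.cnf` the change is harmless but redundant. Also worth a line in the README: editing the config does not touch an already generated client.crt, so existing test certificates have to be regenerated before the new digest shows up.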

--- server.cnf.orig    2009-08-08 22:48:16.000000000 -0500
+++ server.cnf    2009-08-08 22:49:56.000000000 -0500
@@ -16,7 +16,7 @@
 cert_opt        = ca_default
 default_days        = 365
 default_crl_days    = 30
-default_md        = md5
+default_md        = sha1
 preserve        = no
 policy            = policy_match
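Review bot: `sha1` resolves the MD5 collision advisory cited in the mail, but `default_md` accepts any digest the local OpenSSL supports, and the server certificate is the one every EAP client has to validate; consider whether `sha256` is acceptable to the supplicants in use and, whichever value is kept, note the compatibility constraint in a comment beside the setting so the next reader knows why it was chosen.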
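As an added check that is not part of the mail or of the FreeRADIUS sources: the patch changes what new certificates will be signed with, but the only way to know what a deployed CA, server or client certificate actually carries is to read its signatureAlgorithm. The script below does that with no third-party library by walking the outer DER structure of each certificate in a PEM bundle and flagging md5WithRSAEncryption. The certificates it runs on are constructed inline (a placeholder TBSCertificate and a dummy signature, structurally valid only); `audit_pem`, `classify` and the helper names are this example's own, and the OIDs are the PKCS #1 values OpenSSL prints as md5/sha1/sha256WithRSAEncryption.

```python
"""Flag X.509 certificates whose outer signatureAlgorithm is md5WithRSAEncryption."""
import base64
import re

# PKCS #1 signature algorithm OIDs, named as OpenSSL prints them.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK = {"md5WithRSAEncryption"}   # the digest the mail is replacing


def read_tlv(buf, pos):
    """Decode one DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def decode_oid(raw):
    """OID content bytes -> dotted string (first byte packs the first two arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)   # base-128, high bit set on continuation bytes
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der):
    """Dotted OID of the outer signatureAlgorithm of a DER-encoded Certificate."""
    tag, start, _ = read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a SEQUENCE"
    tag, _, tbs_end = read_tlv(der, start)           # tbsCertificate, skipped whole
    assert tag == 0x30
    tag, alg_start, _ = read_tlv(der, tbs_end)       # AlgorithmIdentifier ::= SEQUENCE
    assert tag == 0x30
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return decode_oid(der[oid_start:oid_end])


def classify(der):
    """(algorithm name, is_weak) for one DER certificate; unknown OIDs keep dotted form."""
    name = SIGNATURE_OIDS.get(signature_algorithm(der), signature_algorithm(der))
    return name, name in WEAK


def audit_pem(pem_text):
    """Classify every CERTIFICATE block in a PEM string, in order."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        pem_text, re.S)
    return [classify(base64.b64decode("".join(b.split()))) for b in blocks]


# --- constructed sample input (not real certificates) ---------------------------
def encode_tlv(tag, body):
    """Minimal DER encoder, short and long length forms."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return encode_tlv(0x06, bytes(out))


def sample_certificate(sig_oid):
    """Structurally valid Certificate with a placeholder TBS and a zero signature."""
    tbs = encode_tlv(0x30, encode_tlv(0x02, b"\x01"))
    alg = encode_tlv(0x30, encode_oid(sig_oid) + b"\x05\x00")   # { oid, NULL }
    sig = encode_tlv(0x03, b"\x00" + bytes(128))                # BIT STRING, 0 unused bits
    return encode_tlv(0x30, tbs + alg + sig)


def sample_pem(sig_oid):
    b64 = base64.b64encode(sample_certificate(sig_oid)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    bundle = sample_pem("1.2.840.113549.1.1.4") + sample_pem("1.2.840.113549.1.1.5")
    for name, weak in audit_pem(bundle):
        print(("WEAK  " if weak else "ok    ") + name)
```

Run it against a real bundle with `audit_pem(open("ca.pem").read())` after regenerating the certs to confirm the patch took effect on the CA's own self-signature as well as on the issued certificates. The WEAK set mirrors the mail's concern (MD5); a current deployment would add sha1WithRSAEncryption to it, since SHA-1 collision attacks have since been demonstrated as well.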