Patch to update the default CA certificates to use SHA1 instead of MD5

Alan T DeKok aland at freeradius.org
Sun Aug 9 15:47:37 CEST 2009


Walter Goulet wrote:
> While I was building a version of FreeRADIUS 2.1.6 from source I was
> testing the certificates that are created using the certs makefile. I
> noticed that the CA certs (as well as server and client certs) use the
> default OpenSSL md5rsa signature algorithm. From the recently announced
> vulnerabilities against certs using this signature algorithm
> (http://www.kb.cert.org/vuls/id/836068), it would be better if these
> certificates used the sha1rsa signature algorithm instead.

 Except a lot of systems still don't support certificates with SHA1
hashes.  We had made that change a while ago, and it caused problems.
So we changed it back.

  It's easier to leave it as MD5.  If people need SHA1 for security,
they can edit the files and create better certificates.

  Alan DeKok.
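Before editing the certs makefile, it helps to know which hash the generated certificates were actually signed with. The script below is an added example, not code from the FreeRADIUS project or from anyone in this thread; it assumes the `openssl` command-line tool is on PATH and that the certificates sit in a directory such as raddb/certs (the paths are placeholders).

```shell
#!/bin/sh
# Added example (not from FreeRADIUS or this thread): report the signature
# algorithm of each X.509 certificate and flag MD5 and SHA1 signatures.
# Assumes the openssl CLI; directory and file names are placeholders.
# The hash used at signing time comes from "default_md" in the [ req ] / [ ca ]
# sections of the OpenSSL config, or from a -md5/-sha1/-sha256 flag on the
# openssl command line.

# Print the signature algorithm name, e.g. "md5WithRSAEncryption".
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' \
        | head -n 1
}

# Return 0 (true) when the certificate is signed with MD5 or SHA1.
cert_uses_weak_hash() {
    case "$(cert_sig_alg "$1")" in
        md5*|sha1*|MD5*|SHA1*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check every PEM file in a directory (e.g. raddb/certs after "make"),
# printing one line per certificate; keys, DH params and CRLs are skipped.
audit_cert_dir() {
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        openssl x509 -in "$f" -noout >/dev/null 2>&1 || continue
        if cert_uses_weak_hash "$f"; then
            printf 'WEAK  %s (%s)\n' "$f" "$(cert_sig_alg "$f")"
        else
            printf 'ok    %s (%s)\n' "$f" "$(cert_sig_alg "$f")"
        fi
    done
}
```

Run `audit_cert_dir raddb/certs` after building the certificates; any line marked WEAK is one whose signature hash the makefile or config should be changed for.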
