Patch to update the default CA certificates to use SHA1 instead of MD5
Walter Goulet
wgoulet at gmail.com
Mon Aug 10 01:43:08 CEST 2009
Ah, I never considered that other people's gear (besides my own) wouldn't
support SHA1. Would you consider then the following patch to the README file
so that people can make an informed decision?
--- README.orig 2009-08-09 18:31:53.000000000 -0500
+++ README 2009-08-09 18:42:06.000000000 -0500
@@ -200,3 +200,17 @@
- Someone needs to ask Microsoft to please stop making life hard for
their customers.
+
+ SECURITY CONSIDERATIONS
+
+The default certificate configuration files specify the use of the
+MD5/RSA signature algorithm to maintain compatibility with network
+equipment that only supports this algorithm.
+
+MD5/RSA has known weaknesses and is discouraged in favor of SHA1/RSA
+(see http://www.kb.cert.org/vuls/id/836068 for details). If your
+network equipment supports the SHA1/RSA signature algorithm, it is
+recommended that you change the configuration files to specify the use
+of SHA1/RSA for the certificates. To do this, change the 'default_md'
+entry in the ca.cnf/server.cnf/client.cnf files from 'md5' to 'sha1'.
+
On Sun, Aug 9, 2009 at 8:47 AM, Alan T DeKok <aland at freeradius.org> wrote:
> Walter Goulet wrote:
> > While I was building a version of FreeRADIUS 2.1.6 from source I was
> > testing the certificates that are created using the certs makefile. I
> > noticed that the CA certs (as well as server and client certs) use the
> > default OpenSSL md5rsa signature algorithm. From the recently announced
> > vulnerabilities against certs using this signature algorithm
> > (http://www.kb.cert.org/vuls/id/836068), it would be better if these
> > certificates used the sha1rsa signature algorithm instead.
>
> Except a lot of systems still don't support certificates with SHA1
> hashes. We had made that change a while ago, and it caused problems.
> So we changed it back.
>
> It's easier to leave it as MD5. If people need SHA1 for security,
> they can edit the files and create better certificates.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20090809/9456c3dd/attachment.html>
More information about the Freeradius-Users
mailing list