[EMAIL PROTECTED] wrote:
> I need to set up a RADIUS server that accepts certificates which use
> SHA-256 as signature algorithm (OID sha256WithRSAEncryption). I have set
> up a FreeRADIUS 2.0.0-pre2 server to see if this would work out of the
> box.

If OpenSSL supports it, AND the client supplicant supports it, it should work.

> Here's a snippet of the log I got from my SHA-256 test:
>
> =====
> --> verify error:num=7:certificate signature failure
> rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
> TLS Alert write:fatal:decrypt error
> TLS_accept:error in SSLv3 read client certificate B
> rlm_eap: SSL error error:0D0C50A1:asn1 encoding
> routines:ASN1_item_verify:unknown message digest algorithm

That would seem to be an SSL issue.

> So, I'd like to know if FreeRADIUS supports SHA-256 certificates?
> If it doesn't, is the support for them planned?

FreeRADIUS doesn't support SSL. It uses OpenSSL, which *does* support SSL. So if there are SSL issues, find out why OpenSSL doesn't like the TLS session.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
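An added triage example, not part of the original message or of FreeRADIUS: it pulls the packed OpenSSL error code out of the log lines quoted above and splits it into library, function and reason fields, which shows the failure was raised inside OpenSSL's ASN.1 signature verification rather than in the RADIUS server. It assumes the error-code layout used by OpenSSL releases before 3.0; the function names and the sample log constant are hypothetical.

```python
import re

# Constructed sample: the log lines quoted in the message, with the wrapped
# last line rejoined.
SAMPLE_LOG = """\
--> verify error:num=7:certificate signature failure
rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
TLS Alert write:fatal:decrypt error
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
"""

# error:<8 hex digits>:<library text>:<function text>:<reason text>
ERR_LINE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")


def unpack_error(code):
    """Split a packed error code (assumed pre-3.0 layout: 8-bit library,
    12-bit function, 12-bit reason) into its three numeric fields."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def find_openssl_errors(log_text):
    """Return one dict per OpenSSL error string found in the log text."""
    found = []
    for line in log_text.splitlines():
        m = ERR_LINE.search(line)
        if not m:
            continue
        lib, func, reason = unpack_error(int(m.group(1), 16))
        found.append({
            "lib": lib, "func": func, "reason": reason,
            "lib_text": m.group(2).strip(),
            "func_text": m.group(3).strip(),
            "reason_text": m.group(4).strip(),
        })
    return found


def digest_unavailable(errors):
    """True when the verifying OpenSSL could not resolve the certificate's
    signature digest, i.e. the problem is in the crypto library setup."""
    return any(e["func_text"] == "ASN1_item_verify"
               and "unknown message digest" in e["reason_text"]
               for e in errors)


if __name__ == "__main__":
    for err in find_openssl_errors(SAMPLE_LOG):
        print(err)
    print("digest unavailable in OpenSSL:",
          digest_unavailable(find_openssl_errors(SAMPLE_LOG)))
```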

