Hi,

>> So, I'd like to know if FreeRADIUS supports SHA-256 certificates? If it doesn't, is the support for them planned?
>
> FreeRADIUS doesn't support SSL. It uses OpenSSL, which *does* support SSL. So if there are SSL issues, find out why OpenSSL doesn't like the TLS session.

I debugged this and it seems that FreeRADIUS doesn't initialize the SHA-256 digest. OpenSSL_add_all_digests() isn't used and I found only calls to EVP_md5() and EVP_sha1() in the sources.

I did a test by adding the line

EVP_add_digest(EVP_sha256());

in the cbtls_verify() function in the rlm_eap_tls.c file. After recompiling the module and replacing the original rlm_eap_tls module with this hacked one, my SHA-256 certificates are accepted. At least it *seems* to work with this little modification.

I can live with this hack in my test server, but would appreciate it if FreeRADIUS added official support for SHA-256 digests.

regards,
- hannu -
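An added illustration of the failure described in the message above (not part of the original post, and not FreeRADIUS or OpenSSL code): a stdlib-only check that reads the signatureAlgorithm OID from a DER certificate and reports whether its digest is in the set of registered digests. The `REGISTERED` set models what the post reports finding in the sources; the function names and the sample certificate skeletons are constructed for this example and are not valid certificates.

```python
SIG_OIDS = {  # standard PKCS#1 signature algorithm OIDs (added example)
    "1.2.840.113549.1.1.4": "md5",
    "1.2.840.113549.1.1.5": "sha1",
    "1.2.840.113549.1.1.11": "sha256",
}
REGISTERED = {"md5", "sha1"}  # assumption: only the digests the post found

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of a DER element
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    # First byte packs the first two arcs; valid for OIDs starting 0.x or 1.x.
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def cert_sig_digest(cert):
    """Digest name from Certificate.signatureAlgorithm, or the raw OID."""
    _, start, _ = read_tlv(cert, 0)            # outer Certificate SEQUENCE
    _, _, tbs_end = read_tlv(cert, start)      # skip tbsCertificate
    tag, a_start, _ = read_tlv(cert, tbs_end)  # signatureAlgorithm SEQUENCE
    otag, o_start, o_end = read_tlv(cert, a_start)
    if tag != 0x30 or otag != 0x06:
        raise ValueError("not an X.509 certificate structure")
    oid = decode_oid(cert[o_start:o_end])
    return SIG_OIDS.get(oid, oid)

def verifiable(cert, registered=REGISTERED):
    return cert_sig_digest(cert) in registered

def tlv(tag, body):  # short-form DER encoder, only for building samples
    return bytes([tag, len(body)]) + body

def sample(oid_last):  # constructed skeleton: dummy TBS, real OID, empty sig
    oid = bytes.fromhex("2a864886f70d0101") + bytes([oid_last])
    alg = tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))
    return tlv(0x30, tlv(0x30, b"\x02\x01\x01") + alg + tlv(0x03, b"\x00"))
```

Running `cert_sig_digest` over each DER-encoded certificate in a chain shows which digests the verifying side must have available before the chain is deployed.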

