[RADIATOR] SHA-2 SSL Certificate Support

Heikki Vatiainen hvn at open.com.au
Mon Sep 22 12:52:07 CDT 2014


On 09/19/2014 11:54 PM, Johnson, Neil M wrote:

> Does RADIATOR support SHA-2 in SSL certificates ?

Radiator depends on the SSL libraries for this. That is, if the SSL
library supports the SHA-2 hash functions, then certificates with
SHA-256 and related functions will work with Radiator.

Older OpenSSL libraries did not load SHA-2 hash functions by default,
but the latest versions do. Also, since version 4.4 Radiator tries to
always load SHA-256.

If there are problems with SHA-2, then these should get solved by
upgrading Net::SSLeay and/or OpenSSL. The Radiator 4.4 release notes
indicate Net::SSLeay 1.36 and OpenSSL 0.9.8i are required for SHA-256.
These seem to be from 2009 or early 2010.

> Our security office is recommending that we get new certs sooner than later.
> 
> https://www.comodo.com/e-commerce/SHA-2-transition.php

RSA with 1024 bit long modulus is on its way out too and Chrome and
Firefox have just recently taken action against both SHA1 and RSA 1024.

We actually just recently discussed refreshing the test certificates
that come with Radiator to use SHA-256 and RSA 2048. These are likely to
be in the 4.13 patches this week. We will test with the systems we have,
but if there are problems with other platforms, we would be interested
to hear more.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
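Added example, not from the original message or from Radiator itself: a small, dependency-free inventory check that reads a DER-encoded certificate and reports its signature algorithm and RSA modulus size, flagging the two things discussed above (SHA-1 signatures and RSA keys under 2048 bits). It generalises beyond the question in the thread by also recognising the ECDSA signature OIDs. The `make_test_cert` helper builds constructed, unsigned certificate skeletons so the check runs offline; the OID values are the standard PKCS#1 / ANSI X9.62 identifiers, and the field names and thresholds are my own choices.

```python
"""Minimal DER walker that reports signature algorithm and RSA key size of an
X.509 certificate. Constructed example; the test certificates it builds are
structurally valid but carry a dummy signature and are never to be deployed."""

# Standard algorithm OIDs (dotted form) this check understands.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
WEAK_SIG = {"md5WithRSAEncryption", "sha1WithRSAEncryption", "ecdsa-with-SHA1"}
MIN_RSA_BITS = 2048  # assumed policy threshold, per the thread's "RSA 2048"


def der_read(buf, pos=0):
    """Read one TLV at pos; return (tag, value, next_pos). Short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed value (SEQUENCE/SET contents) into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def oid_decode(value):
    """Decode OID contents (without tag/length) to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def inspect_cert(der_bytes):
    """Return signature algorithm name, RSA modulus bits (None if not RSA), and a weak flag."""
    _, cert, _ = der_read(der_bytes)
    fields = der_children(cert)  # tbsCertificate, signatureAlgorithm, signatureValue
    tbs, sig_alg = fields[0][1], fields[1][1]
    sig_name = SIG_ALGS.get(oid_decode(der_children(sig_alg)[0][1]), "unknown")

    tbs_fields = der_children(tbs)
    if tbs_fields[0][0] == 0xA0:  # explicit [0] version present: skip it
        tbs_fields = tbs_fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki = der_children(tbs_fields[5][1])
    key_oid = oid_decode(der_children(spki[0][1])[0][1])
    key_bits = None
    if key_oid == RSA_ENCRYPTION:
        bit_string = spki[1][1][1:]  # drop the unused-bits octet of the BIT STRING
        rsa_seq = der_children(bit_string)[0][1]  # RSAPublicKey ::= SEQUENCE { n, e }
        key_bits = int.from_bytes(der_children(rsa_seq)[0][1], "big").bit_length()
    weak = sig_name in WEAK_SIG or (key_bits is not None and key_bits < MIN_RSA_BITS)
    return {"signature": sig_name, "rsa_bits": key_bits, "weak": weak}


# --- constructed test input: builds a certificate skeleton with a chosen algorithm ---
def der(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def oid_encode(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(reversed(chunk))
    return der(0x06, body)


def der_int(n):
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_test_cert(sig_oid, rsa_bits):
    """Unsigned certificate skeleton (dummy signature bytes) for exercising inspect_cert."""
    name = der(0x30, der(0x31, der(0x30, oid_encode("2.5.4.3") + der(0x0C, b"radiator-test"))))
    alg = der(0x30, oid_encode(sig_oid) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"140101000000Z") + der(0x17, b"240101000000Z"))
    rsa_key = der(0x30, der_int((1 << (rsa_bits - 1)) | 1) + der_int(65537))
    spki = der(0x30, der(0x30, oid_encode(RSA_ENCRYPTION) + der(0x05, b"")) + der(0x03, b"\x00" + rsa_key))
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(1) + alg + name + validity + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + b"\xAA" * 16))


if __name__ == "__main__":
    print(inspect_cert(make_test_cert("1.2.840.113549.1.1.5", 1024)))   # SHA-1, RSA 1024: weak
    print(inspect_cert(make_test_cert("1.2.840.113549.1.1.11", 2048)))  # SHA-256, RSA 2048
```

For a real certificate file, feed `inspect_cert` the DER bytes (convert PEM first with `openssl x509 -in cert.pem -outform DER`); the same information is visible in `openssl x509 -in cert.pem -noout -text` under "Signature Algorithm" and "Public-Key". The walker only handles the field order of a version 3 certificate with an explicit version tag, which is what current CAs issue.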
