From: Alan T. DeKok <aland@freeradius.org>
Date: Mon, 17 Aug 2009 12:25:57 +0000 (+0200)
Subject: Add notes on SHA1 versus MD5
X-Git-Tag: release_2_1_7~38
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a42dc8f686494d046576606d95e5a6e5b936a35f;p=thirdparty%2Ffreeradius-server.git

Add notes on SHA1 versus MD5
---

diff --git a/raddb/certs/README b/raddb/certs/README
index 13e302b82ac..c054fd10f6e 100644
--- a/raddb/certs/README
+++ b/raddb/certs/README
@@ -200,3 +200,17 @@ with ALL operating systems.  Some common issues are:
 
   - Someone needs to ask Microsoft to please stop making life hard for
     their customers.
+
+
+		SECURITY CONSIDERATIONS
+
+The default certificate configuration files uses MD5 for message
+digests, to maintain compatibility with network equipment that
+supports only this algorithm.
+
+MD5 has known weaknesses and is discouraged in favor of SHA1 (see
+http://www.kb.cert.org/vuls/id/836068 for details). If your network
+equipment supports the SHA1 signature algorithm, we recommend that you
+change the "ca.cnf", "server.cnf", and "client.cnf" files to specify
+the use of SHA1 for the certificates. To do this, change the
+'default_md' entry in those files from 'md5' to 'sha1'.