Diffstat (limited to '')
-rw-r--r-- | debian/patches/snakeoil-certs.diff | 132 |
1 files changed, 132 insertions, 0 deletions
diff --git a/debian/patches/snakeoil-certs.diff b/debian/patches/snakeoil-certs.diff
new file mode 100644
index 0000000..447b329
--- /dev/null
+++ b/debian/patches/snakeoil-certs.diff
@@ -0,0 +1,132 @@
+Description: Use snakeoil certificates.
+Author: Michael Stapelberg <stapelberg@debian.org>
+Last-Updated: 2016-09-16
+Forwarded: not-needed
+
+---
+
+--- a/raddb/mods-available/eap
++++ b/raddb/mods-available/eap
+@@ -176,7 +176,7 @@
+ #
+ tls-config tls-common {
+ private_key_password = whatever
+- private_key_file = ${certdir}/server.pem
++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+
+ # If Private key & Certificate are located in
+ # the same file, then private_key_file &
+@@ -212,7 +212,7 @@
+ # give advice which will work everywhere. Instead,
+ # we give general guidelines.
+ #
+- certificate_file = ${certdir}/server.pem
++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+
+ # Trusted Root CA list
+ #
+@@ -225,7 +225,7 @@
+ # In that case, this CA file should contain
+ # *one* CA certificate.
+ #
+- ca_file = ${cadir}/ca.pem
++ ca_file = /etc/ssl/certs/ca-certificates.crt
+
+ # OpenSSL will automatically create certificate chains,
+ # unless we tell it to not do that. The problem is that
+--- a/raddb/mods-available/inner-eap
++++ b/raddb/mods-available/inner-eap
+@@ -59,7 +59,7 @@
+ #
+ tls {
+ private_key_password = whatever
+- private_key_file = ${certdir}/inner-server.pem
++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+
+ # If Private key & Certificate are located in
+ # the same file, then private_key_file &
+@@ -71,11 +71,11 @@
+ # only the server certificate, but ALSO all
+ # of the CA certificates used to sign the
+ # server certificate.
+- certificate_file = ${certdir}/inner-server.pem
++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+
+ # You may want different CAs for inner and outer
+ # certificates. If so, edit this file.
+- ca_file = ${cadir}/ca.pem
++ ca_file = /etc/ssl/certs/ca-certificates.crt
+
+ cipher_list = "DEFAULT"
+
+--- a/raddb/sites-available/abfab-tls
++++ b/raddb/sites-available/abfab-tls
+@@ -14,9 +14,9 @@
+ private_key_password = whatever
+
+ # Moonshot tends to distribute certs separate from keys
+- private_key_file = ${certdir}/server.key
+- certificate_file = ${certdir}/server.pem
+- ca_file = ${cadir}/ca.pem
++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
++ ca_file = /etc/ssl/certs/ca-certificates.crt
+ dh_file = ${certdir}/dh
+ fragment_size = 8192
+ ca_path = ${cadir}
+--- a/raddb/sites-available/tls
++++ b/raddb/sites-available/tls
+@@ -161,7 +161,7 @@
+ #
+ tls {
+ private_key_password = whatever
+- private_key_file = ${certdir}/server.pem
++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+
+ # Accept an expired Certificate Revocation List
+ #
+@@ -177,7 +177,7 @@
+ # only the server certificate, but ALSO all
+ # of the CA certificates used to sign the
+ # server certificate.
+- certificate_file = ${certdir}/server.pem
++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+
+ # Trusted Root CA list
+ #
+@@ -194,7 +194,7 @@
+ # not use client certificates, and you do not want
+ # to permit EAP-TLS authentication, then delete
+ # this configuration item.
+- ca_file = ${cadir}/ca.pem
++ ca_file = /etc/ssl/certs/ca-certificates.crt
+
+ # For DH cipher suites to work in OpenSSL < 1.1.0,
+ # you have to run OpenSSL to create the DH file
+@@ -551,7 +551,7 @@
+ # hostname = "example.com"
+
+ private_key_password = whatever
+- private_key_file = ${certdir}/client.pem
++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+
+ # If Private key & Certificate are located in
+ # the same file, then private_key_file &
+@@ -563,7 +563,7 @@
+ # only the server certificate, but ALSO all
+ # of the CA certificates used to sign the
+ # server certificate.
+- certificate_file = ${certdir}/client.pem
++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+
+ # Trusted Root CA list
+ #
+@@ -580,7 +580,7 @@
+ # not use client certificates, and you do not want
+ # to permit EAP-TLS authentication, then delete
+ # this configuration item.
+- ca_file = ${cadir}/ca.pem
++ ca_file = /etc/ssl/certs/ca-certificates.crt
+
+ #
+ # Before version 3.2.1, outbound RadSec connections |
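Review bot: Replacing `ca_file = ${cadir}/ca.pem` with `/etc/ssl/certs/ca-certificates.crt` in all four files (mods-available/eap, mods-available/inner-eap, sites-available/abfab-tls and the three `ca_file` lines in sites-available/tls) widens the trust anchor used to verify peer certificates from one site-specific CA to the whole public CA bundle; the surrounding context in sites-available/tls says `ca_file` is what permits EAP-TLS client-certificate authentication, so with this value any client certificate chaining to a public CA would presumably pass chain validation unless additional checks are configured. The DEP-3 header says only `Description: Use snakeoil certificates.`; it should state that the snakeoil key and certificate are a self-signed placeholder meant to be replaced before use, and that `ca_file` now points at the system bundle, which is only appropriate where client certificates are not used for authentication. The patch also leaves `private_key_password = whatever` next to a key that now lives in `/etc/ssl/private/`, which is readable only by the `ssl-cert` group on Debian — presumably the service user is added to that group elsewhere in the packaging, but a one-line note in the Description would save the next maintainer from guessing.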