Diffstat (limited to 'debian/patches')
-rw-r--r-- | debian/patches/0002-gitignore.diff.patch | 29 | ||||
-rw-r--r-- | debian/patches/0006-jradius.diff.patch | 17 | ||||
-rw-r--r-- | debian/patches/0009-dhcp-sqlipool-Comment-out-mysql.patch | 22 | ||||
-rw-r--r-- | debian/patches/debian-local/0001-Rename-radius-to-freeradius.patch | 152 | ||||
-rw-r--r-- | debian/patches/debian-local/0010-version.c-disable-openssl-version-check.patch | 32 | ||||
-rw-r--r-- | debian/patches/disable-dhcp-bydefault.diff | 12 | ||||
-rw-r--r-- | debian/patches/dont-install-tests.diff | 24 | ||||
-rw-r--r-- | debian/patches/fix-intermediate-ca.patch | 33 | ||||
-rw-r--r-- | debian/patches/fix-tls-client-cert-common-name-1.patch | 40 | ||||
-rw-r--r-- | debian/patches/fix-tls-client-cert-common-name-2.patch | 29 | ||||
-rw-r--r-- | debian/patches/fix-ttls-mschapv2.patch | 40 | ||||
-rw-r--r-- | debian/patches/series | 12 | ||||
-rw-r--r-- | debian/patches/snakeoil-certs.diff | 132 |
13 files changed, 574 insertions, 0 deletions
diff --git a/debian/patches/0002-gitignore.diff.patch b/debian/patches/0002-gitignore.diff.patch
new file mode 100644
index 0000000..22013a1
--- /dev/null
+++ b/debian/patches/0002-gitignore.diff.patch
@@ -0,0 +1,29 @@
+From 993eba48a171e70dfe83fa25f04c4d19b257ea1b Mon Sep 17 00:00:00 2001
+From: Sam Hartman <hartmans@debian.org>
+Date: Thu, 18 Sep 2014 15:55:47 -0400
+Subject: gitignore.diff
+
+---
+ .gitignore | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/.gitignore
++++ b/.gitignore
+@@ -1,3 +1,17 @@
++*.la
++*.o
++*.lo
++.libs
++.deps
++build-arch-stamp
++build-indep-stamp
++config.h
++config.log
++config.status
++config.cache
++config.guess.dist
++config.sub.dist
++Make.inc
+ *~
+ *.o
+ *.a
diff --git a/debian/patches/0006-jradius.diff.patch b/debian/patches/0006-jradius.diff.patch
new file mode 100644
index 0000000..2eeee49
--- /dev/null
+++ b/debian/patches/0006-jradius.diff.patch
@@ -0,0 +1,17 @@
+From b72e1d985e709e4c5fd7355747cde8697e665b44 Mon Sep 17 00:00:00 2001
+From: Sam Hartman <hartmans@debian.org>
+Date: Thu, 18 Sep 2014 15:55:52 -0400
+Subject: jradius.diff
+
+---
+ src/modules/stable | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/src/modules/stable
++++ b/src/modules/stable
+@@ -40,3 +40,5 @@
+ rlm_yubikey
+ rlm_redis
+ rlm_rediswho
++rlm_policy
++rlm_jradius
diff --git a/debian/patches/0009-dhcp-sqlipool-Comment-out-mysql.patch b/debian/patches/0009-dhcp-sqlipool-Comment-out-mysql.patch
new file mode 100644
index 0000000..8e09238
--- /dev/null
+++ b/debian/patches/0009-dhcp-sqlipool-Comment-out-mysql.patch
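Review bot: The diffstat embedded in the 0006-jradius.diff.patch header says `src/modules/stable | 4 ++++` and `4 insertions(+)`, but the hunk that follows adds only two lines (`rlm_policy`, `rlm_jradius`). The same stale-header problem appears in 0009-dhcp-sqlipool-Comment-out-mysql.patch, whose diffstat path `raddb/modules/dhcp_sqlippool` differs from the hunk path `raddb/mods-available/dhcp_sqlippool`, and in debian-local/0010-version.c-disable-openssl-version-check.patch, whose diffstat names `src/main/version.c` with 45 changed lines while the hunk touches `src/main/radiusd.c` and removes eight. quilt applies the hunks regardless, so this is a documentation defect, but anyone auditing the series from the summaries is misled; regenerating the headers with `git format-patch` or simply dropping the diffstat lines would fix all three.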
@@ -0,0 +1,22 @@
+From f39ef7f317a49c4e959bed7e9d954e473f49d602 Mon Sep 17 00:00:00 2001
+From: Sam Hartman <hartmans@debian.org>
+Date: Wed, 1 Oct 2014 16:38:16 -0400
+Subject: dhcp sqlipool: Comment out mysql
+
+So freeradius does not depend on freeradius-mysql
+---
+ raddb/modules/dhcp_sqlippool | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/raddb/mods-available/dhcp_sqlippool
++++ b/raddb/mods-available/dhcp_sqlippool
+@@ -97,5 +97,8 @@
+ nopool = "DHCP: No ${..pool_name} defined (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
+ }
+
+- $INCLUDE ${modconfdir}/sql/ippool-dhcp/${dialect}/queries.conf
++ # This line is commented by default to enable clean startup when you
++ # don't have freeradius-mysql installed. Uncomment this line if you
++ # use this module.
++ #$INCLUDE ${modconfdir}/sql/ippool-dhcp/${dialect}/queries.conf
+ }
diff --git a/debian/patches/debian-local/0001-Rename-radius-to-freeradius.patch b/debian/patches/debian-local/0001-Rename-radius-to-freeradius.patch
new file mode 100644
index 0000000..fda1cf0
--- /dev/null
+++ b/debian/patches/debian-local/0001-Rename-radius-to-freeradius.patch
@@ -0,0 +1,152 @@
+Author: Sam Hartman <hartmans@debian.org>
+Description: Rename radius to freeradius
+Last-Updated: 2016-09-16
+Forwarded: not-needed
+
+---
+
+--- a/Make.inc.in
++++ b/Make.inc.in
+@@ -98,7 +98,7 @@
+
+ LOGDIR = ${logdir}
+ RADDBDIR = ${raddbdir}
+-RUNDIR = ${localstatedir}/run/radiusd
++RUNDIR = ${localstatedir}/run/freeradius
+ SBINDIR = ${sbindir}
+ RADIR = ${radacctdir}
+ LIBRADIUS = $(top_builddir)/src/lib/$(LIBPREFIX)freeradius-radius.la $(TALLOC_LIBS)
+--- a/raddb/radiusd.conf.in
++++ b/raddb/radiusd.conf.in
+@@ -91,7 +91,7 @@
+
+ #
+ # name of the running server. See also the "-n" command-line option.
+-name = radiusd
++name = freeradius
+
+ # Location of config and logfiles.
+ confdir = ${raddbdir}
+@@ -447,8 +447,8 @@
+ # member. This can allow for some finer-grained access
+ # controls.
+ #
+-# user = radius
+-# group = radius
++ user = freerad
++ group = freerad
+
+ # Core dumps are a bad thing. This should only be set to
+ # 'yes' if you're debugging a problem with the server.
+--- a/scripts/monit/freeradius.monitrc
++++ b/scripts/monit/freeradius.monitrc
+@@ -8,9 +8,9 @@
+ # Totalmem limit should be lowered to 200.0 if none of the
+ # interpreted language modules or rlm_cache are being used.
+ #
+-check process radiusd with pidfile /var/run/radiusd/radiusd.pid
+- start program = "/etc/init.d/radiusd start"
+- stop program = "/etc/init.d/radiusd stop"
++check process freeradius with pidfile /var/run/freeradius/freeradius.pid
++ start program = "/etc/init.d/freeradius start"
++ stop program = "/etc/init.d/freeradius stop"
+ if failed host 127.0.0.1 port 1812 type udp protocol radius secret testing123 then alert
+ if failed host 127.0.0.1 port 1813 type udp protocol radius secret testing123 then alert
+ if cpu > 95% for 2 cycles then alert
+--- a/raddb/sites-available/control-socket
++++ b/raddb/sites-available/control-socket
+@@ -72,12 +72,12 @@
+ #
+ # Name of user that is allowed to connect to the control socket.
+ #
+-# uid = radius
++# uid = freerad
+
+ #
+ # Name of group that is allowed to connect to the control socket.
+ #
+-# gid = radius
++# gid = freerad
+
+ #
+ # Access mode.
+--- a/src/main/radiusd.c
++++ b/src/main/radiusd.c
+@@ -102,7 +102,6 @@
+ bool display_version = false;
+ int flag = 0;
+ int from_child[2] = {-1, -1};
+- char *p;
+ fr_state_t *state = NULL;
+
+ /*
+@@ -137,13 +136,7 @@
+ main_config.myip.af = AF_UNSPEC;
+ main_config.port = 0;
+ main_config.daemonize = true;
+-
+- p = strrchr(argv[0], FR_DIR_SEP);
+- if (!p) {
+- main_config.name = argv[0];
+- } else {
+- main_config.name = p + 1;
+- }
++ main_config.name = "radiusd";
+
+ /*
+ * Don't put output anywhere until we get told a little
+@@ -697,7 +690,7 @@
+ {
+ FILE *output = status?stderr:stdout;
+
+- fprintf(output, "Usage: %s [options]\n", main_config.name);
++ fprintf(output, "Usage: freeradius [options]\n");
+ fprintf(output, "Options:\n");
+ fprintf(output, " -C Check configuration and exit.\n");
+ fprintf(stderr, " -d <raddb> Set configuration directory (defaults to " RADDBDIR ").\n");
+--- a/man/man8/radiusd.8
++++ b/man/man8/radiusd.8
+@@ -56,7 +56,7 @@
+ for an informative list of which modules are checked for correct
+ configuration, and which modules are skipped, and therefore not checked.
+ .IP "\-d \fIconfig directory\fP"
+-Defaults to \fI/etc/raddb\fP. \fBRadiusd\fP looks here for its configuration
++Defaults to \fI/etc/freeradius\fP. \fBRadiusd\fP looks here for its configuration
+ files such as the \fIdictionary\fP and the \fIusers\fP files.
+ .IP "\-D \fIdictionary directory\fP"
+ Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
+@@ -80,7 +80,7 @@
+ On SIGINT or SIGQUIT exit cleanly instead of immediately.
+ This is most useful for when running the server with "valgrind".
+ .IP "\-n \fIname\fP"
+-Read \fIraddb/name.conf\fP instead of \fIraddb/radiusd.conf\fP.
++Read \fIfreeradius/name.conf\fP instead of \fIfreeradius/radiusd.conf\fP.
+ .IP "\-p \fIport\fP"
+ Defines which port is used for receiving authentication packets.
+ Accounting packets are received on "port + 1".
+@@ -147,14 +147,14 @@
+ SQL), then:
+ .PP
+ .in +0.3i
+-a) Edit raddb/modules/foo
++a) Edit freeradius/modules/foo
+ .br
+ This file contains the default configuration for the module. It
+ contains comments describing what can be configured, and what those
+ configuration entries mean.
+ .br
+ .br
+-b) Edit raddb/sites-available/default
++b) Edit freeradius/sites-available/default
+ .br
+ This file contains the default policy for the server. e.g. "enable
+ CHAP, MS-CHAP, and EAP authentication". Look in this file for all
+@@ -163,7 +163,7 @@
+ the module.
+ .br
+ .br
+-c) Edit raddb/sites-available/inner-tunnel
++c) Edit freeradius/sites-available/inner-tunnel
+ .br
+ This file contains the default policy for the "tunneled" portion of
+ certain EAP methods. Perform the same kind of edits as above, for the
diff --git a/debian/patches/debian-local/0010-version.c-disable-openssl-version-check.patch b/debian/patches/debian-local/0010-version.c-disable-openssl-version-check.patch
new file mode 100644
index 0000000..82e8a9c
--- /dev/null
+++ b/debian/patches/debian-local/0010-version.c-disable-openssl-version-check.patch
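Review bot: The DEP-3 header of debian-local/0001-Rename-radius-to-freeradius.patch uses `Last-Updated: 2016-09-16`, whereas the DEP-3 field is spelled `Last-Update` (dont-install-tests.diff in this same commit spells it correctly); snakeoil-certs.diff carries the same misspelling, so header-parsing tools would most likely ignore the field in both. Separately, the raddb/radiusd.conf.in hunk at `@@ -447,8 +447,8 @@` does more than rename: it turns the commented defaults `# user = radius` / `# group = radius` into active `user = freerad` / `group = freerad`, which makes the daemon drop privileges at startup. That is a behavioural change worth one sentence in `Description:`, since the header currently only says "Rename radius to freeradius" and a reader skimming the series would not expect a privilege-drop default to live here.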
@@ -0,0 +1,32 @@
+From 1b4e8e5751c417ba9d3788d264e76aba4f6baa12 Mon Sep 17 00:00:00 2001
+From: Sam Hartman <hartmans@debian.org>
+Date: Thu, 23 Oct 2014 21:44:03 -0400
+Subject: version.c: disable openssl version check
+
+For Debian we don't want to require that the built OpenSSL be the same
+as the linked OpenSSL. Debian will be responsible for changing the
+soname if the ABI changes. The version check causes the freeradius
+packages to fail whenever a new OpenSSL is built.
+
+Patch-Category: debian-local
+---
+ src/main/version.c | 45 +++++++--------------------------------------
+ 1 file changed, 7 insertions(+), 38 deletions(-)
+
+--- a/src/main/radiusd.c
++++ b/src/main/radiusd.c
+@@ -277,14 +277,6 @@
+
+ if (rad_check_lib_magic(RADIUSD_MAGIC_NUMBER) < 0) exit(EXIT_FAILURE);
+
+- /*
+- * Mismatch between build time OpenSSL and linked SSL, better to die
+- * here than segfault later.
+- */
+-#ifdef HAVE_OPENSSL_CRYPTO_H
+- if (ssl_check_consistency() < 0) exit(EXIT_FAILURE);
+-#endif
+-
+ if (flag && (flag != 0x03)) {
+ fprintf(stderr, "%s: The options -i and -p cannot be used individually.\n",
+ main_config.name);
diff --git a/debian/patches/disable-dhcp-bydefault.diff b/debian/patches/disable-dhcp-bydefault.diff
new file mode 100644
index 0000000..a76a085
--- /dev/null
+++ b/debian/patches/disable-dhcp-bydefault.diff
@@ -0,0 +1,12 @@
+diff a/raddb/all.mk b/raddb/all.mk
+--- a/raddb/all.mk
++++ b/raddb/all.mk
+@@ -8,7 +8,7 @@ DEFAULT_SITES := default inner-tunnel
+ LOCAL_SITES := $(addprefix raddb/sites-enabled/,$(DEFAULT_SITES))
+
+ DEFAULT_MODULES := always attr_filter cache_eap chap \
+- detail detail.log digest dhcp dynamic_clients eap \
++ detail detail.log digest dynamic_clients eap \
+ echo exec expiration expr files linelog logintime \
+ mschap ntlm_auth pap passwd preprocess radutmp realm \
+ replicate soh sradutmp unix unpack utf8
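Review bot: Dropping the `ssl_check_consistency()` call at `@@ -277,14 +277,6 @@` removes the only runtime detection of a build-time versus link-time OpenSSL mismatch, and the header's justification ("Debian will be responsible for changing the soname if the ABI changes") covers only breaks that the OpenSSL maintainers bump the soname for. The trade-off is defensible for a distribution package whose shared-library dependencies are generated at build time (presumably via dh_shlibdeps; confirm in debian/rules, which is outside this commit), but the patch header should name that replacement mechanism so a later maintainer neither reinstates the check by accident nor drops the dependency that now stands in for it. A line such as `The library dependency generated at package build time is the replacement for this runtime check.` after the existing paragraph would do.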
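Review bot: disable-dhcp-bydefault.diff has no DEP-3 header at all (no `Description:`, `Author:` or `Forwarded:`), unlike every other patch in this series, and its first line `diff a/raddb/all.mk b/raddb/all.mk` is not a git diff header; quilt will ignore it because the `---`/`+++` lines follow, so it is harmless but misleading. Adding `Description: Do not enable the dhcp module in DEFAULT_MODULES by default` and `Forwarded: not-needed` at the top would document why the `dhcp` entry is removed from the `DEFAULT_MODULES` list and bring the file in line with the rest of debian/patches.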
diff --git a/debian/patches/dont-install-tests.diff b/debian/patches/dont-install-tests.diff
new file mode 100644
index 0000000..ff2cfab
--- /dev/null
+++ b/debian/patches/dont-install-tests.diff
@@ -0,0 +1,24 @@
+Author: Michael Stapelberg <stapelberg@debian.org>
+Forwarded: https://github.com/FreeRADIUS/freeradius-server/commit/94c42123517c46474e45e545c264de6e5ce228c6
+Last-Update: 2016-10-08
+
+---
+
+Index: freeradius/src/tests/map/map_unit.mk
+===================================================================
+--- freeradius.orig/src/tests/map/map_unit.mk
++++ freeradius/src/tests/map/map_unit.mk
+@@ -3,3 +3,4 @@ SOURCES := map_unit.c ${top_srcdir}/src
+
+ TGT_PREREQS := libfreeradius-server.a libfreeradius-radius.a
+ TGT_LDLIBS := $(LIBS)
++TGT_INSTALLDIR :=
+Index: freeradius/src/main/radattr.mk
+===================================================================
+--- freeradius.orig/src/main/radattr.mk
++++ freeradius/src/main/radattr.mk
+@@ -8,3 +8,4 @@ TGT_PREREQS += libfreeradius-dhcp.a
+ endif
+
+ TGT_LDLIBS := $(LIBS)
++TGT_INSTALLDIR :=
diff --git a/debian/patches/fix-intermediate-ca.patch b/debian/patches/fix-intermediate-ca.patch
new file mode 100644
index 0000000..e4e1ffc
--- /dev/null
+++ b/debian/patches/fix-intermediate-ca.patch
@@ -0,0 +1,33 @@
+From aa5b642a3d6fed8663e5242d91884d25d14e9f53 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Tue, 25 Oct 2022 08:59:53 -0400
+Subject: [PATCH] move partial chain set to after set cert store. Should fix
+ #4753
+
+---
+ src/main/tls.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index 118978b52a3f..8a6844f4939b 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -3987,14 +3987,15 @@ SSL_CTX *tls_init_ctx(fr_tls_server_conf_t *conf, int client, char const *chain_
+ /*
+ * Load the CAs we trust and configure CRL checks if needed
+ */
+-#if defined(X509_V_FLAG_PARTIAL_CHAIN)
+- X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
+-#endif
+ if (conf->ca_file || conf->ca_path) {
+ if ((certstore = fr_init_x509_store(conf)) == NULL ) return NULL;
+ SSL_CTX_set_cert_store(ctx, certstore);
+ }
+
++#if defined(X509_V_FLAG_PARTIAL_CHAIN)
++ X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
++#endif
++
+ if (conf->ca_file && *conf->ca_file) SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf->ca_file));
+
+ conf->ca_path_last_reload = time(NULL);
diff --git a/debian/patches/fix-tls-client-cert-common-name-1.patch b/debian/patches/fix-tls-client-cert-common-name-1.patch
new file mode 100644
index 0000000..e0cf181
--- /dev/null
+++ b/debian/patches/fix-tls-client-cert-common-name-1.patch
@@ -0,0 +1,40 @@
+From d23987cbf55821dc56ab70d5ce6af3305cf83289 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Tue, 25 Oct 2022 10:51:02 -0400
+Subject: [PATCH] set partial chain always. Helps with #4785
+
+---
+ src/main/tls.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index aa6395d8391f..a33699cbb66e 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -3546,6 +3546,11 @@ X509_STORE *fr_init_x509_store(fr_tls_server_conf_t *conf)
+ if (conf->check_all_crl)
+ X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK_ALL);
+ #endif
++
++#if defined(X509_V_FLAG_PARTIAL_CHAIN)
++ X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN);
++#endif
++
+ return store;
+ }
+
+@@ -4011,11 +4016,11 @@ SSL_CTX *tls_init_ctx(fr_tls_server_conf_t *conf, int client, char const *chain_
+ if (conf->ca_file || conf->ca_path) {
+ if ((certstore = fr_init_x509_store(conf)) == NULL ) return NULL;
+ SSL_CTX_set_cert_store(ctx, certstore);
+- }
+-
++ } else {
+ #if defined(X509_V_FLAG_PARTIAL_CHAIN)
+- X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
++ X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
+ #endif
++ }
+
+ if (conf->ca_file && *conf->ca_file) SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf->ca_file));
+
diff --git a/debian/patches/fix-tls-client-cert-common-name-2.patch b/debian/patches/fix-tls-client-cert-common-name-2.patch
new file mode 100644
index 0000000..f7207db
--- /dev/null
+++ b/debian/patches/fix-tls-client-cert-common-name-2.patch
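Review bot: After this patch `X509_V_FLAG_PARTIAL_CHAIN` is set inside `fr_init_x509_store()` for every store built from `ca_file`/`ca_path`, and in the new `else` branch for the default store, so the flag is unconditionally on; with it OpenSSL accepts any certificate present in the trust store as a chain terminator, not only self-signed roots. That is the upstream intent (the subject cites #4785), but this series also points every `ca_file` at the full system bundle in snakeoil-certs.diff, and the combination is what decides which client certificates pass chain validation for EAP-TLS. The patch file is a bare `git format-patch` export with no DEP-3 fields; adding `Origin: upstream, <upstream commit URL>` and one sentence noting the trust-anchor change would make that interaction visible to whoever reviews the client-certificate policy later. The enclosing `tls_init_ctx()` continues past the hunk.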
@@ -0,0 +1,29 @@
+From 3d08027f30c6d9c1eaccf7d60c68c8f7d78017c3 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Wed, 26 Oct 2022 07:31:43 -0400
+Subject: [PATCH] fix cert order only for lookup=0. Fixes #4785
+
+---
+ src/main/tls.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index a33699cbb66e..c67148cf12c7 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -3015,7 +3015,14 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
+ */
+ if (lookup > 1) {
+ if (!my_ok) lookup = 1;
+- } else {
++
++ } else if (lookup == 0) {
++ /*
++ * This flag is only set for outbound
++ * connections. And then allows us to remap SSL
++ * offset 0 (server) to our offset 1 (also
++ * server).
++ */
+ lookup = (SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_FIX_CERT_ORDER) != NULL);
+ }
+
diff --git a/debian/patches/fix-ttls-mschapv2.patch b/debian/patches/fix-ttls-mschapv2.patch
new file mode 100644
index 0000000..17581e4
--- /dev/null
+++ b/debian/patches/fix-ttls-mschapv2.patch
@@ -0,0 +1,40 @@
+From 0812bc1768cedc420adc03e86893d798fa19e872 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Wed, 1 Feb 2023 14:38:53 -0500
+Subject: [PATCH] be more careful about session established. Fixes #4878
+
+---
+ src/main/tls.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index 5ca2f5fed250..4f34d70faccc 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -5338,7 +5338,13 @@ fr_tls_status_t tls_ack_handler(tls_session_t *ssn, REQUEST *request)
+ return FR_TLS_FAIL;
+
+ case handshake:
+- if ((ssn->is_init_finished) && (ssn->dirty_out.used == 0)) {
++ if (ssn->dirty_out.used > 0) {
++ RDEBUG2("(TLS) Peer ACKed our handshake fragment");
++ /* Fragmentation handler, send next fragment */
++ return FR_TLS_REQUEST;
++ }
++
++ if (ssn->is_init_finished || SSL_is_init_finished(ssn->ssl)) {
+ RDEBUG2("(TLS) Peer ACKed our handshake fragment. handshake is finished");
+
+ /*
+@@ -5350,9 +5356,8 @@ fr_tls_status_t tls_ack_handler(tls_session_t *ssn, REQUEST *request)
+ return FR_TLS_SUCCESS;
+ } /* else more data to send */
+
+- RDEBUG2("(TLS) Peer ACKed our handshake fragment");
+- /* Fragmentation handler, send next fragment */
+- return FR_TLS_REQUEST;
++ REDEBUG("(TLS) Cannot continue, as the peer is misbehaving.");
++ return FR_TLS_FAIL;
+
+ case application_data:
+ RDEBUG2("(TLS) Peer ACKed our application data fragment");
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..c77bc2e
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,12 @@
+debian-local/0001-Rename-radius-to-freeradius.patch
+0002-gitignore.diff.patch
+0006-jradius.diff.patch
+0009-dhcp-sqlipool-Comment-out-mysql.patch
+debian-local/0010-version.c-disable-openssl-version-check.patch
+dont-install-tests.diff
+snakeoil-certs.diff
+#python_config_script_update.diff
+fix-ttls-mschapv2.patch
+fix-intermediate-ca.patch
+fix-tls-client-cert-common-name-1.patch
+fix-tls-client-cert-common-name-2.patch
diff --git a/debian/patches/snakeoil-certs.diff b/debian/patches/snakeoil-certs.diff
new file mode 100644
index 0000000..447b329
--- /dev/null
+++ b/debian/patches/snakeoil-certs.diff
@@ -0,0 +1,132 @@
+Description: Use snakeoil certificates.
+Author: Michael Stapelberg <stapelberg@debian.org>
+Last-Updated: 2016-09-16
+Forwarded: not-needed
+
+---
+
+--- a/raddb/mods-available/eap
++++ b/raddb/mods-available/eap
+@@ -176,7 +176,7 @@
+ #
+ tls-config tls-common {
+ private_key_password = whatever
+- private_key_file = ${certdir}/server.pem
++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+
+ # If Private key & Certificate are located in
+ # the same file, then private_key_file &
+@@ -212,7 +212,7 @@
+ # give advice which will work everywhere. Instead,
+ # we give general guidelines.
+ #
+- certificate_file = ${certdir}/server.pem
++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+
+ # Trusted Root CA list
+ #
+@@ -225,7 +225,7 @@
+ # In that case, this CA file should contain
+ # *one* CA certificate.
+ #
+- ca_file = ${cadir}/ca.pem
++ ca_file = /etc/ssl/certs/ca-certificates.crt
+
+ # OpenSSL will automatically create certificate chains,
+ # unless we tell it to not do that. The problem is that
+--- a/raddb/mods-available/inner-eap
++++ b/raddb/mods-available/inner-eap
+@@ -59,7 +59,7 @@
+ #
+ tls {
+ private_key_password = whatever
+- private_key_file = ${certdir}/inner-server.pem
++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+
+ # If Private key & Certificate are located in
+ # the same file, then private_key_file &
+@@ -71,11 +71,11 @@
+ # only the server certificate, but ALSO all
+ # of the CA certificates used to sign the
+ # server certificate.
+- certificate_file = ${certdir}/inner-server.pem
++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+
+ # You may want different CAs for inner and outer
+ # certificates. If so, edit this file.
+- ca_file = ${cadir}/ca.pem
++ ca_file = /etc/ssl/certs/ca-certificates.crt
+
+ cipher_list = "DEFAULT"
+
+--- a/raddb/sites-available/abfab-tls
++++ b/raddb/sites-available/abfab-tls
+@@ -14,9 +14,9 @@
+ private_key_password = whatever
+
+ # Moonshot tends to distribute certs separate from keys
+- private_key_file = ${certdir}/server.key
+- certificate_file = ${certdir}/server.pem
+- ca_file = ${cadir}/ca.pem
++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
++ ca_file = /etc/ssl/certs/ca-certificates.crt
+ dh_file = ${certdir}/dh
+ fragment_size = 8192
+ ca_path = ${cadir}
+--- a/raddb/sites-available/tls
++++ b/raddb/sites-available/tls
+@@ -161,7 +161,7 @@
+ #
+ tls {
+ private_key_password = whatever
+- private_key_file = ${certdir}/server.pem
++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+
+ # Accept an expired Certificate Revocation List
+ #
+@@ -177,7 +177,7 @@
+ # only the server certificate, but ALSO all
+ # of the CA certificates used to sign the
+ # server certificate.
+- certificate_file = ${certdir}/server.pem
++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+
+ # Trusted Root CA list
+ #
+@@ -194,7 +194,7 @@
+ # not use client certificates, and you do not want
+ # to permit EAP-TLS authentication, then delete
+ # this configuration item.
+- ca_file = ${cadir}/ca.pem
++ ca_file = /etc/ssl/certs/ca-certificates.crt
+
+ # For DH cipher suites to work in OpenSSL < 1.1.0,
+ # you have to run OpenSSL to create the DH file
+@@ -551,7 +551,7 @@
+ # hostname = "example.com"
+
+ private_key_password = whatever
+- private_key_file = ${certdir}/client.pem
++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+
+ # If Private key & Certificate are located in
+ # the same file, then private_key_file &
+@@ -563,7 +563,7 @@
+ # only the server certificate, but ALSO all
+ # of the CA certificates used to sign the
+ # server certificate.
+- certificate_file = ${certdir}/client.pem
++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+
+ # Trusted Root CA list
+ #
+@@ -580,7 +580,7 @@
+ # not use client certificates, and you do not want
+ # to permit EAP-TLS authentication, then delete
+ # this configuration item.
+- ca_file = ${cadir}/ca.pem
++ ca_file = /etc/ssl/certs/ca-certificates.crt
+
+ #
+ # Before version 3.2.1, outbound RadSec connections |
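Review bot: Every `ca_file` in this patch is repointed at `/etc/ssl/certs/ca-certificates.crt`, the full public CA bundle, including the `raddb/sites-available/tls` hunks at `@@ -194,7 +194,7 @@` and `@@ -580,7 +580,7 @@` where the surrounding comment says the item is what permits EAP-TLS client certificates; with that value any client certificate chaining to any public CA passes chain validation, and whether it is actually authorized then rests entirely on later policy checks. The patch also leaves `private_key_password = whatever`, `dh_file = ${certdir}/dh` and `ca_path = ${cadir}` untouched beside the replaced paths, so the shipped config mixes snakeoil paths with `${certdir}`/`${cadir}` references that no longer match the key and certificate in use. The `Description:` is a single line; one sentence stating that the bundle is a placeholder that yields a working server certificate but not a usable client-certificate trust policy, and that `ca_file` must be narrowed to the site's own CA before enabling EAP-TLS, would make that risk visible to the next maintainer.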