Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/0002-gitignore.diff.patch29
-rw-r--r--debian/patches/0006-jradius.diff.patch17
-rw-r--r--debian/patches/0009-dhcp-sqlipool-Comment-out-mysql.patch22
-rw-r--r--debian/patches/debian-local/0001-Rename-radius-to-freeradius.patch152
-rw-r--r--debian/patches/debian-local/0010-version.c-disable-openssl-version-check.patch32
-rw-r--r--debian/patches/disable-dhcp-bydefault.diff12
-rw-r--r--debian/patches/dont-install-tests.diff24
-rw-r--r--debian/patches/fix-intermediate-ca.patch33
-rw-r--r--debian/patches/fix-tls-client-cert-common-name-1.patch40
-rw-r--r--debian/patches/fix-tls-client-cert-common-name-2.patch29
-rw-r--r--debian/patches/fix-ttls-mschapv2.patch40
-rw-r--r--debian/patches/series12
-rw-r--r--debian/patches/snakeoil-certs.diff132
13 files changed, 574 insertions, 0 deletions
diff --git a/debian/patches/0002-gitignore.diff.patch b/debian/patches/0002-gitignore.diff.patch
new file mode 100644
index 0000000..22013a1
--- /dev/null
+++ b/debian/patches/0002-gitignore.diff.patch
@@ -0,0 +1,29 @@
+From 993eba48a171e70dfe83fa25f04c4d19b257ea1b Mon Sep 17 00:00:00 2001
+From: Sam Hartman <hartmans@debian.org>
+Date: Thu, 18 Sep 2014 15:55:47 -0400
+Subject: gitignore.diff
+
+---
+ .gitignore | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/.gitignore
++++ b/.gitignore
+@@ -1,3 +1,17 @@
++*.la
++*.o
++*.lo
++.libs
++.deps
++build-arch-stamp
++build-indep-stamp
++config.h
++config.log
++config.status
++config.cache
++config.guess.dist
++config.sub.dist
++Make.inc
+ *~
+ *.o
+ *.a
diff --git a/debian/patches/0006-jradius.diff.patch b/debian/patches/0006-jradius.diff.patch
new file mode 100644
index 0000000..2eeee49
--- /dev/null
+++ b/debian/patches/0006-jradius.diff.patch
@@ -0,0 +1,17 @@
+From b72e1d985e709e4c5fd7355747cde8697e665b44 Mon Sep 17 00:00:00 2001
+From: Sam Hartman <hartmans@debian.org>
+Date: Thu, 18 Sep 2014 15:55:52 -0400
+Subject: jradius.diff
+
+---
+ src/modules/stable | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/src/modules/stable
++++ b/src/modules/stable
+@@ -40,3 +40,5 @@
+ rlm_yubikey
+ rlm_redis
+ rlm_rediswho
++rlm_policy
++rlm_jradius
diff --git a/debian/patches/0009-dhcp-sqlipool-Comment-out-mysql.patch b/debian/patches/0009-dhcp-sqlipool-Comment-out-mysql.patch
new file mode 100644
index 0000000..8e09238
--- /dev/null
+++ b/debian/patches/0009-dhcp-sqlipool-Comment-out-mysql.patch
@@ -0,0 +1,22 @@
+From f39ef7f317a49c4e959bed7e9d954e473f49d602 Mon Sep 17 00:00:00 2001
+From: Sam Hartman <hartmans@debian.org>
+Date: Wed, 1 Oct 2014 16:38:16 -0400
+Subject: dhcp sqlipool: Comment out mysql
+
+So freeradius does not depend on freeradius-mysql
+---
+ raddb/modules/dhcp_sqlippool | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/raddb/mods-available/dhcp_sqlippool
++++ b/raddb/mods-available/dhcp_sqlippool
+@@ -97,5 +97,8 @@
+ nopool = "DHCP: No ${..pool_name} defined (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
+ }
+
+- $INCLUDE ${modconfdir}/sql/ippool-dhcp/${dialect}/queries.conf
++ # This line is commented by default to enable clean startup when you
++ # don't have freeradius-mysql installed. Uncomment this line if you
++ # use this module.
++ #$INCLUDE ${modconfdir}/sql/ippool-dhcp/${dialect}/queries.conf
+ }
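Review bot: The patch header's diffstat does not match the hunk it carries: it lists `raddb/modules/dhcp_sqlippool | 7 +++++--` with 5 insertions and 2 deletions, while the diff below edits `raddb/mods-available/dhcp_sqlippool` with 4 insertions and 1 deletion. The same mismatch appears in debian-local/0010-version.c-disable-openssl-version-check.patch, whose header names `src/main/version.c | 45 ...` (7 insertions, 38 deletions) while its only hunk removes 8 lines from `src/main/radiusd.c`. Stale headers are harmless to quilt but mislead anyone auditing what the packaging actually changes; regenerating them (here ` raddb/mods-available/dhcp_sqlippool | 5 ++++-` and ` 1 file changed, 4 insertions(+), 1 deletion(-)`) keeps the record honest.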
diff --git a/debian/patches/debian-local/0001-Rename-radius-to-freeradius.patch b/debian/patches/debian-local/0001-Rename-radius-to-freeradius.patch
new file mode 100644
index 0000000..fda1cf0
--- /dev/null
+++ b/debian/patches/debian-local/0001-Rename-radius-to-freeradius.patch
@@ -0,0 +1,152 @@
+Author: Sam Hartman <hartmans@debian.org>
+Description: Rename radius to freeradius
+Last-Updated: 2016-09-16
+Forwarded: not-needed
+
+---
+
+--- a/Make.inc.in
++++ b/Make.inc.in
+@@ -98,7 +98,7 @@
+
+ LOGDIR = ${logdir}
+ RADDBDIR = ${raddbdir}
+-RUNDIR = ${localstatedir}/run/radiusd
++RUNDIR = ${localstatedir}/run/freeradius
+ SBINDIR = ${sbindir}
+ RADIR = ${radacctdir}
+ LIBRADIUS = $(top_builddir)/src/lib/$(LIBPREFIX)freeradius-radius.la $(TALLOC_LIBS)
+--- a/raddb/radiusd.conf.in
++++ b/raddb/radiusd.conf.in
+@@ -91,7 +91,7 @@
+
+ #
+ # name of the running server. See also the "-n" command-line option.
+-name = radiusd
++name = freeradius
+
+ # Location of config and logfiles.
+ confdir = ${raddbdir}
+@@ -447,8 +447,8 @@
+ # member. This can allow for some finer-grained access
+ # controls.
+ #
+-# user = radius
+-# group = radius
++ user = freerad
++ group = freerad
+
+ # Core dumps are a bad thing. This should only be set to
+ # 'yes' if you're debugging a problem with the server.
+--- a/scripts/monit/freeradius.monitrc
++++ b/scripts/monit/freeradius.monitrc
+@@ -8,9 +8,9 @@
+ # Totalmem limit should be lowered to 200.0 if none of the
+ # interpreted language modules or rlm_cache are being used.
+ #
+-check process radiusd with pidfile /var/run/radiusd/radiusd.pid
+- start program = "/etc/init.d/radiusd start"
+- stop program = "/etc/init.d/radiusd stop"
++check process freeradius with pidfile /var/run/freeradius/freeradius.pid
++ start program = "/etc/init.d/freeradius start"
++ stop program = "/etc/init.d/freeradius stop"
+ if failed host 127.0.0.1 port 1812 type udp protocol radius secret testing123 then alert
+ if failed host 127.0.0.1 port 1813 type udp protocol radius secret testing123 then alert
+ if cpu > 95% for 2 cycles then alert
+--- a/raddb/sites-available/control-socket
++++ b/raddb/sites-available/control-socket
+@@ -72,12 +72,12 @@
+ #
+ # Name of user that is allowed to connect to the control socket.
+ #
+-# uid = radius
++# uid = freerad
+
+ #
+ # Name of group that is allowed to connect to the control socket.
+ #
+-# gid = radius
++# gid = freerad
+
+ #
+ # Access mode.
+--- a/src/main/radiusd.c
++++ b/src/main/radiusd.c
+@@ -102,7 +102,6 @@
+ bool display_version = false;
+ int flag = 0;
+ int from_child[2] = {-1, -1};
+- char *p;
+ fr_state_t *state = NULL;
+
+ /*
+@@ -137,13 +136,7 @@
+ main_config.myip.af = AF_UNSPEC;
+ main_config.port = 0;
+ main_config.daemonize = true;
+-
+- p = strrchr(argv[0], FR_DIR_SEP);
+- if (!p) {
+- main_config.name = argv[0];
+- } else {
+- main_config.name = p + 1;
+- }
++ main_config.name = "radiusd";
+
+ /*
+ * Don't put output anywhere until we get told a little
+@@ -697,7 +690,7 @@
+ {
+ FILE *output = status?stderr:stdout;
+
+- fprintf(output, "Usage: %s [options]\n", main_config.name);
++ fprintf(output, "Usage: freeradius [options]\n");
+ fprintf(output, "Options:\n");
+ fprintf(output, " -C Check configuration and exit.\n");
+ fprintf(stderr, " -d <raddb> Set configuration directory (defaults to " RADDBDIR ").\n");
+--- a/man/man8/radiusd.8
++++ b/man/man8/radiusd.8
+@@ -56,7 +56,7 @@
+ for an informative list of which modules are checked for correct
+ configuration, and which modules are skipped, and therefore not checked.
+ .IP "\-d \fIconfig directory\fP"
+-Defaults to \fI/etc/raddb\fP. \fBRadiusd\fP looks here for its configuration
++Defaults to \fI/etc/freeradius\fP. \fBRadiusd\fP looks here for its configuration
+ files such as the \fIdictionary\fP and the \fIusers\fP files.
+ .IP "\-D \fIdictionary directory\fP"
+ Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
+@@ -80,7 +80,7 @@
+ On SIGINT or SIGQUIT exit cleanly instead of immediately.
+ This is most useful for when running the server with "valgrind".
+ .IP "\-n \fIname\fP"
+-Read \fIraddb/name.conf\fP instead of \fIraddb/radiusd.conf\fP.
++Read \fIfreeradius/name.conf\fP instead of \fIfreeradius/radiusd.conf\fP.
+ .IP "\-p \fIport\fP"
+ Defines which port is used for receiving authentication packets.
+ Accounting packets are received on "port + 1".
+@@ -147,14 +147,14 @@
+ SQL), then:
+ .PP
+ .in +0.3i
+-a) Edit raddb/modules/foo
++a) Edit freeradius/modules/foo
+ .br
+ This file contains the default configuration for the module. It
+ contains comments describing what can be configured, and what those
+ configuration entries mean.
+ .br
+ .br
+-b) Edit raddb/sites-available/default
++b) Edit freeradius/sites-available/default
+ .br
+ This file contains the default policy for the server. e.g. "enable
+ CHAP, MS-CHAP, and EAP authentication". Look in this file for all
+@@ -163,7 +163,7 @@
+ the module.
+ .br
+ .br
+-c) Edit raddb/sites-available/inner-tunnel
++c) Edit freeradius/sites-available/inner-tunnel
+ .br
+ This file contains the default policy for the "tunneled" portion of
+ certain EAP methods. Perform the same kind of edits as above, for the
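Review bot: The two radiusd.c hunks leave the program name inconsistent: main() now hard-codes `main_config.name = "radiusd";` while usage() prints a literal `Usage: freeradius [options]` and radiusd.conf.in sets `name = freeradius`. Either keep the `%s`/`main_config.name` form in usage() or set `main_config.name = "freeradius";` so the -n default, the usage text and the shipped config agree; dropping the argv[0]-derived name appears to remove a case where the binary's invocation name selected which `${name}.conf` was read, which deserves one line in the patch description. The radiusd.conf.in hunk also turns the previously commented `# user = radius`/`# group = radius` into active `user = freerad`/`group = freerad`, a behavioural change (the server now drops privileges by default) that the Description "Rename radius to freeradius" does not mention. Both radiusd.c hunks sit inside main() and usage(), whose bodies start outside the hunk, so the removal of `char *p;` assumes p has no other use in main(), which cannot be confirmed here.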
diff --git a/debian/patches/debian-local/0010-version.c-disable-openssl-version-check.patch b/debian/patches/debian-local/0010-version.c-disable-openssl-version-check.patch
new file mode 100644
index 0000000..82e8a9c
--- /dev/null
+++ b/debian/patches/debian-local/0010-version.c-disable-openssl-version-check.patch
@@ -0,0 +1,32 @@
+From 1b4e8e5751c417ba9d3788d264e76aba4f6baa12 Mon Sep 17 00:00:00 2001
+From: Sam Hartman <hartmans@debian.org>
+Date: Thu, 23 Oct 2014 21:44:03 -0400
+Subject: version.c: disable openssl version check
+
+For Debian we don't want to require that the built OpenSSL be the same
+as the linked OpenSSL. Debian will be responsible for changing the
+soname if the ABI changes. The version check causes the freeradius
+packages to fail whenever a new OpenSSL is built.
+
+Patch-Category: debian-local
+---
+ src/main/version.c | 45 +++++++--------------------------------------
+ 1 file changed, 7 insertions(+), 38 deletions(-)
+
+--- a/src/main/radiusd.c
++++ b/src/main/radiusd.c
+@@ -277,14 +277,6 @@
+
+ if (rad_check_lib_magic(RADIUSD_MAGIC_NUMBER) < 0) exit(EXIT_FAILURE);
+
+- /*
+- * Mismatch between build time OpenSSL and linked SSL, better to die
+- * here than segfault later.
+- */
+-#ifdef HAVE_OPENSSL_CRYPTO_H
+- if (ssl_check_consistency() < 0) exit(EXIT_FAILURE);
+-#endif
+-
+ if (flag && (flag != 0x03)) {
+ fprintf(stderr, "%s: The options -i and -p cannot be used individually.\n",
+ main_config.name);
diff --git a/debian/patches/disable-dhcp-bydefault.diff b/debian/patches/disable-dhcp-bydefault.diff
new file mode 100644
index 0000000..a76a085
--- /dev/null
+++ b/debian/patches/disable-dhcp-bydefault.diff
@@ -0,0 +1,12 @@
+diff a/raddb/all.mk b/raddb/all.mk
+--- a/raddb/all.mk
++++ b/raddb/all.mk
+@@ -8,7 +8,7 @@ DEFAULT_SITES := default inner-tunnel
+ LOCAL_SITES := $(addprefix raddb/sites-enabled/,$(DEFAULT_SITES))
+
+ DEFAULT_MODULES := always attr_filter cache_eap chap \
+- detail detail.log digest dhcp dynamic_clients eap \
++ detail detail.log digest dynamic_clients eap \
+ echo exec expiration expr files linelog logintime \
+ mschap ntlm_auth pap passwd preprocess radutmp realm \
+ replicate soh sradutmp unix unpack utf8
diff --git a/debian/patches/dont-install-tests.diff b/debian/patches/dont-install-tests.diff
new file mode 100644
index 0000000..ff2cfab
--- /dev/null
+++ b/debian/patches/dont-install-tests.diff
@@ -0,0 +1,24 @@
+Author: Michael Stapelberg <stapelberg@debian.org>
+Forwarded: https://github.com/FreeRADIUS/freeradius-server/commit/94c42123517c46474e45e545c264de6e5ce228c6
+Last-Update: 2016-10-08
+
+---
+
+Index: freeradius/src/tests/map/map_unit.mk
+===================================================================
+--- freeradius.orig/src/tests/map/map_unit.mk
++++ freeradius/src/tests/map/map_unit.mk
+@@ -3,3 +3,4 @@ SOURCES := map_unit.c ${top_srcdir}/src
+
+ TGT_PREREQS := libfreeradius-server.a libfreeradius-radius.a
+ TGT_LDLIBS := $(LIBS)
++TGT_INSTALLDIR :=
+Index: freeradius/src/main/radattr.mk
+===================================================================
+--- freeradius.orig/src/main/radattr.mk
++++ freeradius/src/main/radattr.mk
+@@ -8,3 +8,4 @@ TGT_PREREQS += libfreeradius-dhcp.a
+ endif
+
+ TGT_LDLIBS := $(LIBS)
++TGT_INSTALLDIR :=
diff --git a/debian/patches/fix-intermediate-ca.patch b/debian/patches/fix-intermediate-ca.patch
new file mode 100644
index 0000000..e4e1ffc
--- /dev/null
+++ b/debian/patches/fix-intermediate-ca.patch
@@ -0,0 +1,33 @@
+From aa5b642a3d6fed8663e5242d91884d25d14e9f53 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Tue, 25 Oct 2022 08:59:53 -0400
+Subject: [PATCH] move partial chain set to after set cert store. Should fix
+ #4753
+
+---
+ src/main/tls.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index 118978b52a3f..8a6844f4939b 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -3987,14 +3987,15 @@ SSL_CTX *tls_init_ctx(fr_tls_server_conf_t *conf, int client, char const *chain_
+ /*
+ * Load the CAs we trust and configure CRL checks if needed
+ */
+-#if defined(X509_V_FLAG_PARTIAL_CHAIN)
+- X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
+-#endif
+ if (conf->ca_file || conf->ca_path) {
+ if ((certstore = fr_init_x509_store(conf)) == NULL ) return NULL;
+ SSL_CTX_set_cert_store(ctx, certstore);
+ }
+
++#if defined(X509_V_FLAG_PARTIAL_CHAIN)
++ X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
++#endif
++
+ if (conf->ca_file && *conf->ca_file) SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf->ca_file));
+
+ conf->ca_path_last_reload = time(NULL);
diff --git a/debian/patches/fix-tls-client-cert-common-name-1.patch b/debian/patches/fix-tls-client-cert-common-name-1.patch
new file mode 100644
index 0000000..e0cf181
--- /dev/null
+++ b/debian/patches/fix-tls-client-cert-common-name-1.patch
@@ -0,0 +1,40 @@
+From d23987cbf55821dc56ab70d5ce6af3305cf83289 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Tue, 25 Oct 2022 10:51:02 -0400
+Subject: [PATCH] set partial chain always. Helps with #4785
+
+---
+ src/main/tls.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index aa6395d8391f..a33699cbb66e 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -3546,6 +3546,11 @@ X509_STORE *fr_init_x509_store(fr_tls_server_conf_t *conf)
+ if (conf->check_all_crl)
+ X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK_ALL);
+ #endif
++
++#if defined(X509_V_FLAG_PARTIAL_CHAIN)
++ X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN);
++#endif
++
+ return store;
+ }
+
+@@ -4011,11 +4016,11 @@ SSL_CTX *tls_init_ctx(fr_tls_server_conf_t *conf, int client, char const *chain_
+ if (conf->ca_file || conf->ca_path) {
+ if ((certstore = fr_init_x509_store(conf)) == NULL ) return NULL;
+ SSL_CTX_set_cert_store(ctx, certstore);
+- }
+-
++ } else {
+ #if defined(X509_V_FLAG_PARTIAL_CHAIN)
+- X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
++ X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
+ #endif
++ }
+
+ if (conf->ca_file && *conf->ca_file) SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf->ca_file));
+
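Review bot: After this patch X509_V_FLAG_PARTIAL_CHAIN is set on every store the server builds — inside fr_init_x509_store() for the ca_file/ca_path case and in the new else branch for the context's default store — but nothing in the hunk records what that means for operators: with partial chains enabled, any certificate present in ca_file/ca_path (intermediates included) is accepted as a trust anchor, so a peer chain no longer has to reach a self-signed root. A short comment above the new block in fr_init_x509_store(), such as `/* Every cert in ca_file/ca_path is a trust anchor: an intermediate CA alone suffices to verify a peer. */`, would make the trust model explicit, and the duplicated #if block in the else branch could refer to it instead of repeating the flag unexplained. Both fr_init_x509_store() and tls_init_ctx() begin outside the hunk.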
diff --git a/debian/patches/fix-tls-client-cert-common-name-2.patch b/debian/patches/fix-tls-client-cert-common-name-2.patch
new file mode 100644
index 0000000..f7207db
--- /dev/null
+++ b/debian/patches/fix-tls-client-cert-common-name-2.patch
@@ -0,0 +1,29 @@
+From 3d08027f30c6d9c1eaccf7d60c68c8f7d78017c3 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Wed, 26 Oct 2022 07:31:43 -0400
+Subject: [PATCH] fix cert order only for lookup=0. Fixes #4785
+
+---
+ src/main/tls.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index a33699cbb66e..c67148cf12c7 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -3015,7 +3015,14 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
+ */
+ if (lookup > 1) {
+ if (!my_ok) lookup = 1;
+- } else {
++
++ } else if (lookup == 0) {
++ /*
++ * This flag is only set for outbound
++ * connections. And then allows us to remap SSL
++ * offset 0 (server) to our offset 1 (also
++ * server).
++ */
+ lookup = (SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_FIX_CERT_ORDER) != NULL);
+ }
+
diff --git a/debian/patches/fix-ttls-mschapv2.patch b/debian/patches/fix-ttls-mschapv2.patch
new file mode 100644
index 0000000..17581e4
--- /dev/null
+++ b/debian/patches/fix-ttls-mschapv2.patch
@@ -0,0 +1,40 @@
+From 0812bc1768cedc420adc03e86893d798fa19e872 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Wed, 1 Feb 2023 14:38:53 -0500
+Subject: [PATCH] be more careful about session established. Fixes #4878
+
+---
+ src/main/tls.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index 5ca2f5fed250..4f34d70faccc 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -5338,7 +5338,13 @@ fr_tls_status_t tls_ack_handler(tls_session_t *ssn, REQUEST *request)
+ return FR_TLS_FAIL;
+
+ case handshake:
+- if ((ssn->is_init_finished) && (ssn->dirty_out.used == 0)) {
++ if (ssn->dirty_out.used > 0) {
++ RDEBUG2("(TLS) Peer ACKed our handshake fragment");
++ /* Fragmentation handler, send next fragment */
++ return FR_TLS_REQUEST;
++ }
++
++ if (ssn->is_init_finished || SSL_is_init_finished(ssn->ssl)) {
+ RDEBUG2("(TLS) Peer ACKed our handshake fragment. handshake is finished");
+
+ /*
+@@ -5350,9 +5356,8 @@ fr_tls_status_t tls_ack_handler(tls_session_t *ssn, REQUEST *request)
+ return FR_TLS_SUCCESS;
+ } /* else more data to send */
+
+- RDEBUG2("(TLS) Peer ACKed our handshake fragment");
+- /* Fragmentation handler, send next fragment */
+- return FR_TLS_REQUEST;
++ REDEBUG("(TLS) Cannot continue, as the peer is misbehaving.");
++ return FR_TLS_FAIL;
+
+ case application_data:
+ RDEBUG2("(TLS) Peer ACKed our application data fragment");
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..c77bc2e
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,12 @@
+debian-local/0001-Rename-radius-to-freeradius.patch
+0002-gitignore.diff.patch
+0006-jradius.diff.patch
+0009-dhcp-sqlipool-Comment-out-mysql.patch
+debian-local/0010-version.c-disable-openssl-version-check.patch
+dont-install-tests.diff
+snakeoil-certs.diff
+#python_config_script_update.diff
+fix-ttls-mschapv2.patch
+fix-intermediate-ca.patch
+fix-tls-client-cert-common-name-1.patch
+fix-tls-client-cert-common-name-2.patch
diff --git a/debian/patches/snakeoil-certs.diff b/debian/patches/snakeoil-certs.diff
new file mode 100644
index 0000000..447b329
--- /dev/null
+++ b/debian/patches/snakeoil-certs.diff
@@ -0,0 +1,132 @@
+Description: Use snakeoil certificates.
+Author: Michael Stapelberg <stapelberg@debian.org>
+Last-Updated: 2016-09-16
+Forwarded: not-needed
+
+---
+
+--- a/raddb/mods-available/eap
++++ b/raddb/mods-available/eap
+@@ -176,7 +176,7 @@
+ #
+ tls-config tls-common {
+ private_key_password = whatever
+- private_key_file = ${certdir}/server.pem
++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+
+ # If Private key & Certificate are located in
+ # the same file, then private_key_file &
+@@ -212,7 +212,7 @@
+ # give advice which will work everywhere. Instead,
+ # we give general guidelines.
+ #
+- certificate_file = ${certdir}/server.pem
++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+
+ # Trusted Root CA list
+ #
+@@ -225,7 +225,7 @@
+ # In that case, this CA file should contain
+ # *one* CA certificate.
+ #
+- ca_file = ${cadir}/ca.pem
++ ca_file = /etc/ssl/certs/ca-certificates.crt
+
+ # OpenSSL will automatically create certificate chains,
+ # unless we tell it to not do that. The problem is that
+--- a/raddb/mods-available/inner-eap
++++ b/raddb/mods-available/inner-eap
+@@ -59,7 +59,7 @@
+ #
+ tls {
+ private_key_password = whatever
+- private_key_file = ${certdir}/inner-server.pem
++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+
+ # If Private key & Certificate are located in
+ # the same file, then private_key_file &
+@@ -71,11 +71,11 @@
+ # only the server certificate, but ALSO all
+ # of the CA certificates used to sign the
+ # server certificate.
+- certificate_file = ${certdir}/inner-server.pem
++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+
+ # You may want different CAs for inner and outer
+ # certificates. If so, edit this file.
+- ca_file = ${cadir}/ca.pem
++ ca_file = /etc/ssl/certs/ca-certificates.crt
+
+ cipher_list = "DEFAULT"
+
+--- a/raddb/sites-available/abfab-tls
++++ b/raddb/sites-available/abfab-tls
+@@ -14,9 +14,9 @@
+ private_key_password = whatever
+
+ # Moonshot tends to distribute certs separate from keys
+- private_key_file = ${certdir}/server.key
+- certificate_file = ${certdir}/server.pem
+- ca_file = ${cadir}/ca.pem
++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
++ ca_file = /etc/ssl/certs/ca-certificates.crt
+ dh_file = ${certdir}/dh
+ fragment_size = 8192
+ ca_path = ${cadir}
+--- a/raddb/sites-available/tls
++++ b/raddb/sites-available/tls
+@@ -161,7 +161,7 @@
+ #
+ tls {
+ private_key_password = whatever
+- private_key_file = ${certdir}/server.pem
++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+
+ # Accept an expired Certificate Revocation List
+ #
+@@ -177,7 +177,7 @@
+ # only the server certificate, but ALSO all
+ # of the CA certificates used to sign the
+ # server certificate.
+- certificate_file = ${certdir}/server.pem
++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+
+ # Trusted Root CA list
+ #
+@@ -194,7 +194,7 @@
+ # not use client certificates, and you do not want
+ # to permit EAP-TLS authentication, then delete
+ # this configuration item.
+- ca_file = ${cadir}/ca.pem
++ ca_file = /etc/ssl/certs/ca-certificates.crt
+
+ # For DH cipher suites to work in OpenSSL < 1.1.0,
+ # you have to run OpenSSL to create the DH file
+@@ -551,7 +551,7 @@
+ # hostname = "example.com"
+
+ private_key_password = whatever
+- private_key_file = ${certdir}/client.pem
++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+
+ # If Private key & Certificate are located in
+ # the same file, then private_key_file &
+@@ -563,7 +563,7 @@
+ # only the server certificate, but ALSO all
+ # of the CA certificates used to sign the
+ # server certificate.
+- certificate_file = ${certdir}/client.pem
++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+
+ # Trusted Root CA list
+ #
+@@ -580,7 +580,7 @@
+ # not use client certificates, and you do not want
+ # to permit EAP-TLS authentication, then delete
+ # this configuration item.
+- ca_file = ${cadir}/ca.pem
++ ca_file = /etc/ssl/certs/ca-certificates.crt
+
+ #
+ # Before version 3.2.1, outbound RadSec connections
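Review bot: Every `ca_file` in this patch is repointed at `/etc/ssl/certs/ca-certificates.crt`, the system bundle of public root CAs, in eap, inner-eap, abfab-tls and tls. Per the surrounding context ("Trusted Root CA list" / "If you do not use client certificates ... delete this configuration item"), ca_file is the issuer set accepted for client certificates, so wherever these virtual servers are enabled a certificate from any public CA will pass chain verification for EAP-TLS or RadSec out of the box; the description "Use snakeoil certificates." only explains the server-side key/cert substitution. A comment beside each changed line, e.g. `# Debian default: the system CA bundle. A client cert chaining to any public CA verifies; point ca_file at your own CA, or add certificate attribute checks, before relying on EAP-TLS.`, would stop administrators from deploying the default unknowingly.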