13 files changed, 574 insertions, 0 deletions

diff --git a/debian/patches/0002-gitignore.diff.patch b/debian/patches/0002-gitignore.diff.patch
new file mode 100644
index 0000000..22013a1
--- /dev/null
+++ b/debian/patches/0002-gitignore.diff.patch
@@ -0,0 +1,29 @@
+From 993eba48a171e70dfe83fa25f04c4d19b257ea1b Mon Sep 17 00:00:00 2001
+From: Sam Hartman <hartmans@debian.org>
+Date: Thu, 18 Sep 2014 15:55:47 -0400
+Subject: gitignore.diff
+
+---
+ .gitignore | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/.gitignore
++++ b/.gitignore
+@@ -1,3 +1,17 @@
++*.la
++*.o
++*.lo
++.libs
++.deps
++build-arch-stamp
++build-indep-stamp
++config.h
++config.log
++config.status
++config.cache
++config.guess.dist
++config.sub.dist
++Make.inc
+ *~
+ *.o
+ *.a
diff --git a/debian/patches/0006-jradius.diff.patch b/debian/patches/0006-jradius.diff.patch
new file mode 100644
index 0000000..2eeee49
--- /dev/null
+++ b/debian/patches/0006-jradius.diff.patch
@@ -0,0 +1,17 @@
+From b72e1d985e709e4c5fd7355747cde8697e665b44 Mon Sep 17 00:00:00 2001
+From: Sam Hartman <hartmans@debian.org>
+Date: Thu, 18 Sep 2014 15:55:52 -0400
+Subject: jradius.diff
+
+---
+ src/modules/stable | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/src/modules/stable
++++ b/src/modules/stable
+@@ -40,3 +40,5 @@
+ rlm_yubikey
+ rlm_redis
+ rlm_rediswho
++rlm_policy
++rlm_jradius
diff --git a/debian/patches/0009-dhcp-sqlipool-Comment-out-mysql.patch b/debian/patches/0009-dhcp-sqlipool-Comment-out-mysql.patch
new file mode 100644
index 0000000..8e09238
--- /dev/null
+++ b/debian/patches/0009-dhcp-sqlipool-Comment-out-mysql.patch
@@ -0,0 +1,22 @@
+From f39ef7f317a49c4e959bed7e9d954e473f49d602 Mon Sep 17 00:00:00 2001
+From: Sam Hartman <hartmans@debian.org>
+Date: Wed, 1 Oct 2014 16:38:16 -0400
+Subject: dhcp sqlipool: Comment out mysql
+
+So freeradius does not depend on freeradius-mysql
+---
+ raddb/modules/dhcp_sqlippool | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/raddb/mods-available/dhcp_sqlippool
++++ b/raddb/mods-available/dhcp_sqlippool
+@@ -97,5 +97,8 @@
+ 		nopool = "DHCP: No ${..pool_name} defined (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
+ 	}
+ 
+-	$INCLUDE ${modconfdir}/sql/ippool-dhcp/${dialect}/queries.conf
++	# This line is commented by default to enable clean startup when you
++	# don't have freeradius-mysql installed. Uncomment this line if you 
++	# use this module.
++	#$INCLUDE ${modconfdir}/sql/ippool-dhcp/${dialect}/queries.conf
+ }
diff --git a/debian/patches/debian-local/0001-Rename-radius-to-freeradius.patch b/debian/patches/debian-local/0001-Rename-radius-to-freeradius.patch
new file mode 100644
index 0000000..fda1cf0
--- /dev/null
+++ b/debian/patches/debian-local/0001-Rename-radius-to-freeradius.patch
@@ -0,0 +1,152 @@
+Author: Sam Hartman <hartmans@debian.org>
+Description: Rename radius to freeradius
+Last-Updated: 2016-09-16
+Forwarded: not-needed
+
+---
+
+--- a/Make.inc.in
++++ b/Make.inc.in
+@@ -98,7 +98,7 @@
+ 
+ LOGDIR		= ${logdir}
+ RADDBDIR	= ${raddbdir}
+-RUNDIR		= ${localstatedir}/run/radiusd
++RUNDIR		= ${localstatedir}/run/freeradius
+ SBINDIR		= ${sbindir}
+ RADIR		= ${radacctdir}
+ LIBRADIUS	= $(top_builddir)/src/lib/$(LIBPREFIX)freeradius-radius.la $(TALLOC_LIBS)
+--- a/raddb/radiusd.conf.in
++++ b/raddb/radiusd.conf.in
+@@ -91,7 +91,7 @@
+ 
+ #
+ #  name of the running server.  See also the "-n" command-line option.
+-name = radiusd
++name = freeradius
+ 
+ #  Location of config and logfiles.
+ confdir = ${raddbdir}
+@@ -447,8 +447,8 @@
+ 	#  member.  This can allow for some finer-grained access
+ 	#  controls.
+ 	#
+-#	user = radius
+-#	group = radius
++	user = freerad
++	group = freerad
+ 
+ 	#  Core dumps are a bad thing.  This should only be set to
+ 	#  'yes' if you're debugging a problem with the server.
+--- a/scripts/monit/freeradius.monitrc
++++ b/scripts/monit/freeradius.monitrc
+@@ -8,9 +8,9 @@
+ #  Totalmem limit should be lowered to 200.0 if none of the
+ #  interpreted language modules or rlm_cache are being used.
+ #
+-check process radiusd with pidfile /var/run/radiusd/radiusd.pid
+-   start program = "/etc/init.d/radiusd start"
+-   stop program = "/etc/init.d/radiusd stop"
++check process freeradius with pidfile /var/run/freeradius/freeradius.pid
++   start program = "/etc/init.d/freeradius start"
++   stop program = "/etc/init.d/freeradius stop"
+    if failed host 127.0.0.1 port 1812 type udp protocol radius secret testing123 then alert
+    if failed host 127.0.0.1 port 1813 type udp protocol radius secret testing123 then alert
+    if cpu > 95% for 2 cycles then alert
+--- a/raddb/sites-available/control-socket
++++ b/raddb/sites-available/control-socket
+@@ -72,12 +72,12 @@
+ 	#
+ 	#  Name of user that is allowed to connect to the control socket.
+ 	#
+-#	uid = radius
++#	uid = freerad
+ 
+ 	#
+ 	#  Name of group that is allowed to connect to the control socket.
+ 	#
+-#	gid = radius
++#	gid = freerad
+ 
+ 	#
+ 	#  Access mode.
+--- a/src/main/radiusd.c
++++ b/src/main/radiusd.c
+@@ -102,7 +102,6 @@
+ 	bool display_version = false;
+ 	int flag = 0;
+ 	int from_child[2] = {-1, -1};
+-	char *p;
+ 	fr_state_t *state = NULL;
+ 
+ 	/*
+@@ -137,13 +136,7 @@
+ 	main_config.myip.af = AF_UNSPEC;
+ 	main_config.port = 0;
+ 	main_config.daemonize = true;
+-
+-	p = strrchr(argv[0], FR_DIR_SEP);
+-	if (!p) {
+-		main_config.name = argv[0];
+-	} else {
+-		main_config.name = p + 1;
+-	}
++	main_config.name = "radiusd";
+ 
+ 	/*
+ 	 *	Don't put output anywhere until we get told a little
+@@ -697,7 +690,7 @@
+ {
+ 	FILE *output = status?stderr:stdout;
+ 
+-	fprintf(output, "Usage: %s [options]\n", main_config.name);
++	fprintf(output, "Usage: freeradius [options]\n");
+ 	fprintf(output, "Options:\n");
+ 	fprintf(output, "  -C            Check configuration and exit.\n");
+ 	fprintf(stderr, "  -d <raddb>    Set configuration directory (defaults to " RADDBDIR ").\n");
+--- a/man/man8/radiusd.8
++++ b/man/man8/radiusd.8
+@@ -56,7 +56,7 @@
+ for an informative list of which modules are checked for correct
+ configuration, and which modules are skipped, and therefore not checked.
+ .IP "\-d \fIconfig directory\fP"
+-Defaults to \fI/etc/raddb\fP. \fBRadiusd\fP looks here for its configuration
++Defaults to \fI/etc/freeradius\fP. \fBRadiusd\fP looks here for its configuration
+ files such as the \fIdictionary\fP and the \fIusers\fP files.
+ .IP "\-D \fIdictionary directory\fP"
+ Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
+@@ -80,7 +80,7 @@
+ On SIGINT or SIGQUIT exit cleanly instead of immediately.
+ This is most useful for when running the server with "valgrind".
+ .IP "\-n \fIname\fP"
+-Read \fIraddb/name.conf\fP instead of \fIraddb/radiusd.conf\fP.
++Read \fIfreeradius/name.conf\fP instead of \fIfreeradius/radiusd.conf\fP.
+ .IP "\-p \fIport\fP"
+ Defines which port is used for receiving authentication packets.
+ Accounting packets are received on "port + 1".
+@@ -147,14 +147,14 @@
+ SQL), then:
+ .PP
+ .in +0.3i
+-a) Edit raddb/modules/foo
++a) Edit freeradius/modules/foo
+ .br
+ This file contains the default configuration for the module.  It
+ contains comments describing what can be configured, and what those
+ configuration entries mean.
+ .br
+ .br
+-b) Edit raddb/sites-available/default
++b) Edit freeradius/sites-available/default
+ .br
+ This file contains the default policy for the server.  e.g. "enable
+ CHAP, MS-CHAP, and EAP authentication".  Look in this file for all
+@@ -163,7 +163,7 @@
+ the module.
+ .br
+ .br
+-c) Edit raddb/sites-available/inner-tunnel
++c) Edit freeradius/sites-available/inner-tunnel
+ .br
+ This file contains the default policy for the "tunneled" portion of
+ certain EAP methods.  Perform the same kind of edits as above, for the
diff --git a/debian/patches/debian-local/0010-version.c-disable-openssl-version-check.patch b/debian/patches/debian-local/0010-version.c-disable-openssl-version-check.patch
new file mode 100644
index 0000000..82e8a9c
--- /dev/null
+++ b/debian/patches/debian-local/0010-version.c-disable-openssl-version-check.patch
@@ -0,0 +1,32 @@
+From 1b4e8e5751c417ba9d3788d264e76aba4f6baa12 Mon Sep 17 00:00:00 2001
+From: Sam Hartman <hartmans@debian.org>
+Date: Thu, 23 Oct 2014 21:44:03 -0400
+Subject: version.c: disable openssl version check
+
+For Debian we don't want to require that the built OpenSSL be the same
+as the linked OpenSSL.  Debian will be responsible for changing the
+soname if the ABI changes.  The version check causes the freeradius
+packages to fail whenever a new OpenSSL is built.
+
+Patch-Category: debian-local
+---
+ src/main/version.c | 45 +++++++--------------------------------------
+ 1 file changed, 7 insertions(+), 38 deletions(-)
+
+--- a/src/main/radiusd.c
++++ b/src/main/radiusd.c
+@@ -277,14 +277,6 @@
+ 
+ 	if (rad_check_lib_magic(RADIUSD_MAGIC_NUMBER) < 0) exit(EXIT_FAILURE);
+ 
+-	/*
+-	 *  Mismatch between build time OpenSSL and linked SSL, better to die
+-	 *  here than segfault later.
+-	 */
+-#ifdef HAVE_OPENSSL_CRYPTO_H
+-	if (ssl_check_consistency() < 0) exit(EXIT_FAILURE);
+-#endif
+-
+ 	if (flag && (flag != 0x03)) {
+ 		fprintf(stderr, "%s: The options -i and -p cannot be used individually.\n",
+ 			main_config.name);
diff --git a/debian/patches/disable-dhcp-bydefault.diff b/debian/patches/disable-dhcp-bydefault.diff
new file mode 100644
index 0000000..a76a085
--- /dev/null
+++ b/debian/patches/disable-dhcp-bydefault.diff
@@ -0,0 +1,12 @@
+diff a/raddb/all.mk b/raddb/all.mk
+--- a/raddb/all.mk
++++ b/raddb/all.mk
+@@ -8,7 +8,7 @@ DEFAULT_SITES :=	default inner-tunnel
+ LOCAL_SITES :=		$(addprefix raddb/sites-enabled/,$(DEFAULT_SITES))
+ 
+ DEFAULT_MODULES :=	always attr_filter cache_eap chap \
+-			detail detail.log digest dhcp dynamic_clients eap \
++			detail detail.log digest dynamic_clients eap \
+ 			echo exec expiration expr files linelog logintime \
+ 			mschap ntlm_auth pap passwd preprocess radutmp realm \
+ 			replicate soh sradutmp unix unpack utf8
diff --git a/debian/patches/dont-install-tests.diff b/debian/patches/dont-install-tests.diff
new file mode 100644
index 0000000..ff2cfab
--- /dev/null
+++ b/debian/patches/dont-install-tests.diff
@@ -0,0 +1,24 @@
+Author: Michael Stapelberg <stapelberg@debian.org>
+Forwarded: https://github.com/FreeRADIUS/freeradius-server/commit/94c42123517c46474e45e545c264de6e5ce228c6
+Last-Update: 2016-10-08
+
+---
+
+Index: freeradius/src/tests/map/map_unit.mk
+===================================================================
+--- freeradius.orig/src/tests/map/map_unit.mk
++++ freeradius/src/tests/map/map_unit.mk
+@@ -3,3 +3,4 @@ SOURCES		:= map_unit.c ${top_srcdir}/src
+ 
+ TGT_PREREQS	:= libfreeradius-server.a libfreeradius-radius.a
+ TGT_LDLIBS	:= $(LIBS)
++TGT_INSTALLDIR	:=
+Index: freeradius/src/main/radattr.mk
+===================================================================
+--- freeradius.orig/src/main/radattr.mk
++++ freeradius/src/main/radattr.mk
+@@ -8,3 +8,4 @@ TGT_PREREQS	+= libfreeradius-dhcp.a
+ endif
+ 
+ TGT_LDLIBS	:= $(LIBS)
++TGT_INSTALLDIR	:=
diff --git a/debian/patches/fix-intermediate-ca.patch b/debian/patches/fix-intermediate-ca.patch
new file mode 100644
index 0000000..e4e1ffc
--- /dev/null
+++ b/debian/patches/fix-intermediate-ca.patch
@@ -0,0 +1,33 @@
+From aa5b642a3d6fed8663e5242d91884d25d14e9f53 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Tue, 25 Oct 2022 08:59:53 -0400
+Subject: [PATCH] move partial chain set to after set cert store.  Should fix
+ #4753
+
+---
+ src/main/tls.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index 118978b52a3f..8a6844f4939b 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -3987,14 +3987,15 @@ SSL_CTX *tls_init_ctx(fr_tls_server_conf_t *conf, int client, char const *chain_
+ 	/*
+ 	 *	Load the CAs we trust and configure CRL checks if needed
+ 	 */
+-#if defined(X509_V_FLAG_PARTIAL_CHAIN)
+-	X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
+-#endif
+ 	if (conf->ca_file || conf->ca_path) {
+ 		if ((certstore = fr_init_x509_store(conf)) == NULL ) return NULL;
+ 		SSL_CTX_set_cert_store(ctx, certstore);
+ 	}
+ 
++#if defined(X509_V_FLAG_PARTIAL_CHAIN)
++	X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
++#endif
++
+ 	if (conf->ca_file && *conf->ca_file) SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf->ca_file));
+ 
+ 	conf->ca_path_last_reload = time(NULL);
diff --git a/debian/patches/fix-tls-client-cert-common-name-1.patch b/debian/patches/fix-tls-client-cert-common-name-1.patch
new file mode 100644
index 0000000..e0cf181
--- /dev/null
+++ b/debian/patches/fix-tls-client-cert-common-name-1.patch
@@ -0,0 +1,40 @@
+From d23987cbf55821dc56ab70d5ce6af3305cf83289 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Tue, 25 Oct 2022 10:51:02 -0400
+Subject: [PATCH] set partial chain always.  Helps with #4785
+
+---
+ src/main/tls.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index aa6395d8391f..a33699cbb66e 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -3546,6 +3546,11 @@ X509_STORE *fr_init_x509_store(fr_tls_server_conf_t *conf)
+ 	if (conf->check_all_crl)
+ 		X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK_ALL);
+ #endif
++
++#if defined(X509_V_FLAG_PARTIAL_CHAIN)
++	X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN);
++#endif
++
+ 	return store;
+ }
+ 
+@@ -4011,11 +4016,11 @@ SSL_CTX *tls_init_ctx(fr_tls_server_conf_t *conf, int client, char const *chain_
+ 	if (conf->ca_file || conf->ca_path) {
+ 		if ((certstore = fr_init_x509_store(conf)) == NULL ) return NULL;
+ 		SSL_CTX_set_cert_store(ctx, certstore);
+-	}
+-
++	} else {
+ #if defined(X509_V_FLAG_PARTIAL_CHAIN)
+-	X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
++		X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
+ #endif
++	}
+ 
+ 	if (conf->ca_file && *conf->ca_file) SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf->ca_file));
+ 
diff --git a/debian/patches/fix-tls-client-cert-common-name-2.patch b/debian/patches/fix-tls-client-cert-common-name-2.patch
new file mode 100644
index 0000000..f7207db
--- /dev/null
+++ b/debian/patches/fix-tls-client-cert-common-name-2.patch
@@ -0,0 +1,29 @@
+From 3d08027f30c6d9c1eaccf7d60c68c8f7d78017c3 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Wed, 26 Oct 2022 07:31:43 -0400
+Subject: [PATCH] fix cert order only for lookup=0.  Fixes #4785
+
+---
+ src/main/tls.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index a33699cbb66e..c67148cf12c7 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -3015,7 +3015,14 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
+ 	 */
+ 	if (lookup > 1) {
+ 		if (!my_ok) lookup = 1;
+-	} else {
++
++	} else if (lookup == 0) {
++		/*
++		 *	This flag is only set for outbound
++		 *	connections.  And then allows us to remap SSL
++		 *	offset 0 (server) to our offset 1 (also
++		 *	server).
++		 */
+ 		lookup = (SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_FIX_CERT_ORDER) != NULL);
+ 	}
+ 
diff --git a/debian/patches/fix-ttls-mschapv2.patch b/debian/patches/fix-ttls-mschapv2.patch
new file mode 100644
index 0000000..17581e4
--- /dev/null
+++ b/debian/patches/fix-ttls-mschapv2.patch
@@ -0,0 +1,40 @@
+From 0812bc1768cedc420adc03e86893d798fa19e872 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Wed, 1 Feb 2023 14:38:53 -0500
+Subject: [PATCH] be more careful about session established.  Fixes #4878
+
+---
+ src/main/tls.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index 5ca2f5fed250..4f34d70faccc 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -5338,7 +5338,13 @@ fr_tls_status_t tls_ack_handler(tls_session_t *ssn, REQUEST *request)
+ 		return FR_TLS_FAIL;
+ 
+ 	case handshake:
+-		if ((ssn->is_init_finished) && (ssn->dirty_out.used == 0)) {
++		if (ssn->dirty_out.used > 0) {
++			RDEBUG2("(TLS) Peer ACKed our handshake fragment");
++			/* Fragmentation handler, send next fragment */
++			return FR_TLS_REQUEST;
++		}
++
++		if (ssn->is_init_finished || SSL_is_init_finished(ssn->ssl)) {
+ 			RDEBUG2("(TLS) Peer ACKed our handshake fragment.  handshake is finished");
+ 
+ 			/*
+@@ -5350,9 +5356,8 @@ fr_tls_status_t tls_ack_handler(tls_session_t *ssn, REQUEST *request)
+ 			return FR_TLS_SUCCESS;
+ 		} /* else more data to send */
+ 
+-		RDEBUG2("(TLS) Peer ACKed our handshake fragment");
+-		/* Fragmentation handler, send next fragment */
+-		return FR_TLS_REQUEST;
++		REDEBUG("(TLS) Cannot continue, as the peer is misbehaving.");
++		return FR_TLS_FAIL;
+ 
+ 	case application_data:
+ 		RDEBUG2("(TLS) Peer ACKed our application data fragment");
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..c77bc2e
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,12 @@
+debian-local/0001-Rename-radius-to-freeradius.patch
+0002-gitignore.diff.patch
+0006-jradius.diff.patch
+0009-dhcp-sqlipool-Comment-out-mysql.patch
+debian-local/0010-version.c-disable-openssl-version-check.patch
+dont-install-tests.diff
+snakeoil-certs.diff
+#python_config_script_update.diff
+fix-ttls-mschapv2.patch
+fix-intermediate-ca.patch
+fix-tls-client-cert-common-name-1.patch
+fix-tls-client-cert-common-name-2.patch
diff --git a/debian/patches/snakeoil-certs.diff b/debian/patches/snakeoil-certs.diff
new file mode 100644
index 0000000..447b329
--- /dev/null
+++ b/debian/patches/snakeoil-certs.diff
@@ -0,0 +1,132 @@
+Description: Use snakeoil certificates.
+Author: Michael Stapelberg <stapelberg@debian.org>
+Last-Updated: 2016-09-16
+Forwarded: not-needed
+
+---
+
+--- a/raddb/mods-available/eap
++++ b/raddb/mods-available/eap
+@@ -176,7 +176,7 @@
+ 	#
+ 	tls-config tls-common {
+ 		private_key_password = whatever
+-		private_key_file = ${certdir}/server.pem
++		private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+ 
+ 		#  If Private key & Certificate are located in
+ 		#  the same file, then private_key_file &
+@@ -212,7 +212,7 @@
+ 		#  give advice which will work everywhere.  Instead,
+ 		#  we give general guidelines.
+ 		#
+-		certificate_file = ${certdir}/server.pem
++		certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+ 
+ 		#  Trusted Root CA list
+ 		#
+@@ -225,7 +225,7 @@
+ 		#  In that case, this CA file should contain
+ 		#  *one* CA certificate.
+ 		#
+-		ca_file = ${cadir}/ca.pem
++		ca_file = /etc/ssl/certs/ca-certificates.crt
+ 
+ 	 	#  OpenSSL will automatically create certificate chains,
+ 	 	#  unless we tell it to not do that.  The problem is that
+--- a/raddb/mods-available/inner-eap
++++ b/raddb/mods-available/inner-eap
+@@ -59,7 +59,7 @@
+ 	#
+ 	tls {
+ 		private_key_password = whatever
+-		private_key_file = ${certdir}/inner-server.pem
++		private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+ 
+ 		#  If Private key & Certificate are located in
+ 		#  the same file, then private_key_file &
+@@ -71,11 +71,11 @@
+ 		#  only the server certificate, but ALSO all
+ 		#  of the CA certificates used to sign the
+ 		#  server certificate.
+-		certificate_file = ${certdir}/inner-server.pem
++		certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+ 
+ 		#  You may want different CAs for inner and outer
+ 		#  certificates.  If so, edit this file.
+-		ca_file = ${cadir}/ca.pem
++		ca_file = /etc/ssl/certs/ca-certificates.crt
+ 
+ 		cipher_list = "DEFAULT"
+ 
+--- a/raddb/sites-available/abfab-tls
++++ b/raddb/sites-available/abfab-tls
+@@ -14,9 +14,9 @@
+ 		private_key_password = whatever
+ 
+ 		# Moonshot tends to distribute certs separate from keys
+-		private_key_file = ${certdir}/server.key
+-		certificate_file = ${certdir}/server.pem
+-		ca_file = ${cadir}/ca.pem
++		private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
++		certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
++		ca_file = /etc/ssl/certs/ca-certificates.crt
+ 		dh_file = ${certdir}/dh
+ 		fragment_size = 8192
+ 		ca_path = ${cadir}
+--- a/raddb/sites-available/tls
++++ b/raddb/sites-available/tls
+@@ -161,7 +161,7 @@
+ 	#
+ 	tls {
+ 		private_key_password = whatever
+-		private_key_file = ${certdir}/server.pem
++		private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+ 
+ 		# Accept an expired Certificate Revocation List
+ 		#
+@@ -177,7 +177,7 @@
+ 		#  only the server certificate, but ALSO all
+ 		#  of the CA certificates used to sign the
+ 		#  server certificate.
+-		certificate_file = ${certdir}/server.pem
++		certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+ 
+ 		#  Trusted Root CA list
+ 		#
+@@ -194,7 +194,7 @@
+ 		#  not use client certificates, and you do not want
+ 		#  to permit EAP-TLS authentication, then delete
+ 		#  this configuration item.
+-		ca_file = ${cadir}/ca.pem
++		ca_file = /etc/ssl/certs/ca-certificates.crt
+ 
+ 		#  For DH cipher suites to work in OpenSSL < 1.1.0,
+ 		#  you have to run OpenSSL to create the DH file
+@@ -551,7 +551,7 @@
+ 	#	hostname = "example.com"
+ 
+ 		private_key_password = whatever
+-		private_key_file = ${certdir}/client.pem
++		private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+ 
+ 		#  If Private key & Certificate are located in
+ 		#  the same file, then private_key_file &
+@@ -563,7 +563,7 @@
+ 		#  only the server certificate, but ALSO all
+ 		#  of the CA certificates used to sign the
+ 		#  server certificate.
+-		certificate_file = ${certdir}/client.pem
++		certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+ 
+ 		#  Trusted Root CA list
+ 		#
+@@ -580,7 +580,7 @@
+ 		#  not use client certificates, and you do not want
+ 		#  to permit EAP-TLS authentication, then delete
+ 		#  this configuration item.
+-		ca_file = ${cadir}/ca.pem
++		ca_file = /etc/ssl/certs/ca-certificates.crt
+ 
+ 		#
+ 		#  Before version 3.2.1, outbound RadSec connections