- resolves: bug #526559 initial install should run bootstrap to create
certificates running radiusd in debug mode to generate inital temporary
certificates is no longer necessary, the /etc/raddb/certs/bootstrap is
invoked on initial rpm install (not upgrade) if there is no existing
/etc/raddb/certs/server.pem file
- resolves: bug #528493 use sha1 algorithm instead of md5 during cert
generation the certificate configuration
(/etc/raddb/certs/{ca,server,client}.cnf) files were modifed to use
sha1 instead of md5 and the validity reduced from 1 year to 2 months
This commit is contained in:
John Dennis
parent
dd59821020
commit
19b7b49d75
68
freeradius-cert-config.patch
Normal file
68
freeradius-cert-config.patch
Normal file
@ -0,0 +1,68 @@
|
||||
diff -r -u freeradius-server-2.1.8.orig/raddb/certs/ca.cnf freeradius-server-2.1.8/raddb/certs/ca.cnf
|
||||
--- freeradius-server-2.1.8.orig/raddb/certs/ca.cnf 2009-12-30 10:44:35.000000000 -0500
|
||||
+++ freeradius-server-2.1.8/raddb/certs/ca.cnf 2010-01-08 12:35:23.000000000 -0500
|
||||
@@ -14,9 +14,9 @@
|
||||
RANDFILE = $dir/.rand
|
||||
name_opt = ca_default
|
||||
cert_opt = ca_default
|
||||
-default_days = 365
|
||||
+default_days = 60
|
||||
default_crl_days = 30
|
||||
-default_md = md5
|
||||
+default_md = sha1
|
||||
preserve = no
|
||||
policy = policy_match
|
||||
|
||||
Only in freeradius-server-2.1.8/raddb/certs: ca.cnf~
|
||||
diff -r -u freeradius-server-2.1.8.orig/raddb/certs/client.cnf freeradius-server-2.1.8/raddb/certs/client.cnf
|
||||
--- freeradius-server-2.1.8.orig/raddb/certs/client.cnf 2009-12-30 10:44:35.000000000 -0500
|
||||
+++ freeradius-server-2.1.8/raddb/certs/client.cnf 2010-01-08 12:35:37.000000000 -0500
|
||||
@@ -14,9 +14,9 @@
|
||||
RANDFILE = $dir/.rand
|
||||
name_opt = ca_default
|
||||
cert_opt = ca_default
|
||||
-default_days = 365
|
||||
+default_days = 60
|
||||
default_crl_days = 30
|
||||
-default_md = md5
|
||||
+default_md = sha1
|
||||
preserve = no
|
||||
policy = policy_match
|
||||
|
||||
Only in freeradius-server-2.1.8/raddb/certs: client.cnf~
|
||||
diff -r -u freeradius-server-2.1.8.orig/raddb/certs/server.cnf freeradius-server-2.1.8/raddb/certs/server.cnf
|
||||
--- freeradius-server-2.1.8.orig/raddb/certs/server.cnf 2009-12-30 10:44:35.000000000 -0500
|
||||
+++ freeradius-server-2.1.8/raddb/certs/server.cnf 2010-01-08 12:35:05.000000000 -0500
|
||||
@@ -14,9 +14,9 @@
|
||||
RANDFILE = $dir/.rand
|
||||
name_opt = ca_default
|
||||
cert_opt = ca_default
|
||||
-default_days = 365
|
||||
+default_days = 60
|
||||
default_crl_days = 30
|
||||
-default_md = md5
|
||||
+default_md = sha1
|
||||
preserve = no
|
||||
policy = policy_match
|
||||
|
||||
Only in freeradius-server-2.1.8/raddb/certs: server.cnf~
|
||||
diff -r -u freeradius-server-2.1.8.orig/raddb/eap.conf freeradius-server-2.1.8/raddb/eap.conf
|
||||
--- freeradius-server-2.1.8.orig/raddb/eap.conf 2009-12-30 10:44:35.000000000 -0500
|
||||
+++ freeradius-server-2.1.8/raddb/eap.conf 2010-01-08 12:36:04.000000000 -0500
|
||||
@@ -251,15 +251,6 @@
|
||||
cipher_list = "DEFAULT"
|
||||
|
||||
#
|
||||
-
|
||||
- # This configuration entry should be deleted
|
||||
- # once the server is running in a normal
|
||||
- # configuration. It is here ONLY to make
|
||||
- # initial deployments easier.
|
||||
- #
|
||||
- make_cert_command = "${certdir}/bootstrap"
|
||||
-
|
||||
- #
|
||||
# Session resumption / fast reauthentication
|
||||
# cache.
|
||||
#
|
||||
Only in freeradius-server-2.1.8/raddb: eap.conf~
|
||||
@ -21,18 +21,20 @@
|
||||
. /etc/rc.d/init.d/functions
|
||||
|
||||
prog=radiusd
|
||||
exec=/usr/sbin/$prog
|
||||
config=/etc/raddb/radiusd.conf
|
||||
pidfile=/var/run/$prog/$prog.pid
|
||||
lockfile=/var/lock/subsys/radiusd
|
||||
|
||||
[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
|
||||
|
||||
exec=${exec:=/usr/sbin/$prog}
|
||||
config_dir=${config_dir:=/etc/raddb}
|
||||
config=${config:=$config_dir/radiusd.conf}
|
||||
pidfile=${pidfile:=/var/run/$prog/$prog.pid}
|
||||
lockfile=${lockfile:=/var/lock/subsys/radiusd}
|
||||
|
||||
start() {
|
||||
[ -x $exec ] || exit 5
|
||||
[ -f $config ] || exit 6
|
||||
echo -n $"Starting $prog: "
|
||||
daemon --pidfile $pidfile $exec
|
||||
daemon --pidfile $pidfile $exec -d $config_dir
|
||||
retval=$?
|
||||
echo
|
||||
[ $retval -eq 0 ] && touch $lockfile
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
Summary: High-performance and highly configurable free RADIUS server
|
||||
Name: freeradius
|
||||
Version: 2.1.8
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: GPLv2+ and LGPLv2+
|
||||
Group: System Environment/Daemons
|
||||
URL: http://www.freeradius.org/
|
||||
@ -11,6 +11,8 @@ Source100: freeradius-radiusd-init
|
||||
Source102: freeradius-logrotate
|
||||
Source103: freeradius-pam-conf
|
||||
|
||||
Patch1: freeradius-cert-config.patch
|
||||
|
||||
Obsoletes: freeradius-devel
|
||||
Obsoletes: freeradius-libs
|
||||
|
||||
@ -139,6 +141,7 @@ This plugin provides the unixODBC support for the FreeRADIUS server project.
|
||||
|
||||
%prep
|
||||
%setup -q -n freeradius-server-%{version}
|
||||
%patch1 -p1 -b .cert-config
|
||||
# Some source files mistakenly have execute permissions set
|
||||
find $RPM_BUILD_DIR/freeradius-server-%{version} \( -name '*.c' -o -name '*.h' \) -a -perm /0111 -exec chmod a-x {} +
|
||||
|
||||
@ -248,6 +251,9 @@ exit 0
|
||||
%post
|
||||
if [ $1 = 1 ]; then
|
||||
/sbin/chkconfig --add radiusd
|
||||
if [ ! -e /etc/raddb/certs/server.pem ]; then
|
||||
/sbin/runuser -g radiusd -c 'umask 007; /etc/raddb/certs/bootstrap' > /dev/null 2>&1 || :
|
||||
fi
|
||||
fi
|
||||
|
||||
%preun
|
||||
@ -551,6 +557,15 @@ fi
|
||||
%{_libdir}/freeradius/rlm_sql_unixodbc-%{version}.so
|
||||
|
||||
%changelog
|
||||
* Thu Jan 7 2010 John Dennis <jdennis@redhat.com> - 2.1.8-2
|
||||
- resolves: bug #526559 initial install should run bootstrap to create certificates
|
||||
running radiusd in debug mode to generate inital temporary certificates
|
||||
is no longer necessary, the /etc/raddb/certs/bootstrap is invoked on initial
|
||||
rpm install (not upgrade) if there is no existing /etc/raddb/certs/server.pem file
|
||||
- resolves: bug #528493 use sha1 algorithm instead of md5 during cert generation
|
||||
the certificate configuration (/etc/raddb/certs/{ca,server,client}.cnf) files
|
||||
were modifed to use sha1 instead of md5 and the validity reduced from 1 year to 2 months
|
||||
|
||||
* Wed Dec 30 2009 John Dennis <jdennis@redhat.com> - 2.1.8-1
|
||||
- update to latest upstream
|
||||
Feature improvements
|
||||
|
||||
Loading…
Reference in New Issue
Block a user