- resolves: bug #526559 initial install should run bootstrap to create

certificates running radiusd in debug mode to generate inital temporary
    certificates is no longer necessary, the /etc/raddb/certs/bootstrap is
    invoked on initial rpm install (not upgrade) if there is no existing
    /etc/raddb/certs/server.pem file
- resolves: bug #528493 use sha1 algorithm instead of md5 during cert
    generation the certificate configuration
    (/etc/raddb/certs/{ca,server,client}.cnf) files were modifed to use
    sha1 instead of md5 and the validity reduced from 1 year to 2 months

freeradius-cert-config.patch

@@ -0,0 +1,68 @@
+diff -r -u freeradius-server-2.1.8.orig/raddb/certs/ca.cnf freeradius-server-2.1.8/raddb/certs/ca.cnf
+--- freeradius-server-2.1.8.orig/raddb/certs/ca.cnf	2009-12-30 10:44:35.000000000 -0500
++++ freeradius-server-2.1.8/raddb/certs/ca.cnf	2010-01-08 12:35:23.000000000 -0500
+@@ -14,9 +14,9 @@
+ RANDFILE		= $dir/.rand
+ name_opt		= ca_default
+ cert_opt		= ca_default
+-default_days		= 365
++default_days		= 60
+ default_crl_days	= 30
+-default_md		= md5
++default_md		= sha1
+ preserve		= no
+ policy			= policy_match
+ 
+Only in freeradius-server-2.1.8/raddb/certs: ca.cnf~
+diff -r -u freeradius-server-2.1.8.orig/raddb/certs/client.cnf freeradius-server-2.1.8/raddb/certs/client.cnf
+--- freeradius-server-2.1.8.orig/raddb/certs/client.cnf	2009-12-30 10:44:35.000000000 -0500
++++ freeradius-server-2.1.8/raddb/certs/client.cnf	2010-01-08 12:35:37.000000000 -0500
+@@ -14,9 +14,9 @@
+ RANDFILE		= $dir/.rand
+ name_opt		= ca_default
+ cert_opt		= ca_default
+-default_days		= 365
++default_days		= 60
+ default_crl_days	= 30
+-default_md		= md5
++default_md		= sha1
+ preserve		= no
+ policy			= policy_match
+ 
+Only in freeradius-server-2.1.8/raddb/certs: client.cnf~
+diff -r -u freeradius-server-2.1.8.orig/raddb/certs/server.cnf freeradius-server-2.1.8/raddb/certs/server.cnf
+--- freeradius-server-2.1.8.orig/raddb/certs/server.cnf	2009-12-30 10:44:35.000000000 -0500
++++ freeradius-server-2.1.8/raddb/certs/server.cnf	2010-01-08 12:35:05.000000000 -0500
+@@ -14,9 +14,9 @@
+ RANDFILE		= $dir/.rand
+ name_opt		= ca_default
+ cert_opt		= ca_default
+-default_days		= 365
++default_days		= 60
+ default_crl_days	= 30
+-default_md		= md5
++default_md		= sha1
+ preserve		= no
+ policy			= policy_match
+ 
+Only in freeradius-server-2.1.8/raddb/certs: server.cnf~
+diff -r -u freeradius-server-2.1.8.orig/raddb/eap.conf freeradius-server-2.1.8/raddb/eap.conf
+--- freeradius-server-2.1.8.orig/raddb/eap.conf	2009-12-30 10:44:35.000000000 -0500
++++ freeradius-server-2.1.8/raddb/eap.conf	2010-01-08 12:36:04.000000000 -0500
+@@ -251,15 +251,6 @@
+ 			cipher_list = "DEFAULT"
+ 
+ 			#
+-
+-			#  This configuration entry should be deleted
+-			#  once the server is running in a normal
+-			#  configuration.  It is here ONLY to make
+-			#  initial deployments easier.
+-			#
+-			make_cert_command = "${certdir}/bootstrap"
+-
+-			#
+ 			#  Session resumption / fast reauthentication
+ 			#  cache.
+ 			#
+Only in freeradius-server-2.1.8/raddb: eap.conf~

freeradius-radiusd-init

@@ -21,18 +21,20 @@
 . /etc/rc.d/init.d/functions
 
 prog=radiusd
-exec=/usr/sbin/$prog
-config=/etc/raddb/radiusd.conf
-pidfile=/var/run/$prog/$prog.pid
-lockfile=/var/lock/subsys/radiusd
 
 [ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
 
+exec=${exec:=/usr/sbin/$prog}
+config_dir=${config_dir:=/etc/raddb}
+config=${config:=$config_dir/radiusd.conf}
+pidfile=${pidfile:=/var/run/$prog/$prog.pid}
+lockfile=${lockfile:=/var/lock/subsys/radiusd}
+
 start() {
     [ -x $exec ] || exit 5
     [ -f $config ] || exit 6
     echo -n $"Starting $prog: "
-    daemon --pidfile $pidfile $exec
+    daemon --pidfile $pidfile $exec -d $config_dir
     retval=$?
     echo
     [ $retval -eq 0 ] && touch $lockfile

freeradius.spec

@@ -1,7 +1,7 @@
 Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius
 Version: 2.1.8
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Daemons
 URL: http://www.freeradius.org/
@@ -11,6 +11,8 @@ Source100: freeradius-radiusd-init
 Source102: freeradius-logrotate
 Source103: freeradius-pam-conf
 
+Patch1: freeradius-cert-config.patch
+
 Obsoletes: freeradius-devel
 Obsoletes: freeradius-libs
 
@@ -139,6 +141,7 @@ This plugin provides the unixODBC support for the FreeRADIUS server project.
 
 %prep
 %setup -q -n freeradius-server-%{version}
+%patch1 -p1 -b .cert-config
 # Some source files mistakenly have execute permissions set
 find $RPM_BUILD_DIR/freeradius-server-%{version} \( -name '*.c' -o -name '*.h' \) -a -perm /0111 -exec chmod a-x {} +
 
@@ -248,6 +251,9 @@ exit 0
 %post
 if [ $1 = 1 ]; then
   /sbin/chkconfig --add radiusd
+  if [ ! -e /etc/raddb/certs/server.pem ]; then
+    /sbin/runuser -g radiusd -c 'umask 007; /etc/raddb/certs/bootstrap' > /dev/null 2>&1 || :
+  fi
 fi
 
 %preun
@@ -551,6 +557,15 @@ fi
 %{_libdir}/freeradius/rlm_sql_unixodbc-%{version}.so
 
 %changelog
+* Thu Jan  7 2010 John Dennis <jdennis@redhat.com> - 2.1.8-2
+- resolves: bug #526559 initial install should run bootstrap to create certificates
+  running radiusd in debug mode to generate inital temporary certificates
+  is no longer necessary, the /etc/raddb/certs/bootstrap is invoked on initial
+  rpm install (not upgrade) if there is no existing /etc/raddb/certs/server.pem file
+- resolves: bug #528493 use sha1 algorithm instead of md5 during cert generation
+  the certificate configuration (/etc/raddb/certs/{ca,server,client}.cnf) files
+  were modifed to use sha1 instead of md5 and the validity reduced from 1 year to 2 months
+
 * Wed Dec 30 2009 John Dennis <jdennis@redhat.com> - 2.1.8-1
 - update to latest upstream
   Feature improvements