Use system crypto policy by default

Resolves: Bug#1179224
This commit is contained in:
Nikolai Kondrashov 2016-09-27 12:48:37 +03:00
parent 0ae3e30c65
commit 55d9285155
2 changed files with 83 additions and 1 deletions

View File

@ -0,0 +1,76 @@
From 7811b36eba8d10f6f9425d120e6999211b3addde Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Mon, 26 Sep 2016 19:48:36 +0300
Subject: [PATCH] Use system crypto policy by default
---
raddb/mods-available/eap | 2 +-
raddb/mods-available/inner-eap | 2 +-
raddb/sites-available/abfab-tls | 2 +-
raddb/sites-available/tls | 4 ++--
4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
index 8f38c47..432389a 100644
--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
@@ -320,7 +320,7 @@ eap {
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
- cipher_list = "DEFAULT"
+ cipher_list = "PROFILE=SYSTEM"
# Work-arounds for OpenSSL nonsense
# OpenSSL 1.0.1f and 1.0.1g do not calculate
diff --git a/raddb/mods-available/inner-eap b/raddb/mods-available/inner-eap
index 2b4df62..af9aa88 100644
--- a/raddb/mods-available/inner-eap
+++ b/raddb/mods-available/inner-eap
@@ -68,7 +68,7 @@ eap inner-eap {
# certificates. If so, edit this file.
ca_file = ${cadir}/ca.pem
- cipher_list = "DEFAULT"
+ cipher_list = "PROFILE=SYSTEM"
# You may want to set a very small fragment size.
# The TLS data here needs to go inside of the
diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls
index 79d74e6..d04d6be 100644
--- a/raddb/sites-available/abfab-tls
+++ b/raddb/sites-available/abfab-tls
@@ -19,7 +19,7 @@ listen {
dh_file = ${certdir}/dh
fragment_size = 8192
ca_path = ${cadir}
- cipher_list = "DEFAULT"
+ cipher_list = "PROFILE=SYSTEM"
cache {
enable = no
diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
index eb60fa5..9b340d2 100644
--- a/raddb/sites-available/tls
+++ b/raddb/sites-available/tls
@@ -197,7 +197,7 @@ listen {
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
- cipher_list = "DEFAULT"
+ cipher_list = "PROFILE=SYSTEM"
#
# Session resumption / fast reauthentication
@@ -493,7 +493,7 @@ home_server tls {
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
- cipher_list = "DEFAULT"
+ cipher_list = "PROFILE=SYSTEM"
}
}
--
2.9.3

View File

@ -1,7 +1,7 @@
Summary: High-performance and highly configurable free RADIUS server
Name: freeradius
Version: 3.0.11
Release: 2%{?dist}
Release: 3%{?dist}
License: GPLv2+ and LGPLv2+
Group: System Environment/Daemons
URL: http://www.freeradius.org/
@ -22,6 +22,7 @@ Source103: freeradius-pam-conf
Source104: freeradius-tmpfiles.conf
Patch1: freeradius-redhat-config.patch
Patch2: Use-system-crypto-policy-by-default.patch
%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
@ -188,6 +189,7 @@ This plugin provides the REST support for the FreeRADIUS server project.
# Note: We explicitly do not make patch backup files because 'make install'
# mistakenly includes the backup files, especially problematic for raddb config files.
%patch1 -p1
%patch2 -p1
%build
# Force compile/link options, extra security for network facing daemon
@ -782,6 +784,10 @@ exit 0
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
%changelog
* Mon Sep 26 2016 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.11-3
- Switch default configuration to use system's crypto policy.
Resolves: Bug#1179224
* Tue May 17 2016 Jitka Plesnikova <jplesnik@redhat.com> - 3.0.11-2
- Perl 5.24 rebuild