diff --git a/Use-system-crypto-policy-by-default.patch b/Use-system-crypto-policy-by-default.patch new file mode 100644 index 0000000..c2c6d4f --- /dev/null +++ b/Use-system-crypto-policy-by-default.patch @@ -0,0 +1,76 @@ +From 7811b36eba8d10f6f9425d120e6999211b3addde Mon Sep 17 00:00:00 2001 +From: Nikolai Kondrashov +Date: Mon, 26 Sep 2016 19:48:36 +0300 +Subject: [PATCH] Use system crypto policy by default + +--- + raddb/mods-available/eap | 2 +- + raddb/mods-available/inner-eap | 2 +- + raddb/sites-available/abfab-tls | 2 +- + raddb/sites-available/tls | 4 ++-- + 4 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap +index 8f38c47..432389a 100644 +--- a/raddb/mods-available/eap ++++ b/raddb/mods-available/eap +@@ -320,7 +320,7 @@ eap { + # Set this option to specify the allowed + # TLS cipher suites. The format is listed + # in "man 1 ciphers". +- cipher_list = "DEFAULT" ++ cipher_list = "PROFILE=SYSTEM" + + # Work-arounds for OpenSSL nonsense + # OpenSSL 1.0.1f and 1.0.1g do not calculate +diff --git a/raddb/mods-available/inner-eap b/raddb/mods-available/inner-eap +index 2b4df62..af9aa88 100644 +--- a/raddb/mods-available/inner-eap ++++ b/raddb/mods-available/inner-eap +@@ -68,7 +68,7 @@ eap inner-eap { + # certificates. If so, edit this file. + ca_file = ${cadir}/ca.pem + +- cipher_list = "DEFAULT" ++ cipher_list = "PROFILE=SYSTEM" + + # You may want to set a very small fragment size. + # The TLS data here needs to go inside of the +diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls +index 79d74e6..d04d6be 100644 +--- a/raddb/sites-available/abfab-tls ++++ b/raddb/sites-available/abfab-tls +@@ -19,7 +19,7 @@ listen { + dh_file = ${certdir}/dh + fragment_size = 8192 + ca_path = ${cadir} +- cipher_list = "DEFAULT" ++ cipher_list = "PROFILE=SYSTEM" + + cache { + enable = no +diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls +index eb60fa5..9b340d2 100644 +--- a/raddb/sites-available/tls ++++ b/raddb/sites-available/tls +@@ -197,7 +197,7 @@ listen { + # Set this option to specify the allowed + # TLS cipher suites. The format is listed + # in "man 1 ciphers". +- cipher_list = "DEFAULT" ++ cipher_list = "PROFILE=SYSTEM" + + # + # Session resumption / fast reauthentication +@@ -493,7 +493,7 @@ home_server tls { + # Set this option to specify the allowed + # TLS cipher suites. The format is listed + # in "man 1 ciphers". +- cipher_list = "DEFAULT" ++ cipher_list = "PROFILE=SYSTEM" + } + + } +-- +2.9.3 + diff --git a/freeradius.spec b/freeradius.spec index 3b3c32d..612300d 100644 --- a/freeradius.spec +++ b/freeradius.spec @@ -1,7 +1,7 @@ Summary: High-performance and highly configurable free RADIUS server Name: freeradius Version: 3.0.11 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ and LGPLv2+ Group: System Environment/Daemons URL: http://www.freeradius.org/ @@ -22,6 +22,7 @@ Source103: freeradius-pam-conf Source104: freeradius-tmpfiles.conf Patch1: freeradius-redhat-config.patch +Patch2: Use-system-crypto-policy-by-default.patch %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}} @@ -188,6 +189,7 @@ This plugin provides the REST support for the FreeRADIUS server project. # Note: We explicitly do not make patch backup files because 'make install' # mistakenly includes the backup files, especially problematic for raddb config files. %patch1 -p1 +%patch2 -p1 %build # Force compile/link options, extra security for network facing daemon @@ -782,6 +784,10 @@ exit 0 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest %changelog +* Mon Sep 26 2016 Nikolai Kondrashov - 3.0.11-3 +- Switch default configuration to use system's crypto policy. + Resolves: Bug#1179224 + * Tue May 17 2016 Jitka Plesnikova - 3.0.11-2 - Perl 5.24 rebuild