From 55d9285155ec0311096cf07b765942b2a9b48684 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Tue, 27 Sep 2016 12:48:37 +0300
Subject: [PATCH] Use system crypto policy by default

Resolves: Bug#1179224
---
 Use-system-crypto-policy-by-default.patch | 76 +++++++++++++++++++++++
 freeradius.spec                           |  8 ++-
 2 files changed, 83 insertions(+), 1 deletion(-)
 create mode 100644 Use-system-crypto-policy-by-default.patch

diff --git a/Use-system-crypto-policy-by-default.patch b/Use-system-crypto-policy-by-default.patch
new file mode 100644
index 0000000..c2c6d4f
--- /dev/null
+++ b/Use-system-crypto-policy-by-default.patch
@@ -0,0 +1,76 @@
+From 7811b36eba8d10f6f9425d120e6999211b3addde Mon Sep 17 00:00:00 2001
+From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
+Date: Mon, 26 Sep 2016 19:48:36 +0300
+Subject: [PATCH] Use system crypto policy by default
+
+---
+ raddb/mods-available/eap        | 2 +-
+ raddb/mods-available/inner-eap  | 2 +-
+ raddb/sites-available/abfab-tls | 2 +-
+ raddb/sites-available/tls       | 4 ++--
+ 4 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
+index 8f38c47..432389a 100644
+--- a/raddb/mods-available/eap
++++ b/raddb/mods-available/eap
+@@ -320,7 +320,7 @@ eap {
+ 		# Set this option to specify the allowed
+ 		# TLS cipher suites.  The format is listed
+ 		# in "man 1 ciphers".
+-		cipher_list = "DEFAULT"
++		cipher_list = "PROFILE=SYSTEM"
+ 
+ 		# Work-arounds for OpenSSL nonsense
+ 		# OpenSSL 1.0.1f and 1.0.1g do not calculate
+diff --git a/raddb/mods-available/inner-eap b/raddb/mods-available/inner-eap
+index 2b4df62..af9aa88 100644
+--- a/raddb/mods-available/inner-eap
++++ b/raddb/mods-available/inner-eap
+@@ -68,7 +68,7 @@ eap inner-eap {
+ 		#  certificates.  If so, edit this file.
+ 		ca_file = ${cadir}/ca.pem
+ 
+-		cipher_list = "DEFAULT"
++		cipher_list = "PROFILE=SYSTEM"
+ 
+ 		#  You may want to set a very small fragment size.
+ 		#  The TLS data here needs to go inside of the
+diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls
+index 79d74e6..d04d6be 100644
+--- a/raddb/sites-available/abfab-tls
++++ b/raddb/sites-available/abfab-tls
+@@ -19,7 +19,7 @@ listen {
+ 		dh_file = ${certdir}/dh
+ 		fragment_size = 8192
+ 		ca_path = ${cadir}
+-		cipher_list = "DEFAULT"
++		cipher_list = "PROFILE=SYSTEM"
+ 
+ 		cache {
+ 			enable = no
+diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
+index eb60fa5..9b340d2 100644
+--- a/raddb/sites-available/tls
++++ b/raddb/sites-available/tls
+@@ -197,7 +197,7 @@ listen {
+ 		# Set this option to specify the allowed
+ 		# TLS cipher suites.  The format is listed
+ 		# in "man 1 ciphers".
+-		cipher_list = "DEFAULT"
++		cipher_list = "PROFILE=SYSTEM"
+ 
+ 		#
+ 		#  Session resumption / fast reauthentication
+@@ -493,7 +493,7 @@ home_server tls {
+ 		# Set this option to specify the allowed
+ 		# TLS cipher suites.  The format is listed
+ 		# in "man 1 ciphers".
+-		cipher_list = "DEFAULT"
++		cipher_list = "PROFILE=SYSTEM"
+ 	}
+ 
+ }
+-- 
+2.9.3
+
diff --git a/freeradius.spec b/freeradius.spec
index 3b3c32d..612300d 100644
--- a/freeradius.spec
+++ b/freeradius.spec
@@ -1,7 +1,7 @@
 Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius
 Version: 3.0.11
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Daemons
 URL: http://www.freeradius.org/
@@ -22,6 +22,7 @@ Source103: freeradius-pam-conf
 Source104: freeradius-tmpfiles.conf
 
 Patch1: freeradius-redhat-config.patch
+Patch2: Use-system-crypto-policy-by-default.patch
 
 %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
 
@@ -188,6 +189,7 @@ This plugin provides the REST support for the FreeRADIUS server project.
 # Note: We explicitly do not make patch backup files because 'make install'
 # mistakenly includes the backup files, especially problematic for raddb config files.
 %patch1 -p1
+%patch2 -p1
 
 %build
 # Force compile/link options, extra security for network facing daemon
@@ -782,6 +784,10 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
 
 %changelog
+* Mon Sep 26 2016 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.11-3
+- Switch default configuration to use system's crypto policy.
+  Resolves: Bug#1179224
+
 * Tue May 17 2016 Jitka Plesnikova <jplesnik@redhat.com> - 3.0.11-2
 - Perl 5.24 rebuild