From 5e110dfcd84996c008e340219ae45e2867a6c908 Mon Sep 17 00:00:00 2001
From: Antonio Torres
Date: Mon, 1 Apr 2024 14:11:48 +0200
Subject: [PATCH] Comment out unneeded options from mods-available/eap
These options are lefotvers from before the OpenSSL3 support backport. They do not harm FreeRADIUS functioning but print warnings on server startup.
Resolves: RHEL-30830
Signed-off-by: Antonio Torres
---
 freeradius-Backport-OpenSSL3-fixes.patch | 28 +++++++++++++++++++++++-
 freeradius.spec | 6 ++++-
 2 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/freeradius-Backport-OpenSSL3-fixes.patch b/freeradius-Backport-OpenSSL3-fixes.patch
index ed47871..d16aa28 100644
--- a/freeradius-Backport-OpenSSL3-fixes.patch
+++ b/freeradius-Backport-OpenSSL3-fixes.patch
@@ -11,7 +11,9 @@ Signed-off-by: Antonio Torres
 to work on top of OpenSSL 3.0 when the system is in FIPS mode. We enable this macro on the specfile.
 [antorres@redhat.com]: backported tls.c, tls-h changes from 3.2.x branch.
 [antorres@redhat.com]: the sites-available/tls file has been modified to add the fix_cert_order option.
+[antorres@redhat.com]: mods-available/eap has been modified to comment out 'disable_tlsv1' and 'dh_file' options.
 ---
+ raddb/mods-available/eap | 6 +-
 raddb/sites-available/tls | 8 +
 share/dictionary.freeradius.internal | 54 +-
 src/include/build.h | 25 +-
@@ -68,8 +70,32 @@ to work on top of OpenSSL 3.0 when the system is in FIPS mode. We enable this ma
 src/modules/rlm_wimax/milenage.h | 128 ++
 src/modules/rlm_wimax/rlm_wimax.c | 429 ++++-
 src/tests/keywords/md4 | 58 +
- 56 files changed, 6029 insertions(+), 1196 deletions(-)
+ 57 files changed, 6032 insertions(+), 1199 deletions(-)
+diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
+index a89a783663..bf73485e3c 100644
+--- a/raddb/mods-available/eap
++++ b/raddb/mods-available/eap
+@@ -281,7 +281,7 @@ eap {
+ #
+ # openssl dhparam -out certs/dh 2048
+ #
+- dh_file = ${certdir}/dh
++ # dh_file = ${certdir}/dh
+
+ # If your system doesn't have /dev/urandom,
+ # you will need to create this file, and
+@@ -392,8 +392,8 @@ eap {
+ # tls_max_version.
+ #
+ # disable_tlsv1_2 = no
+- disable_tlsv1_1 = yes
+- disable_tlsv1 = yes
++ # disable_tlsv1_1 = yes
++ # disable_tlsv1 = yes
+
+ # Set min / max TLS version. Mainly for Debian
+ # "trusty", which disables older versions of TLS, and
 diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
 index e2a3b080ca..25a10b6364 100644
 --- a/raddb/sites-available/tls
diff --git a/freeradius.spec b/freeradius.spec
index da165de..d590122 100644
--- a/freeradius.spec
+++ b/freeradius.spec
@@ -1,7 +1,7 @@
 Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius
 Version: 3.0.21
-Release: 39%{?dist}
+Release: 40%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: http://www.freeradius.org/
@@ -864,6 +864,10 @@ EOF
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
 %changelog
+* Mon Apr 01 2024 Antonio Torres - 3.0.21-40
+- Comment out unneeded options from mods-available/eap
+ Resolves: RHEL-30830
+
 * Mon Nov 06 2023 Antonio Torres - 3.0.21-39
 - Fix Python3.8+ library name suffix
 Resolves: #15503
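Review bot: Commenting out `disable_tlsv1_1 = yes` and `disable_tlsv1 = yes` in the nested `raddb/mods-available/eap` change at `@@ -392,8 +392,8 @@` removes the only lines visible here that exclude TLS 1.0 and 1.1 for EAP. The effective floor then depends on the min/max TLS version settings that follow in the `eap { }` section, which continues outside the hunk. It is worth confirming that the packaged file sets the floor explicitly, for example `tls_min_version = "1.2"`, rather than leaving it to library or system-wide defaults. The commented lines also carry no explanation, so a short comment such as `# disable_tlsv1* left commented: they only print startup warnings after the OpenSSL 3 backport; set tls_min_version instead` would discourage an administrator from re-enabling them. The same applies to `# dh_file` at `@@ -281,7 +281,7 @@`, where a one-line comment should say which DH parameters the server uses when the option is absent.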