Update crypto-policies patch

Since introduction, more places for ciphersuites have been introduced by
FreeRADIUS; update the crypto-policies patch accordingly.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
This commit is contained in:
Alexander Scheel 2019-05-08 10:20:13 -04:00
parent 40d2550f5f
commit 60fac0135f
No known key found for this signature in database
GPG Key ID: C0D6C737D0003143

View File

@ -1,20 +1,30 @@
From d78bf5ab1f5c8102b2b6051cfb1198488be9597d Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Mon, 26 Sep 2016 19:48:36 +0300
Subject: [PATCH] Use system crypto policy by default
From a7ed62fbcc043a9ec7a4f09962a2cd2acffa019b Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 8 May 2019 10:16:31 -0400
Subject: [PATCH] Use system-provided crypto-policies by default
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
raddb/mods-available/eap | 2 +-
raddb/mods-available/eap | 4 ++--
raddb/mods-available/inner-eap | 2 +-
raddb/sites-available/abfab-tls | 2 +-
raddb/sites-available/tls | 4 ++--
4 files changed, 5 insertions(+), 5 deletions(-)
4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
index 94494b2c6..9a8dc9327 100644
index 36849e10f2..b28c0f19c6 100644
--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
@@ -912,7 +912,7 @@
@@ -368,7 +368,7 @@ eap {
#
# For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
#
- cipher_list = "DEFAULT"
+ cipher_list = "PROFILE=SYSTEM"
# If enabled, OpenSSL will use server cipher list
# (possibly defined by cipher_list option above)
@@ -912,7 +912,7 @@ eap {
# Note - for OpenSSL 1.1.0 and above you may need
# to add ":@SECLEVEL=0"
#
@ -24,10 +34,10 @@ index 94494b2c6..9a8dc9327 100644
# PAC lifetime in seconds (default: seven days)
#
diff --git a/raddb/mods-available/inner-eap b/raddb/mods-available/inner-eap
index 2b4df6267..af9aa88cd 100644
index 576eb7739e..ffa07188e2 100644
--- a/raddb/mods-available/inner-eap
+++ b/raddb/mods-available/inner-eap
@@ -68,7 +68,7 @@ eap inner-eap {
@@ -77,7 +77,7 @@ eap inner-eap {
# certificates. If so, edit this file.
ca_file = ${cadir}/ca.pem
@ -37,7 +47,7 @@ index 2b4df6267..af9aa88cd 100644
# You may want to set a very small fragment size.
# The TLS data here needs to go inside of the
diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls
index 5dbe143da..46b5fea78 100644
index 92f1d6330e..cd69b3905a 100644
--- a/raddb/sites-available/abfab-tls
+++ b/raddb/sites-available/abfab-tls
@@ -19,7 +19,7 @@ listen {
@ -50,10 +60,10 @@ index 5dbe143da..46b5fea78 100644
cache {
enable = no
diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
index cf1cd7a8a..7dd59cb6f 100644
index bbc761b1c5..83cd35b851 100644
--- a/raddb/sites-available/tls
+++ b/raddb/sites-available/tls
@@ -197,7 +197,7 @@ listen {
@@ -215,7 +215,7 @@ listen {
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
@ -62,7 +72,7 @@ index cf1cd7a8a..7dd59cb6f 100644
# If enabled, OpenSSL will use server cipher list
# (possibly defined by cipher_list option above)
@@ -499,7 +499,7 @@ home_server tls {
@@ -517,7 +517,7 @@ home_server tls {
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
@ -72,5 +82,5 @@ index cf1cd7a8a..7dd59cb6f 100644
}
--
2.13.2
2.21.0