import freeradius-3.0.21-26.el9
parent
4e81757a03
commit
62cba018de
10880
SOURCES/freeradius-Backport-OpenSSL3-fixes.patch
Normal file
10880
SOURCES/freeradius-Backport-OpenSSL3-fixes.patch
Normal file
File diff suppressed because it is too large
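--- a/SOURCES/freeradius-ldap-infinite-timeout-on-starttls.patch
+++ b/SOURCES/freeradius-ldap-infinite-timeout-on-starttls.patch
@@ -0,0 +1,31 @@
+From: Antonio Torres <antorres@redhat.com>
+Date: Fri, 28 Jan 2022
+Subject: Use infinite timeout when using LDAP+start-TLS
+
+This will ensure that the TLS connection to the LDAP server will complete
+before starting FreeRADIUS, as it forces libldap to use a blocking socket during
+the process. Infinite timeout is the OpenLDAP default.
+Avoids this: https://git.openldap.org/openldap/openldap/-/blob/87ffc60006298069a5a044b8e63dab27a61d3fdf/libraries/libldap/tls2.c#L1134
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1992551
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+---
+src/modules/rlm_ldap/ldap.c | 5 ++++-
+1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c
+index cf7a84e069..841bf888a1 100644
+--- a/src/modules/rlm_ldap/ldap.c
++++ b/src/modules/rlm_ldap/ldap.c
+@@ -1472,7 +1472,10 @@ void *mod_conn_create(TALLOC_CTX *ctx, void *instance)
+}
+
+#ifdef LDAP_OPT_NETWORK_TIMEOUT
+- if (inst->net_timeout) {
++ bool using_tls = inst->start_tls ||
++ inst->port == 636 ||
++ strncmp(inst->server, "ldaps://", strlen("ldaps://")) == 0;
++ if (inst->net_timeout && !using_tls) {
+memset(&tv, 0, sizeof(tv));
+tv.tv_sec = inst->net_timeout;
+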
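Review bot: The new guard `if (inst->net_timeout && !using_tls)` in mod_conn_create silently ignores the operator's configured `net_timeout` for every TLS connection, so an LDAP server that accepts the connection but never finishes the handshake, or a route that drops packets, can presumably block connection creation without bound. I would log a warning whenever a non-zero `net_timeout` is skipped and record the trade-off next to the check, e.g. `/* net_timeout is not applied to TLS connections: libldap needs a blocking socket to finish the handshake, so connecting can block indefinitely */`. The `using_tls` test is also a heuristic: it relies on `inst->port == 636` and a case-sensitive `strncmp`, so an `LDAPS://` URI or LDAPS on another port keeps the old timeout path; `strncasecmp(inst->server, "ldaps://", strlen("ldaps://")) == 0` would cover the first case. Whether `inst->server` can be NULL at this point is not visible in the hunk, and the body of mod_conn_create continues outside it.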
@ -1 +1,2 @@
|
||||
D /run/radiusd 0710 radiusd radiusd -
|
||||
D /run/radiusd/tmp 0700 radiusd radiusd -
|
||||
|
@ -1,7 +1,7 @@
|
||||
Summary: High-performance and highly configurable free RADIUS server
|
||||
Name: freeradius
|
||||
Version: 3.0.21
|
||||
Release: 21%{?dist}
|
||||
Release: 26%{?dist}
|
||||
License: GPLv2+ and LGPLv2+
|
||||
URL: http://www.freeradius.org/
|
||||
|
||||
@ -26,6 +26,8 @@ Patch3: freeradius-bootstrap-create-only.patch
|
||||
Patch4: freeradius-no-buildtime-cert-gen.patch
|
||||
Patch5: freeradius-bootstrap-make-permissions.patch
|
||||
Patch6: freeradius-Fix-resource-hard-limit-error.patch
|
||||
Patch7: freeradius-ldap-infinite-timeout-on-starttls.patch
|
||||
Patch8: freeradius-Backport-OpenSSL3-fixes.patch
|
||||
|
||||
%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
|
||||
|
||||
@ -53,7 +55,7 @@ BuildRequires: ykclient-devel
|
||||
|
||||
# Require OpenSSL version we built with, or newer, to avoid startup failures
|
||||
# due to runtime OpenSSL version checks.
|
||||
Requires: openssl >= %(rpm -q --queryformat '%%{EPOCH}:%%{VERSION}' openssl)
|
||||
Requires: openssl >= %(rpm -q --queryformat '%%{VERSION}' openssl)
|
||||
Requires(pre): shadow-utils glibc-common
|
||||
Requires(post): systemd-sysv
|
||||
Requires(post): systemd-units
|
||||
@ -209,6 +211,8 @@ This plugin provides the REST support for the FreeRADIUS server project.
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
|
||||
%build
|
||||
# Force compile/link options, extra security for network facing daemon
|
||||
@ -851,6 +855,28 @@ exit 0
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
|
||||
|
||||
%changelog
|
||||
* Mon Jan 31 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-26
|
||||
- Move remaining files from /var/run to /run
|
||||
Related: rhbz#2047972
|
||||
|
||||
* Fri Jan 28 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-25
|
||||
- Revert "Allow to connect to partially open LDAP handle"
|
||||
- Use infinite timeout (openldap default) when using LDAP+start-TLS
|
||||
- Update openssl dependency to not check epoch (was causing detection issues)
|
||||
Related: rhbz#1992551
|
||||
|
||||
* Thu Jan 13 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-24
|
||||
- Avoid segfault when trying to use MD4 without legacy provider
|
||||
Related: rhbz#1978216
|
||||
|
||||
* Wed Jan 12 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-23
|
||||
- Backport OpenSSL3 fixes
|
||||
Related: rhbz#1978216
|
||||
|
||||
* Wed Oct 13 2021 Antonio Torres <antorres@redhat.com> - 3.0.21-22
|
||||
- Allow to connect to partially open LDAP handle
|
||||
Related: rhbz#1992551
|
||||
|
||||
* Mon Sep 27 2021 Antonio Torres <antorres@redhat.com> - 3.0.21-21
|
||||
- Move FR's systemd unit PID file from /var/run to /run
|
||||
Related: rhbz#2006368
|
||||
|
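Review bot: The rewritten `Requires: openssl >= %(rpm -q --queryformat '%%{VERSION}' openssl)` no longer carries the epoch, and as far as I know RPM treats a missing epoch in a dependency as 0, so if the distribution's openssl package has a non-zero epoch, every build of it satisfies this line regardless of version. That would leave the comment above it ("Require OpenSSL version we built with, or newer") describing a check the package no longer enforces. If the original problem was `%{EPOCH}` expanding to `(none)` for a package without an epoch, the conditional queryformat `'%%|EPOCH?{%%{EPOCH}:}|%%{VERSION}'` keeps the epoch when there is one; either way the comment should state what is actually guaranteed. Which of the two printed `Requires: openssl` lines is the new one is inferred from the 3.0.21-25 changelog entry, since the page lost the `+`/`-` markers.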