From a7ed62fbcc043a9ec7a4f09962a2cd2acffa019b Mon Sep 17 00:00:00 2001 From: Alexander Scheel Date: Wed, 8 May 2019 10:16:31 -0400 Subject: [PATCH] Use system-provided crypto-policies by default Signed-off-by: Alexander Scheel [antorres@redhat.com]: update patch to 3.2.1 state --- raddb/mods-available/eap | 4 ++-- raddb/mods-available/inner-eap | 2 +- raddb/sites-available/abfab-tls | 2 +- raddb/sites-available/tls | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap index 62152a6dfc..9f64963034 100644 --- a/raddb/mods-available/eap +++ b/raddb/mods-available/eap @@ -400,7 +400,7 @@ eap { # TLS cipher suites. The format is listed # in "man 1 ciphers". # - cipher_list = "DEFAULT" + cipher_list = "PROFILE=SYSTEM" # Set this option to specify the allowed # TLS signature algorithms for OpenSSL 1.1.1 and above. @@ -1082,7 +1082,7 @@ eap { # "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is # recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used # - # cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2" + # cipher_list = "PROFILE=SYSTEM" # PAC lifetime in seconds (default: seven days) # diff --git a/raddb/mods-available/inner-eap b/raddb/mods-available/inner-eap index 576eb7739e..ffa07188e2 100644 --- a/raddb/mods-available/inner-eap +++ b/raddb/mods-available/inner-eap @@ -77,7 +77,7 @@ eap inner-eap { # certificates. If so, edit this file. ca_file = ${cadir}/ca.pem - cipher_list = "DEFAULT" + cipher_list = "PROFILE=SYSTEM" # You may want to set a very small fragment size. # The TLS data here needs to go inside of the diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls index b8d0626bbe..073b2933c2 100644 --- a/raddb/sites-available/abfab-tls +++ b/raddb/sites-available/abfab-tls @@ -20,7 +20,7 @@ listen { dh_file = ${certdir}/dh fragment_size = 8192 ca_path = ${cadir} - cipher_list = "DEFAULT" + cipher_list = "PROFILE=SYSTEM" cache { enable = no lifetime = 24 # hours diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls index 137fcbc6cc..a65f8a8711 100644 --- a/raddb/sites-available/tls +++ b/raddb/sites-available/tls @@ -292,7 +292,7 @@ listen { # Set this option to specify the allowed # TLS cipher suites. The format is listed # in "man 1 ciphers". - cipher_list = "DEFAULT" + cipher_list = "PROFILE=SYSTEM" # If enabled, OpenSSL will use server cipher list # (possibly defined by cipher_list option above) @@ -676,7 +676,7 @@ home_server tls { # Set this option to specify the allowed # TLS cipher suites. The format is listed # in "man 1 ciphers". - cipher_list = "DEFAULT" + cipher_list = "PROFILE=SYSTEM" # # Connection timeout for outgoing TLS connections. -- 2.21.0