
freeradius-3.0.15-1.mga6.src.rpm

diff -Naurp freeradius-server-3.0.11/raddb/mods-available/eap freeradius-server-3.0.11.oden/raddb/mods-available/eap
--- freeradius-server-3.0.11/raddb/mods-available/eap	2016-01-25 19:27:03.000000000 +0100
+++ freeradius-server-3.0.11.oden/raddb/mods-available/eap	2016-02-28 13:12:54.776031462 +0100
@@ -170,8 +170,8 @@ eap {
 	#  ANYONE who has a certificate signed by them can
 	#  authenticate via EAP-TLS!  This is likely not what you want.
 	tls-config tls-common {
-		private_key_password = whatever
-		private_key_file = ${certdir}/server.pem
+		private_key_password = 
+		private_key_file = ${system_ssldir}/private/radiusd.pem
 
 		#  If Private key & Certificate are located in
 		#  the same file, then private_key_file &
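Review bot: With `private_key_password = ` left empty, the key at `${system_ssldir}/private/radiusd.pem` has to be stored unencrypted, so file ownership and mode are its only protection, and nothing in the hunk says so. I would add a comment above the line such as `#  Key is stored unencrypted; keep it readable only by root and the radiusd user.` The packaging, which is not visible here, presumably also has to make the private directory reachable by the account radiusd runs as, otherwise the key cannot be loaded. The same empty password appears in inner-eap, sites-available/abfab-tls and both tls blocks of sites-available/tls; the tls-config block continues outside the hunk.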
@@ -183,7 +183,7 @@ eap {
 		#  only the server certificate, but ALSO all
 		#  of the CA certificates used to sign the
 		#  server certificate.
-		certificate_file = ${certdir}/server.pem
+		certificate_file = ${system_ssldir}/certs/radiusd.pem
 
 		#  Trusted Root CA list
 		#
@@ -195,7 +195,7 @@ eap {
 		#  In that case, this CA file should contain
 		#  *one* CA certificate.
 		#
-		ca_file = ${cadir}/ca.pem
+		ca_file = ${system_ssldir}/certs/ca-bundle.crt
 
 	 	#  OpenSSL will automatically create certificate chains,
 	 	#  unless we tell it to not do that.  The problem is that
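Review bot: Pointing `ca_file` at `${system_ssldir}/certs/ca-bundle.crt` makes every CA in the system bundle a trusted issuer for EAP-TLS client certificates, which is what the upstream comment earlier in this file warns about ("ANYONE who has a certificate signed by them can authenticate via EAP-TLS"). The comment just above the changed line says that, in the case it describes, the file should contain one CA certificate; a site-specific file such as `ca_file = ${local_ssldir}/ca.pem` keeps that property. The same substitution is made in inner-eap, sites-available/abfab-tls and the listen and home_server blocks of sites-available/tls, and in the listen blocks it likewise widens which client certificates are accepted. The tls-config block starts and ends outside the hunk.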
@@ -236,7 +236,7 @@ eap {
 		#
 		#  	openssl dhparam -out certs/dh 2048
 		#
-		dh_file = ${certdir}/dh
+		dh_file = ${local_ssldir}/dh
 
 		#
 		#  If your system doesn't have /dev/urandom,
@@ -283,7 +283,7 @@ eap {
 		# Check if intermediate CAs have been revoked.
 	#	check_all_crl = yes
 
-		ca_path = ${cadir}
+		ca_path = ${local_ssldir}
 
 		#
 		#  If check_cert_issuer is set, the value will
diff -Naurp freeradius-server-3.0.11/raddb/mods-available/inner-eap freeradius-server-3.0.11.oden/raddb/mods-available/inner-eap
--- freeradius-server-3.0.11/raddb/mods-available/inner-eap	2016-01-25 19:27:03.000000000 +0100
+++ freeradius-server-3.0.11.oden/raddb/mods-available/inner-eap	2016-02-28 13:12:54.776031462 +0100
@@ -49,8 +49,8 @@ eap inner-eap {
 	#  It might work, or it might not.
 	#
 	tls {
-		private_key_password = whatever
-		private_key_file = ${certdir}/inner-server.pem
+		private_key_password = 
+		private_key_file = ${system_ssldir}/private/inner-radiusd.pem
 
 		#  If Private key & Certificate are located in
 		#  the same file, then private_key_file &
@@ -62,11 +62,11 @@ eap inner-eap {
 		#  only the server certificate, but ALSO all
 		#  of the CA certificates used to sign the
 		#  server certificate.
-		certificate_file = ${certdir}/inner-server.pem
+		certificate_file = ${system_ssldir}/private/inner-radiusd.pem
 
 		#  You may want different CAs for inner and outer
 		#  certificates.  If so, edit this file.
-		ca_file = ${cadir}/ca.pem
+		ca_file = ${system_ssldir}/certs/ca-bundle.crt
 
 		cipher_list = "DEFAULT"
 
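Review bot: `certificate_file = ${system_ssldir}/private/inner-radiusd.pem` puts the certificate under `private/`, whereas every other `certificate_file` in this patch uses `certs/`. If a combined key-and-certificate PEM is intended, a one-line comment saying so would help; otherwise `certificate_file = ${system_ssldir}/certs/inner-radiusd.pem` matches the rest of the patch. The tls block continues outside the hunk.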
@@ -78,7 +78,7 @@ eap inner-eap {
 	#	fragment_size = 1024
 
 		#  Other needful things
-		dh_file = ${certdir}/dh
+		dh_file = ${local_ssldir}/dh
 		random_file = /dev/urandom
 
 		#  CRL and OCSP things go here.  See the main "eap"
diff -Naurp freeradius-server-3.0.11/raddb/mods-available/ldap freeradius-server-3.0.11.oden/raddb/mods-available/ldap
--- freeradius-server-3.0.11/raddb/mods-available/ldap	2016-01-25 19:27:03.000000000 +0100
+++ freeradius-server-3.0.11.oden/raddb/mods-available/ldap	2016-02-28 13:12:54.776031462 +0100
@@ -486,11 +486,11 @@ ldap {
 		# using ldaps (port 636) connections
 #		start_tls = yes
 
-#		ca_file	= ${certdir}/cacert.pem
+#		ca_file	= ${system_ssldir}/certs/ca-bundle.crt
 
-#		ca_path	= ${certdir}
-#		certificate_file = /path/to/radius.crt
-#		private_key_file = /path/to/radius.key
+#		ca_path	= ${local_ssldir}
+#		certificate_file = ${system_ssldir}/certs/radiusd.pem
+#		private_key_file = ${system_ssldir}/private/radiusd.key
 #		random_file = /dev/urandom
 
  		#  Certificate Verification requirements.  Can be:
diff -Naurp freeradius-server-3.0.11/raddb/mods-available/rest freeradius-server-3.0.11.oden/raddb/mods-available/rest
--- freeradius-server-3.0.11/raddb/mods-available/rest	2016-01-25 19:27:03.000000000 +0100
+++ freeradius-server-3.0.11.oden/raddb/mods-available/rest	2016-02-28 13:12:54.776031462 +0100
@@ -5,12 +5,12 @@ rest {
 	#  server.
 	#
 	tls {
-#		ca_file	= ${certdir}/cacert.pem
-#		ca_path	= ${certdir}
+#		ca_file	= ${system_ssldir}/certs/ca-bundle.crt
+#		ca_path	= ${local_ssldir}
 
-#		certificate_file        = /path/to/radius.crt
-#		private_key_file	= /path/to/radius.key
-#		private_key_password	= "supersecret"
+#		certificate_file        = ${system_ssldir}/certs/radiusd.pem
+#		private_key_file	= ${system_ssldir}/private/radiusd.pem
+#		private_key_password	= 
 #		random_file		= /dev/urandom
 
 		#  Server certificate verification requirements.  Can be:
diff -Naurp freeradius-server-3.0.11/raddb/radiusd.conf.in freeradius-server-3.0.11.oden/raddb/radiusd.conf.in
--- freeradius-server-3.0.11/raddb/radiusd.conf.in	2016-01-25 19:27:03.000000000 +0100
+++ freeradius-server-3.0.11.oden/raddb/radiusd.conf.in	2016-02-28 13:12:54.776031462 +0100
@@ -66,8 +66,8 @@ name = radiusd
 #  Location of config and logfiles.
 confdir = ${raddbdir}
 modconfdir = ${confdir}/mods-config
-certdir = ${confdir}/certs
-cadir   = ${confdir}/certs
+system_ssldir = /etc/pki/tls
+local_ssldir = ${confdir}/certs
 run_dir = ${localstatedir}/run/${name}
 
 # Should likely be ${localstatedir}/lib/radiusd
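Review bot: Removing the `certdir` and `cadir` definitions leaves any file that still expands `${certdir}` or `${cadir}` without a definition, and that would presumably stop the configuration from parsing. Whether any such references remain in raddb cannot be seen from this diff, and local files carried over from an earlier install are likely to contain them. Keeping the old names as aliases after the new `local_ssldir` line, `certdir = ${local_ssldir}` and `cadir = ${local_ssldir}`, avoids the breakage.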
diff -Naurp freeradius-server-3.0.11/raddb/sites-available/abfab-tls freeradius-server-3.0.11.oden/raddb/sites-available/abfab-tls
--- freeradius-server-3.0.11/raddb/sites-available/abfab-tls	2016-01-25 19:27:03.000000000 +0100
+++ freeradius-server-3.0.11.oden/raddb/sites-available/abfab-tls	2016-02-28 13:12:54.776031462 +0100
@@ -10,15 +10,15 @@ listen {
 	proto = tcp
 
 	tls {
-		private_key_password = whatever
+		private_key_password = 
 
 		# Moonshot tends to distribute certs separate from keys
-		private_key_file = ${certdir}/server.key
-		certificate_file = ${certdir}/server.pem
-		ca_file = ${cadir}/ca.pem
-		dh_file = ${certdir}/dh
+		private_key_file = ${system_ssldir}/private/radiusd.key
+		certificate_file = ${system_ssldir}/certs/radiusd.pem
+		ca_file = ${system_ssldir}/certs/ca-bundle.crt
+		dh_file = ${local_ssldir}/dh
 		fragment_size = 8192
-		ca_path = ${cadir}
+		ca_path = ${local_ssldir}
 		cipher_list = "DEFAULT"
 
 		cache {
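Review bot: `private_key_file` here is `private/radiusd.key`, while eap and sites-available/tls use `private/radiusd.pem` for what appears to be the same server identity; the commented ldap and rest examples are split the same way. Unless the package installs both files, one of these sites will fail to load its key when enabled. I would settle on one name, or add a comment stating that `radiusd.key` holds the key only and `radiusd.pem` the combined key and certificate. The tls block continues outside the hunk.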
diff -Naurp freeradius-server-3.0.11/raddb/sites-available/tls freeradius-server-3.0.11.oden/raddb/sites-available/tls
--- freeradius-server-3.0.11/raddb/sites-available/tls	2016-01-25 19:27:03.000000000 +0100
+++ freeradius-server-3.0.11.oden/raddb/sites-available/tls	2016-02-28 13:12:54.776031462 +0100
@@ -81,8 +81,8 @@ listen {
 	#  to refer to the "site1" sub-section of the "tls" section.
 	#
 	tls {
-		private_key_password = whatever
-		private_key_file = ${certdir}/server.pem
+		private_key_password = 
+		private_key_file = ${system_ssldir}/private/radiusd.pem
 
 		#  If Private key & Certificate are located in
 		#  the same file, then private_key_file &
@@ -94,7 +94,7 @@ listen {
 		#  only the server certificate, but ALSO all
 		#  of the CA certificates used to sign the
 		#  server certificate.
-		certificate_file = ${certdir}/server.pem
+		certificate_file = ${system_ssldir}/certs/radiusd.pem
 
 		#  Trusted Root CA list
 		#
@@ -111,7 +111,7 @@ listen {
 		#  not use client certificates, and you do not want
 		#  to permit EAP-TLS authentication, then delete
 		#  this configuration item.
-		ca_file = ${cadir}/ca.pem
+		ca_file = ${system_ssldir}/certs/ca-bundle.crt
 
 		#
 		#  For DH cipher suites to work, you have to
@@ -119,7 +119,7 @@ listen {
 		#
 		#  	openssl dhparam -out certs/dh 1024
 		#
-		dh_file = ${certdir}/dh
+		dh_file = ${local_ssldir}/dh
 
 		#
 		#  If your system doesn't have /dev/urandom,
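Review bot: The hint left above the changed `dh_file` line still generates 1024-bit parameters, while the eap module's hint in this same patch uses 2048. Since the line below it is being edited anyway, I would update the comment to `#  	openssl dhparam -out certs/dh 2048` here and in the home_server block further down, which carries the same 1024 hint. The listen block continues outside the hunk.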
@@ -160,7 +160,7 @@ listen {
 		#  3) uncomment the line below.
 		#  5) Restart radiusd
 	#	check_crl = yes
-		ca_path = ${cadir}
+		ca_path = ${local_ssldir}
 
 	       #
 	       #  If check_cert_issuer is set, the value will
@@ -376,8 +376,8 @@ home_server tls {
 	status_check = none
 
 	tls {
-		private_key_password = whatever
-		private_key_file = ${certdir}/client.pem
+		private_key_password = 
+		private_key_file = ${system_ssldir}/private/client.pem
 
 		#  If Private key & Certificate are located in
 		#  the same file, then private_key_file &
@@ -389,7 +389,7 @@ home_server tls {
 		#  only the server certificate, but ALSO all
 		#  of the CA certificates used to sign the
 		#  server certificate.
-		certificate_file = ${certdir}/client.pem
+		certificate_file = ${system_ssldir}/certs/client.pem
 
 		#  Trusted Root CA list
 		#
@@ -406,7 +406,7 @@ home_server tls {
 		#  not use client certificates, and you do not want
 		#  to permit EAP-TLS authentication, then delete
 		#  this configuration item.
-		ca_file = ${cadir}/ca.pem
+		ca_file = ${system_ssldir}/certs/ca-bundle.crt
 
 		#
 		#  For TLS-PSK, the key should be specified
@@ -428,7 +428,7 @@ home_server tls {
 		#
 		#  	openssl dhparam -out certs/dh 1024
 		#
-		dh_file = ${certdir}/dh
+		dh_file = ${local_ssldir}/dh
 		random_file = /dev/urandom
 
 		#
@@ -456,7 +456,7 @@ home_server tls {
 		#  3) uncomment the line below.
 		#  5) Restart radiusd
 	#	check_crl = yes
-		ca_path = ${cadir}
+		ca_path = ${local_ssldir}
 
 	       #
 	       #  If check_cert_issuer is set, the value will