Package: freeradius / 3.0.12+dfsg-5+deb9u1

snakeoil-certs.diff Patch series | download
Description: Use snakeoil certificates.
Author: Michael Stapelberg <stapelberg@debian.org>
Last-Updated: 2016-09-16
Forwarded: not-needed

---

Index: freeradius-new/raddb/mods-available/eap
===================================================================
--- freeradius-new.orig/raddb/mods-available/eap
+++ freeradius-new/raddb/mods-available/eap
@@ -171,7 +171,7 @@ eap {
 	#  authenticate via EAP-TLS!  This is likely not what you want.
 	tls-config tls-common {
 		private_key_password = whatever
-		private_key_file = ${certdir}/server.pem
+		private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
 
 		#  If Private key & Certificate are located in
 		#  the same file, then private_key_file &
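Review bot: Nothing in this hunk tells an administrator that `private_key_file` now points at the host's auto-generated self-signed key, and the `private_key_password = whatever` context line is left in place beside it. The snakeoil key is normally created unencrypted by the ssl-cert package and readable only by root and the ssl-cert group, so presumably the password is never used and the daemon account needs that group membership; neither is visible in this patch. I would add a comment above the new line, e.g. `#  Debian: self-signed test key from ssl-cert; replace it before production use.` The same applies to the `private_key_file` hunks in inner-eap, abfab-tls and sites-available/tls, and the tls-config block continues outside the hunk.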
@@ -183,7 +183,7 @@ eap {
 		#  only the server certificate, but ALSO all
 		#  of the CA certificates used to sign the
 		#  server certificate.
-		certificate_file = ${certdir}/server.pem
+		certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
 
 		#  Trusted Root CA list
 		#
@@ -195,7 +195,7 @@ eap {
 		#  In that case, this CA file should contain
 		#  *one* CA certificate.
 		#
-		ca_file = ${cadir}/ca.pem
+		ca_file = /etc/ssl/certs/ca-certificates.crt
 
 	 	#  OpenSSL will automatically create certificate chains,
 	 	#  unless we tell it to not do that.  The problem is that
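Review bot: Pointing `ca_file` at `/etc/ssl/certs/ca-certificates.crt` makes every CA in the system bundle a trust anchor for client certificates, which contradicts the retained comment directly above that this file should contain *one* CA certificate. Where EAP-TLS is enabled, a client certificate issued by any of those public CAs would chain to a trusted root. I would ship the item disabled instead, e.g. `#ca_file = ${cadir}/ca.pem`, with a comment telling the administrator to set a private CA before enabling client certificate authentication. The same change appears in the inner-eap and abfab-tls hunks and in both `ca_file` hunks of sites-available/tls, where the retained context comment says to delete the item if client certificates are not used.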
Index: freeradius-new/raddb/mods-available/inner-eap
===================================================================
--- freeradius-new.orig/raddb/mods-available/inner-eap
+++ freeradius-new/raddb/mods-available/inner-eap
@@ -50,7 +50,7 @@ eap inner-eap {
 	#
 	tls {
 		private_key_password = whatever
-		private_key_file = ${certdir}/inner-server.pem
+		private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
 
 		#  If Private key & Certificate are located in
 		#  the same file, then private_key_file &
@@ -62,11 +62,11 @@ eap inner-eap {
 		#  only the server certificate, but ALSO all
 		#  of the CA certificates used to sign the
 		#  server certificate.
-		certificate_file = ${certdir}/inner-server.pem
+		certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
 
 		#  You may want different CAs for inner and outer
 		#  certificates.  If so, edit this file.
-		ca_file = ${cadir}/ca.pem
+		ca_file = /etc/ssl/certs/ca-certificates.crt
 
 		cipher_list = "DEFAULT"
 
Index: freeradius-new/raddb/sites-available/abfab-tls
===================================================================
--- freeradius-new.orig/raddb/sites-available/abfab-tls
+++ freeradius-new/raddb/sites-available/abfab-tls
@@ -13,9 +13,9 @@ listen {
 		private_key_password = whatever
 
 		# Moonshot tends to distribute certs separate from keys
-		private_key_file = ${certdir}/server.key
-		certificate_file = ${certdir}/server.pem
-		ca_file = ${cadir}/ca.pem
+		private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+		certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+		ca_file = /etc/ssl/certs/ca-certificates.crt
 		dh_file = ${certdir}/dh
 		fragment_size = 8192
 		ca_path = ${cadir}
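Review bot: `ca_path = ${cadir}` is left unchanged two lines below the new `ca_file`, so this listener's trust store becomes the system bundle plus whatever is in `${cadir}`, and `dh_file` still expects `${certdir}/dh`. If the intent is to stop depending on the raddb certs directory, these two lines need the same treatment. If not, a comment such as `# Debian: ca_file uses the system bundle; ca_path and dh_file still come from raddb/certs` would make the split explicit. The enclosing tls and listen blocks start and end outside the hunk.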
Index: freeradius-new/raddb/sites-available/tls
===================================================================
--- freeradius-new.orig/raddb/sites-available/tls
+++ freeradius-new/raddb/sites-available/tls
@@ -82,7 +82,7 @@ listen {
 	#
 	tls {
 		private_key_password = whatever
-		private_key_file = ${certdir}/server.pem
+		private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
 
 		#  If Private key & Certificate are located in
 		#  the same file, then private_key_file &
@@ -94,7 +94,7 @@ listen {
 		#  only the server certificate, but ALSO all
 		#  of the CA certificates used to sign the
 		#  server certificate.
-		certificate_file = ${certdir}/server.pem
+		certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
 
 		#  Trusted Root CA list
 		#
@@ -111,7 +111,7 @@ listen {
 		#  not use client certificates, and you do not want
 		#  to permit EAP-TLS authentication, then delete
 		#  this configuration item.
-		ca_file = ${cadir}/ca.pem
+		ca_file = /etc/ssl/certs/ca-certificates.crt
 
 		#
 		#  For DH cipher suites to work, you have to
@@ -377,7 +377,7 @@ home_server tls {
 
 	tls {
 		private_key_password = whatever
-		private_key_file = ${certdir}/client.pem
+		private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
 
 		#  If Private key & Certificate are located in
 		#  the same file, then private_key_file &
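Review bot: The outbound `home_server tls` block now uses the same snakeoil key as the inbound listener and both EAP modules, where the original kept a separate `${certdir}/client.pem`. One key then serves both server and client roles, so exposing it affects every TLS identity this host presents. The self-signed certificate set in the next hunk can presumably only be accepted by a peer that explicitly trusts that exact certificate. A comment above the new line would help, e.g. `#  Debian: placeholder identity shared with the server side; use a dedicated client certificate for real proxying.` The tls block continues outside the hunk.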
@@ -389,7 +389,7 @@ home_server tls {
 		#  only the server certificate, but ALSO all
 		#  of the CA certificates used to sign the
 		#  server certificate.
-		certificate_file = ${certdir}/client.pem
+		certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
 
 		#  Trusted Root CA list
 		#
@@ -406,7 +406,7 @@ home_server tls {
 		#  not use client certificates, and you do not want
 		#  to permit EAP-TLS authentication, then delete
 		#  this configuration item.
-		ca_file = ${cadir}/ca.pem
+		ca_file = /etc/ssl/certs/ca-certificates.crt
 
 		#
 		#  For TLS-PSK, the key should be specified