
freeradius-3.0.19-1.1.mga7.src.rpm

diff -Nrup a/raddb/mods-available/eap b/raddb/mods-available/eap
--- a/raddb/mods-available/eap	2019-04-10 11:11:23.000000000 +0200
+++ b/raddb/mods-available/eap	2019-04-10 20:51:14.681446581 +0200
@@ -181,8 +181,8 @@ eap {
 	#  authenticate via EAP-TLS!  This is likely not what you want.
 	#
 	tls-config tls-common {
-		private_key_password = whatever
-		private_key_file = ${certdir}/server.pem
+		private_key_password =
+		private_key_file = ${system_ssldir}/private/radiusd.pem
 
 		#  If Private key & Certificate are located in
 		#  the same file, then private_key_file &
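Review bot: The empty `private_key_password =` in tls-common means the key at `${system_ssldir}/private/radiusd.pem` is expected to be stored unencrypted, so file permissions are its only protection, and nothing in the hunk tells the administrator that. I would add a comment above the setting, such as `#  Key is stored without a passphrase; keep it readable only by the account radiusd runs as.` The same empty value is introduced in the inner-eap, rest, abfab-tls and sites-available/tls hunks. The tls-common block continues outside this hunk.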
@@ -218,7 +218,7 @@ eap {
 		#  give advice which will work everywhere.  Instead,
 		#  we give general guidelines.
 		#
-		certificate_file = ${certdir}/server.pem
+		certificate_file = ${system_ssldir}/certs/radiusd.pem
 
 		#  Trusted Root CA list
 		#
@@ -231,7 +231,7 @@ eap {
 		#  In that case, this CA file should contain
 		#  *one* CA certificate.
 		#
-		ca_file = ${cadir}/ca.pem
+		ca_file = ${system_ssldir}/certs/ca-bundle.crt
 
 	 	#  OpenSSL will automatically create certificate chains,
 	 	#  unless we tell it to not do that.  The problem is that
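Review bot: Pointing `ca_file` at `${system_ssldir}/certs/ca-bundle.crt` makes the system-wide CA bundle the trust anchor for client certificates in the eap module, although the context comment just above says this file should contain *one* CA certificate. With EAP-TLS enabled, a client certificate chaining to any CA in that bundle would pass chain validation unless further checks are configured outside this hunk. A dedicated file such as `ca_file = ${local_ssldir}/ca.pem` keeps the trust scope to the site's own CA. The same substitution is made in the inner-eap, abfab-tls and both sites-available/tls `ca_file` hunks. For ldap and rest, where the file verifies a remote server, the bundle is a reasonable default.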
@@ -281,7 +281,7 @@ eap {
 		#
 		#    openssl dhparam -out certs/dh 2048
 		#
-		dh_file = ${certdir}/dh
+		dh_file = ${local_ssldir}/dh
 
 		#  If your system doesn't have /dev/urandom,
 		#  you will need to create this file, and
@@ -326,7 +326,7 @@ eap {
 		# Check if intermediate CAs have been revoked.
 	#	check_all_crl = yes
 
-		ca_path = ${cadir}
+		ca_path = ${local_ssldir}
 
 		# Accept an expired Certificate Revocation List
 		#
diff -Nrup a/raddb/mods-available/inner-eap b/raddb/mods-available/inner-eap
--- a/raddb/mods-available/inner-eap	2019-04-10 11:11:23.000000000 +0200
+++ b/raddb/mods-available/inner-eap	2019-04-10 20:52:52.126006616 +0200
@@ -58,8 +58,8 @@ eap inner-eap {
 	#  It might work, or it might not.
 	#
 	tls {
-		private_key_password = whatever
-		private_key_file = ${certdir}/inner-server.pem
+		private_key_password =
+		private_key_file = ${system_ssldir}/private/inner-radiusd.pem
 
 		#  If Private key & Certificate are located in
 		#  the same file, then private_key_file &
@@ -71,11 +71,11 @@ eap inner-eap {
 		#  only the server certificate, but ALSO all
 		#  of the CA certificates used to sign the
 		#  server certificate.
-		certificate_file = ${certdir}/inner-server.pem
+		certificate_file = ${system_ssldir}/private/inner-radiusd.pem
 
 		#  You may want different CAs for inner and outer
 		#  certificates.  If so, edit this file.
-		ca_file = ${cadir}/ca.pem
+		ca_file = ${system_ssldir}/certs/ca-bundle.crt
 
 		cipher_list = "DEFAULT"
 
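Review bot: `certificate_file` here points into `private/`, while every other `certificate_file` in this patch uses `${system_ssldir}/certs/`. If a combined key-and-certificate PEM is intended for the inner tunnel, a comment should say so, e.g. `#  Key and certificate share one file, kept under private/.` Otherwise the line should read `certificate_file = ${system_ssldir}/certs/inner-radiusd.pem`, matching the split used in mods-available/eap.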
@@ -87,7 +87,7 @@ eap inner-eap {
 	#	fragment_size = 1024
 
 		#  Other needful things
-		dh_file = ${certdir}/dh
+		dh_file = ${local_ssldir}/dh
 		random_file = /dev/urandom
 
 		#  CRL and OCSP things go here.  See the main "eap"
diff -Nrup a/raddb/mods-available/ldap b/raddb/mods-available/ldap
--- a/raddb/mods-available/ldap	2019-04-10 11:11:23.000000000 +0200
+++ b/raddb/mods-available/ldap	2019-04-10 20:53:59.523394198 +0200
@@ -548,11 +548,11 @@ ldap {
 		# using ldaps (port 636) connections
 #		start_tls = yes
 
-#		ca_file	= ${certdir}/cacert.pem
+#		ca_file	= ${system_ssldir}/certs/ca-bundle.crt
 
-#		ca_path	= ${certdir}
-#		certificate_file = /path/to/radius.crt
-#		private_key_file = /path/to/radius.key
+#		ca_path	= ${local_ssldir}
+#		certificate_file = ${system_ssldir}/certs/radiusd.pem
+#		private_key_file = ${system_ssldir}/private/radiusd.key
 #		random_file = /dev/urandom
 
  		#  Certificate Verification requirements.  Can be:
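Review bot: The commented example names the key `private/radiusd.key`, while the rest and eap hunks use `private/radiusd.pem` for what appears to be the same server key. An administrator who uncomments these examples ends up with two file names for one key. Either use one name throughout, e.g. `#		private_key_file = ${system_ssldir}/private/radiusd.pem`, or add a comment saying the difference is deliberate. abfab-tls also uses `radiusd.key`.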
diff -Nrup a/raddb/mods-available/rest b/raddb/mods-available/rest
--- a/raddb/mods-available/rest	2019-04-10 11:11:23.000000000 +0200
+++ b/raddb/mods-available/rest	2019-04-10 20:57:56.045755453 +0200
@@ -14,13 +14,13 @@ rest {
 		#    certificate chain validation.
 		#  "ca_path" (libcurl option CURLOPT_CAPATH).
 		#    Directory holding CA certificates to verify the peer with.
-#		ca_file = ${certdir}/cacert.pem
-#		ca_info_file = ${certdir}/cacert_bundle.pem
-#		ca_path = ${certdir}
+#		ca_file = ${system_ssldir}/certs/ca-bundle.crt
+#		ca_info_file = ${system_ssldir}/certs/ca-bundle.crt
+#		ca_path = ${local_ssldir}
 
-#		certificate_file        = /path/to/radius.crt
-#		private_key_file	= /path/to/radius.key
-#		private_key_password	= "supersecret"
+#		certificate_file        = ${system_ssldir}/certs/radiusd.pem
+#		private_key_file	= ${system_ssldir}/private/radiusd.pem
+#		private_key_password	=
 #		random_file		= /dev/urandom
 
 		#  Server certificate verification requirements.  Can be:
diff -Nrup a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
--- a/raddb/radiusd.conf.in	2019-04-10 11:11:23.000000000 +0200
+++ b/raddb/radiusd.conf.in	2019-04-10 21:00:50.788761973 +0200
@@ -96,8 +96,8 @@ name = radiusd
 #  Location of config and logfiles.
 confdir = ${raddbdir}
 modconfdir = ${confdir}/mods-config
-certdir = ${confdir}/certs
-cadir   = ${confdir}/certs
+system_ssldir = /etc/pki/tls
+local_ssldir = ${confdir}/certs
 run_dir = ${localstatedir}/run/${name}
 
 # Should likely be ${localstatedir}/lib/radiusd
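Review bot: Dropping `certdir` and `cadir` leaves any file that still expands `${certdir}` or `${cadir}` with an unresolved reference, and the patch rewrites only the references inside its own hunks. Unless every remaining use under raddb has been checked, keeping the old names as aliases is safer: add `certdir = ${local_ssldir}` and `cadir = ${local_ssldir}` after the two new lines. Site-local configuration carried over from an earlier install would presumably break in the same way.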
diff -Nrup a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls
--- a/raddb/sites-available/abfab-tls	2019-04-10 11:11:23.000000000 +0200
+++ b/raddb/sites-available/abfab-tls	2019-04-10 21:02:04.022183946 +0200
@@ -10,15 +10,15 @@ listen {
 	proto = tcp
 
 	tls {
-		private_key_password = whatever
+		private_key_password =
 
 		# Moonshot tends to distribute certs separate from keys
-		private_key_file = ${certdir}/server.key
-		certificate_file = ${certdir}/server.pem
-		ca_file = ${cadir}/ca.pem
-		dh_file = ${certdir}/dh
+		private_key_file = ${system_ssldir}/private/radiusd.key
+		certificate_file = ${system_ssldir}/certs/radiusd.pem
+		ca_file = ${system_ssldir}/certs/ca-bundle.crt
+		dh_file = ${local_ssldir}/dh
 		fragment_size = 8192
-		ca_path = ${cadir}
+		ca_path = ${local_ssldir}
 		cipher_list = "DEFAULT"
 
 		cache {
diff -Nrup a/raddb/sites-available/tls b/raddb/sites-available/tls
--- a/raddb/sites-available/tls	2019-04-10 11:11:23.000000000 +0200
+++ b/raddb/sites-available/tls	2019-04-10 21:05:00.549201381 +0200
@@ -96,8 +96,8 @@ listen {
 	#  to refer to the "site1" sub-section of the "tls" section.
 	#
 	tls {
-		private_key_password = whatever
-		private_key_file = ${certdir}/server.pem
+		private_key_password =
+		certificate_file = ${system_ssldir}/certs/radiusd.pem
 
 		# Accept an expired Certificate Revocation List
 		#
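Review bot: The listen `tls` block loses its `private_key_file` here: the removed line is replaced by a `certificate_file` line instead of a relocated key path, and no other hunk in this file's listen section adds one back. The home_server hunk further down keeps both settings, so this looks like a slip; I would expect `private_key_file = ${system_ssldir}/private/radiusd.pem` in place of the added line. If the section still has its own `certificate_file = ${certdir}/server.pem` outside the hunk, that line also needs the new path, since `certdir` is removed in radiusd.conf.in.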
@@ -130,7 +130,7 @@ listen {
 		#  not use client certificates, and you do not want
 		#  to permit EAP-TLS authentication, then delete
 		#  this configuration item.
-		ca_file = ${cadir}/ca.pem
+		ca_file = ${system_ssldir}/certs/ca-bundle.crt
 
 		#
 		#  For DH cipher suites to work, you have to
@@ -138,7 +138,7 @@ listen {
 		#
 		#  	openssl dhparam -out certs/dh 1024
 		#
-		dh_file = ${certdir}/dh
+		dh_file = ${local_ssldir}/dh
 
 		#
 		#  If your system doesn't have /dev/urandom,
@@ -179,7 +179,7 @@ listen {
 		#  3) uncomment the line below.
 		#  5) Restart radiusd
 	#	check_crl = yes
-		ca_path = ${cadir}
+		ca_path = ${local_ssldir}
 
 	       #
 	       #  If check_cert_issuer is set, the value will
@@ -400,8 +400,8 @@ home_server tls {
 	status_check = none
 
 	tls {
-		private_key_password = whatever
-		private_key_file = ${certdir}/client.pem
+		private_key_password =
+		private_key_file = ${system_ssldir}/private/client.pem
 
 		#  If Private key & Certificate are located in
 		#  the same file, then private_key_file &
@@ -413,7 +413,7 @@ home_server tls {
 		#  only the server certificate, but ALSO all
 		#  of the CA certificates used to sign the
 		#  server certificate.
-		certificate_file = ${certdir}/client.pem
+		certificate_file = ${system_ssldir}/certs/client.pem
 
 		#  Trusted Root CA list
 		#
@@ -430,7 +430,7 @@ home_server tls {
 		#  not use client certificates, and you do not want
 		#  to permit EAP-TLS authentication, then delete
 		#  this configuration item.
-		ca_file = ${cadir}/ca.pem
+		ca_file = ${system_ssldir}/certs/ca-bundle.crt
 
 		#
 		#  For TLS-PSK, the key should be specified
@@ -452,7 +452,7 @@ home_server tls {
 		#
 		#  	openssl dhparam -out certs/dh 1024
 		#
-		dh_file = ${certdir}/dh
+		dh_file = ${local_ssldir}/dh
 		random_file = /dev/urandom
 
 		#
@@ -480,7 +480,7 @@ home_server tls {
 		#  3) uncomment the line below.
 		#  5) Restart radiusd
 	#	check_crl = yes
-		ca_path = ${cadir}
+		ca_path = ${local_ssldir}
 
 	       #
 	       #  If check_cert_issuer is set, the value will