Blame SOURCES/freeradius-Use-system-crypto-policy-by-default.patch

c52eca
From a7ed62fbcc043a9ec7a4f09962a2cd2acffa019b Mon Sep 17 00:00:00 2001
c52eca
From: Alexander Scheel <ascheel@redhat.com>
c52eca
Date: Wed, 8 May 2019 10:16:31 -0400
c52eca
Subject: [PATCH] Use system-provided crypto-policies by default
c52eca
c52eca
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
c52eca
---
c52eca
 raddb/mods-available/eap        | 4 ++--
c52eca
 raddb/mods-available/inner-eap  | 2 +-
c52eca
 raddb/sites-available/abfab-tls | 2 +-
c52eca
 raddb/sites-available/tls       | 4 ++--
c52eca
 4 files changed, 6 insertions(+), 6 deletions(-)
c52eca
c52eca
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
c52eca
index 36849e10f2..b28c0f19c6 100644
c52eca
--- a/raddb/mods-available/eap
c52eca
+++ b/raddb/mods-available/eap
c52eca
@@ -368,7 +368,7 @@ eap {
c52eca
 		#
c52eca
 		#  For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
c52eca
 		#
c52eca
-		cipher_list = "DEFAULT"
c52eca
+		cipher_list = "PROFILE=SYSTEM"
c52eca
 
c52eca
 		#  If enabled, OpenSSL will use server cipher list
c52eca
 		#  (possibly defined by cipher_list option above)
c52eca
@@ -912,7 +912,7 @@ eap {
c52eca
 		#  Note - for OpenSSL 1.1.0 and above you may need
c52eca
 		#  to add ":@SECLEVEL=0"
c52eca
 		#
c52eca
-	#	cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
c52eca
+	#	cipher_list = "PROFILE=SYSTEM"
c52eca
 
c52eca
 		#  PAC lifetime in seconds (default: seven days)
c52eca
 		#
c52eca
diff --git a/raddb/mods-available/inner-eap b/raddb/mods-available/inner-eap
c52eca
index 576eb7739e..ffa07188e2 100644
c52eca
--- a/raddb/mods-available/inner-eap
c52eca
+++ b/raddb/mods-available/inner-eap
c52eca
@@ -77,7 +77,7 @@ eap inner-eap {
c52eca
 		#  certificates.  If so, edit this file.
c52eca
 		ca_file = ${cadir}/ca.pem
c52eca
 
c52eca
-		cipher_list = "DEFAULT"
c52eca
+		cipher_list = "PROFILE=SYSTEM"
c52eca
 
c52eca
 		#  You may want to set a very small fragment size.
c52eca
 		#  The TLS data here needs to go inside of the
c52eca
diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls
c52eca
index 92f1d6330e..cd69b3905a 100644
c52eca
--- a/raddb/sites-available/abfab-tls
c52eca
+++ b/raddb/sites-available/abfab-tls
c52eca
@@ -19,7 +19,7 @@ listen {
c52eca
 		dh_file = ${certdir}/dh
c52eca
 		fragment_size = 8192
c52eca
 		ca_path = ${cadir}
c52eca
-		cipher_list = "DEFAULT"
c52eca
+		cipher_list = "PROFILE=SYSTEM"
c52eca
 
c52eca
 		cache {
c52eca
 			enable = no
c52eca
diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
c52eca
index bbc761b1c5..83cd35b851 100644
c52eca
--- a/raddb/sites-available/tls
c52eca
+++ b/raddb/sites-available/tls
c52eca
@@ -215,7 +215,7 @@ listen {
c52eca
 		# Set this option to specify the allowed
c52eca
 		# TLS cipher suites.  The format is listed
c52eca
 		# in "man 1 ciphers".
c52eca
-		cipher_list = "DEFAULT"
c52eca
+		cipher_list = "PROFILE=SYSTEM"
c52eca
 
c52eca
 		# If enabled, OpenSSL will use server cipher list
c52eca
 		# (possibly defined by cipher_list option above)
c52eca
@@ -517,7 +517,7 @@ home_server tls {
c52eca
 		# Set this option to specify the allowed
c52eca
 		# TLS cipher suites.  The format is listed
c52eca
 		# in "man 1 ciphers".
c52eca
-		cipher_list = "DEFAULT"
c52eca
+		cipher_list = "PROFILE=SYSTEM"
c52eca
 	}
c52eca
 
c52eca
 }
c52eca
-- 
c52eca
2.21.0
c52eca