|
 |
8ba9e1 |
From a7ed62fbcc043a9ec7a4f09962a2cd2acffa019b Mon Sep 17 00:00:00 2001
|
|
|
8ba9e1 |
From: Alexander Scheel <ascheel@redhat.com>
|
|
|
8ba9e1 |
Date: Wed, 8 May 2019 10:16:31 -0400
|
|
|
8ba9e1 |
Subject: [PATCH] Use system-provided crypto-policies by default
|
|
|
8ba9e1 |
|
|
|
8ba9e1 |
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
|
|
8ba9e1 |
---
|
|
|
8ba9e1 |
raddb/mods-available/eap | 4 ++--
|
|
|
8ba9e1 |
raddb/mods-available/inner-eap | 2 +-
|
|
|
8ba9e1 |
raddb/sites-available/abfab-tls | 2 +-
|
|
|
8ba9e1 |
raddb/sites-available/tls | 4 ++--
|
|
|
8ba9e1 |
4 files changed, 6 insertions(+), 6 deletions(-)
|
|
|
8ba9e1 |
|
|
|
8ba9e1 |
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
|
|
|
8ba9e1 |
index 36849e10f2..b28c0f19c6 100644
|
|
|
8ba9e1 |
--- a/raddb/mods-available/eap
|
|
|
8ba9e1 |
+++ b/raddb/mods-available/eap
|
|
|
8ba9e1 |
@@ -368,7 +368,7 @@ eap {
|
|
|
8ba9e1 |
#
|
|
|
8ba9e1 |
# For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
|
|
|
8ba9e1 |
#
|
|
|
8ba9e1 |
- cipher_list = "DEFAULT"
|
|
|
8ba9e1 |
+ cipher_list = "PROFILE=SYSTEM"
|
|
|
8ba9e1 |
|
|
|
8ba9e1 |
# If enabled, OpenSSL will use server cipher list
|
|
|
8ba9e1 |
# (possibly defined by cipher_list option above)
|
|
|
8ba9e1 |
@@ -912,7 +912,7 @@ eap {
|
|
|
8ba9e1 |
# Note - for OpenSSL 1.1.0 and above you may need
|
|
|
8ba9e1 |
# to add ":@SECLEVEL=0"
|
|
|
8ba9e1 |
#
|
|
|
8ba9e1 |
- # cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
|
|
|
8ba9e1 |
+ # cipher_list = "PROFILE=SYSTEM"
|
|
|
8ba9e1 |
|
|
|
8ba9e1 |
# PAC lifetime in seconds (default: seven days)
|
|
|
8ba9e1 |
#
|
|
|
8ba9e1 |
diff --git a/raddb/mods-available/inner-eap b/raddb/mods-available/inner-eap
|
|
|
8ba9e1 |
index 576eb7739e..ffa07188e2 100644
|
|
|
8ba9e1 |
--- a/raddb/mods-available/inner-eap
|
|
|
8ba9e1 |
+++ b/raddb/mods-available/inner-eap
|
|
|
8ba9e1 |
@@ -77,7 +77,7 @@ eap inner-eap {
|
|
|
8ba9e1 |
# certificates. If so, edit this file.
|
|
|
8ba9e1 |
ca_file = ${cadir}/ca.pem
|
|
|
8ba9e1 |
|
|
|
8ba9e1 |
- cipher_list = "DEFAULT"
|
|
|
8ba9e1 |
+ cipher_list = "PROFILE=SYSTEM"
|
|
|
8ba9e1 |
|
|
|
8ba9e1 |
# You may want to set a very small fragment size.
|
|
|
8ba9e1 |
# The TLS data here needs to go inside of the
|
|
|
8ba9e1 |
diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls
|
|
|
8ba9e1 |
index 92f1d6330e..cd69b3905a 100644
|
|
|
8ba9e1 |
--- a/raddb/sites-available/abfab-tls
|
|
|
8ba9e1 |
+++ b/raddb/sites-available/abfab-tls
|
|
|
8ba9e1 |
@@ -19,7 +19,7 @@ listen {
|
|
|
8ba9e1 |
dh_file = ${certdir}/dh
|
|
|
8ba9e1 |
fragment_size = 8192
|
|
|
8ba9e1 |
ca_path = ${cadir}
|
|
|
8ba9e1 |
- cipher_list = "DEFAULT"
|
|
|
8ba9e1 |
+ cipher_list = "PROFILE=SYSTEM"
|
|
|
8ba9e1 |
|
|
|
8ba9e1 |
cache {
|
|
|
8ba9e1 |
enable = no
|
|
|
8ba9e1 |
diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
|
|
|
8ba9e1 |
index bbc761b1c5..83cd35b851 100644
|
|
|
8ba9e1 |
--- a/raddb/sites-available/tls
|
|
|
8ba9e1 |
+++ b/raddb/sites-available/tls
|
|
|
8ba9e1 |
@@ -215,7 +215,7 @@ listen {
|
|
|
8ba9e1 |
# Set this option to specify the allowed
|
|
|
8ba9e1 |
# TLS cipher suites. The format is listed
|
|
|
8ba9e1 |
# in "man 1 ciphers".
|
|
|
8ba9e1 |
- cipher_list = "DEFAULT"
|
|
|
8ba9e1 |
+ cipher_list = "PROFILE=SYSTEM"
|
|
|
8ba9e1 |
|
|
|
8ba9e1 |
# If enabled, OpenSSL will use server cipher list
|
|
|
8ba9e1 |
# (possibly defined by cipher_list option above)
|
|
|
8ba9e1 |
@@ -517,7 +517,7 @@ home_server tls {
|
|
|
8ba9e1 |
# Set this option to specify the allowed
|
|
|
8ba9e1 |
# TLS cipher suites. The format is listed
|
|
|
8ba9e1 |
# in "man 1 ciphers".
|
|
|
8ba9e1 |
- cipher_list = "DEFAULT"
|
|
|
8ba9e1 |
+ cipher_list = "PROFILE=SYSTEM"
|
|
|
8ba9e1 |
}
|
|
|
8ba9e1 |
|
|
|
8ba9e1 |
}
|
|
|
8ba9e1 |
--
|
|
|
8ba9e1 |
2.21.0
|
|
|
8ba9e1 |
|