Bug#919236: [Pkg-freeradius-maintainers] Bug#919236: Inappropriately broad default CA for EAP configuration
On 16.04.20 at 17:18, Bernhard Schmidt wrote:
> On 16.04.20 at 17:11, sauro...@gmx.de wrote:
>> Hi,
>> Well at least I thought that this would let me on Squeeze, but I was wrong
>
> Could you please rephrase your question? BTW, Squeeze is Debian 6 and out of LTS since 2016. I assume you mean Stretch aka Debian 9?
>
> Bernhard

Yes, Stretch was what I meant, sorry. I don't have any further questions; at the beginning I was thinking that this bug prevents me from upgrading to Buster, but in fact it has nothing to do with it. Nevertheless, I think when you upgrade from 9 to 10 the "sites-available" folder disappears on any machine, which causes freeradius to not start.

Best regards!
Bug#919236: [Pkg-freeradius-maintainers] Bug#919236: Inappropriately broad default CA for EAP configuration
On 16.04.20 at 17:11, sauro...@gmx.de wrote:
> Hi,
> Well at least I thought that this would let me on Squeeze, but I was wrong

Could you please rephrase your question? BTW, Squeeze is Debian 6 and out of LTS since 2016. I assume you mean Stretch aka Debian 9?

Bernhard
Bug#919236: [Pkg-freeradius-maintainers] Bug#919236: Inappropriately broad default CA for EAP configuration
Well, at least I thought that this would let me on Squeeze, but I was wrong. I did the upgrade to Buster today on two machines, both with the following result. After upgrading, freeradius wouldn't start, so I looked into it and found out that somehow the folder /etc/freeradius/3.0/sites-available was gone after the upgrade. Actually that caused the software to not start. I did a fresh Buster installation then, copied the folder and files to my old machines, changed the owner of the folder to "freerad", and now it's up and running again.

I'm not really qualified, I think, to answer your question, and as you can read I'm not a FreeRADIUS expert. Thanks for your input!
Bug#919236: [Pkg-freeradius-maintainers] Bug#919236: Inappropriately broad default CA for EAP configuration
On 15.04.20 at 13:57, sauro...@gmx.de wrote:
> Hi,
>>> "Michael" == Michael Stapelberg writes:
>> I really don't think I'm going to be able to provide more on this prior
>> to the buster release. I'm struggling trying to get through my own list
>> of things to fix in my packages.
>
> Is there any news on this? This bug keeps my last important machines I
> have here on Squeeze, unfortunately.

Why is this keeping your machine at Squeeze? It is a problem in the _default_ configuration; you can change it at will. And since it is a conffile (in /etc) it won't be overwritten by updates.

I agree that this should be fixed though, but I need some input on how to do this properly, both on upgrades and on new installations. I think the option of dropping snakeoil-certs.diff and running make in /etc/freeradius/3.0/certs on postinst (accompanied by a NEWS entry) should be okay. What do you think?

Bernhard
Bug#919236: [Pkg-freeradius-maintainers] Bug#919236: Inappropriately broad default CA for EAP configuration
On Mon, 14 Jan 2019 08:48:03 -0500 Sam Hartman wrote:
>> "Michael" == Michael Stapelberg writes:
> I really don't think I'm going to be able to provide more on this prior
> to the buster release. I'm struggling trying to get through my own list
> of things to fix in my packages.

Is there any news on this? This bug keeps my last important machines I have here on Squeeze, unfortunately.
Bug#919236: [Pkg-freeradius-maintainers] Bug#919236: Inappropriately broad default CA for EAP configuration
control: tags -1 help

> "Michael" == Michael Stapelberg writes:
    Michael> Can you send a patch please? It's been like
    Michael> that since before I touched the package.

My suspicion is that it's removing parts of a patch. In fact, it looks like most of what's needed is to remove snakeoil-certs.diff from the patch series. Yes, doing that requires the user to run make in /etc/freeradius/3.0/certs, but they really probably do want a different certificate hierarchy for EAP.

I really don't think I'm going to be able to provide more on this prior to the buster release. I'm struggling trying to get through my own list of things to fix in my packages.
Bug#919236: [Pkg-freeradius-maintainers] Bug#919236: Inappropriately broad default CA for EAP configuration
Can you send a patch please? It's been like that since before I touched the package.

On Sun, Jan 13, 2019 at 11:39 PM Sam Hartman wrote:
> package: freeradius
> tags: security
> version: 3.0.17+dfsg-1
> severity: important
> justification: Inappropriately broad default authorization
>
> The debian freeradius package changes the default eap configuration to
> use the default list of Debian certification authorities as the default
> CAs for verifying client certificates for incoming EAP connections.
>
> The package leaves the following notice in
> /etc/freeradius/3.0/mods-available/eap:
>
> # See also:
> #
> # http://www.dslreports.com/forum/remark,9286052~mode=flat
> #
> # Note that you should NOT use a globally known CA here!
> # e.g. using a Verisign cert as a "known CA" means that
> # ANYONE who has a certificate signed by them can
>
> And then proceeds to do something even worse: it sets the default CA to
> the entire list of Debian trusted CAs.
>
> As discussed by the freeradius docs, you want the default for EAP
> certificates to be an organization-specific CA.
>
> --Sam
>
> ___
> Pkg-freeradius-maintainers mailing list
> pkg-freeradius-maintain...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-freeradius-maintainers

--
Best regards,
Michael
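The misconfiguration Sam reports and the fix Sam and Bernhard discuss (drop snakeoil-certs.diff, return to an organisation CA generated by make in /etc/freeradius/3.0/certs) can be checked mechanically. The following is an added example, not code from this thread, from the Debian package or from the FreeRADIUS project: a small Python audit that parses the eap module's tls-common section and flags a ca_file that points at the system trust store or holds far more certificates than an organisation CA would. The config layout (eap -> tls-config tls-common -> ca_file) follows the upstream mods-available/eap template; the snakeoil key and certificate paths, the certificate-count threshold and the two sample configs are assumptions, and the fake trust bundle is constructed inline so the script runs offline.

```python
"""Audit a FreeRADIUS eap module for an over-broad client CA.

Added example for Debian bug #919236; not code from the Debian package or
from the FreeRADIUS project. The config layout follows the upstream
mods-available/eap template; configs and trust bundles are constructed
inline so this runs offline.
"""
import re
from typing import Callable, Dict, List, Optional

# System trust stores: any client cert from any public CA would be accepted.
SYSTEM_BUNDLES = {
    "/etc/ssl/certs/ca-certificates.crt",   # Debian/Ubuntu ca-certificates
    "/etc/pki/tls/certs/ca-bundle.crt",      # Red Hat family
}
# Threshold (an assumption): an organisation EAP CA file holds one root plus
# a few intermediates, not a hundred-plus public roots.
MAX_EAP_CAS = 10

_VAR = re.compile(r"\$\{(\w+)\}")


def parse_config(text: str, variables: Dict[str, str]) -> dict:
    """Parse FreeRADIUS `name { key = value }` syntax into nested dicts.

    Handles '#' comments, a closing '}' on its own line and ${var} expansion.
    Deliberately minimal: enough for the eap module, not the whole grammar.
    """
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            # Section headers may carry two tokens, e.g. "tls-config tls-common".
            name = line[:-1].strip()
            stack.append(stack[-1].setdefault(name, {}))
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            val = _VAR.sub(lambda m: variables.get(m.group(1), m.group(0)), val.strip('"'))
            stack[-1][key] = val
    return root


def audit_eap_ca(config_text: str, read_file: Callable[[str], str],
                 variables: Optional[Dict[str, str]] = None) -> List[str]:
    """Return findings about the EAP ca_file; an empty list means it looks sane."""
    variables = variables or {"certdir": "/etc/freeradius/3.0/certs",
                              "cadir": "/etc/freeradius/3.0/certs"}
    tls = parse_config(config_text, variables).get("eap", {}).get("tls-config tls-common", {})
    ca_file = tls.get("ca_file")
    if ca_file is None:
        return ["no ca_file in tls-common: EAP-TLS client certificates cannot be verified"]
    findings = []
    if ca_file in SYSTEM_BUNDLES:
        findings.append(f"ca_file {ca_file} is the system trust store; any certificate "
                        "from any public CA is accepted as an EAP client")
    count = read_file(ca_file).count("-----BEGIN CERTIFICATE-----")
    if count > MAX_EAP_CAS:
        findings.append(f"ca_file {ca_file} holds {count} CA certificates; "
                        "EAP should trust one organisation-specific CA")
    return findings


# Constructed sample configs. DEBIAN_PATCHED mirrors what the bug report
# describes (ca_file = the whole Debian CA list); the snakeoil key/cert paths
# are an assumption about what snakeoil-certs.diff sets. UPSTREAM_DEFAULT is
# the layout the maintainers propose returning to (certs made by `make`).
DEBIAN_PATCHED = """\
eap {
    default_eap_type = md5
    tls-config tls-common {
        private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
        certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
        ca_file = /etc/ssl/certs/ca-certificates.crt   # every Debian-trusted CA
    }
}
"""
UPSTREAM_DEFAULT = """\
eap {
    default_eap_type = md5
    tls-config tls-common {
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        ca_file = ${cadir}/ca.pem
    }
}
"""

# Constructed stand-in for the filesystem: one PEM blob per path. The real
# Debian bundle holds well over a hundred roots; 140 here is illustrative.
_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
FAKE_FS = {
    "/etc/ssl/certs/ca-certificates.crt": _PEM * 140,
    "/etc/freeradius/3.0/certs/ca.pem": _PEM,
}


def read_fake(path: str) -> str:
    """Reader over the constructed filesystem; on a real host use open(path).read()."""
    return FAKE_FS.get(path, "")


if __name__ == "__main__":
    for label, cfg in (("debian", DEBIAN_PATCHED), ("upstream", UPSTREAM_DEFAULT)):
        print(label, audit_eap_ca(cfg, read_fake) or ["ok"])
```

On a real host, swap read_fake for a reader that opens the path and feed the script /etc/freeradius/3.0/mods-enabled/eap. The two checks are independent on purpose: the path check catches the exact default the bug describes, while the certificate count also catches a site that copied the system bundle to a private path, which is no narrower in what it authorises.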